Threat Intelligence by Webroot BrightCloud®

Threat Intelligence is a separately licensed subscription service in Airlock Gateway. It provides predefined lists of IP addresses so that one or more categories of unwanted IP address origins can be blocked from accessing the protected applications. An IP address may be included in several categories.

To define custom IP address lists, refer to Submenu – IP Address Lists.

The Threat Intelligence feed lists are categorized as follows:



Spam Sources

The Spam Sources category includes IP addresses involved in tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.

Windows Exploits

The Windows Exploits category includes IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms.

Web Attacks

The Web Attacks category includes IP addresses using cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute-force attacks to target vulnerabilities on a web server.


Botnets

The Botnets category includes IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers.


Scanners

The Scanners category includes IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute-force login attempts.

Denial of Service

The Denial of Service category includes IP addresses involved in DoS or DDoS attacks, anomalous SYN floods, or anomalous traffic.


Phishing

The Phishing category includes IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities.


Proxy

The Proxy category includes IP addresses providing proxy services, including both VPN and open web proxy services.

Mobile Threats

The Mobile Threats category includes IP addresses associated with malicious and unwanted mobile applications.

Tor Proxy

The Tor Proxy category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.

Threat Intelligence feed lists are an automatically maintained type of IP address list. For more information on IP address lists, see Submenu – IP Address Lists.

Should you find a problem with the content of the feed (e.g. a false positive), you may report this issue directly to the provider of the feed.

Please specify Airlock Gateway for the field Your product/integration.