THREAT INTELLIGENCE ACTIVE
NEMESIS SECURITY INTELLIGENCE

We see you. We name you.

Automated threat detection, behavioral scoring, and public attribution. Every attacker caught in our honeypot network gets enriched, scored, reported to AbuseIPDB, and published to the community.

Live Telemetry
Operational Status
Real-time statistics from the Nemesis detection network. Counters update on page load from the live API.
Global View
Live Threat Map
Attack origins plotted from Nemesis honeypot telemetry. Data updates on page load from the entity ledger API.
Architecture
The 8-Layer Pipeline
From first packet to public disclosure. Every stage is automated, every decision is logged, every attacker is named.
01. Detect: Honeypot network across SSH, HTTP, canary files. Every connection logged.
02. Enrich: IP geolocation, ASN, ISP, reverse DNS, Shodan, open ports, AbuseIPDB history.
03. Score: Behavioral confidence scoring. Event frequency, TTP diversity, target breadth.
04. Correlate: Entity resolution into Planchette graph. Campaign linking, org clustering.
05. Report: Automated AbuseIPDB reports with evidence. MITRE ATT&CK TTP classification.
06. Block: nftables blocklist push across all mesh nodes. Immediate network-wide defense.
07. Publish: AI-narrated threat reports posted to DarkEsq IT Horrors. Name and shame.
08. Export: STIX 2.1 bundles, IP blocklists, Suricata rules. Community threat intel.
Latest Reports
IT Horrors Feed
AI-generated threat reports from the Nemesis pipeline. Each post is a named, shamed, and fully attributed attacker caught in our honeypots.
Threat Feeds
Download Intelligence
Machine-readable threat intelligence in standard formats. Use these feeds in your firewall, SIEM, or threat intelligence platform.
STIX 2.1
Intelligence Bundle
Full STIX 2.1 bundle with indicators, intrusion sets, relationships, and MITRE ATT&CK kill chain phases. Drop into any CTI platform.
Blocklist
IP Blocklist
Plain text IP list, one per line. Import into nftables, iptables, pfSense, or any firewall. Updated continuously.
CSV
Enriched Blocklist
CSV with IP, confidence, classification, country, org, ASN, TTPs, and abuse score. For SIEM integration and analyst review.
Suricata / Snort
Emerging Threats Rules
IDS/IPS rules in Suricata and Snort format. Drop into your sensor and start blocking known threat actors immediately.
Community
IT Horrors Forum
Human-readable threat reports on DarkEsq. Each attacker gets a narrative writeup with full attribution and dark humor.
Dashboard
Threat Ledger
Interactive threat entity browser with search, sort, detail panels, and export controls. Full operational picture.
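A consumer of the plain-text IP blocklist described above (one address per line, imported into nftables) should vet the feed before loading it into a drop set. The following is an added example, not code from Nemesis: the table and set names, the `protected` parameter, and the tolerance for `#` comments are assumptions, and the sample feed is constructed from documentation address ranges.

```python
import ipaddress

# Ranges that must never reach a drop set: private, CGNAT, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def vet_blocklist(text, protected=()):
    """Return (accepted, rejected); protected = networks you own or depend on."""
    guard = [ipaddress.ip_network(n) for n in protected]
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # tolerate comments (assumed)
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)  # single hosts only, CIDR is refused
        except ValueError:
            rejected.append((lineno, entry, "not an IP address"))
            continue
        if any(ip in net for net in NON_ROUTABLE):
            rejected.append((lineno, entry, "non-routable"))
        elif any(ip in net for net in guard):
            rejected.append((lineno, entry, "protected network"))
        elif ip in seen:
            rejected.append((lineno, entry, "duplicate"))
        else:
            seen.add(ip)
            accepted.append(ip)
    return accepted, rejected

def nft_commands(accepted, table="inet filter", set4="blocklist4", set6="blocklist6"):
    """Render one nft 'add element' command per address family (names assumed)."""
    cmds = []
    for version, name in ((4, set4), (6, set6)):
        members = sorted(str(ip) for ip in accepted if ip.version == version)
        if members:
            cmds.append(f"add element {table} {name} {{ {', '.join(members)} }}")
    return cmds

# Constructed sample feed (documentation ranges, not real indicators).
SAMPLE = """203.0.113.7
198.51.100.23
10.0.0.5
203.0.113.7
192.0.2.10
2001:db8::1
0.0.0.0/0
"""
```

The explicit range list is used so the documentation-range sample passes; against a live feed, `ipaddress`'s `is_global` check is the stricter filter.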
System
How Nemesis Works
A fully automated threat intelligence pipeline running across the Astraea infrastructure.

Honeypot Network

SSH and HTTP honeypots deployed across mesh nodes running the Nemesis agent. Canary files for lateral movement detection. Every connection fingerprinted and logged to the central event store.

Behavioral Scoring

Confidence scoring based on event frequency, TTP diversity, target breadth, and enrichment signals. Entities graduate through tiers as evidence accumulates. No manual classification required.

Planchette Integration

Threat actors sync into the Planchette entity graph as first-class entities with edges, watches, and Hive Mind anomaly reports. The same graph that tracks vessels and aircraft now tracks attackers.

AI Narrator

Claude generates threat reports in the voice of a community member. Attack timelines, TTP explanations in plain English, ISP callouts, and a snarky closing line. Every report posted to the IT Horrors board.

Community Defense

STIX 2.1 export for threat intel platforms. IP blocklists for firewalls. Suricata rules for IDS sensors. AbuseIPDB reporting for the global community. Every attacker costs something.

Full Attribution

IP, ASN, ISP, org, country, city, reverse DNS, open ports, abuse history. MITRE ATT&CK TTP mapping. Campaign correlation. Every thread pulled until the picture is complete.