"Threat Intellegence is evidence-based knowledge including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. — Rob McMillan, Gartner Inc.
Darklist provides a list of the top high risk IP addresses on the Internet with an IPQ score and other critical context.

Traditional blacklists are often prone to false positives and are usually an aggregation of other lists, leading to incomplete or poor coverage. As a result, organizations relying on these lists to protect their business have "blind spots" that can miss high risk traffic and lead to breaches and compromises.

Norse Darklist™ is the next generation of blacklists. Darklist is a live, continuously updated list of the highest risk IPs on the Internet, enabling organizations to protect their network from external bad actors. Darklist provides a Norse IPQ risk score for each IP, the risk category (such as "botnet" or "Tor proxy") to provide context to the score, and latitude and longitude provided by Norse's superior geolocation capabilities. Darklist is not just another blacklist — the information is live, accurate, and contextual.

Darklist can be integrated into customers' SIEMs or other security solutions for alerting on high risk connections, forensics, and advanced threat notification. Norse Darklist delivers a level of visibility into the Internet's most dangerous IP addresses unmatched by any other solution. Darklist leverages Norse's DarkViking live threat intelligence platform to deliver a compilation of around four million IP addresses from across the globe, spanning the entire Internet. The Norse platform identifies high risk IPs through a myriad of methods including millions of honeypots, anonymous proxy (such as Tor) usage, custom crawlers, and more. When the Norse platform identifies a malicious IP it analyzes it and assigns it a risk score between 0 and 100 based on the IP's history of malicious activity. High risk IPs are added to Darklist as they are identified, so each time a customer requests a new Darklist they can be assured that it is always up to date. Darklist is available via a simple RESTful API query (manual or automated) and returned in CSV format for integration into customers' SIEMs or other security solutions.

Key Features

  • API-based retrieval enables user-configurable update frequency — weekly, daily, hourly or more frequently
  • Incremental updates ensure low bandwidth usage for high frequency updates
  • Norse IPQ Score provides a simple risk weighted scoring system
  • Advanced geolocation capabilities enable scoring of transactions and connections based on an IP address's geographical location
  • Millisecond API response time delivered via a simple, flexible RESTful API

Use Cases

  • Integration with SIEM for alerting on high risk connections
  • Integration with SIEM for correlation with anomalies for Advanced Persistent Threat (APT) identification
  • Integration with SIEM for post-attack forensics

To find out more about Darklist or to request a demo, contact us.