Threat Sensors

With a global reach from over 38 international datacenters located in strategic locations with specialized hardware designed by Norse


Supporting both server and client configurations, compromised systems are proactively accessing our honeynet. We support thousands of applications that appear as desirable targets for undesirable folks. Client based honeypots are emulating browser actions that cause compromised websites to reveal their malware.


Internet Relay Chat is a popular method for exchanging ideas and plans among bad actors. By participating in these chats, we gain intel about new and modified attack vectors.


Border Gateway Protocol is the routing protocol of the Internet. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. By maintaining current copies of this information we can recognize if an IP address is a valid member or bogus (bogon).


Peer-to-Peer connections are created without the need for a central server. P2P networks can be set up within the home, a business, or over the Internet. Participants who are interested in communicating without detection often set these up between interested parties. We're interested and gain valuable information through participation.


Search Engine Optimization is a technique to gain rankings for specific criteria. By managing websites that will score highly when people are looking for bad things, they expose themselves as bad actors and add value to our data repository.


A crawler is a bot that systematically browses the web, typically for the purpose of indexing. Focusing on text based documents, we search for a wide range of language that could indicate malicious behavior.


The physical location of an originating IP address can be a useful factor in determining risk. Norse's geolocation capabilities are highly accurate, and the resulting information is factored into its live threat intelligence database.

Anonymous Proxy

Anonymous proxies such as Tor are used to hide the identity of the proxy user. Originally intended to protect users' personal privacy, freedom, and ability to conduct confidential business, anonymous proxies are now also widely used to launch attacks. By understanding where Tor exit points are, we can flag IPs as having higher risk than those that are not behind a proxy.

Open Source

Norse operates many popular open source applications within our Honeypot network that are free to use. This attracts bad actors who unknowingly end up divulging their tools and techniques. DNS services that do not log also look desirable to people who do not want to be detected. When bad actors use our services, they are adding to our knowledge base.