Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

ELLIO Threat Lists

ELLIO Threat Lists are managed, continuously updated IP feeds you can include or exclude in any EDL Deployment. Browse them at platform.ellio.tech/dashboard/edl-blocklists.

There are two families of lists:

  • ELLIO Blocklists - the core threat-IP feeds curated from the ELLIO Deception Network.
  • RECON Blocklists - per-provider reconnaissance scanner IP lists.

Each list shows a live IP count, a “changed N minutes ago” timestamp, and a sparkline of recent size changes.

The flagship feeds. Pick one as the backbone of your EDL.

List Size (typical) Description When to use
ELLIO Threat List MAX ~660,000 IPs Flagship ingress blocklist. Active malicious activity across the Deception Network, excluding the IPs that appear in RECON Blocklists. Default for production ingress blocking.
ELLIO Threat List RDP ~60,000 IPs Active RDP/VNC threat and scanner IPs targeting remote-access services. Anywhere you expose RDP, VNC, or other remote-access ports to the internet.
ELLIO Threat List 250K 250,000 IPs Top 250,000 threat IPs extracted from MAX. Use when 660K is too large for your firewall but you want broad coverage.
ELLIO Threat List 100K 100,000 IPs Top 100,000 threat IPs. Use on resource-constrained firewalls (Sophos, ntopng, smaller pfSense).

The 100K and 250K lists are strict subsets of MAX, ranked by recency and risk. Pick the largest list your firewall comfortably handles.

Curated lists of scanner IPs from well-known providers. Use them by excluding to keep beneficial scanners reachable, or by including if you specifically don’t want their traffic.

List Typical size Operator
Censys Scanner IPs ~600,000 IPs censys.io - internet-wide scanning.
Shodan Scanner IPs ~400 IPs shodan.io.
Shadowserver Scanner IPs ~1,200 IPs Shadowserver Foundation research.
BinaryEdge Scanner IPs ~2,300 IPs binaryedge.io.
BufferOver Scanner IPs ~50 IPs bufferover.run.
Cortex Xpanse ~4,600 IPs Palo Alto Cortex Xpanse attack-surface scanning.
Driftnet Scanner IPs ~800 IPs driftnet.io.
InfraWatch Scanner IPs ~1,400 IPs InfraWatch research.
Internet Census Scanner IPs ~1,200 IPs Internet-wide measurement projects.
InternetTL Scanner IPs ~250 IPs InternetTL.
LeakIX Scanner IPs ~80 IPs leakix.net.
NetScout Scanner IPs ~500 IPs NetScout ATLAS.
Nokia Deepfield Scanner IPs ~300 IPs Nokia Deepfield Internet Security.
Rapid7 Scanner IPs ~600 IPs Rapid7 Project Sonar.
Stretchoid Scanner IPs ~2,000 IPs Stretchoid.

Sizes shift as the operators rotate IPs and add or remove infrastructure.

The most common production recipe:

  1. Include ELLIO Threat List MAX (or 250K / 100K based on firewall capacity).
  2. Exclude the RECON lists for scanners you trust (Shadowserver, Rapid7, your own attack-surface tooling) so they reach you.
  3. Include the RECON lists for scanners you don’t (whichever ones don’t add value for you).
  4. Exclude any Common Business Services your stack depends on (CDN, M365, Google Workspace).
  5. Include your own IP Rulesets for hand-curated additions.

MAX is designed for ingress blocking, where false positives matter. Most research scanners are technically “promiscuous” rather than malicious - blocking them by default would block legitimate scanning of your own attack surface, including by tools you may have paid for.

By keeping scanner IPs in dedicated RECON lists, MAX stays high-precision and you keep explicit control over each scanner’s policy.