Paste a URL. We auto-detect format · IOC type · category · operator · feed_id. Then a 7-layer scan, then a 7-day quarantined commit.
No form fields. We probe, sniff format, parse, identify operator, classify, and pre-fill everything.
The feed is created in disabled state. When you enable it, ingest starts pulling — but for 7 days the indicators it brings are held back from customer firewalls. During this window the system runs automated quality checks against this feed's indicators; you watch the results and decide.
| Check | Cadence | Runs in 7d | What it catches |
|---|---|---|---|
| Ingest pull | 1h | ~168 | feed reachability, parse health, IOC counts |
| Tier reclassify | 30 min | ~336 | verified / trusted / community placement based on multi-source overlap |
| Allowlist-drift sweep | 6h | 28 | indicators that drifted into allowlist territory get auto-removed |
| Known-good smoke | 6h | 28 | if 54 must-not-block sites appear → webhook + operator alert |
| Cross-validation sample | daily | 7 | 654 random IOCs checked against tier criteria |
| Enrichment promote | 10 min | ~1,008 | GreyNoise/AbuseIPDB/VT live cross-check; promotes/demotes |
| Honeypot match | 5 min | ~2,016 | any sample IP attacking our honeypot mesh? → instant verified |

/v1/public/verification · /v1/public/sources — feed-level metrics

smoke_failed · feed_failing · cloud_fp_caught

GET /admin/v1/feeds/quarantine shows days remaining + preview score

/admin/v1/feeds/:id/quarantine/clear → feed contributes to default-ship like every other source.

During quarantine the feed's indicators are stored, classified, and tested — but invisible to customer firewalls. It's a real-world test bench with no risk.
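
The quarantine gate and the known-good smoke check described above, as an added Python example that is not the product's own code. The must-not-block list, the sample feed, the function names, the parent-domain matching rule and the choice to hold a feed on any smoke hit are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

QUARANTINE = timedelta(days=7)  # window length stated on the page
# Constructed must-not-block list; the real list is not shown on the page.
MUST_NOT_BLOCK = {"www.example.com", "192.0.2.10", "2001:db8::53"}

def normalize(ioc):
    """Return an ip_network for IPs/CIDRs, else a lowercased domain string."""
    ioc = ioc.strip().lower().rstrip(".")
    try:
        return ipaddress.ip_network(ioc, strict=False)
    except ValueError:
        return ioc

def smoke_hits(indicators, known_good=MUST_NOT_BLOCK):
    """Known-good entries that the feed's indicators would block."""
    nets, domains = [], set()
    for ioc in indicators:
        item = normalize(ioc)
        if isinstance(item, str):
            domains.add(item)
        else:
            nets.append(item)
    hits = set()
    for good in known_good:
        g = normalize(good)
        if isinstance(g, str):
            # Assumption: blocking a parent domain also blocks its subdomains.
            labels = g.split(".")
            depth = max(1, len(labels) - 1)  # never test the bare TLD
            parents = (".".join(labels[i:]) for i in range(depth))
            if any(p in domains for p in parents):
                hits.add(good)
        elif any(g.version == n.version and g.subnet_of(n) for n in nets):
            hits.add(good)
    return hits

def visible_to_firewalls(enabled_at, now, indicators, cleared=False):
    """(ship, hits): ship only after the window or a manual clear, and
    (assumption of this example) only while the smoke check is clean."""
    hits = sorted(smoke_hits(indicators))
    waited = now - enabled_at >= QUARANTINE
    return (waited or cleared) and not hits, hits

# Constructed sample feed: a broad CIDR and a parent domain cause two hits.
FEED = ["198.51.100.7", "192.0.2.0/24", "Example.COM.", "bad.test"]
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
```

The broad `192.0.2.0/24` entry and the parent domain are the two typical ways a feed ends up covering a known-good host without naming it, which is why the check compares by containment rather than exact string match.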