Low false positives
An IP is listed only when many independent sensors on different networks agree — and known researchers/scanners are scrubbed. Block attackers, not your own users.
See what others miss
Behavioral intel & live malware droppers — not just IPs. Indiscriminate mass-scans surfaced early, while they're still spreading.
Drops into what you run
Paste one line into the firewall or SIEM you already have — nftables, OPNsense/pfSense, RPZ, Suricata, STIX/MISP. No agent, no lock-in.
Top source countries
Top targeted ports
Top attack types
Top source networks (ASN)
Time-to-first-attack by provider
Sensor fleet by continent
Get the blocklist feed
The high-confidence mass-scanner set as a drop-in blocklist for your firewall / CrowdSec / edge — subscribers pull it from
https://hexfield.io/feed/<token>/blocklist.txt. We're refining quality before opening it up.
Cryptographically signed — don't trust, verify
Every feed file is signed offline with a key that never touches the serving infrastructure — so even a compromised edge cannot forge the list. Verify any download with stock minisign:
curl -O https://hexfield.io/hexfield.pub minisign -Vm blocklist.txt -p hexfield.pub # → "Signature and comment signature verified"
Ed25519 · public key RWTWXqJpymdOJD… · hexfield.pub