TLP:CLEAR

How hexfield makes the feed

A blocklist is only worth running if you can act on it (no false positives) and believe it (you can verify it yourself). Here's the pipeline that gets us both — sensor to signature.

1. The field

A worldwide net of sacrificial sensors

We run a wide field of small, cheap decoy machines across many hosting providers and regions. They host no real service and have no legitimate users — so every connection they receive is, by definition, unsolicited and hostile. Breadth is the whole trick: one box's view is anecdote, hundreds of boxes on unrelated networks is evidence.

2. Protocol emulation

They speak just enough to make attackers reveal themselves

Each sensor impersonates the services attackers hunt for — web (HTTP) and SSH today, with more protocols rolling out. Instead of a dead port, the attacker gets a believable target and keeps going: the URLs and exploits they fire, the usernames and passwords they try, the commands they run once "in." We record what they do, not just that they knocked.

3. Honeytokens

Bait that phones home when it's stolen

The sensors are seeded with planted secrets — fake credentials, keys and config files of exactly the kind an intruder loots and reuses. Each is a unique tripwire: the moment one is used anywhere on the internet, it calls back to us and proves, beyond doubt, that the actor who took it is acting on stolen data. That's some of our highest-confidence signal — there's no innocent reason to use one.

4. Capture & analysis

We keep the malware and read the intent

When an attacker tries to drop a payload — a dropper, a coin-miner, a botnet implant — we capture the sample and the full command sequence. Anything dangerous is only ever examined off the sensors, never executed on them. Each session is then auto-classified into standard attack techniques (the MITRE ATT&CK vocabulary) so a listing isn't a bare IP — it carries why.

5. Correlation

We link IPs into actors

Attackers reuse infrastructure and tooling. We connect sensor events that share rare, hard-to-fake fingerprints — the same malware sample, the same dropper URL, the same exact command sequence — into campaigns, so one botnet of fifty IPs is understood as one adversary, not fifty coincidences. Generic noise (a common scanner user-agent) is deliberately not enough to merge actors, so unrelated attackers using the same off-the-shelf tool don't get falsely fused.

6. Confidence

Only the provable makes the list

An IP earns a place on the blocklist on the weight of the evidence: how many independent sensors saw it, how widely those sensors are spread geographically, how recently, and how much activity they recorded. One sensor is noise; a dozen across continents in the same window is proof. Known security researchers and benign scanners are scrubbed out. You drop attackers, not your own users.
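The two rules described in steps 5 and 6, as an added example that is not hexfield's own code: IPs are linked into one actor only through a strong fingerprint (shared sample hash, dropper URL or command sequence), never through a generic user-agent, and an IP is listed only when enough independent sensors in enough regions saw it inside the recency window and it is not a known benign scanner. The event records, thresholds and allowlist entry are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data): one hostile session per record. Only the
# STRONG_KEYS may link two IPs; the user-agent "ua" is deliberately never used for linking.
STRONG_KEYS = ("sample_sha256", "dropper_url", "cmd_sequence")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EVENTS = [
    {"ip": "198.51.100.7", "sensor": "s1", "region": "eu", "ts": NOW - timedelta(hours=1),
     "dropper_url": "hxxp://203.0.113.9/x.sh", "ua": "generic-scanner/1.0"},
    {"ip": "198.51.100.7", "sensor": "s2", "region": "us", "ts": NOW - timedelta(hours=5)},
    {"ip": "198.51.100.7", "sensor": "s3", "region": "ap", "ts": NOW - timedelta(days=2)},
    {"ip": "198.51.100.8", "sensor": "s4", "region": "us", "ts": NOW - timedelta(days=1),
     "dropper_url": "hxxp://203.0.113.9/x.sh"},  # same dropper URL -> same actor as .7
    {"ip": "198.51.100.9", "sensor": "s1", "region": "eu", "ts": NOW - timedelta(hours=2),
     "ua": "generic-scanner/1.0"},  # only the off-the-shelf UA in common -> separate actor
    {"ip": "192.0.2.50", "sensor": "s1", "region": "eu", "ts": NOW - timedelta(days=30)},
    {"ip": "192.0.2.50", "sensor": "s2", "region": "us", "ts": NOW - timedelta(days=31)},
    {"ip": "192.0.2.50", "sensor": "s3", "region": "ap", "ts": NOW - timedelta(days=32)},
]
BENIGN_SCANNERS = frozenset({"192.0.2.200"})  # placeholder allowlist of known researchers

def link_actors(events):
    """Union-find over IPs: merge two IPs only when their events share a strong fingerprint."""
    parent = {}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    first_ip = {}  # (key, value) -> first IP that carried that fingerprint
    for e in events:
        parent.setdefault(e["ip"], e["ip"])
        for key in STRONG_KEYS:
            if key in e:
                other = first_ip.setdefault((key, e[key]), e["ip"])
                parent[find(other)] = find(e["ip"])  # no-op when other is this IP
    groups = defaultdict(set)
    for ip in parent:
        groups[find(ip)].add(ip)
    return {frozenset(g) for g in groups.values()}

def should_list(events, ip, now=NOW, window=timedelta(days=7), min_sensors=3, min_regions=2):
    """Confidence gate: enough independent sensors, spread across regions, inside the window."""
    if ip in BENIGN_SCANNERS:
        return False
    recent = [e for e in events if e["ip"] == ip and now - e["ts"] <= window]
    return (len({e["sensor"] for e in recent}) >= min_sensors
            and len({e["region"] for e in recent}) >= min_regions)
```

Run `link_actors(EVENTS)` to see the .7/.8 pair fused by the shared dropper while .9 stays separate, and `should_list(EVENTS, ip)` to see that 192.0.2.50 is dropped for staleness despite three sensors on three continents.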

7. Proof

Signed so you never have to take our word for it

Every published file is cryptographically signed with a key that never touches our public servers. One command proves the list wasn't tampered with — even if our own edge were breached. Almost every other feed just asks you to trust it.

curl -O https://hexfield.io/hexfield.pub
# pin hexfield.pub once and reuse it; re-fetching the key on every run from the same edge you are verifying against would defeat the check
# blocklist.txt and its detached signature blocklist.txt.minisig must both be in the working directory
minisign -Vm blocklist.txt -p hexfield.pub
# -> "Signature and comment signature verified"

Drops into what you already run

One line into nftables, OPNsense/pfSense, MikroTik, Suricata, RPZ, AWS WAF, or your SIEM via STIX/MISP — no new agents, no lock-in, and full IPv6 coverage that most feeds skip.

The frontier we're building toward: using this depth to tell an automated, AI-driven attacker from a human — a distinction the rest of the industry can't yet make.
