Network Threat Intelligence Delivered to You

The first AI-Native threat feed wired directly into your SIEM and SOAR. VPNs, Tor, residential proxies, and C2 enriched where your team already works.

GET api.speculus.co/v1/

Already in your stack.

Splunk
Microsoft Sentinel
Elastic Security
Palo Alto Cortex XSOAR
IBM QRadar
Sumo Logic
CrowdStrike Falcon
Datadog Cloud SIEM

Why it matters

Your analysts spend hours every day researching IP addresses manually. Each lookup gives the attacker just enough time to hack into your Nginx server.

  • 5 min: average time to manually research a single suspicious IP
  • 80% of breaches involve a network indicator that was already visible
  • ~12 Billion attempted targeted network-based attacks last year

Raw IP → Enriched Threat Identity

One API call. Every field your SOC needs: verdict, threat score, geolocation, ISP, proxy and Tor flags, as well as behavioral detection indicators, all in under 50ms.

very high risk · score 75/100

This IP belongs to an AWS EC2 instance in Hong Kong (ap-east-1) and has been identified as Botnet infrastructure.

nio@speculus:~$ curl /v1/
200 OK·application/json·47ms
{
  "verdict" : "This IP belongs to an AWS EC2 instance in Hong Kong (ap-east-1) and has been identified as Botnet infrastructure.",
  "intel" : {
    "risk" : "very high",
    "score" : 75,
    "attribution" : "ValleyRAT",
    "tor_node" : false,
    "vpn_proxy" : false,
    "is_blacklisted" : false,
    "is_datacenter" : true,
    "cloud_provider" : {
      "provider" : "AWS",
      "region" : "ap-east-1",
      "service" : "EC2"
    },
    "activity" : "Botnet",
    "first_seen" : "2026-05-07 07:36:30"
  },
  "identity" : {
    "ip" : "43.199.58.243",
    "connection_type" : "",
    "isp" : "Amazon.com, Inc.",
    "org" : "Amazon Technologies Inc",
    "asn" : 16509
  },
  "location" : {
    "city" : "Hong Kong",
    "country" : "Hong Kong",
    "country_code" : "HK",
    "coordinates" : {
      "lat" : 22.3193,
      "lon" : 114.169
    }
  }
}

Three ways to deploy Speculus

API, managed integration, or on-prem database. Speculus is built for you.

API Access 01

The Speculus API

Direct, programmatic access to the NIO enrichment engine. A single REST call turns any IP address into a full intelligence object: threat score, geolocation, ASN, proxy flags, and a plain-English verdict. Built for developers who want to embed network intelligence directly into their stack.

  • IP enrichment in under 50ms
  • Threat scoring from 0–100 with plain-English verdict
  • Geolocation, ASN, carrier & proxy detection
  • REST Endpoints
  • 99.9% uptime SLA with enterprise rate limits

Integration Package 02

The Integration Package

Everything in the API, plus a fully managed deployment into your existing security stack. We connect NIO enrichment directly into Splunk, Elastic, Microsoft Sentinel, Palo Alto, or any SIEM/SOAR your team already operates. Includes custom dashboards, alert workflows, and ongoing support.

  • All API capabilities included
  • Native connectors for Splunk, Elastic, Sentinel & more
  • Custom threat dashboards and alert rule configuration
  • Dedicated onboarding and integration engineering
  • Quarterly threat intelligence briefings

MMDB 03

MMDB Database

The full Speculus threat intelligence dataset in MaxMind Database format, delivered directly to your infrastructure for offline, zero-latency lookups. No API calls, no round-trips, no external dependencies. Ideal for high-throughput environments where every millisecond counts.

  • Offline lookups with sub-millisecond query time
  • Compatible with any MaxMind-compatible reader
  • Weekly threat feed updates delivered to your endpoint
  • Full NIO scoring, geolocation, ASN & proxy data on-prem
  • Air-gapped and sovereign cloud deployments supported

Ready to Transform Your Threat Intelligence?

Let's talk about how Speculus can help you scale your network threat intelligence capabilities.