Solutions

MMDB Database

The full Speculus threat intelligence dataset in MaxMind Database format, delivered directly to your infrastructure for offline, zero-latency lookups. No API calls, no round-trips, no external dependencies. Ideal for high-throughput environments where every millisecond counts.

Talk to usSee pricing
speculus-nio.mmdb~ 480 MB · weekly
fieldtypedescription
intel.riskenumlow · medium · high · very high · critical
intel.scoreuint80–100 numeric risk score
intel.attributionstring?Threat actor or malware family, when known
intel.tor_nodeboolActive Tor exit node
intel.vpn_proxyboolCommercial VPN or proxy provider
intel.residential_proxyboolResidential proxy network membership
intel.is_blacklistedboolListed on threat intelligence feeds
intel.is_datacenterboolDatacenter or cloud-hosted network

Why MMDB

Designed for the environments where calling out to an API is not an option, or where every microsecond of latency matters.

Sub-millisecond lookups

Binary tree lookups directly from disk. p99 under 0.5ms on commodity hardware.

MaxMind-compatible

Drop-in replacement for any MaxMind reader. Same .mmdb format, same APIs.

Air-gapped friendly

Ships as a single file. No outbound calls, no telemetry, no licensing pings.

Weekly delivery

Signed bundle delivered every Monday via S3 presigned URL, GCS bucket, or your own object store.

Full NIO dataset

Threat score, attribution, ASN, geolocation, proxy and datacenter classification on-prem.

Sovereign cloud ready

Supported on AWS GovCloud, Azure Government, IL5 and IL6 environments.

Delivery

From our build pipeline to your servers in four steps.

01

Cron build

We rebuild the .mmdb every Monday at 00:00 UTC with the latest 7-day intel.

02

Signed bundle

GPG-signed tarball with checksum and changelog of indicator deltas.

03

Your endpoint

Pushed to your S3 / GCS / Azure bucket, or fetched via presigned URL.

04

Reload

Hot-swap the file. Most readers detect mtime and reload without restart.

Reader compatibility

Works out of the box with every mainstream MaxMind reader.

Pythonmaxminddb 2.x
Gooschwald/maxminddb-golang
Rustmaxminddb crate
Node@maxmind/mmdb-lib
Javacom.maxmind.db
Rubymaxmind/mmdb_db
Clibmaxminddb
PHPmaxmind-db/reader

Schema

Every field, the type, and what it means. Same shape as the API response.

intel.riskenumlow · medium · high · very high · critical
intel.scoreuint80–100 numeric risk score
intel.attributionstring?Threat actor or malware family, when known
intel.tor_nodeboolActive Tor exit node
intel.vpn_proxyboolCommercial VPN or proxy provider
intel.residential_proxyboolResidential proxy network membership
intel.is_blacklistedboolListed on threat intelligence feeds
intel.is_datacenterboolDatacenter or cloud-hosted network
intel.first_seeniso8601First observation of reported activity
intel.last_seeniso8601Most recent observation
identity.ispstringISP registered to the IP block
identity.orgstringNetwork operator name
identity.asnuint32Autonomous System Number
identity.connection_typeenumhosting · cellular · cable · fiber · dsl
location.country_codeiso2ISO 3166-1 alpha-2
location.citystringBest-effort city name
location.coordinatesfloat[2]Approximate GPS [lat, lon]

Ship the intel inside your perimeter.

Talk to us about MMDB delivery, sovereign cloud deployments, and air-gapped environments.

Talk to usSee pricing