internet data feed

RIOT Shield

An intelligence feed to categorize internet traffic.

Shield against unnecessary noise to focus on what matters most and provide analyst-friendly context.

What is Shield?

Contextualized categorization platform for the entire IPv4 space that does not rely on individual IP addresses. It’s a larger-scale view focusing on categorizing sources and destinations at organizational or ASN levels in an easy to digest format, such as an “ISP” or “cloud provider”.

What are the benefits of this approach over traditional threat intel?

Unlike IOCs, Shield does not rely on the “known-bad” approach, meaning it can identify suspicious patterns even if the source is known to be a bad one yet. It helps filter internet traffic into manageable patterns during investigations, for example excluding all domestic ISPs while investigating suspicious logons. It helps provide context of sources and destinations, such as “content delivery network” or “educational institution” to help improve alerting and enrich data for analyst investigations.

server room

Behind the scenes

Intelligent traffic categorization:

  • Basic source and destination classification examples:
    • ISP
    • Edu
    • Gov/Mil
    • Org/Biz
    • Infrastructure/Transit
  • Tailored source and destination classification examples:
    • CDN provider
    • Cloud provider (AWS, Azure, Google, etc.)
    • VPN provider
  • Network details examples:
    • Registry
    • CIDR ranges
    • ASN
  • Geolocation context examples:
    • Five Eyes alliance
    • European Union
    • US territory
  • Geo-matching of ASN and organizational IP blocks
  • Simplified global risk scoring based on:
    • Geolocation and geolocation context
    • Basic and tailored classification
    • Geo-matching and additional available details

Areas of Strength

Predictive approach based on larger scale categorization without reliance on “known bad” data

Data can be tailored to each organization to improve results, such as the difference between a domestic or international organization

Fairly static, IPv4 space categorization, even if routing details change, the categorizations mostly follow the original classifications (a perfect example is bulletproof hosting range changing geolocation or ASN)

Domestic threat detection to catch US-based VPNs, hosting, etc. leveraged by adversaries

Excellent for Threat Ops for larger-scale monitoring efforts with a variety of clients

Custom analytics based on context combined with other data sources and available details

data tags

Current Tags

  • Registry
  • AS Number
  • AS Name
  • AS Country
  • ASN Alliance/Territory
  • CIDR Range
  • Organization ID
  • Organization Name
  • Organization Country
  • Organization Alliance/Territory
  • Geographical Context
  • Risk Determination
  • Basic Classification
  • Tailored Classification

Sample Use Cases


Global Authentication Patterns

Filter authentication sources with human context of what those sources are (e.g., ISP, business, etc.)

Domestic Threat Patterns

Gain insight into logins from domestic infrastructure sources that are not typically leveraged by an employee (e.g., hosting, cloud provider, VPN, etc.)

Traffic Anomalies

Catch adversaries based on routing anomalies or unusual use of cloud infrastructure

Enrichment-ready log sources

  • Firewall traffic (network)
  • Proxy traffic (network)
  • IDS/IPS traffic (network)
  • VPN (authentication)
  • Azure/AWS (authentication)
  • Windows (authentication)
Chris, one of BTB's founders smiling

Your Data

Our all-in-one service for managed detection and response helps keep your organization secure.

Request a Demo