ET Intelligence – Actionable Threat Intelligence & Global Context

Proofpoint ET Intelligence™ is the industry’s most timely and accurate source of threat intelligence. Combining actionable up-to-the-minute IP and Domain reputation feeds with a database of globally observed threats and malware analysis, ET Intelligence gives the security professional the tools to proactively stop malicious attacks and provide the context needed to investigate them. 

Why Proofpoint ET Intelligence?

Today, advanced cyber attack campaigns are perpetrated with increasing frequency by a variety of actors with motives ranging from profit to espionage. While the basic tools used to execute these attacks have common elements and are often derived from fewer than 20 known exploit kits, each campaign is unique in its use of bot nets, proxies, attack vectors, and command and control systems. Given the dynamic nature of these campaigns, it has become nearly impossible for enterprises to keep pace with the changing threat landscape. That’s where Proofpoint comes in.

The team of dedicated threat researchers and analytics systems at Proofpoint ET Labs do the work so you don’t have to. The result is 100% originally sourced threat intelligence on IP addresses, domains, malware samples and exploit kits from direct observation. Built upon a proprietary process that leverages one of the world’s largest active malware exchanges, victim emulation at massive scale, original detection technology and a global sensor network, Proofpoint ET Intelligence is updated in real-time to provide organizations with the tools to combat today’s emerging threats.ThreatIntel_Process

ET Labs Threat Intelligence Methodology

Proofpoint ET Intelligence, comprised of domain and IP address reputation feeds and the global threat database, provides both actionable threat intelligence and a valuable source of context for incident investigation and threat research.

Dynamic IP and Domain Reputation

ET Intelligence provides actionable threat intelligence feeds for ingestion into firewalls, intrusion detection/protection systems (IDS/IPS), log and event management systems (SIEMs), and authentication systems. These dynamic feeds identify IPs and domains involved in suspicious and malicious activity as observed directly by Proofpoint’s ET Labs.

  • Separate lists for IP addresses and domains.
  • IP and domains are classified into over 40 different categories and assigned a confidence score (from 0 to 127) for each category.
  • Scores indicate recent activity levels and are aggressively aged to reflect current conditions.
  • Lists are updated hourly.
  • Available in multiple formats including TXT, CSV, JSON, and compressed.

Global Threat Database

Organizations have learned that it is not enough to simply know what types of threats exist, but in order to prevent attacks and reduce risk, they must also understand the historical context of where they originated, who is behind them, when have they attacked, what methods they used, and why. Proofpoint ET Intelligence gives users on-demand access to current and historical metadata on IPs, domains, and other related threat intelligence to assist with incident investigation and threat research.

[insert image / screenshots]

  • On-demand access to both current and historic threat intelligence. Searchable by IP address, domain, malware MD5, ET signature ID, and message text.
  • Search results provide related info for pivot and drill down, providing forensic data trail, accelerating incident investigation.
  • Over 5 years of observed threat activity.
  • Data is updated continuously.
  • Dashboard with view of current global threat posture on command and control and active exploit kits.

Enhance Existing Data and Tools

Threat intelligence is typically used by an organization to compliment or enhance existing solutions. Application that can benefit from threat intelligence include:

Using Reputation Feeds

  • Block connections to bad IP addresses in Firewall, NGFW, IPS/IDS.
  • Drop traffic from bad IP addresses in IPS.
  • Increase factors for suspect IP addresses with authentication system.
  • Enrich event and log data in SIEM.

Using Global Threat Database

  • Investigate incidents.
  • Search and view attacks and actors in motion all over the world.
  • Research malware with views into the network traffic produced when a malware sample executes.
  • Integrate into SEIM for ‘right click’ drill down context.


  • Keep pace with dynamic threat landscape using continuously updated intelligence.
  • Enrich existing log data with global perspective on suspect IP addresses and domains.
  • Enforce custom security policies based on reputation categories and score thresholds that matter to your organization.
  • Improve fidelity and reduce false positives from existing intrusion detection / prevention systems and next generation firewalls.
  • Accelerate incident investigation with global threat context.

To find out more about Emerging Threats products and solutions, please contact us.