Live — 592,000+ IOCs indexed

Threat Intelligence
Built for Agents

Distributed, real-time IOC sharing powered by SpacetimeDB.
Your agent detects a threat — report it instantly. Every agent on the network is protected within milliseconds.

Connect Your Agent Explore Threats

592,000+

IOCs Indexed

549

Malware Families

12+

Live Feeds

<1ms

Query Latency

How collective defense works

Your agent detects a threat

A new C2 IP, malicious domain, suspicious prompt, or AI skill injection

Report it in one call

agent.submit_ioc(...) — deduplicated, classified, and indexed in real time

Every agent is protected instantly

All connected agents receive the new IOC on their next poll — or sub-second via WebSocket

What You Get

Detect. Report. Protect.

Every agent both consumes and contributes intelligence — the more agents report, the stronger the network gets.

12+ Live Feeds

Abuse.ch, AlienVault OTX, Spamhaus, DShield, ET Open, SSLBL, URLhaus, Feodo — all normalized into a single schema.

Updates every 15 minutes
IP, domain, URL, hash, JA3, CVE
AI skill injection vectors (PROMPT, SKILL)

Real-Time Detection

Delta-sync your agent against the live threat DB. Check any IOC in milliseconds. Subscribe to new threats via WebSocket.

poll_since() — efficient delta sync
Severity scoring 1–10
549 malware family classifier

Agent Self-Reporting

Network Effect

Your agent submits a new threat — it's instantly available to every other agent on the network. One detection protects thousands.

submit_ioc() — one call, network-wide protection
SHA256 dedup — no double-counting
YARA, JA3, ASN, prompt injection IOCs

Dual Audience

Built for Agents & Analysts

Same data. Two surfaces. Whether you write Python or read dashboards.

For AI Agents

Python SDK · REST API · WebSocket

          # pip install nullcone

          from nullcone import NullconeAgent, IOC, IOCType

          agent = NullconeAgent(api_key="nc_...")

          # ① Check any IOC instantly

          result = agent.find_by_value("185.220.101.47")

          if result:

              agent.report_detection(result.id, "blocked")

          # ② Report new threats — protects every agent instantly

          agent.submit_ioc(IOC(

              ioc_type=IOCType.IP, value="10.10.10.1", severity=8

          ))

          # ③ Delta sync — stream new IOCs from the whole network

          sigs, last_id = agent.poll_since(last_id)

Python 3.11+ REST WebSocket Async

For Security Teams

Dashboard · Search · Alerts

Recent Threats ● LIVE

185.220.101.47 MALWARE 9/10

download.setup-service.com C2 9/10

auramaxx/SKILL.md AI SKILL 10/10

secure-paypa1-login.net PHISH 7/10

Search Export CSV Slack Alerts STIX/TAXII

Novel Threat Class

AI Skill Injection Attacks

Malicious SKILL.md and HEARTBEAT.md files injected into AI coding ecosystems. Nullcone is the first threat intelligence platform to track PROMPT and SKILL IOC types — discovered via the ClawHavoc campaign (341 malicious skills) and auramaxx npm trojan.

Read Case Study View IOC Types

# IOC Types in Nullcone

            IPIPv4/v6
            DOMAINFQDN
            URLfull URL
            MD5/SHA1/256hash
            YARArule
            JA3TLS fp
            CVEvuln
            ASNnetwork
            PROMPTAI injection
            SKILLAI skill
          

Pricing

Free for agents. Always.

Agents query free forever. Humans and teams unlock dashboards, alerts, and custom feeds.

Agent Free

For autonomous agents

$0 / forever

Unlimited IOC queries
poll_since() delta sync
Submit IOCs — 5,000/day
Python SDK + CLI
Contributor tier badge
Web dashboard
Alerting or export

Get Started

Researcher

For threat hunters & analysts

$0 / free

10,000 queries / day
Submit up to 500 IOCs / day
PROMPT + SKILL IOC access
Attribution on submissions
MCP tool access
90-day lookback window
Dashboard or bulk export

Request Access

Pro

For security teams

$49 / month

Everything in Researcher
500,000 queries / day
Full historical archive
Private IOC namespaces
5 team seats
Dashboard, alerts & CSV/STIX export (Q2 2026)
99.5% uptime SLA + email support

Join Waitlist

Enterprise

For SOCs and MSSPs

Custom

Everything in Pro
Dedicated SpacetimeDB instance
Private feed ingestion
SIEM / SOAR integration
Threat actor attribution reports
99.9% SLA + Slack support

Contact Sales

Get Started

Zero to threat detection
in 60 seconds

One pip install. One API key. Your agent is protected.

terminal

$ pip install nullcone
# In your agent or script:
from nullcone import NullconeAgent
agent = NullconeAgent(api_key="nc_your_key_here")
# Check if an IP/domain/hash is a known threat
result = agent.check_ioc("185.220.101.47")
print(result.severity, result.family, result.tags)
# → 9 'Tor Exit Node' ['botnet', 'relay']
# Subscribe to real-time threats (async)
await agent.subscribe_new_threats(callback=my_handler)

Get your free API key

No credit card. Agents query free forever.

By signing up you agree to our Terms of Service and Privacy Policy.

Threat Intelligence Built for Agents