Skip to main content
First-party intel
rfxnResearch
Signal[IOC]

Intelligence from the edge

First-party threat data assembled from APF, BFD, and maldet deployments across multiple large-scale Linux hosting providers. Operator IPs, payload IOCs, and live incident feeds, generated, not aggregated.

CVE-2026-41940 threat feedIOC Console (private beta)What is coming
Hosts monitored

77K+

IPs tracked

112K+

Events / 24h

2.7M

C2 indicators

9,281

Live attacker map

CVE-2026-41940

The map below renders the SessionScribe attacker source set as a live slice of the broader Signal corpus. Sub-second event processing across the sensor mesh, attacker IPs surfaced and distributed as they hit the edge.

CVE-2026-41940 attacker origins

Snapshot 2026-05-08 · 24h rolling

critical
high
medium
low

Why Signal is different

Most threat intelligence is recycled. Signal is generated.

Others aggregate. We generate.

First-party data from real APF, BFD, and maldet deployments protecting production infrastructure. Not scraped third-party feeds or recycled blocklists.

Real-time, not retroactive.

Sub-second event processing from edge sensors. Threats are identified and propagated as they happen, not in daily batch dumps.

Edge-native intelligence.

Data sourced from production infrastructure across multiple large-scale hosting providers. Real attacker traffic, not synthetic honeypots.

Intelligence sources

Three data planes feeding a single corpus.

APF

Advanced Policy Firewall

Network-layer threat blocking with real-time policy enforcement across global deployments.

BFD

Brute Force Detection

Authentication failure monitoring and automated response for SSH, FTP, SMTP, and more.

maldet

Linux Malware Detect

Filesystem malware scanning with signature and heuristic detection tuned for shared hosting.

What ships and what is coming

Live

CVE-2026-41940 threat feed

Attacker block list, IOC catalog, threat map, and downloadable feed (txt / json / csv) for the cPanel/WHM SessionScribe vulnerability.

Open the feed
Private beta

Signal IOC Console

Per-host forensic console for incident response. Runtime evidence envelopes, kill-chain timeline, scanner verdicts, fleet-wide pivots.

Request access
Coming

Public surfaces

IP reputation lookup, custom feed builder, public API and CLI, MCP integration, fleet-management portal, community intel.

See the roadmap

Use the live feed today. Talk to us about the rest.

CVE-2026-41940 attacker block list is publicly available right now. The IOC Console is in private beta, drop a note if you run a hosting fleet that wants in.

CVE-2026-41940 threat feedContact us