First-party intel
Roadmap · Public surfaces

What is coming next

The CVE-2026-41940 threat feed is live today. The wider Signal ecosystem ships in stages. Below are the surfaces in flight, with rendered preview teasers from the working prototype.

IP reputation lookup

Q3 2026

Public IP / CIDR / domain lookup against the Signal corpus. Threat scoring, classification tags, MITRE ATT&CK mapping, related infrastructure, feed cross-references, and a zero-friction free tier.

signal.rfxn.com/lookup/80.75.212.14
Preview
94 / 100 · Malicious
80.75.212.14 · First Colo GmbH · DE

Risk factors

Known Tor exit node          Critical
Active brute force source    High
Listed in 12+ threat feeds   High
Port scanning activity       Medium

MITRE ATT&CK

T1190 T1110 T1595 T1499

Classifications

Brute force · Pattern X · Listed in 12 feeds · Operator A

Fleet dashboard & intel

Q4 2026

Per-fleet activity, ranked attacker view, and the live event stream rolled into a single view. AI-assisted triage queue attached to each block.

signal.rfxn.com/dashboard
Preview

[Chart: 24h activity · stacked by category (Brute, Web, Malware, Scan); x-axis 00:00 to 23:00]
signal.rfxn.com/intel
Preview

Top attackers · 24h rolling

412K events

#  IP               Country  Events  Kind
1  80.75.212.14     🇩🇪 DE    412     Pattern X badpass
2  94.231.206.39    🇷🇺 RU    287     Pattern X badpass
3  142.93.43.26     🇺🇸 US    256     Pattern X badpass
4  45.82.78.104     🇧🇬 BG    198     Websocket Shell
5  206.189.2.13     🇺🇸 US    145     Scanner (leakix)
6  157.245.204.205  🇺🇸 US    132     Scanner (leakix)

Custom threat feeds

Q3 2026

Build per-organisation block lists from 18 threat categories. Confidence tiers, geo / ASN filters, refresh cadence, .txt / .json / .csv / STIX output, drop-in for APF, iptables, ipset, pfSense, fail2ban.

signal.rfxn.com/feeds/builder
Preview

Build a custom block list · 18 categories

3 selected · 218,621 IPs

Category             IPs      Confidence
SSH brute force      142,847  high
Web exploiters       67,231   high
Malware C2           8,943    high
Tor exit nodes       7,219    medium
Scanners             234,512  medium
SQLi attempts        67,089   high
Credential stuffing  45,612   high
Cryptominers         3,887    high

$ curl -s https://signal.rfxn.com/feed/v1/custom/f7a2e9c1d4b8.txt >> /etc/apf/deny_hosts.rules && apf -r

CLI & API

Q3 2026

Single binary for terminal-native lookup, feed sync, and APF / iptables rule generation. REST + JSONL streaming endpoints. MCP server for Claude Code, Cursor, and other AI agents.

signal.rfxn.com/cli
Preview
signal-cli
$ signal lookup 80.75.212.14
ip:        80.75.212.14
score:     94 / 100  MALICIOUS
country:   DE  asn: AS44066 (First Colo GmbH)
classes:   brute force, Pattern X, listed-in-12-feeds
mitre:     T1190 T1110 T1595 T1499
firstSeen: 2025-08-12T03:14:00Z
lastSeen:  2 minutes ago

$ signal feed sync apf --tag cve-2026-41940
fetched:   34 indicators · 0 stale · 0 errors
applied:   /etc/apf/deny_hosts.rules
reload:    apf -r  (ok)

Roadmap at a glance

Eight surfaces, three release waves. Tell us which one you need first.

IP reputation lookup        Q3 2026
Custom threat feeds         Q3 2026
Fleet security dashboard    Q4 2026
Fleet management portal     Q4 2026
Public REST API             Q3 2026
Signal CLI                  Q3 2026
MCP integration             Q3 2026
Community intel             Q4 2026

Want any of this sooner?

Drop us a note. We are onboarding small cohorts as each surface ships, and the priority queue is set by who is actively waiting on what.