Check an IP
Live attack origins
How it works
1
Sense
A worldwide field of sacrificial honeypot sensors — many providers, six continents, fresh IPs — records every unsolicited connection an attacker makes.
2
Correlate
Every hit is enriched and cross-referenced at home. An IP that independently hits many sensors across different providers is, with high confidence, an indiscriminate mass-scanner — the breadth is the proof.
3
Act
The highest-confidence set is published as a clean, low-false-positive blocklist + live feed for your firewall, CrowdSec, or edge.
By the numbers
Top source countries
Top targeted ports
Top attack types
Top source networks (ASN)
Time-to-first-attack by provider
Sensor fleet by continent
Private beta
Get the blocklist feed
The high-confidence mass-scanner set as a drop-in blocklist for your firewall / CrowdSec / edge — subscribers pull it from
https://hexfield.io/feed/<token>/blocklist.txt. We're refining quality before opening it up.