Resource created as part of Grace Chi & the Pulsedive Threat Research team’s TI Essentials article: “ASN Data for Threat Detection: A Defender's Guide” | Published June 18, 2026 | feedly.com/ti-essentials/
Effectively leverage Autonomous System Number (ASN) data into threat detections tailored for your organization. This guide outlines a three-step process:

Review public intelligence reporting from security vendors and government reports about threats to collect IoCs and specific ASNs of concern.
Assign reputation scores to the ASN list previously generated
Use the following tools to gain more insights into the ASNs from a scoring perspective.
| Tool | Description |
|---|---|
| IPinfo | Online database of information about IP addresses and ASes. |
| ASRank | Ranks ASes by their customer cone size. |
| CleanTalk | Tracks IP addresses used within spam messages. This information is used to assign a spam rate to each ASN. |
| URLHaus | Database of URLs used to distribute malware. Malware sites are correlated with IP addresses assigned to the ASN used. This resource also tracks the average time the provider takes to action takedown requests. |
| risk-db | A GitHub project that tracks different attack reports by ASN. |
| Spamhaus | Spamhaus provides an ASN drop list in JSON format. |
| Fraudguard | Provides details on anonymous and malicious IP addresses from a specific ASN. |
The curated output from step 1 should be compared with incident data to determine whether any of the ASNs have been observed in incidents or security investigations. In addition to reviewing against incidents, the list should be compared against network traffic in an organization to identify if any traffic from the ASN is observed.
Any observations should be investigated to determine if an incident was missed.
If the observed traffic was benign and served a legitimate purpose, that ASN should be removed to reduce false positives.
Once blocklists or detections using the ASN list from step 2 are created, the ASN list used should be actively monitored for false positives or any new additions. If additions are required, this cycle can be repeated on a regular cadence.