Resource created as part of Grace Chi & the Pulsedive Threat Research team’s TI Essentials article: “ASN Data for Threat Detection: A Defender's Guide” | Published June 18, 2026 | feedly.com/ti-essentials/


Effectively leverage Autonomous System Number (ASN) data into threat detections tailored for your organization. This guide outlines a three-step process:

  1. Create a high-confidence list of malicious ASNs
  2. Evaluate your organization's network traffic against this list
  3. Regularly review the findings to ensure accuracy

image.png

Step 1: Create a high-confidence list of malicious ASNs

Use the following tools to gain more insights into the ASNs from a scoring perspective.

Tool Description
IPinfo Online database of information about IP addresses and ASes.
ASRank Ranks ASes by their customer cone size.
CleanTalk Tracks IP addresses used within spam messages. This information is used to assign a spam rate to each ASN.
URLHaus Database of URLs used to distribute malware. Malware sites are correlated with IP addresses assigned to the ASN used. This resource also tracks the average time the provider takes to action takedown requests.
risk-db A GitHub project that tracks different attack reports by ASN.
Spamhaus Spamhaus provides an ASN drop list in JSON format.
Fraudguard Provides details on anonymous and malicious IP addresses from a specific ASN.

Step 2: Evaluate your organization's network traffic against the list of ASes identified in step 1

The curated output from step 1 should be compared with incident data to determine whether any of the ASNs have been observed in incidents or security investigations. In addition to reviewing against incidents, the list should be compared against network traffic in an organization to identify if any traffic from the ASN is observed.

Step 3: Regularly review findings to determine if the ASN list needs to be modified

Once blocklists or detections using the ASN list from step 2 are created, the ASN list used should be actively monitored for false positives or any new additions. If additions are required, this cycle can be repeated on a regular cadence.