
Regional Network Operator

Telecommunications & Infrastructure

Prioritizing 600K Firewall Blocks with STIX/TAXII Feeds

How a regional network operator ingests isMalicious threat intelligence into dual OpenCTI instances and refreshes firewall TXT blocklists hourly within a fixed IP capacity budget.

600K IPs: firewall capacity
Hourly: refresh cycle
2: OpenCTI instances

The problem

The security team operates edge firewalls with a hard limit of roughly 600,000 blocked IP addresses. Free blocklists and manual curation could not keep pace with evolving C2 and botnet infrastructure. Analysts needed a way to prioritize which malicious IPs to block within that capacity — not just more data, but ranked, feed-ready intelligence they could automate.

Client stack

  • Two self-hosted OpenCTI instances (v6.9+)
  • STIX/TAXII 2.1 ingestion from isMalicious
  • Automated TXT blocklist export to edge firewalls
  • Hourly refresh pipeline with change detection
  • Internal SOC review queue for team-reported indicators

Solution

The team subscribed to the Enterprise Firewall Feed tier and connected both OpenCTI instances to the isMalicious TAXII collections, primarily `malicious-ips` and `c2-indicators`, using the HTTP Basic Auth scheme that OpenCTI's TAXII connector supports. Full-feed pulls omit date filters and page through each collection until the server reports `X-TAXII-Has-More` as false. Indicators reported by the SOC and approved in the internal review queue sync back to the org-scoped `org-reported-*` collections, so they sit beside the global feed data in OpenCTI. A downstream job ranks the merged IP indicators by confidence, truncates the list to the firewall's roughly 600,000-address limit, and exports it as a TXT blocklist that the edge firewalls consume on an hourly schedule, with pulls spread across the refresh window and change detection between cycles.
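The pipeline above, as an added example that is not the operator's or isMalicious's code: it pages through a TAXII collection until the server signals no more pages, extracts IPv4 indicators from STIX patterns, keeps the best-scoring entry per address, trims the ranked list to a capacity budget, and diffs it against the previous TXT blocklist so the firewall is only reloaded when something changed. The TAXII server is a constructed in-memory stand-in (`fake_fetch`, `PAGES`), the budget is shrunk to 3 so the result is visible, and the sample objects use documentation address ranges; the `more`/`next` fields and the `X-TAXII-Has-More` header are both honoured because the page names the header while TAXII 2.1 carries pagination in the body.

```python
"""Added example (not the operator's or isMalicious's code): TAXII pull, ranking,
capacity cap and change detection for a firewall TXT blocklist."""
import ipaddress
import re

# STIX pattern for a single IPv4 address, e.g. "[ipv4-addr:value = '203.0.113.5']".
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")

# Addresses a feed should never push into an edge blocklist (assumed policy).
EXCLUDED_NETS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed sample: two TAXII "pages" as (body, headers). Documentation ranges
# (TEST-NET) stand in for real malicious infrastructure.
PAGES = {
    None: ({"objects": [
        {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "confidence": 95, "modified": "2024-05-02T10:00:00.000Z"},
        {"type": "indicator", "id": "indicator--2", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "confidence": 60, "modified": "2024-05-01T09:00:00.000Z"},
        {"type": "indicator", "id": "indicator--3", "pattern": "[ipv4-addr:value = '10.0.0.9']",
         "confidence": 99, "modified": "2024-05-02T11:00:00.000Z"},  # RFC1918, must be dropped
    ], "more": True, "next": "p2"}, {"X-TAXII-Has-More": "true"}),
    "p2": ({"objects": [
        {"type": "indicator", "id": "indicator--4", "pattern": "[ipv4-addr:value = '192.0.2.44']",
         "confidence": 80, "modified": "2024-05-02T12:00:00.000Z"},
        {"type": "indicator", "id": "indicator--5", "pattern": "[domain-name:value = 'c2.example']",
         "confidence": 90, "modified": "2024-05-02T12:00:00.000Z"},  # not an IP, skipped
        {"type": "indicator", "id": "indicator--6", "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "confidence": 70, "modified": "2024-04-30T00:00:00.000Z"},  # duplicate, lower score
        {"type": "indicator", "id": "indicator--7", "pattern": "[ipv4-addr:value = '198.51.100.200']",
         "confidence": 40, "modified": "2024-05-02T12:00:00.000Z"},
    ], "more": False}, {"X-TAXII-Has-More": "false"}),
}


def fake_fetch(url, auth, next_token=None):
    """Stand-in for an HTTP GET of <collection>/objects/ with Basic Auth."""
    return PAGES[next_token]


def pull_collection(fetch, url, auth):
    """Full-feed pull: no date filter, follow pagination until the server says stop."""
    objects, token = [], None
    while True:
        body, headers = fetch(url, auth, token)
        objects.extend(body.get("objects", []))
        more = body.get("more", False) or headers.get("X-TAXII-Has-More", "").lower() == "true"
        token = body.get("next")
        if not more or token is None:  # no next token: stop rather than loop forever
            return objects


def extract_ips(objects):
    """Map each blockable IPv4 address to its best (confidence, modified) score."""
    best = {}
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        m = IPV4_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if any(ip in net for net in EXCLUDED_NETS):
            continue
        score = (obj.get("confidence", 0), obj.get("modified", ""))  # ISO-8601 sorts as text
        if ip not in best or score > best[ip]:
            best[ip] = score
    return best


def prioritize(best, budget):
    """Highest confidence first, then most recently modified, trimmed to the cap."""
    ranked = sorted(best.items(), key=lambda kv: (kv[1][0], kv[1][1], kv[0]), reverse=True)
    return [str(ip) for ip, _ in ranked[:budget]]


def plan_update(new_list, previous):
    """Change detection: what the firewall must add and remove versus the last cycle."""
    new_set, old_set = set(new_list), set(previous)
    return sorted(new_set - old_set), sorted(old_set - new_set)


def refresh(fetch, url, auth, budget, previous):
    """One refresh cycle: returns (blocklist, added, removed)."""
    objects = pull_collection(fetch, url, auth)
    blocklist = prioritize(extract_ips(objects), budget)
    added, removed = plan_update(blocklist, previous)
    return blocklist, added, removed


def render_txt(blocklist):
    """One address per line, the format the firewalls pull (assumed)."""
    return "".join(ip + "\n" for ip in blocklist)


if __name__ == "__main__":
    prev = ["203.0.113.5", "198.51.100.200"]
    bl, add, rm = refresh(fake_fetch, "https://taxii.example/collections/malicious-ips/objects/",
                          ("user", "pass"), budget=3, previous=prev)
    print(render_txt(bl), "added:", add, "removed:", rm)
```

With the production budget of 600,000 and a real `requests.get(url, auth=auth, params={"next": next_token}, headers={"Accept": "application/taxii+json;version=2.1"})` in place of `fake_fetch`, the only thing that changes is the fetch function; the ranking, cap and diff stay the same, and an empty `added`/`removed` pair is the signal to skip the firewall reload for that hour.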

Impact

  • Replaced manual blocklist curation with automated hourly refresh
  • Prioritized high-confidence malicious IPs within fixed firewall capacity
  • Unified team-approved indicators with global feed data in OpenCTI
  • POC evaluation converted to production without reprovisioning

Timeline

Evaluation ran on a dedicated organization tenant, the TAXII connector settings were validated there, and production cutover followed within the first billing period after signature.

Investment

Enterprise Firewall Feed tier — from $400/month

What's next

Expand collection coverage to ransomware and phishing indicators, tune OpenCTI `TAXII2_URL_QUERY_LIMIT`, and add on-demand enrichment via the OpenCTI connector for analyst-driven investigations.

Customer names and identifying details are anonymized. Metrics represent documented outcomes from the engagement; your results may vary based on stack, tuning, and threat landscape.

Build a similar pipeline

Start with a free threat report, explore STIX/TAXII feeds, or talk to sales about Enterprise firewall feed tiers.