ELLIO expands with 10 new recon and scanner IP feeds

ELLIO Threat Intelligence & Blocklist Automation has been updated with 10 new scanner and recon IP address feeds. This improves detection and control of scanning activity at the network perimeter, enabling more accurate allow and block rules without manual IP range management.

ELLIO RECON IP Lists dashboard showing scanner IP counts from various security tools including Censys (600,784), Cortex Xpanse (4,611), BinaryEdge (2,279), and others with trend visualizations

Expanded coverage of internet-wide scanning infrastructure

10 additional scanner/recon IP address feeds have been added to ELLIO Blocklist Automation. This update expands coverage of known internet-wide scanning infrastructure, improving classification of reconnaissance traffic and strengthening perimeter policy enforcement. All IP feeds are continuously curated and automatically updated.

All Recon & Scanner IP feeds available in ELLIO (May 6, 2026):

BufferOver Scanner IPs (new)
Internet Census Scanner IPs (new)
InternetTL Scanner IPs (new)
LeakIX Scanner IPs (new)
NetScout Scanner IPs (new)
Nokia Deepfield Scanner IPs (new)
Rapid7 Scanner IPs (new)
Shadowserver Scanner IPs (new)
Stretchoid Scanner IPs (new)
Censys Scanner IPs
Palo Alto Cortex Xpanse scanner IPs
Shodan Scanner IPs
BinaryEdge Scanner IPs
Driffnet Scanner IPs

Not all scanners are bad

Not all scanning activity is malicious. Many scanners are operated by security vendors, research organizations, and internet measurement projects to identify exposed assets and improve overall ecosystem visibility.

The challenge is not blocking scanning entirely, but distinguishing between expected, legitimate scanning and activity that indicates reconnaissance, abuse, or pre-attack enumeration. Effective perimeter policy requires this context to avoid over-blocking and maintain normal service availability.

ELLIO Blocklist Automation for precise control of scanning and recon traffic

ELLIO Blocklist Automation provides continuously updated IP threat intelligence focused on known and active scanning and reconnaissance activity, which can be directly applied to perimeter allow/deny decisions. It enables both broad and granular filtering of scanner traffic, allowing teams to explicitly block, allow, or segment known reconnaissance sources based on policy requirements.

This improves detection accuracy for reconnaissance activity while reducing manual rule maintenance and operational overhead, lowering false positives, and minimizing configuration drift across firewall and detection systems.

Get started

Access the ELLIO Platform to review the new threat intelligence feeds and integrate them directly into your firewall and detection workflows.

About ELLIO

ELLIO is a research-driven cybersecurity lab with a strong focus on mass exploitation and reconnaissance activity. ELLIO delivers IP-based threat intelligence, network fingerprints, and highly dynamic feeds for event prioritization and data enrichment across existing SIEM, SOAR, and other security tools. Beyond intelligence, ELLIO provides ultimate IP blocking for next-gen firewalls, a platform for centrally managing all multi-vendor blocklists and whitelists, and additional services such as network masking against scanners and eBPF-based filters that combine IP intelligence with modern network fingerprints to protect against active malicious and overly curious (promiscuous) traffic.

Enter the ELLIO Threat Platform and see mass exploitation and reconnaissance activity as they happen: https://platform.ellio.tech

Written by

ELLIO Product Team

A team of product specialists and innovative engineers building solutions that turn ELLIO’s research and intelligence on mass exploitation and network reconnaissance into real-world tools.