A CTAC Seat - Virtual Access To All Our Cyber Intelligence Data Sets!

A Cyber Threat Analysis Center (CTAC) seat includes our OpenSearch Dashboards, which allow you to work with our data and/or bring in your own. OpenSearch Dashboards offer an open REST API for integration with as many other systems as needed. These tools have a low learning curve and a large user base.

CTAC single-user license (OpenSearch Dashboards) includes all historical data and all nine (9) data sets.

CTAC is offered as a proprietary service. For a demo, pricing, and options, please contact Jim McKee at jmckee@redskyaliance.com

  • There are 9 cybersecurity datasets available. Discover the data you need and understand it at a glance. Follow keyloggers and malicious emails. With a CTAC seat you can query within and across all datasets.

  • Description
    Botnets are often used to steal data, conduct distributed denial of service (DDoS) attacks, send malicious emails, or simply proxy malicious internet traffic. If an IP address is found in the botnet tracker, it was seen communicating with a malicious endpoint. This does not automatically indicate a malware infection, as there are several reasons why two IP addresses might communicate, but it typically indicates suspicious or malicious activity. Additionally, publicly accessible web proxies (designated as proxy_ip in our collection) are often used by attackers and state-sponsored actors, such as Chinese, Russian, Iranian and North Korean groups, to anonymously probe a target network prior to an attack or to perform credential stuffing attacks.

    This data can be used for any/all sector prevention and investigations including critical infrastructure and key resources.

    Data can be sourced by:

    botnet data:

    historical data (2018-Jan 2020):

    Victim IP




    postal code

    Geo coordinates

    Malware attribution

    C2 IP or domain

    recent data (Jan. 2020-now):

    arbitrary CIDR block

    Botnet Use Cases

    1.) Identify IPs that are communicating with botnets

    2.) Identify IPs that are hosting open web proxies

    3.) Add suspicious IPs to your network defense block lists to reduce the risk of credential stuffing attacks and network probes

    Monthly $8,000.00
    Annual $88,000.00

  • Description
    The Data Breach Research set comprises information obtained from both private sources and public database leaks. The leaked databases can contain a range of exposed information, ranging from email addresses to username and password combinations, as well as other personally identifiable details.

    The dataset consists of indexed raw breach data, making it convenient to identify the type of exposed data. It can be analyzed using commercially available applications. This dataset allows for searches on various identifiable domains, including, but not limited to, those in Russia, China, Iran, North Korea, Africa, and Southeast Asia. We have been gathering data from these locations since 2012.

    It is crucial to recognize that some investigators wrongly perceive the disclosure of "old" or historical passwords as low risk. Attackers often use old passwords to seed brute-force attempts and to predict current passwords, since users tend to reuse a password or make only small variations to it. Old passwords can also be quoted in fraud and phishing messages to build trust with the victim.

    The versatility of this dataset allows it to be beneficial for investigations, as well as for both defensive and offensive research for any interested party. It can be employed across all industry segments for investigation purposes, including critical infrastructure, government defense industrial base cleared contractors, and all commercial segments in any country.

    Data can be sourced by:

    breach data:

    Account username

    domain, if included in the account username

    Breach Use Cases

    1.) Search for leaked account credentials for your organization.

    2.) Identify partners that have leaked account credentials.

    3.) Penetration testing.

    Monthly $6,000.00
    Annual $66,000.00

  • Description
    This data set includes keylogger indicators that reveal keylogger activity affecting a government agency or a cleared contractor. Each indicator is a compromised domain or IP address appearing in keylogger output files. This could mean one of the following:

    1.) Keylogger malware is running on a network.

    2.) A username and password belonging to an employee was captured by a keylogger.

    3.) An email address was observed in clipboard data on an infected computer.

    For example, a user infected with keylogger malware copied and pasted an email address belonging to an organization. The raw source data can be investigated to determine the best course of action.

    This data set can be used for any government or private sector prevention or investigation effort, providing information on criminal intrusions.

    Data can be sourced by:

    keylogger data:

    victim source ip




    postal code

    geo coordinates

    whois data

    account username

    URL of service for keylogged credentials

    keylogger malware

    Keylogger Action Items

    1.) Identify credentials that have been exposed via a keylogger infection

    2.) Identify computers that have been infected with a keylogger

    Monthly $6,000.00
    Annual $66,000.00

  • Description
    This dataset contains a collection, built over more than ten (10) years, of indicators such as IP addresses or domains extracted from the headers of emails containing known malicious attachments. These records include the malware detected and the number of detections, geolocation information where applicable, the sending and receiving domains, and subject lines.

    These indicators are a valuable source for monitoring current trends in malicious email campaigns. They can also be used to proactively protect a network from malware intrusion, and to build better, currently relevant phishing training for government and cleared contractor employees.

    Data can be sourced by:

    Malicious email data:

    email subject line

    sender field (full name + email address)

    sender email address

    sender domain




    postal code

    geo coordinates

    sending domain




    postal code

    geo coordinates

    cc domain (derived from carbon-copied email addresses)




    postal code

    geo coordinates

    return path email address

    sending IP




    postal code

    geo coordinates

    recipient email address

    receiving domain




    postal code

    geo coordinates

    receiving ip




    postal code

    geo coordinates

    to domain




    postal code

    geo coordinates

    Malicious Emails Use Cases

    1.) Identify organizations that are being targeted for malware delivered via an infected email attachment.

    2.) Identify organizations that are being impersonated via the Sender field or in an email subject line to lure potential victims to open malware-infected email attachments.

    3.) Identify and block connections from IPs that are used to originate malware-infected emails.

    4.) Educate users on observed email subject lines that are being used to deliver emails with malware-infected attachments.

    5.) Perform trending analysis of malware-infected emails.

    6.) Add email addresses that are sending out malware-infected emails to your network defense block lists.

    Monthly $6,000.00
    Annual $66,000.00
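    As an added example (not the page's or Red Sky Alliance's code), the following Python script pulls the header fields this data set is keyed on (subject, sender, sender domain, return path, sending and receiving IP, to/cc domains, attachment names) out of a raw message using only the standard library. The message it parses is constructed, and the addresses and IPs in it are documentation ranges, not real indicators.

```python
"""Extract the indicator fields this data set lists (subject, sender, sender
domain, return path, sending IP, receiving IP, recipient/to domains, cc domains,
attachment names) from a raw RFC 5322 message. Added example; not Red Sky
Alliance's collection code. SAMPLE_MESSAGE is a constructed message."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Constructed sample: an inbound message with an executable attachment.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
\tby inbound.target.example ([198.51.100.5]) with ESMTP id 7Kx;
\tMon, 1 Jan 2024 10:00:00 +0000
Received: from relay.example.net (relay.example.net [192.0.2.25])
\tby mx1.example.org with ESMTP id 9Zq; Mon, 1 Jan 2024 09:59:58 +0000
From: "Accounts Payable" <ap@invoices.example.com>
To: finance@target.example
Cc: cfo@target.example, audit@partner.example
Subject: Overdue invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

MZ...
--b1--
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "from host (host [ip])" and "by host ([ip])" clauses of a Received header
RECEIVED_FROM = re.compile(r"\bfrom\s+\S+\s*\([^)]*?\[?" + IP + r"\]?[^)]*\)", re.I)
RECEIVED_BY = re.compile(r"\bby\s+\S+\s*\([^)]*?\[?" + IP + r"\]?[^)]*\)", re.I)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def unique(items):
    seen, out = set(), []
    for x in items:
        if x and x not in seen:
            seen.add(x)
            out.append(x)
    return out


def parse_indicators(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = [re.sub(r"\s+", " ", str(h)) for h in msg.get_all("Received", [])]
    # Only the topmost Received header was written by our own MTA; the ones
    # below it were supplied by the sender and can be forged, so the sending IP
    # is taken from the first header only.
    sending_ip = receiving_ip = ""
    if received:
        m = RECEIVED_FROM.search(received[0])
        sending_ip = m.group(1) if m else ""
        m = RECEIVED_BY.search(received[0])
        receiving_ip = m.group(1) if m else ""
    sender_name, sender_email = parseaddr(str(msg.get("From", "")))
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    to_addrs = [a for _, a in getaddresses([str(h) for h in msg.get_all("To", [])])]
    cc_addrs = [a for _, a in getaddresses([str(h) for h in msg.get_all("Cc", [])])]
    return {
        "subject": str(msg.get("Subject", "")),
        "sender_name": sender_name,
        "sender_email": sender_email.lower(),
        "sender_domain": domain_of(sender_email),
        "return_path": return_path.lower(),
        "sending_ip": sending_ip,
        "receiving_ip": receiving_ip,
        "recipients": [a.lower() for a in to_addrs],
        "to_domains": unique(domain_of(a) for a in to_addrs),
        "cc_domains": unique(domain_of(a) for a in cc_addrs),
        "attachments": [p.get_filename() for p in msg.iter_attachments() if p.get_filename()],
        # Envelope sender (Return-Path) domain differing from the From domain is
        # a common sign of impersonation (use case 2 above).
        "sender_mismatch": domain_of(return_path) != domain_of(sender_email),
    }


if __name__ == "__main__":
    for k, v in parse_indicators(SAMPLE_MESSAGE).items():
        print(f"{k:16} {v}")
```

    The sending IP is deliberately read from the topmost Received header only: that hop was recorded by the receiving organization's own mail server, while lower Received lines travel with the message and can be fabricated by the sender.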

  • Description
    This data set provides sinkhole indicators. Sinkholing is a technique for manipulating data flow in a network, redirecting traffic from its intended destination to a server of your choosing. It can be used maliciously to steer legitimate traffic away from its intended recipient, but security professionals more commonly use sinkholing as a tool to research and react to attacks. A sinkhole "hit" (indicator) means an IP was observed in the web logs of our proprietary sinkhole server. Similar to our botnet tracker data, a sinkhole indicator shows that communication to a malicious domain was observed; the nature of that communication needs to be examined in our raw sinkhole record. If the sinkhole indicator is the result of a malware infection, the information should be referred to incident responders.

    Sinkhole data can be used for any industry segment and government investigation, including all commercial segments, the sixteen (16) Critical Infrastructure/Key Resource (CI/KR) sectors, and any country’s Defense Industrial Base sector and cleared commercial segments.

    Data can be sourced by:

    sinkhole data:

    source IP (IP connecting to our sinkhole; indicator field)


    whois data




    postal code

    geo coordinates

    malware attribution

    Sinkhole Data Use Cases

    1.) Identify IP addresses that are attempting to communicate with domains that are known to have been associated with malware command and control infrastructure.

    2.) Add suspicious IPs to your network defense block lists.

    3.) Perform trending analysis of malware activity.

    Monthly $6,000.00
    Annual $66,000.00

  • Description
    The Identified Phishing Domain data set contains intelligence regarding phishing activity associated with a company. This service includes primary, open-source indicators from dozens of sources. Each indicator from this collection should be analyzed individually, as each source has a different context. Phishing attacks account for more than 80% of reported security incidents. Reputational damage aside, $17,700 is lost every minute due to phishing attacks.

    This data can be used for any/all government or cleared industry segment assessment or investigation including all sector critical infrastructure, Defense Industrial Base Sector and all commercial segments.

    Data can be sourced by:

    phishing data:

    suspicious or malicious IP addresses:




    postal code

    geo coordinates

    Phishing Data Use Cases

    1.) Add malicious phishing IP and domains to your organization’s firewall, web proxy, IDS, or IPS block list.

    Monthly $6,000.00
    Annual $66,000.00

  • Description
    The data product at hand is a compilation of exposed sensitive secrets retrieved from popular source code hosting services such as GitHub, GitLab, and Bitbucket. The dataset captures authentication keys, usernames, passwords, API keys, and other credentials unintentionally revealed through improperly configured, publicly readable repositories. Geopolitically, this information is invaluable, as it provides insights into potential vulnerabilities that, if exploited, can jeopardize the security apparatus of nations.

    The negligent exposure of such sensitive information suggests potential oversights in the development and security practices of government contractors and companies. Such breaches can open avenues for cyber espionage, interference in electoral processes, manipulation of infrastructure, and the theft of national secrets. From a socio-political perspective, it highlights the need for stringent cyber hygiene practices to protect the integrity of digital systems and databases. In essence, this data product is paramount for understanding national vulnerabilities in the cyber domain.

    Data can be sourced by:

    Source code secret data:

    repository site: github.com, gitlab.com, bitbucket.org

    repository account name

    repository name

    Source Code Use Cases

    1.) Discover if an organization has sensitive information posted in publicly readable source code repositories.

    2.) Search for sensitive information that can be used by attackers to breach networks, embed malicious code into software repositories, or cause software outages.

    Monthly $8,000.00
    Annual $88,000.00
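    As an added example of how use case 1 is typically approached on your own repositories before an outside collection finds the secret (this is not Red Sky Alliance's collection code), the Python scanner below combines fixed patterns for well-known key formats, a generic "name = value" rule, and a Shannon-entropy check for random-looking tokens that no pattern knows about. The pattern list is an illustrative subset, the scanned file is constructed, and the AWS values in it are Amazon's published placeholder examples, not live credentials.

```python
"""Scan text pulled from a public repository for exposed secrets: fixed
patterns for well-known key formats, a generic "name = value" rule, and a
Shannon-entropy check for random-looking tokens no pattern knows about.
Added example; not Red Sky Alliance's collection method. The patterns are an
illustrative subset, and SAMPLE_FILE is a constructed config file."""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]?([^\s'"]{8,})"""),
}
# Candidate tokens for the entropy check: long runs of base64/hex-style characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; random base64 sits around 5-6

SAMPLE_FILE = """\
# config.py pushed to a public repo (constructed sample)
DB_HOST = "db.internal.example"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = "Summer2024!"
DEBUG = True
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Never re-leak the secret in a report: keep only the edges."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_text(text: str):
    """Return one finding per detection: {"line", "type", "match"[, "entropy"]}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []                       # spans already explained by a pattern
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({"line": lineno, "type": name, "match": value})
                covered.append(m.span())
        for m in TOKEN.finditer(line):
            if any(a <= m.start() < b for a, b in covered):
                continue                   # already reported by a specific pattern
            h = shannon_entropy(m.group(0))
            if h >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "type": "high_entropy_string",
                                 "match": m.group(0), "entropy": round(h, 2)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f'line {f["line"]:>2}  {f["type"]:<20} {redact(f["match"])}')
```

    Note what each rule catches in the sample: the access key ID is matched by its fixed prefix, the secret key (which has no recognisable prefix) only by its entropy, and the password only by the generic assignment rule. Run such a scan over commit history as well as the working tree, since a secret removed in a later commit is still retrievable from the repository.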

  • Description
    The proprietary dataset offers a deep dive into the shadowy corners of the Tor network, encapsulating marketplaces, forums, and blogs linked with ransomware activities. It is an expansive repository of information chronicling the actions, discussions, and exchanges of threat actors on the Dark Web. Specifically, the data product spans domains such as cyber threats, illicit online trade, and the overall clandestine ecosystem of the dark web. From a national security standpoint, insights drawn from this dataset can unveil key patterns in cyber threats, potential vulnerabilities across industries, and prevailing strategies of malicious actors.

    The geopolitical implications of this dataset are significant. The insights offer visibility into the evolving tactics of cyber adversaries who potentially target critical US assets. Recognizing these trends early can bolster defense mechanisms, mitigating potential economic and infrastructure disruptions. Furthermore, the socio-political undercurrents highlighted by the dataset can guide the formulation of strategic responses to counteract the proliferation of illicit online trade, thereby safeguarding national security.

    Data can be sourced by:

    Dark Web data:

    tor site name

    post author

    free text search of post content

    dark web ransomware

    ransomware site name

    victim domain

    victim name

    free text search of post content

    dark web marketplace

    marketplace name

    item vendor name

    item category

    free text search of item description

    Dark Web Use Cases

    1.) Discover if particular organizations have been subjected to or targeted for a ransomware attack.

    2.) Search whether your data or other organizations’ data is for sale on the dark web. What type of data, and at what price point?

    3.) Search for access to your organization or any other organization to see if access is for sale.

    4.) Track vendor activity across multiple dark marketplaces.

    5.) Discover user credentials leaked on dark web sites (credentials found here are not included in our breach data collection).

    Monthly $4,000.00
    Annual $44,000.00

  • Description
    This data set includes various sources such as paste websites, forums, and other sites where malicious activity may take place. Is one of your employee email addresses listed in an Anonymous targeting operation? Is someone running vulnerability scans against your networks and posting the results publicly? Find out by searching through the REDXRAY OSINT collection.

    Data can be sourced by:

    Pastebin data:


    Paste Storage Sites Use Cases

    1.) Discover if an organization has sensitive information posted publicly on temporary online locations such as paste sites.

    2.) Search for sensitive information that can be used by attackers to breach networks or cause software outages.

    3.) Has the privacy of your stored code been changed so it is open to all users?

    4.) Locate and remove forgotten old code that is still publicly available and could be dangerous in the hands of cyber threat actors.



  • CTAC single user license (OpenSearch Dashboards) 10,000 searches/queries a day.

  • API only/raw data feed, 10,000 queries per day, with a max of 10,000 results (over 10,000 results can be obtained using additional paginated queries).

  • OpenSearch dashboard and analytics platform using our full data sets.

  • Customers can craft their own custom OpenSearch/Elasticsearch-style queries (querying multiple data sets at once) across the full 10+ years of our historical data.
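As an added example of working with the 10,000-result cap mentioned above (not Red Sky Alliance client code), the Python below builds an OpenSearch query DSL request across several indices and pages through it with sort plus search_after, which is how OpenSearch and Elasticsearch let a client go beyond the default index.max_result_window of 10,000 that from/size paging runs into. The index names (botnet, sinkhole), field names (victim_ip, @timestamp, event_id) and the endpoint are assumptions, not the real CTAC schema; the server is a small offline fake so the script runs without an account.

```python
"""Paginate past the 10,000-result window of an OpenSearch/Elasticsearch-style
_search endpoint with sort + search_after, querying several indices in one call.
Added example; not Red Sky Alliance client code. Index names, field names and
the endpoint are assumptions. The transport is injected so it runs offline."""
import ipaddress
import json

INDICES = ["botnet", "sinkhole"]          # assumed index names
PAGE_SIZE = 1000


def build_query(cidr: str, page_size: int = PAGE_SIZE) -> dict:
    return {
        "size": page_size,
        # A 'term' on an ip-typed field accepts CIDR notation (e.g. "203.0.113.0/24").
        "query": {"term": {"victim_ip": cidr}},
        # search_after needs a total order: time field plus a unique tiebreaker
        # (event_id is an assumed keyword field) so pages never overlap or skip.
        "sort": [{"@timestamp": "asc"}, {"event_id": "asc"}],
    }


def iter_hits(search, indices, body):
    """search(path, body) -> parsed JSON response. Yields hits across all pages."""
    path = "/" + ",".join(indices) + "/_search"
    body = dict(body)
    body.pop("from", None)                 # from/size cannot go past the window
    while True:
        hits = search(path, body)["hits"]["hits"]
        yield from hits
        if len(hits) < body["size"]:       # short page: no more results
            return
        body["search_after"] = hits[-1]["sort"]  # resume after the last sort key


def fetch_all(search, indices, cidr, page_size=PAGE_SIZE):
    return [h["_source"] for h in iter_hits(search, indices, build_query(cidr, page_size))]


def deep_page_with_from(search, indices, cidr, offset, size=100):
    """The naive alternative: from=offset. Rejected once offset+size > 10,000."""
    body = dict(build_query(cidr, size), **{"from": offset})
    try:
        search("/" + ",".join(indices) + "/_search", body)
        return "ok"
    except ValueError as err:
        return str(err)


def http_search(base_url, headers):
    """Real transport: POST the body as JSON (not exercised in the offline run)."""
    import urllib.request

    def search(path, body):
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json", **headers},
                                     method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return search


class FakeOpenSearch:
    """Offline stand-in for /_search: CIDR term on victim_ip, fixed sort on
    (@timestamp, event_id), size, search_after, and the default
    index.max_result_window of 10,000 that rejects deep from/size paging."""
    MAX_RESULT_WINDOW = 10_000

    def __init__(self, docs):
        self.docs, self.calls = docs, 0

    @staticmethod
    def _key(doc):
        return (doc["_source"]["@timestamp"], doc["_source"]["event_id"])

    def search(self, path, body):
        self.calls += 1
        indices = path.strip("/").split("/")[0].split(",")
        start, size = body.get("from", 0), body.get("size", 10)
        if start + size > self.MAX_RESULT_WINDOW:
            raise ValueError("Result window is too large, from + size must be <= 10000")
        net = ipaddress.ip_network(body["query"]["term"]["victim_ip"], strict=False)
        rows = sorted((d for d in self.docs if d["_index"] in indices
                       and ipaddress.ip_address(d["_source"]["victim_ip"]) in net), key=self._key)
        if body.get("search_after"):
            after = tuple(body["search_after"])
            rows = [d for d in rows if self._key(d) > after]
        page = rows[start:start + size]
        return {"hits": {"hits": [dict(d, sort=list(self._key(d))) for d in page]}}


def make_docs(n=25):
    """Constructed sample records; five events share each timestamp so the
    event_id tiebreaker actually matters."""
    return [{"_index": "botnet" if i % 2 else "sinkhole", "_id": str(i),
             "_source": {"@timestamp": f"2024-01-01T00:{i // 5:02d}:00Z", "event_id": f"e{i:04d}",
                         "victim_ip": f"203.0.113.{i}", "c2": "c2.example.net"}}
            for i in range(n)]


if __name__ == "__main__":
    srv = FakeOpenSearch(make_docs())
    rows = fetch_all(srv.search, INDICES, "203.0.113.0/24", page_size=10)
    print(len(rows), "hits in", srv.calls, "requests")
    print(deep_page_with_from(srv.search, INDICES, "203.0.113.0/24", 10_000))
```

For a real deployment, pass `http_search("https://<your-ctac-host>", {"Authorization": "..."})` in place of the fake's `search` method; the query-building and paging code does not change. Sorting on the timestamp alone is not enough: without a unique tiebreaker, two events with the same timestamp can straddle a page boundary and one of them is silently skipped.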


  • Cost savings for a large corporation or cyber security analysis team

  • Save on analytical manpower (one analyst v. three analysts)

  • Access to indicators in minutes v. hours of manual collection

  • A full access and analytical tool/service

  • Proprietary data




Q. Can I access CTAC via an API?

A. Yes. CTAC users can access our threat intelligence from their own scripts through our REST API. Almost any function that is available in the user interface (GUI) is available through the Red Sky Alliance CTAC API as well.

Q. What is the difference between Red Sky Alliance and a threat intelligence feed?

A. Red Sky Alliance collects data from numerous high-value sources and has access to unique data which, in some cases, cannot be found elsewhere. We collect and aggregate data from numerous public/private feeds and store them in a central database so analysts can access intelligence from Red Sky Alliance and numerous other threat feeds from a single CTAC dashboard.

Q. What is an indicator of compromise?

A. An indicator of compromise (IoC) is an artifact indicating malicious activity on a network or host device. Indicators can range from IP addresses and domains to email addresses and more. Users can search through CTAC for IP addresses, domains, and keywords to find specific cyber threats. Users can also use IoCs found in CTAC to create block lists and protect their networks from future attacks.

Q. Which platforms make Red Sky Alliance intelligence available?

A. Red Sky Alliance intelligence is accessible through the CTAC platform, but our data is also available in other platforms such as Anomali Threat Stream and Snowflake. Users looking to integrate their own log data with CTAC threat intelligence for correlation analysis can also use the Elysium Analytics platform to enhance current security operations.

Q. Why do I need threat intelligence?

A. Threat intelligence is a critical piece of any good cybersecurity policy. Threat intelligence often indicates malicious activity long before it shows up on an internal system such as an intrusion prevention system (IPS) or SIEM (Security Information and Event Management). Internal monitoring is very important, but it is equally important to look at threats outside the company network (“beyond the gateway”) that may lead to significant attacks or damage in the future.