Data Model


Companies and users

Account Features

  • The list of features available vary from a company account to the next. The list of features is managed by the entity that provisioned the company, i.e. ThreatSTOP or one of its partners.


The ThreatSTOP platform provides the ability to assign policies to devices. The policy is loaded on the device when it blocks connections from and to malicious IP addresses, or prevent DNS lookups of malicious DNS records.


  • Devices identify the device in the customer’s network that is enforcing the policy. It can be one of the Firewalls, Routers, DNS Servers or Desktop/Laptop supported by ThreatSTOP.

  • Devices have one of three available types:

    • IP Defense: devices able to block traffic based on source or destination IP addresses
    • DNS Defense: DNS servers
    • Roaming Defense: Desktops and laptops
  • Devices are organized into manufacturers and models.

  • Device entries are configured to identify the device (for access to the service and reporting), assign a policy. The policy type must match the device.

  • Device models that support ThreatSTOP’s Web Automation integration features can be entirely configured from the portal or using the API. The devices not compatible with Web Automation require manual configuration of the device agent.


  • Policies have a type: IP Policies can be assigned to IP devices while DNS Policies can be assigned to DNS devices or Roaming devices. DNS policies can contain both domains and IP addresses, while IP Policies only contain IP addresses and subnets.

  • ThreatSTOP provides a set of pre-defined policies, as well as the ability to create custom policies.

  • Policies include one block list and one allow list.

  • Both the block list and the allow list are built using:

    • targets: targets are the atomic building block of a policy, typically identify malicious IPs and domains based on the Threat Type associated with them. The content of targets is managed by ThreatSTOP and updated continously throughout the day.
    • bundles: bundles are groups of targets that are predefined by ThreatSTOP.
    • user-defined lists: lists of IP addresses or domains to block or whitelist, managed by the customer through the portal or API.
  • For most DNS devices, DNS Policies are implemented using the DNS RPZ filtering mechanism. ThreatSTOP’s platform provides the ability to customize the behavior of the DNS server through custom RPZ Behaviors.

Analysis and reporting


If enabled, customer devices upload log files containing log entries for the events generated while enforcing the ThreatSTOP Policy.

Logs are matched against ThreatSTOP’s Threat Intelligence database to identify which IOCs and targets are associated with the event.

Note: The API doesn’t provide access to log data upload or log data retrieval services, but allows checking on the status of logs uploaded by the device. Access to reporting services using the API is restricted; please check with your sales representative if you are interested in them.


CheckIOC is ThreatSTOP’s application to retrieve information about an IP address or domain name - which targets currently contain the IOC, or contained it in the past, as well as metadata.

SIEM Integration

The API allows configuring ThreatSTOP’s SIEM integration features, such as Threatlist and STIX/TAXII.