Beyond the known
Our team works tirelessly to enable you to stay ahead of emerging cyber threats with cutting-edge tools and intelligence.
What is TLP:Black?
TLP (Traffic Light Protocol) is used in cybersecurity to control information sharing. Color codes show how widely the information can be distributed.

TLP:Green
Information classified as TLP:Green can be shared within the community but not publicly.

TLP:Amber
Information classified as TLP:Amber should only be shared with specific individuals within an organization and is not for public distribution.

TLP:Red
Information classified as TLP:Red is highly sensitive and should not be shared further after it is received, even within the organization.

TLP:Black
Information classified as TLP:Black has never existed. Nobody has ever heard of it, there is no TLP:Black class. Move along.
Our Team
People behind TLPBLACK
Costin Raiu
@craiu
Costin Raiu is a cyber paleontologist and researcher specializing in advanced persistent threats and high-level malware attacks, with over 30 years of experience in infosec.
He shaped and led the legendary Global Research & Analysis Team (GReAT), which investigated threats like Stuxnet, Flame, Equation Group, Turla, and Lazarus.
Outside of work, he enjoys chess, photography, science fiction, and holds a black belt in Taekwondo.
Kurt Baumgartner
@k_sec
Kurt Baumgartner is a veteran APT researcher with over 20 years of experience. As a Principal Security Researcher in the USA GReAT for nearly 15 years, he authored multiple studies on threats such as RedOctober, BlackEnergy, Darkhotel, Sofacy, Naikon, and Turla.
He was the first employee at ThreatFire, contributed to SonicWall's security services team, and was awarded a patent for host-based behavioral analysis.
Dan Demeter
@_xdanx
Dan Demeter is a security researcher with over a decade of experience in engineering systems tailored for threat intelligence analysts.
Previously at GReAT, he developed APT Intelligence Reporting, Data Feeds, and a distributed malware collection scanner. A frequent speaker at global conferences, he is passionate about advanced OPSEC, information influence operations, honeypots, and networking.
Outside of cybersecurity, he is a fan of board games and snowboarding.
Advisory Board
Our wisdom and guidance come from the best in the field
Juan Andrés Guerrero-Saade
@juanandres_gs
Juan Andrés Guerrero-Saade is Senior Technical Fellow (Research & Innovation) at SentinelOne and an Adjunct Professor at Johns Hopkins SAIS Alperovitch Institute. 'JAGS' was Chronicle Security's Research Tsar, co-founder of Stairwell, Principal Security Researcher at GReAT, and worked as a Senior Security Advisor to the Government of Ecuador. His joint work on Moonlight Maze is now featured in the International Spy Museum's permanent exhibit in Washington, DC.
Ryan Naraine
@ryanaraine
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Vitaly Kamluk
@vkamluk
Vitaly Kamluk spent 20+ years in infosec and is the founder of TitanHex in Singapore. He previously served as Director of the APAC GReAT, worked as a cybersecurity expert at INTERPOL, authored the open-source forensic toolkit Bitscout, and holds a patent for a malware similarity search algorithm. A frequent speaker, coach, and review board member at major infosec events, he is passionate about malware analysis, forensics, cryptography, privacy, and hardware hacking.
Marco Preuss
@marco_preuss
Marco Preuß is a cybersecurity strategist with more than two decades of experience in infosec. He spent 18+ years in the antimalware industry, rising to Director of the European GReAT.
Marco’s interests lie in the study of Darknet ecosystems, password vulnerabilities, IoT security, and OSINT, as well as in deploying honeypots to track and analyze cybercrime.
Solutions
Our platform provides a comprehensive suite of tools for cybersecurity research, response, and proactive hunting.
Passive DNS
Our comprehensive Passive DNS database provides historical and carefully tagged records for threat intelligence. Our competitive advantage is the focus on malicious domains and networks, ensuring our data is relevant and actionable.
app.tlpblack.net
Indicators of Compromise
Access a rich database of network indicators of compromise. Ingest into your SIEM or SOAR for proactive threat detection and response.
YARA Quality Lab
Develop, test, and refine your YARA rules in a secure virtual lab environment with access to a wide range of malware samples. Boost your threat detection capabilities.
bad.yara
import "hash"

rule bad_rule
{
    condition:
        hash.md5(0, filesize) == "deadbeefdeadbeefdeadbeefdeadbeef" or
        hash.md5(0, filesize) == "00c0ffeec0ffeec0ffeec0ffeec0ffee" or
        hash.md5(0, filesize) == "3af647e56fa15e3ef2894856e9a4c58e"
}

good.yara
rule unk_liblzma_ed448key
{
    meta:
        description = "liblzma backdoor, attacker ed448 public key"
        hash = "cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537"
        ...
    strings:
        $a1 = { 0a 31 fd 3b 2f 1f c6 92 92 68 32 52 c8 c1 ac 28 34 d1 f2 c9 75 c4 76 5e b1 f6 88 58 88 93 3e 48 }
        ...
    condition:
        (uint32be(0) == 0x7F454C46) and
        (filesize < 5MB) and
        (any of them)
}
Feeds
Bring our threat intelligence to your security systems and workflows.
Network IOCs
An automatically generated feed of the latest network indicators of compromise (IOCs), consisting of tagged malicious IPs and domains. Easily ingest into your SIEM, SOAR, or threat intelligence platform for enhanced detection and response.

IP Range Reputation
A curated IP range reputation feed, providing insights into the trustworthiness of IP blocks. Integrate this data into your security systems to enhance threat detection and risk assessment.

YARA Rules
Our in-house developed YARA rules for threat detection. Created by expert researchers to identify and classify malware effectively, tested against a wide range of samples and clean files for false positive minimization.
TLPBLACK.yara
Facts & Figures
We take pride in the technology we create and the infrastructure we support.
Trainings
Enhance your skills with our expert-led cybersecurity trainings.
Malware Analysis
In this course, you'll explore both dynamic and static approaches to dissecting malware, and learn the tools and platforms used for deep malware inspection. At the core of the training we have placed reverse-engineering, which is essential for a thorough understanding of malicious intent and various conditions.
Course duration: 2-4 days
Technical Level: ●●●●●
Minimum Audience: 10 pax
YARA Threat Hunting
Learn to write effective YARA rules for threat hunting. This training covers YARA syntax, best practices, and advanced techniques for creating robust rules to identify and classify malware.
Course duration: 2 days
Technical Level: ●●●○○
Minimum Audience: 10 pax
iOS Forensics
This course focuses on the challenge of examining Apple's proprietary iOS ecosystem, a common target for sophisticated, high-stakes cyberattacks. You'll learn foundational iOS security principles, the practical constraints forensic investigators face, and the step-by-step methods and tools for extracting data in fully authorized forensic engagements.
Course duration: 2 days
Technical Level: ●●●○○
Minimum Audience: 10 pax
OPSEC for High-Risk Targets
This is a comprehensive hands-on training tailored for VIP clients, targeted individuals and government personnel operating in high-risk environments. Participants will learn about enhanced cybersecurity protocols of various complexity levels, from fundamental safeguards to advanced protection strategies. The curriculum develops thorough security awareness and implementable countermeasures across digital infrastructure, physical environments, and behavioral domains - including defense against psychological operations (PsyOps) campaigns.
Course duration: 2 days
Technical Level: ●●●○○
Minimum Audience: 10 pax
Remote Forensics
In this segment, you'll get hands-on with our state-of-the-art remote digital forensics platform—already deployed across countless law-enforcement cases and private-sector threat-intelligence projects. Engineered for lightning-fast performance and rich functionality by hundreds of open-source cyberforensics contributors, this free toolkit still requires expert mentorship to unlock its full potential. Who better to guide you than the very developers behind it?
Course duration: 2-4 days
Technical Level: ●●●●●
Minimum Audience: 10 pax
Services
Our expert services to support your cybersecurity needs.
Dark Markets Monitoring
We process hundreds of gigabytes of new compromised credentials available on the underground markets and help you identify those which are linked to your organization.
Investigation Support
Our expert analysts provide comprehensive support for cyberattack investigations, including malware analysis, threat actor attribution, and incident response guidance.
Strategic Advisory
We offer high-level advisory and consulting services to help organizations develop and implement effective cybersecurity strategies tailored to their unique needs and risk profiles.
Our Mission
To redefine threat intelligence for the next generation — where machines accelerate discovery and humans guarantee quality.
Ready to try something new?
Get started with our platform today and get access to the TLPBLACK information.