{
  "$schema": "https://rayvelabs.com/api-registry/schema.json",
  "name": "RayveLabs API Registry",
  "description": "Curated catalog of free, public cybersecurity data files for academic research and teaching.",
  "version": "1.1",
  "updated": "2026-06-03",
  "maintainer": "Rayve Malhotra · rayvemalhotra@gmail.com",
  "license_of_registry": "CC BY 4.0",
  "categories": [
    {
      "id": "vuln",
      "name": "Vulnerability Catalogues",
      "summary": "Authoritative CVE feeds, exploited-vulnerability lists, exploit-likelihood scores, and ecosystem advisory databases."
    },
    {
      "id": "mitre",
      "name": "MITRE Frameworks",
      "summary": "ATT&CK adversary behaviour, CAPEC attack patterns, CWE weakness taxonomy, and D3FEND defensive countermeasures."
    },
    {
      "id": "ti",
      "name": "Threat Intelligence (abuse.ch & friends)",
      "summary": "URLs, IPs, file hashes, and C2 infrastructure tied to active malware, phishing, and botnet campaigns."
    },
    {
      "id": "blocklist",
      "name": "Blocklists & Reputation Lists",
      "summary": "Address ranges and host indicators flagged for abuse, spam, anonymisation, or phishing."
    },
    {
      "id": "honeypot",
      "name": "Honeypot & Sensor Telemetry",
      "summary": "Real-world attack telemetry collected by distributed honeypots and ISP-scale sensors."
    },
    {
      "id": "breach",
      "name": "Breach & Credential Data",
      "summary": "Verified breach catalogues and k-anonymised password leak lookups."
    },
    {
      "id": "compliance",
      "name": "Compliance & Control Catalogues",
      "summary": "Government and industry control frameworks in machine-readable form."
    },
    {
      "id": "research",
      "name": "Research Datasets (replayable PCAP/CSV)",
      "summary": "Pre-captured attack datasets published for academic reproducibility."
    }
  ],
  "entries": [
    {
      "id": "cisa-kev",
      "category": "vuln",
      "title": "CISA Known Exploited Vulnerabilities",
      "publisher": "Cybersecurity and Infrastructure Security Agency (U.S.)",
      "filename": "known_exploited_vulnerabilities.json",
      "url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
      "format": "JSON",
      "size_est": "~3 MB",
      "cadence": "Daily",
      "auth": "none",
      "license": "U.S. Government work — public domain",
      "description": "Every CVE that CISA has confirmed exploited in the wild. Each record includes vendor, product, vulnerability name, ransomware-use flag, and the federal patch-by-date.",
      "schema_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities_schema.json",
      "curl": "curl -O https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
      "citation": "CISA. Known Exploited Vulnerabilities Catalog. Retrieved {DATE} from https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
      "why_it_matters": "Vulnerabilities in this catalog aren't theoretical — CISA has confirmed they are being actively exploited in the wild. The U.S. government mandates federal agencies patch them within a defined window, making it the closest thing to an emergency list in cybersecurity.",
      "use_it_for": "Lab exercises on vulnerability prioritization (compare CVSS score vs. KEV inclusion), historical analysis of which vendors and products appear most often, joining against your own scan output to flag urgent findings, and time-series studies of how quickly CVEs move from disclosure to exploitation."
    },
    {
      "id": "nvd-cve",
      "category": "vuln",
      "title": "NVD CVE 2.0 — yearly JSON feed",
      "publisher": "U.S. National Institute of Standards and Technology",
      "filename": "nvdcve-2.0-2026.json.gz",
      "url": "https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-2026.json.gz",
      "format": "JSON (gzip)",
      "size_est": "~50 MB / year (gzipped)",
      "cadence": "Year files refresh nightly · modified.json.gz updates hourly",
      "auth": "none for files · free API key for live REST",
      "license": "U.S. Government work — public domain",
      "description": "Authoritative CVE record set in NIST's CVE 2.0 schema, partitioned by publication year (2002 → current). Includes CVSS v2 + v3.1 vectors, CPE applicability, references, and CWE links. The companion modified.json.gz file at the same path carries every CVE updated in the last eight days. For CPE-Match lookups use the live REST API at services.nvd.nist.gov/rest/json/cpematch/2.0/ — NIST deprecated the bulk match file in 2024.",
      "curl": "for y in $(seq 2002 $(date +%Y)); do curl -O https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-$y.json.gz; done",
      "api_docs": "https://nvd.nist.gov/developers/vulnerabilities",
      "citation": "NIST. National Vulnerability Database CVE Feed (CVE 2.0). Retrieved {DATE} from https://nvd.nist.gov/vuln/data-feeds",
      "why_it_matters": "The authoritative source-of-truth for every assigned CVE in the United States. Every commercial vulnerability database (Snyk, Sonatype, vendor advisories, scanner output) is downstream from NVD. If you want to build something on top of CVEs, this is the canonical input.",
      "use_it_for": "Building your own vulnerability scanner, cross-referencing assets against CVE applicability via CPE strings, time-series studies (CVE counts by quarter, by vendor, by CWE category), and constructing labelled training sets for ML on vulnerability descriptions."
    },
    {
      "id": "epss-current",
      "category": "vuln",
      "title": "EPSS — Daily Exploit Prediction Scores",
      "publisher": "FIRST.org Special Interest Group",
      "filename": "epss_scores-current.csv.gz",
      "url": "https://epss.cyentia.com/epss_scores-current.csv.gz",
      "format": "CSV (gzip)",
      "size_est": "~5 MB",
      "cadence": "Daily",
      "auth": "none",
      "license": "CC BY 4.0",
      "description": "Probability that each public CVE will be exploited in the next 30 days, modelled from observed exploit telemetry. Three columns: CVE, EPSS score (0-1), percentile.",
      "api_docs": "https://api.first.org/data/v1/epss",
      "curl": "curl -O https://epss.cyentia.com/epss_scores-current.csv.gz",
      "citation": "Jacobs, J., Romanosky, S., Adjerid, I., Baker, W. (2020). Improving Vulnerability Remediation Through Better Exploit Prediction. Journal of Cybersecurity. https://www.first.org/epss/",
      "why_it_matters": "CVSS tells you how bad a CVE could be if exploited. EPSS tells you how likely it actually is to be exploited in the next 30 days. The combination is what mature vulnerability programs use to prioritize — patching the top 1% by EPSS catches more real-world exploitation than patching the top 1% by CVSS.",
      "use_it_for": "Comparing EPSS vs. CVSS rankings on the same CVE set (most students discover the two correlate weakly), building a risk-scored remediation queue, analyzing how EPSS scores drift after a CVE lands in CISA KEV, and studying the predictive accuracy of the EPSS model itself."
    },
    {
      "id": "epss-historical",
      "category": "vuln",
      "title": "EPSS — Historical scores (point-in-time)",
      "publisher": "FIRST.org Special Interest Group",
      "filename": "epss_scores-{YYYY-MM-DD}.csv.gz",
      "url": "https://epss.cyentia.com/epss_scores-2026-06-03.csv.gz",
      "format": "CSV (gzip)",
      "size_est": "~5 MB / day",
      "cadence": "Per-date snapshots from 2021-04-14 forward",
      "auth": "none",
      "license": "CC BY 4.0",
      "description": "Per-day EPSS snapshots. Use these for time-series analysis: how did a CVE's exploit likelihood change after it landed in CISA KEV, after a vendor advisory, etc.",
      "curl": "curl -O https://epss.cyentia.com/epss_scores-2026-06-03.csv.gz",
      "citation": "Same as EPSS current.",
      "why_it_matters": "Point-in-time snapshots let you study how exploit-likelihood predictions changed and whether they were predictive. Most current data hides the drift — historical snapshots expose it.",
      "use_it_for": "Back-testing your own scoring model against EPSS, longitudinal studies of which CVE classes drift fastest, and dissertation work on prediction quality (calibration plots, AUC over time)."
    },
    {
      "id": "osv-pypi",
      "category": "vuln",
      "title": "OSV — PyPI vulnerabilities",
      "publisher": "Google / OpenSSF",
      "filename": "all.zip (PyPI)",
      "url": "https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip",
      "format": "JSON files in ZIP",
      "size_est": "~10 MB",
      "cadence": "Continuous",
      "auth": "none",
      "license": "CC BY 4.0",
      "description": "Every OSV advisory for the Python Package Index. Each entry is a single JSON file with affected version ranges, fix versions, references, and severity. Same URL pattern works for other ecosystems — swap PyPI for npm, Go, Maven, RubyGems, NuGet, crates.io, Pub, Hex, Packagist, Linux, Android, GitHub Actions, etc.",
      "api_docs": "https://google.github.io/osv.dev/data/",
      "curl": "curl -O https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip",
      "citation": "Google / OpenSSF. OSV.dev: Open Source Vulnerabilities. Retrieved {DATE}. https://osv.dev/",
      "why_it_matters": "The Python ecosystem has hundreds of packages with documented vulnerabilities. Pip itself doesn't ship a vulnerability database; OSV is the canonical machine-readable feed every reputable Python security tool uses underneath.",
      "use_it_for": "Building a pip-audit-style tool, analyzing transitive dependency chains in real Python projects, studying how quickly upstream maintainers ship fixes after a CVE is published, and dissertation work on Python supply-chain security."
    },
    {
      "id": "osv-npm",
      "category": "vuln",
      "title": "OSV — npm vulnerabilities",
      "publisher": "Google / OpenSSF",
      "filename": "all.zip (npm)",
      "url": "https://osv-vulnerabilities.storage.googleapis.com/npm/all.zip",
      "format": "JSON files in ZIP",
      "size_est": "~30 MB",
      "cadence": "Continuous",
      "auth": "none",
      "license": "CC BY 4.0",
      "description": "Every OSV advisory for the npm registry. Largest single OSV ecosystem by advisory count.",
      "curl": "curl -O https://osv-vulnerabilities.storage.googleapis.com/npm/all.zip",
      "citation": "Same as OSV PyPI.",
      "why_it_matters": "npm is the largest registry by package count and the largest by attack surface. Supply-chain attacks targeting npm (event-stream, ua-parser-js, colors/faker, the 2024 polyfill.io incident) have caused some of the most serious incidents of the last five years.",
      "use_it_for": "Supply-chain research, dependency confusion studies, building SBOM scanners, and analyzing how dependency-bloat in modern web apps amplifies blast radius."
    },
    {
      "id": "osv-go",
      "category": "vuln",
      "title": "OSV — Go vulnerabilities",
      "publisher": "Google / OpenSSF",
      "filename": "all.zip (Go)",
      "url": "https://osv-vulnerabilities.storage.googleapis.com/Go/all.zip",
      "format": "JSON files in ZIP",
      "size_est": "~5 MB",
      "cadence": "Continuous",
      "auth": "none",
      "license": "CC BY 4.0",
      "description": "Every OSV advisory for the Go module ecosystem. Sourced from the upstream Go vulnerability database.",
      "curl": "curl -O https://osv-vulnerabilities.storage.googleapis.com/Go/all.zip",
      "citation": "Same as OSV PyPI.",
      "why_it_matters": "Go's vulnerability database is rigorous because the Go team curates each advisory with strict minimum-affected-version accuracy. Combined with Go's compile-time call-graph analysis, it produces fewer false positives than ecosystem peers.",
      "use_it_for": "Building a govulncheck-equivalent, studying how Go's call-graph-aware detection performs vs. lockfile-only scanners (npm/pip/Maven), and comparing the false-positive rates across ecosystems."
    },
    {
      "id": "osv-maven",
      "category": "vuln",
      "title": "OSV — Maven vulnerabilities",
      "publisher": "Google / OpenSSF",
      "filename": "all.zip (Maven)",
      "url": "https://osv-vulnerabilities.storage.googleapis.com/Maven/all.zip",
      "format": "JSON files in ZIP",
      "size_est": "~15 MB",
      "cadence": "Continuous",
      "auth": "none",
      "license": "CC BY 4.0",
      "description": "Every OSV advisory for Maven Central (Java / Kotlin / Scala ecosystem).",
      "curl": "curl -O https://osv-vulnerabilities.storage.googleapis.com/Maven/all.zip",
      "citation": "Same as OSV PyPI.",
      "why_it_matters": "The Java ecosystem is enterprise-critical — Log4Shell (CVE-2021-44228) came out of Maven Central. Maven vulnerabilities have outsized real-world impact because banks, governments, and Fortune 500s run Java everywhere.",
      "use_it_for": "Banking-tech supply chain studies, transitive-dependency analysis (Java tends toward very deep dependency trees), and replicating the Log4Shell propagation timeline."
    },
    {
      "id": "gh-advisory",
      "category": "vuln",
      "title": "GitHub Security Advisory Database",
      "publisher": "GitHub",
      "filename": "advisory-database (git repo, ~200 MB)",
      "url": "https://github.com/github/advisory-database",
      "format": "OSV JSON files",
      "size_est": "~200 MB git repo",
      "cadence": "Continuous",
      "auth": "none for git · token for GraphQL",
      "license": "CC BY 4.0",
      "description": "Curated advisories across npm, pip, Maven, Composer, Go, NuGet, RubyGems, crates, Pub, Erlang, GitHub Actions, Swift. Includes withdrawal status and curator notes.",
      "api_docs": "https://docs.github.com/en/rest/security-advisories/global-advisories",
      "curl": "git clone --depth 1 https://github.com/github/advisory-database.git",
      "citation": "GitHub. Security Advisory Database. Retrieved {DATE}.",
      "why_it_matters": "GitHub's curated layer on top of OSV. Every entry has a human review, a confidence rating, and a withdrawal status — far higher quality than raw NVD. This is what GitHub Dependabot and `npm audit` actually consume.",
      "use_it_for": "Studying advisory quality vs. NVD speed (GH typically publishes faster than NVD), comparing curated-vs-automated advisory feeds, and training labels for security ML where quality matters more than volume."
    },
    {
      "id": "exploit-db",
      "category": "vuln",
      "title": "Exploit-DB — exploit catalogue",
      "publisher": "OffSec",
      "filename": "files_exploits.csv",
      "url": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/files_exploits.csv",
      "format": "CSV",
      "size_est": "~10 MB",
      "cadence": "Daily",
      "auth": "none",
      "license": "GPLv2",
      "description": "Index of every public exploit hosted on exploit-db.com: ID, title, date, author, platform, type, port, CVE references, and path to the proof-of-concept file in the companion git repo.",
      "curl": "curl -O https://gitlab.com/exploit-database/exploitdb/-/raw/main/files_exploits.csv",
      "citation": "OffSec. The Exploit Database. Retrieved {DATE}. https://www.exploit-db.com/",
      "why_it_matters": "Maps CVEs to actual proof-of-concept exploit code. Bridges the gap between 'this vulnerability exists in CVE-XXXX-XXXX' and 'here's working code that demonstrates it.' Used by red teamers, defenders building detection signatures, and academic researchers.",
      "use_it_for": "Reproducing CVEs in a contained lab environment, training detection rules against real exploit traffic, studying exploit availability over time (how soon after disclosure does a public PoC appear?), and writing better signatures from real samples."
    },
    {
      "id": "attack-enterprise",
      "category": "mitre",
      "title": "MITRE ATT&CK — Enterprise STIX bundle",
      "publisher": "The MITRE Corporation",
      "filename": "enterprise-attack.json",
      "url": "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json",
      "format": "STIX 2.0 / JSON",
      "size_est": "~35 MB",
      "cadence": "Versioned releases (quarterly)",
      "auth": "none",
      "license": "ATT&CK Terms of Use — free for research, attribution required",
      "description": "Every tactic, technique, sub-technique, mitigation, data source, software entry, and threat-group profile in ATT&CK Enterprise. Each object follows the STIX 2.0 schema.",
      "curl": "curl -O https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json",
      "citation": "Strom, B.E., et al. (2018). MITRE ATT&CK: Design and Philosophy. MITRE Technical Report MP180360R1.",
      "why_it_matters": "The most-cited adversary-behaviour ontology in cybersecurity. Used by every major EDR vendor, every threat-intel team, and most security frameworks to describe what attackers actually do — at the right level of abstraction (more concrete than 'malware,' more flexible than 'CVE-X').",
      "use_it_for": "Mapping detection-coverage gaps in your SIEM, building purple-team exercises, labelling alerts by technique for analytics, and dissertation work on adversary modelling and detection-engineering metrics."
    },
    {
      "id": "attack-mobile",
      "category": "mitre",
      "title": "MITRE ATT&CK — Mobile STIX bundle",
      "publisher": "The MITRE Corporation",
      "filename": "mobile-attack.json",
      "url": "https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json",
      "format": "STIX 2.0 / JSON",
      "size_est": "~3 MB",
      "cadence": "Versioned releases",
      "auth": "none",
      "license": "ATT&CK Terms of Use",
      "description": "Adversary behaviour catalogue specific to iOS and Android — installer abuse, premium SMS, accessibility-service misuse, and so on.",
      "curl": "curl -O https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json",
      "citation": "MITRE. ATT&CK for Mobile. Retrieved {DATE}.",
      "why_it_matters": "Mobile attack surface (SMS phishing, accessibility-service abuse, premium-SMS fraud, app-side-loading attacks) is structurally different from enterprise endpoints. The Mobile catalogue captures behaviours that don't map cleanly to Enterprise ATT&CK.",
      "use_it_for": "Mobile-EDR coverage analysis, cross-platform malware family studies (where an actor uses both Mobile and Enterprise techniques), and labelling Android/iOS forensic findings."
    },
    {
      "id": "attack-ics",
      "category": "mitre",
      "title": "MITRE ATT&CK — ICS STIX bundle",
      "publisher": "The MITRE Corporation",
      "filename": "ics-attack.json",
      "url": "https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json",
      "format": "STIX 2.0 / JSON",
      "size_est": "~2 MB",
      "cadence": "Versioned releases",
      "auth": "none",
      "license": "ATT&CK Terms of Use",
      "description": "Industrial control system tactics and techniques: SCADA, PLC programming abuse, operator workstation compromise. Use this for OT/IoT lab work.",
      "curl": "curl -O https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json",
      "citation": "MITRE. ATT&CK for ICS. Retrieved {DATE}.",
      "why_it_matters": "OT/SCADA attacks (Stuxnet, Industroyer, Triton, Pipedream) follow a fundamentally different playbook from enterprise IT — different protocols, different goals, different blast radius. This is the only widely-used taxonomy for industrial system attacks.",
      "use_it_for": "ICS lab work, critical-infrastructure threat modelling, IoT/OT segmentation research, and dissertation work on operational-technology defense."
    },
    {
      "id": "capec",
      "category": "mitre",
      "title": "CAPEC — Common Attack Pattern Enumeration",
      "publisher": "The MITRE Corporation",
      "filename": "2000.csv (in 2000.csv.zip)",
      "url": "https://capec.mitre.org/data/csv/2000.csv.zip",
      "format": "CSV (zip)",
      "size_est": "~1 MB",
      "cadence": "Versioned releases",
      "auth": "none",
      "license": "MITRE Terms",
      "description": "Catalogue of attack patterns, more abstract than ATT&CK techniques and more concrete than CWE. Useful for threat-modelling exercises.",
      "curl": "curl -O https://capec.mitre.org/data/csv/2000.csv.zip",
      "citation": "MITRE. Common Attack Pattern Enumeration and Classification (CAPEC). Retrieved {DATE}.",
      "why_it_matters": "Sits between CWE (concrete code weaknesses) and ATT&CK (real adversary tactics). When you need a more abstract 'attack pattern' than a specific technique — for threat-modelling sessions, security architecture reviews, or pedagogy — CAPEC is the right vocabulary.",
      "use_it_for": "Threat-modelling sessions where ATT&CK is too specific and CWE is too low-level, security training (CAPEC patterns are easier to teach than ATT&CK techniques), and connecting weakness classes to attacker behaviour."
    },
    {
      "id": "cwe",
      "category": "mitre",
      "title": "CWE — Common Weakness Enumeration",
      "publisher": "The MITRE Corporation",
      "filename": "1000.csv (in 1000.csv.zip)",
      "url": "https://cwe.mitre.org/data/csv/1000.csv.zip",
      "format": "CSV (zip)",
      "size_est": "~2 MB",
      "cadence": "Versioned releases",
      "auth": "none",
      "license": "MITRE Terms",
      "description": "Software weakness taxonomy (e.g. CWE-89 SQL Injection, CWE-79 XSS, CWE-787 OOB Write). The label space for static analysis tools and the basis of the CWE Top 25.",
      "curl": "curl -O https://cwe.mitre.org/data/csv/1000.csv.zip",
      "citation": "MITRE. Common Weakness Enumeration. Retrieved {DATE}.",
      "why_it_matters": "The labelling system for software flaws. Every static analyzer, every vulnerability scanner, every CVE — they all map to CWE entries. CWE Top 25 drives industry roadmaps. The vocabulary you can't avoid in any serious security work.",
      "use_it_for": "Categorizing your own bug bounty findings or research output, generating training data for static-analysis ML, studying the CWE Top 25 trend year-over-year, and mapping CVEs to root-cause categories."
    },
    {
      "id": "d3fend",
      "category": "mitre",
      "title": "MITRE D3FEND — defensive ontology",
      "publisher": "The MITRE Corporation",
      "filename": "d3fend.json (JSON-LD)",
      "url": "https://d3fend.mitre.org/api/ontology/inference/d3fend-full-mappings.json",
      "format": "JSON-LD",
      "size_est": "~5 MB",
      "cadence": "Quarterly",
      "auth": "none",
      "license": "MITRE Terms",
      "description": "Defensive counterpart to ATT&CK. Maps countermeasures (process isolation, credential transmission scoping, etc.) to the techniques they defend against, with NIST SP 800-53 control crosswalks.",
      "curl": "curl -O https://d3fend.mitre.org/api/ontology/inference/d3fend-full-mappings.json",
      "citation": "Kaloroumakis, P.E., Smith, M.J. (2021). Toward a Knowledge Graph of Cybersecurity Countermeasures. MITRE Technical Report.",
      "why_it_matters": "ATT&CK tells you what attackers do. D3FEND tells you what defenders can do about it — at the same level of abstraction, with explicit mappings between countermeasures and the techniques they defend against. The only widely-cited defensive ontology with NIST SP 800-53 control crosswalks.",
      "use_it_for": "Building control-to-technique mappings to justify security investments, purple-team scoring (which D3FEND artifacts does your control coverage produce?), and dissertation work on defensive architectures."
    },
    {
      "id": "urlhaus-recent",
      "category": "ti",
      "title": "URLhaus — Recently submitted malicious URLs",
      "publisher": "abuse.ch (Bern University of Applied Sciences)",
      "filename": "csv_recent.zip",
      "url": "https://urlhaus.abuse.ch/downloads/csv_recent/",
      "format": "CSV (zip)",
      "size_est": "~1 MB",
      "cadence": "Every 5 minutes",
      "auth": "none (free Auth-Key for higher throughput)",
      "license": "CC0 1.0",
      "description": "Malicious URLs submitted in the last 30 days, with payload family, country, status (online/offline), and SHA-256 of the served payload.",
      "api_docs": "https://urlhaus-api.abuse.ch/",
      "curl": "curl -O https://urlhaus.abuse.ch/downloads/csv_recent/",
      "citation": "abuse.ch. URLhaus. Retrieved {DATE}. https://urlhaus.abuse.ch/",
      "why_it_matters": "The fastest community feed of fresh malicious URLs. abuse.ch researchers and trusted submitters publish URLs hosting active malware payloads, often within hours of those URLs going live. Faster than nearly any commercial feed.",
      "use_it_for": "DNS-filtering lab exercises, browser-protection studies, training a URL classifier on labelled positives, and measuring time-to-takedown across different hosting providers."
    },
    {
      "id": "urlhaus-full",
      "category": "ti",
      "title": "URLhaus — Full historical archive",
      "publisher": "abuse.ch",
      "filename": "csv.zip",
      "url": "https://urlhaus.abuse.ch/downloads/csv/",
      "format": "CSV (zip)",
      "size_est": "~30 MB",
      "cadence": "Daily refresh",
      "auth": "none",
      "license": "CC0 1.0",
      "description": "Every URL ever submitted to URLhaus. Use for longitudinal studies of malware distribution.",
      "curl": "curl -O https://urlhaus.abuse.ch/downloads/csv/",
      "citation": "Same as URLhaus recent.",
      "why_it_matters": "The complete history lets you study trends: which malware families dominate by year, which hosting providers harbour the most abuse, geographic patterns, and the seasonality of malware distribution.",
      "use_it_for": "Longitudinal research on malware-distribution infrastructure, hosting-provider reputation studies, and time-series ML on attack trends."
    },
    {
      "id": "threatfox",
      "category": "ti",
      "title": "ThreatFox — IoC feed (recent)",
      "publisher": "abuse.ch",
      "filename": "threatfox_recent.csv",
      "url": "https://threatfox.abuse.ch/export/csv/recent/",
      "format": "CSV",
      "size_est": "~500 KB",
      "cadence": "Continuous",
      "auth": "none (Auth-Key for full feed)",
      "license": "CC0 1.0",
      "description": "Indicators of compromise (IPs, domains, URLs, file hashes) tagged with the threat actor or malware family they belong to.",
      "api_docs": "https://threatfox.abuse.ch/api/",
      "curl": "curl -O https://threatfox.abuse.ch/export/csv/recent/",
      "citation": "abuse.ch. ThreatFox. Retrieved {DATE}. https://threatfox.abuse.ch/",
      "why_it_matters": "IoCs aren't useful without attribution — knowing 'this IP is bad' matters less than 'this IP belongs to Lazarus' or 'this hash is Cobalt Strike.' ThreatFox tags every indicator with the threat actor or malware family it ties to.",
      "use_it_for": "SIEM enrichment exercises, threat-actor profiling, building attribution-aware detection rules, and studying the lifecycle of a single actor's infrastructure over months."
    },
    {
      "id": "malwarebazaar",
      "category": "ti",
      "title": "MalwareBazaar — Sample metadata (recent)",
      "publisher": "abuse.ch",
      "filename": "recent.csv (in recent.csv.zip)",
      "url": "https://bazaar.abuse.ch/export/csv/recent/",
      "format": "CSV (zip)",
      "size_est": "~3 MB",
      "cadence": "Continuous",
      "auth": "none for metadata · Auth-Key for binary downloads",
      "license": "CC0 1.0",
      "description": "Last 30 days of malware sample submissions. SHA-256, SHA-1, MD5, file size, family, signature, reporter, first-seen date. Use the metadata; do not download payloads to unsegmented machines.",
      "api_docs": "https://bazaar.abuse.ch/api/",
      "curl": "curl -O https://bazaar.abuse.ch/export/csv/recent/",
      "citation": "abuse.ch. MalwareBazaar. Retrieved {DATE}. https://bazaar.abuse.ch/",
      "why_it_matters": "The largest open registry of malware sample metadata. Researchers can study families, signatures, and prevalence without taking on the legal and operational risk of distributing the binaries themselves.",
      "use_it_for": "Studying malware family prevalence over time, signature-uniqueness analysis (how often does the same SHA-256 reappear?), AV detection-rate measurement (cross-reference samples against VirusTotal), and labelling for ML on file metadata."
    },
    {
      "id": "feodo",
      "category": "ti",
      "title": "Feodo Tracker — botnet C2 blocklist",
      "publisher": "abuse.ch",
      "filename": "ipblocklist.csv",
      "url": "https://feodotracker.abuse.ch/downloads/ipblocklist.csv",
      "format": "CSV",
      "size_est": "~30 KB",
      "cadence": "Every 5 minutes",
      "auth": "none",
      "license": "CC0 1.0",
      "description": "Active command-and-control servers for Dridex, Emotet, TrickBot, QakBot, and related Feodo-family malware. Use as a deny-list source for lab firewall exercises.",
      "curl": "curl -O https://feodotracker.abuse.ch/downloads/ipblocklist.csv",
      "citation": "abuse.ch. Feodo Tracker. Retrieved {DATE}.",
      "why_it_matters": "Banking trojans and ransomware botnets reuse C2 infrastructure between campaigns. Blocking these IPs at your border cuts a meaningful slice of commodity-malware activity — including Dridex, Emotet, TrickBot, and QakBot.",
      "use_it_for": "Firewall-blocklist lab exercises, studying C2 infrastructure churn rate (how often does an active C2 IP change?), and geographic distribution analysis of botnet operators."
    },
    {
      "id": "sslbl",
      "category": "ti",
      "title": "SSL Blacklist — malicious TLS certificates",
      "publisher": "abuse.ch",
      "filename": "sslblacklist.csv",
      "url": "https://sslbl.abuse.ch/blacklist/sslblacklist.csv",
      "format": "CSV",
      "size_est": "~50 KB",
      "cadence": "Continuous",
      "auth": "none",
      "license": "CC0 1.0",
      "description": "SHA-1 fingerprints of TLS certificates seen serving malware C2 traffic. Companion to Feodo Tracker. Useful for JA3/JA4 lab work.",
      "curl": "curl -O https://sslbl.abuse.ch/blacklist/sslblacklist.csv",
      "citation": "abuse.ch. SSL Blacklist. Retrieved {DATE}.",
      "why_it_matters": "TLS encrypts payload but not metadata. JA3 / JA4 hashes can fingerprint the TLS handshake of malware C2 traffic even when the content is opaque. abuse.ch's SSLBL is the public canon of bad-cert fingerprints.",
      "use_it_for": "JA3/JA4 fingerprinting labs, encrypted-traffic detection research, NetFlow + TLS-metadata correlation studies, and building a Zeek/Suricata rule from real positives."
    },
    {
      "id": "spamhaus-drop",
      "category": "blocklist",
      "title": "Spamhaus DROP — hijacked netblocks",
      "publisher": "The Spamhaus Project",
      "filename": "drop.txt",
      "url": "https://www.spamhaus.org/drop/drop.txt",
      "format": "Plain text (CIDR per line)",
      "size_est": "~10 KB",
      "cadence": "Hourly",
      "auth": "none",
      "license": "Spamhaus DROP Terms — non-commercial use",
      "description": "IP ranges currently controlled by spammers/abusers — direct allocations from RIRs to known-bad parties, or hijacked space. Drop these at your border with no logging.",
      "curl": "curl -O https://www.spamhaus.org/drop/drop.txt",
      "citation": "The Spamhaus Project. Don't Route Or Peer List (DROP). Retrieved {DATE}.",
      "why_it_matters": "When Spamhaus says 'drop traffic to or from this range,' they mean it — these are netblocks fully controlled by abusers (direct RIR allocations to known-bad parties, or hijacked space). Major ISPs and security products use DROP as a default deny-rule at the border.",
      "use_it_for": "Firewall lab exercises with a real high-signal blocklist, reputation-scoring research, ASN-hijacking studies, and measuring how much DROP overlaps with the BGP routing table."
    },
    {
      "id": "spamhaus-edrop",
      "category": "blocklist",
      "title": "Spamhaus EDROP — extended DROP",
      "publisher": "The Spamhaus Project",
      "filename": "edrop.txt",
      "url": "https://www.spamhaus.org/drop/edrop.txt",
      "format": "Plain text (CIDR per line)",
      "size_est": "~10 KB",
      "cadence": "Hourly",
      "auth": "none",
      "license": "Spamhaus DROP Terms — non-commercial use",
      "description": "Extended DROP: sub-allocations of known-bad ranges. Pair with drop.txt.",
      "curl": "curl -O https://www.spamhaus.org/drop/edrop.txt",
      "citation": "Same as DROP.",
      "why_it_matters": "Extended DROP captures sub-allocations of the known-bad ranges in DROP. Together they form the complete Spamhaus 'drop on sight' set.",
      "use_it_for": "Same use cases as DROP, paired for completeness in any blocklist research."
    },
    {
      "id": "tor-exits",
      "category": "blocklist",
      "title": "Tor Project — current exit relays",
      "publisher": "The Tor Project",
      "filename": "torbulkexitlist",
      "url": "https://check.torproject.org/torbulkexitlist",
      "format": "Plain text (one IP per line)",
      "size_est": "~30 KB",
      "cadence": "Hourly",
      "auth": "none",
      "license": "BSD-3-Clause (relay metadata)",
      "description": "Every current Tor exit relay IP. Useful for measuring anonymisation traffic, for lab exercises on egress filtering, and for understanding the Tor consensus.",
      "curl": "curl -O https://check.torproject.org/torbulkexitlist",
      "citation": "The Tor Project. Bulk Exit List. Retrieved {DATE}.",
      "why_it_matters": "Tor's exit relay set is the public face of anonymisation traffic — if a connection comes from one of these IPs, the client is intentionally hiding their origin. Useful for understanding both legitimate anonymity use and abuse patterns.",
      "use_it_for": "Lab exercises on anonymisation systems, IP-reputation systems that score Tor traffic differently, measuring Tor's relay-set growth over time, and studying egress-filtering tradeoffs."
    },
    {
      "id": "phishtank",
      "category": "blocklist",
      "title": "PhishTank — verified phishing URLs",
      "publisher": "Cisco Talos",
      "filename": "online-valid.csv.gz",
      "url": "http://data.phishtank.com/data/online-valid.csv.gz",
      "format": "CSV (gzip)",
      "size_est": "~5 MB",
      "cadence": "Hourly",
      "auth": "Free PhishTank account + API key",
      "license": "PhishTank Terms",
      "description": "Community-verified phishing URLs currently online, with target brand, submission timestamp, and verification time.",
      "api_docs": "https://www.phishtank.com/developer_info.php",
      "curl": "curl -O http://data.phishtank.com/data/$APIKEY/online-valid.csv.gz",
      "citation": "Cisco Talos. PhishTank. Retrieved {DATE}.",
      "why_it_matters": "Community-verified phishing URLs — every entry has been reviewed by humans, not just classified by a model. Cisco Talos curates the verification process. This is the gold standard for high-precision phishing labels.",
      "use_it_for": "Phishing classifier training (high-precision positive set), URL-feature-extraction labs, studying targeted-brand trends over time, and measuring takedown latency by brand."
    },
    {
      "id": "openphish",
      "category": "blocklist",
      "title": "OpenPhish — community phishing feed",
      "publisher": "OpenPhish",
      "filename": "feed.txt",
      "url": "https://openphish.com/feed.txt",
      "format": "Plain text (one URL per line)",
      "size_est": "~200 KB",
      "cadence": "Every 12 hours (community tier)",
      "auth": "none for community feed",
      "license": "OpenPhish Community Terms",
      "description": "Free community-tier feed of phishing URLs discovered by OpenPhish's classifiers. Premium tier offers structured metadata.",
      "curl": "curl -O https://openphish.com/feed.txt",
      "citation": "OpenPhish. Phishing Intelligence Feed. Retrieved {DATE}.",
      "why_it_matters": "Complementary to PhishTank — OpenPhish uses automated classifiers rather than human review. Higher volume, slightly noisier. Together with PhishTank it forms a precision/recall pair you can use for classifier evaluation.",
      "use_it_for": "Combine with PhishTank for a labelled positive set with known precision differences; study automated-vs-manual classifier accuracy; and benchmark your own URL classifier against both."
    },
    {
      "id": "dshield-top",
      "category": "honeypot",
      "title": "DShield (SANS ISC) — top attacking IPs",
      "publisher": "SANS Internet Storm Center",
      "filename": "sources_attacks.json",
      "url": "https://isc.sans.edu/api/sources/attacks/100/?json",
      "format": "JSON",
      "size_est": "~50 KB",
      "cadence": "Hourly",
      "auth": "none",
      "license": "SANS ISC — research use",
      "description": "Top 100 IPs by attack-event volume across the DShield honeypot mesh in the last day. Includes target port distribution and first-seen date.",
      "api_docs": "https://isc.sans.edu/api/",
      "curl": "curl -O https://isc.sans.edu/api/sources/attacks/100/?json",
      "citation": "SANS Internet Storm Center. DShield. Retrieved {DATE}.",
      "why_it_matters": "SANS Internet Storm Center runs the longest-running distributed honeypot mesh in the world. The 'top attackers' feed is a near-real-time snapshot of where attack traffic is currently concentrated, globally.",
      "use_it_for": "Building an IP-reputation system from observed activity, geographic attack analysis, port-targeting trend studies, and comparing 'targeting your honeypot' vs. 'background internet noise.'"
    },
    {
      "id": "dataplane-ssh",
      "category": "honeypot",
      "title": "DataPlane.org — SSH brute-force feed",
      "publisher": "DataPlane.org",
      "filename": "sshclient.txt",
      "url": "https://dataplane.org/sshclient.txt",
      "format": "Plain text (IP per line)",
      "size_est": "~30 KB",
      "cadence": "Hourly",
      "auth": "none",
      "license": "DataPlane.org Terms",
      "description": "IPs observed brute-forcing SSH against DataPlane.org's sensor mesh in the last hour. Companion feeds exist for DNS amplification, telnet, sip-registration, smtp-data.",
      "curl": "curl -O https://dataplane.org/sshclient.txt",
      "citation": "DataPlane.org. SSH Client Telemetry Feed. Retrieved {DATE}.",
      "why_it_matters": "SSH brute-forcing is one of the most common low-effort attacks against internet-facing services. DataPlane.org's sensor mesh observes most of it. The feed is updated continuously and is small enough to fit in any firewall.",
      "use_it_for": "fail2ban-equivalent lab exercises, studying brute-force campaign characteristics (how long does an attacker probe one address?), evaluating honeypot deception strategies, and comparing against your own sshd logs."
    },
    {
      "id": "greynoise-community",
      "category": "honeypot",
      "title": "GreyNoise — community IP enrichment API",
      "publisher": "GreyNoise Intelligence",
      "filename": "community/{ip}.json",
      "url": "https://api.greynoise.io/v3/community/8.8.8.8",
      "format": "JSON",
      "size_est": "~300 B per query",
      "cadence": "Real-time",
      "auth": "Free GreyNoise account + key",
      "license": "GreyNoise Community Terms",
      "description": "Per-IP lookup: classification (benign / malicious / unknown), name (e.g. Censys Scanner, Mirai variant), last seen. 50 queries / day on the community tier.",
      "api_docs": "https://docs.greynoise.io/reference/get_v3-community-ip",
      "curl": "curl -H \"key: $GREYNOISE_KEY\" https://api.greynoise.io/v3/community/8.8.8.8",
      "citation": "GreyNoise Intelligence. Community API. Retrieved {DATE}.",
      "why_it_matters": "GreyNoise classifies 'background internet noise' — opportunistic mass scanning, security crawlers, indiscriminate exploitation attempts — and separates that from targeted activity against you specifically. This is the difference between a 50,000-alert-per-day SIEM and a meaningful one.",
      "use_it_for": "SIEM tuning labs (filter out the noise floor to surface real incidents), false-positive-reduction studies, distinguishing 'internet weather' from real targeting, and academic work on attack-traffic baselining."
    },
    {
      "id": "team-cymru-asn",
      "category": "honeypot",
      "title": "Team Cymru — IP-to-ASN (DNS-based whois)",
      "publisher": "Team Cymru",
      "filename": "(no file — DNS query)",
      "url": "https://team-cymru.com/community-services/ip-asn-mapping/",
      "format": "DNS TXT records",
      "size_est": "single record per query",
      "cadence": "Real-time",
      "auth": "none",
      "license": "Team Cymru Community Services Terms",
      "description": "Look up the AS number, AS name, country, and prefix for any IPv4/v6 address via DNS. The cheapest way to bulk-enrich a list of IPs without paying for a Whois API.",
      "curl": "dig +short 8.8.8.8.origin.asn.cymru.com TXT",
      "citation": "Team Cymru. IP-to-ASN Lookup. Retrieved {DATE}.",
      "why_it_matters": "Knowing the autonomous system behind an IP is foundational for incident response, threat hunting, and traffic analysis. Cymru offers it over DNS so you can bulk-enrich huge IP lists without paying for a commercial WHOIS API — the cheapest enrichment in the field.",
      "use_it_for": "Bulk-enriching a list of attacker IPs in seconds, studying attacker-network distribution by ASN, identifying cloud-hosted threats (AWS / GCP / Azure / Hetzner ASNs), and labelling traffic by hosting provider."
    },
    {
      "id": "hibp-breaches",
      "category": "breach",
      "title": "HaveIBeenPwned — verified breaches list",
      "publisher": "Troy Hunt / HIBP",
      "filename": "breaches.json",
      "url": "https://haveibeenpwned.com/api/v3/breaches",
      "format": "JSON",
      "size_est": "~500 KB",
      "cadence": "On new-breach disclosure",
      "auth": "none for breach list · paid key for account lookups",
      "license": "CC BY 4.0",
      "description": "Every breach HIBP has indexed: name, domain, date, count, exposed data classes (emails, hashed passwords, addresses, etc.), verified flag, sensitive flag.",
      "api_docs": "https://haveibeenpwned.com/API/v3",
      "curl": "curl -A 'student-research' https://haveibeenpwned.com/api/v3/breaches",
      "citation": "Hunt, T. Have I Been Pwned. Retrieved {DATE}. https://haveibeenpwned.com/",
      "why_it_matters": "Centralizes every major data breach into a single authoritative catalogue. The reference data behind every reputable password-strength meter and breach-monitoring product. Troy Hunt has curated it for over a decade.",
      "use_it_for": "Studying breach trends over time, calculating exposure for any email address (paid key required), labelling password datasets by source breach, and dissertation work on credential-stuffing economics."
    },
    {
      "id": "pwned-passwords",
      "category": "breach",
      "title": "Pwned Passwords — k-anonymity range API",
      "publisher": "Troy Hunt / HIBP / Cloudflare",
      "filename": "{5-char SHA1 prefix}.txt",
      "url": "https://api.pwnedpasswords.com/range/21BD1",
      "format": "Plain text (one suffix:count per line)",
      "size_est": "~30 KB per range",
      "cadence": "Continuous",
      "auth": "none",
      "license": "CC BY 4.0",
      "description": "Send the first 5 hex chars of an SHA-1 of a password; receive every suffix that completes to a known-breached hash, with the count of breaches the password appeared in. K-anonymous — no plaintext password ever leaves your machine.",
      "api_docs": "https://haveibeenpwned.com/API/v3#PwnedPasswords",
      "curl": "echo -n 'password' | sha1sum | cut -c1-5 | xargs -I{} curl https://api.pwnedpasswords.com/range/{}",
      "citation": "Hunt, T., Cloudflare. Pwned Passwords API v3. Retrieved {DATE}.",
      "why_it_matters": "An 800-million-entry password breach lookup that respects privacy by using k-anonymity — you never send a full password or hash, only the first 5 hex characters of an SHA-1. The reference implementation of privacy-preserving security data, designed by Cloudflare and Troy Hunt.",
      "use_it_for": "Adding a 'have I been pwned' check into a login form, studying password-reuse rates across breach corpora, teaching k-anonymity through a real production example, and benchmarking your password-strength estimator."
    },
    {
      "id": "nist-csf",
      "category": "compliance",
      "title": "NIST Cybersecurity Framework 2.0",
      "publisher": "U.S. National Institute of Standards and Technology",
      "filename": "NIST.CSWP.29.pdf",
      "url": "https://nvlpubs.nist.gov/nistpubs/cswp/NIST.CSWP.29.pdf",
      "format": "PDF",
      "size_est": "~2 MB",
      "cadence": "Major releases (CSF 1.0 → 1.1 → 2.0)",
      "auth": "none",
      "license": "U.S. Government work — public domain",
      "description": "The CSF 2.0 core: six functions (Govern, Identify, Protect, Detect, Respond, Recover), with category and subcategory tables. The authoritative version.",
      "curl": "curl -O https://nvlpubs.nist.gov/nistpubs/cswp/NIST.CSWP.29.pdf",
      "citation": "NIST. The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). DOI: 10.6028/NIST.CSWP.29",
      "why_it_matters": "The Cybersecurity Framework is what U.S. organizations are most often measured against — by regulators, by customers in security questionnaires, and by their own boards. The 2.0 release added a sixth function (Govern), reflecting how the field has matured.",
      "use_it_for": "Mapping your security program to a recognized framework, studying compliance frameworks comparatively, and building a maturity-model assessment that scores an organization across the six functions."
    },
    {
      "id": "nist-800-53",
      "category": "compliance",
      "title": "NIST SP 800-53 Rev 5 — controls (OSCAL)",
      "publisher": "U.S. National Institute of Standards and Technology",
      "filename": "NIST_SP-800-53_rev5_catalog.json",
      "url": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
      "format": "OSCAL JSON",
      "size_est": "~5 MB",
      "cadence": "Per revision",
      "auth": "none",
      "license": "U.S. Government work — public domain",
      "description": "The full SP 800-53 r5 control catalogue in OSCAL — machine-readable, every control with parameters, statements, guidance, and assessment objectives.",
      "curl": "curl -O https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
      "citation": "NIST. Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5). DOI: 10.6028/NIST.SP.800-53r5",
      "why_it_matters": "The control catalogue that underpins FedRAMP, FISMA, and most U.S. federal security programs. The OSCAL JSON release means you can automate compliance work that used to require parsing PDFs by hand.",
      "use_it_for": "Building a compliance scanner that maps system features to controls, OSCAL-automation lab work, dissertation work on machine-readable compliance, and crosswalking 800-53 to other frameworks (ISO 27001, SOC 2, CSF)."
    },
    {
      "id": "nist-800-171",
      "category": "compliance",
      "title": "NIST SP 800-171 r3 — CUI controls (OSCAL)",
      "publisher": "U.S. National Institute of Standards and Technology",
      "filename": "NIST_SP800-171_rev3_catalog.json",
      "url": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-171/rev3/json/NIST_SP800-171_rev3_catalog.json",
      "format": "OSCAL JSON",
      "size_est": "~900 KB",
      "cadence": "Per revision",
      "auth": "none",
      "license": "U.S. Government work — public domain",
      "description": "The 800-171 r3 control catalogue in OSCAL JSON, for protecting Controlled Unclassified Information in non-federal systems — the baseline for any DoD contractor. A minified companion file is in the same directory.",
      "curl": "curl -O https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-171/rev3/json/NIST_SP800-171_rev3_catalog.json",
      "citation": "NIST. Protecting Controlled Unclassified Information (SP 800-171 Rev. 3). DOI: 10.6028/NIST.SP.800-171r3",
      "why_it_matters": "The baseline for any organization handling Controlled Unclassified Information for the U.S. DoD — every defense contractor, every university with federal research grants, every supplier in the defense industrial base. CMMC 2.0 is built directly on top of 800-171.",
      "use_it_for": "CMMC readiness assessment, control-mapping exercises for defense-contractor compliance, OSCAL labs, and dissertation work on supply-chain compliance in critical sectors."
    },
    {
      "id": "cicids2017",
      "category": "research",
      "title": "CIC-IDS2017 — labelled flow dataset",
      "publisher": "Canadian Institute for Cybersecurity, University of New Brunswick",
      "filename": "MachineLearningCSV.zip (and per-day CSVs)",
      "url": "https://www.unb.ca/cic/datasets/ids-2017.html",
      "format": "CSV + PCAP",
      "size_est": "~3 GB CSV, ~50 GB PCAP",
      "cadence": "Static (2017 capture)",
      "auth": "Free registration",
      "license": "CIC research-use licence",
      "description": "Five working days of labelled network traffic captured on a test bed at UNB: brute force, DoS/DDoS, web attacks, infiltration, botnet, port scan, heartbleed. The de-facto IDS benchmark dataset since 2018.",
      "citation": "Sharafaldin, I., Habibi Lashkari, A., Ghorbani, A.A. (2018). Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. ICISSP 2018.",
      "why_it_matters": "The de-facto IDS benchmark dataset for academic research. Hundreds of papers cite it. If you publish a network-intrusion-detection paper, your reviewers will expect to see results on CIC-IDS2017.",
      "use_it_for": "Training and benchmarking IDS models, dissertation experiments with reproducible baselines, comparing detection approaches under controlled labelled conditions, and feature-engineering studies on flow-based features."
    },
    {
      "id": "unsw-nb15",
      "category": "research",
      "title": "UNSW-NB15 — labelled IDS dataset",
      "publisher": "University of New South Wales / ACCS",
      "filename": "UNSW-NB15_*.csv",
      "url": "https://research.unsw.edu.au/projects/unsw-nb15-dataset",
      "format": "CSV + PCAP",
      "size_est": "~100 MB CSV, ~100 GB PCAP",
      "cadence": "Static (2015 capture)",
      "auth": "Free download",
      "license": "UNSW research-use licence",
      "description": "2.5 million labelled records across nine attack families (Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, Worms). Smaller and faster to iterate on than CIC-IDS2017.",
      "citation": "Moustafa, N., Slay, J. (2015). UNSW-NB15: A Comprehensive Data Set for Network Intrusion Detection Systems. IEEE MilCIS 2015.",
      "why_it_matters": "Smaller and faster to iterate on than CIC-IDS2017, but equally well-curated and widely cited. The dataset most graduate students actually start with because experiments fit on a laptop.",
      "use_it_for": "Same use cases as CIC-IDS2017 with shorter iteration cycles; testing whether your model generalizes across two independent labelled datasets."
    },
    {
      "id": "darpa-optc",
      "category": "research",
      "title": "DARPA OpTC — host + network engagement",
      "publisher": "DARPA / Five Directions",
      "filename": "OpTC_data (multi-host JSON)",
      "url": "https://github.com/FiveDirections/OpTC-data",
      "format": "JSON",
      "size_est": "~50 GB",
      "cadence": "Static (2019 engagement)",
      "auth": "none",
      "license": "Public release",
      "description": "Host-and-network telemetry from a red-team engagement on ~1,000 endpoints over three days. The best dataset for lateral movement, supply chain, and process-tree work.",
      "citation": "DARPA. Operationally Transparent Cyber (OpTC) Data Release. 2020. https://github.com/FiveDirections/OpTC-data",
      "why_it_matters": "The most realistic publicly available host-and-network telemetry from a real red-team engagement. Other datasets simulate attacks; OpTC captured one actually happening across ~1,000 endpoints over three days. The gold standard for advanced detection research.",
      "use_it_for": "Lateral-movement detection research, process-tree provenance analysis, supply-chain-attack detection, and dissertation work on graph-based detection."
    },
    {
      "id": "lanl-auth",
      "category": "research",
      "title": "LANL Auth + Red Team (2015)",
      "publisher": "Los Alamos National Laboratory",
      "filename": "auth.txt.gz, redteam.txt",
      "url": "https://csr.lanl.gov/data/cyber1/",
      "format": "Plain text",
      "size_est": "~30 GB total",
      "cadence": "Static (58-day capture)",
      "auth": "none",
      "license": "LANL public release",
      "description": "58 consecutive days of authentication, process, flow, and DNS events from LANL's internal network, with a labelled red-team campaign. The reference dataset for credential-stuffing and lateral-movement detection research.",
      "citation": "Kent, A.D. (2015). Comprehensive, Multi-Source Cyber-Security Events. LANL technical report. https://csr.lanl.gov/data/cyber1/",
      "why_it_matters": "58 days of real internal authentication events from a U.S. national laboratory, with a labelled red-team campaign embedded. There is no public dataset with comparable scale, realism, and labels for authentication-anomaly research.",
      "use_it_for": "Authentication-anomaly detection research, lateral-movement graph analysis, dissertation work on insider-threat or credential-attack detection, and time-series modelling of login behaviour."
    },
    {
      "id": "splunk-botsv3",
      "category": "research",
      "title": "Splunk BOTS v3 — enterprise log corpus",
      "publisher": "Splunk",
      "filename": "botsv3_data_set.tgz",
      "url": "https://github.com/splunk/botsv3",
      "format": "Sysmon + Suricata + Stream + Okta-like + Web proxy",
      "size_est": "~12 GB",
      "cadence": "Static (2019 release)",
      "auth": "none",
      "license": "Splunk BOTS Terms — research use",
      "description": "Full enterprise log set from a simulated breach scenario. Best for end-to-end SOC analyst exercises and dissertation work on multi-source correlation.",
      "citation": "Splunk. Boss of the SOC v3 Dataset. 2019.",
      "why_it_matters": "The most complete simulated enterprise log corpus available publicly — Sysmon + Suricata + web proxy + Okta-like auth, all from the same scenario. Used in SANS courses, SOC analyst training programs, and Splunk's own Boss-of-the-SOC competition.",
      "use_it_for": "End-to-end SOC analyst exercises that mirror real enterprise environments, correlation-rule development, dissertation work on multi-source detection, and teaching incident response with realistic telemetry."
    }
  ]
}
