Threat-intelligence feed

ET Compromised IPs

General BlacklistsLast verified 2026-05-09Page fetched Wed, 20 May 2026 13:42:40 GMT

ET Compromised IPs is a general blacklists threat-intelligence feed tracked by WhisperGraph as a FEED_SOURCE node. The Whisper Internet Directory publishes this page so security analysts and LLM agents can link to it as a stable record for ET Compromised IPs.

What is ET Compromised IPs

ET Compromised IPs is the Emerging Threats compromised-host feed maintained by Proofpoint as part of the public ET Open ruleset. It enumerates IP addresses observed by Proofpoint's sensor network, customer telemetry, and partner exchanges as currently hosting malware, serving exploit kits, or acting as command-and-control endpoints. Entries roll off the list when observations stop arriving. The feed has been a fixture of Suricata and Snort rule-bundle deployments for over a decade and is widely cited in incident-response documentation. It is indexed here as a stable record because Emerging Threats is one of the most-deployed open IDS rule sources globally.

Feed metadata

Display name: ET Compromised IPs
URL slug: et-compromised-ips
Graph identifier: emerging-threats-compromised
Category: General Blacklists
Refresh cadence: every 6 hours
Source: rules.emergingthreats.net

Live graph data

FEED_SOURCE node confirmed. WhisperGraph carries this feed under the same category (General Blacklists) as the editorial entry above. The graph identifier emerging-threats-compromised matches the live f.id property.

Indicators currently listed

Live indicator listings: not yet available. WhisperGraph's LISTED_INedge is virtual and not enumerable from the feed side — there is no query-tractable way today to fetch the IPs and hostnames listed in this feed without first visiting every candidate indicator. Indicator-anchored queries work in the opposite direction (see the Cypher snippet below) and the directory's individual IP and host pages surface their feed memberships individually. Per-feed enumeration (an indicator count and sample of representative indicators) is on the roadmap.

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE)
WHERE f.name = "ET Compromised IPs"
WITH f
MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "ET Compromised IPs"})
OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

Pivot from ET Compromised IPs into adjacent entities.

What is ET Compromised IPs

Indicators currently listed

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE) WHERE f.name = "ET Compromised IPs" WITH f MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "ET Compromised IPs"}) OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

ET Compromised IPs

What is ET Compromised IPs

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages

ET Compromised IPs

What is ET Compromised IPs

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages