Admin manually adds IPs/domains

Manual (iptables, ufw, nftables)

Error-prone, outdated lists

Low (few IPs manageable)

High – every change must be made by admin

Rarely consistent

Small office/home networks

General practice (traditional network admin)

Local logs (SSH, Apache, etc.)

Regex-based log monitoring; blocks via firewall rules

Detects brute-force attempts; limited to known patterns

Moderate (limited to log-monitored services)

Low once configured

Yes (log-based)

Protects servers from brute-force attacks

Community-driven threat intelligence (IP reputation sharing)

Real-time collaborative banning, agent-based

Crowd-sourced intelligence improves accuracy

High (scales across distributed systems)

Low (after deployment)

Centralized dashboards & logs

Enterprise, cloud, distributed environments

[CrowdSec Research, 2021]

Public blocklists (FireHOL, Spamhaus, etc.)

Static/dynamic firewall blocklists

Depends on quality of feed, false positives possible

High (handles large lists)

Low (cron automation possible)

Limited logging

Large-scale enterprises, ISPs

Vendor-provided curated feeds

Automated API integration with firewalls/SIEMs

High accuracy, low false positives (vendor tuned)

Very High (enterprise-grade)

Minimal

Extensive dashboards, compliance-ready

Government, finance, SOCs

[Gartner TIP Market Guide, 2023]

Open-source threat intelligence feeds (AbuseIPDB, AlienVault OTX, FireHOL, Spamhaus)

Automated firewall rule updates (cron/daemon, iptables, ufw, nftables)

Valid IP filtering, duplicate removal, risk-level filtering

High (thousands of IPs/domains handled automatically)

Zero-touch (fully automated)

Timestamped logs, auditable

Defence, military, enterprises, SOCs, critical infrastructure (SCADA, energy, finance)

Proposed in current work