Threat Intelligence

Monthly Threat Report: Your Own CrowdStrike Intelligence


Companies pay $50,000 to $100,000 per year for threat intelligence reports. A consulting firm collects data, analyzes trends, and delivers a PDF every month. The report is useful. The data is usually two weeks old by the time you read it. And it is based on their clients' data, not yours.

Inner Warden generates this report automatically. From your own data. Every month. It includes everything a CISO needs: executive summary, attacker rankings, campaign detection, MITRE ATT&CK heatmaps, geographic distribution, honeypot intelligence, and mesh network insights. It is publishable at your domain.

The executive summary

The first page of the report gives leadership the numbers that matter. No technical jargon. Just facts:

Mock executive summary, March 2026

March 2026 Threat Report
innerwarden.yourcompany.com

| Metric | Value |
|---|---|
| Total events | 847,291 |
| Incidents created | 1,247 |
| IPs blocked | 892 |
| Unique attackers | 341 |
| Countries | 47 |
| Campaigns detected | 12 |

Summary: SSH brute-force remains the dominant attack vector (68% of incidents). Credential stuffing increased 23% from February. Three coordinated campaigns identified from Eastern Europe, targeting SSH and web application endpoints. One firmware anomaly detected and resolved. Zero successful compromises.

A CISO can read that in 30 seconds and know whether the security posture improved or degraded. That is the point. The rest of the report provides the depth for the team that wants to dig in.

Top 20 attackers ranked by risk score

Each attacker gets a composite risk score based on: number of attempts, diversity of attack types, persistence (how many days they returned), success proximity (how close they got to a valid credential), and whether they appear in external threat feeds (AbuseIPDB, CrowdSec).

Sample attacker ranking

| IP | Country | Score | Techniques |
|---|---|---|---|
| 185.220.101.xx | DE | 94 | T1110, T1078, T1021 |
| 45.148.10.xx | RU | 91 | T1110, T1046, T1190 |
| 103.148.73.xx | VN | 87 | T1110, T1078 |
| 218.92.0.xx | CN | 85 | T1110, T1595, T1046 |
| 141.98.11.xx | NL | 82 | T1110, T1190, T1059 |

The full report includes 20 entries with additional columns: first seen, last seen, total attempts, attack categories, AbuseIPDB confidence score, and whether the IP belongs to a detected campaign. The list is sorted by composite risk score, not just volume. A low-volume attacker who tried valid usernames ranks higher than a bot that tried "admin" 10,000 times.
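The composite scoring described above, as an added illustration (not Inner Warden's own code; the page does not publish its formula). The weights, saturation points and the two attacker records are assumptions constructed for the example. It shows why a low-volume attacker hitting real usernames outranks a high-volume "admin" bot.

```python
import math
from dataclasses import dataclass


@dataclass
class Attacker:
    """One row of the attacker ranking. Sample values below are constructed."""
    ip: str
    attempts: int            # total login attempts this month
    techniques: set          # MITRE ATT&CK technique IDs observed
    days_seen: int           # persistence: distinct days the IP returned
    valid_usernames: int     # success proximity: attempts that used a real username
    in_feeds: int            # external feeds listing the IP (0-2: AbuseIPDB, CrowdSec)


def risk_score(a: Attacker) -> float:
    """Composite 0-100 risk score. Weights are illustrative assumptions, not the product's."""
    volume = min(math.log10(a.attempts + 1) / 5, 1.0)   # log scale: 100k attempts saturates
    diversity = min(len(a.techniques) / 5, 1.0)         # five or more techniques saturates
    persistence = min(a.days_seen / 30, 1.0)            # returning every day of the month saturates
    proximity = min(a.valid_usernames / 10, 1.0)        # ten real-username hits saturates
    feeds = min(a.in_feeds / 2, 1.0)
    # Success proximity carries the largest weight so that "nearly got in" beats raw volume.
    score = (0.15 * volume + 0.20 * diversity + 0.20 * persistence
             + 0.30 * proximity + 0.15 * feeds)
    return round(score * 100, 1)


def rank(attackers):
    """Sort by composite score; volume only breaks ties."""
    return sorted(attackers, key=lambda a: (risk_score(a), a.attempts), reverse=True)


# Constructed records: a noisy single-technique bot versus a quieter, targeted attacker.
NOISY_BOT = Attacker("203.0.113.10", attempts=10_000, techniques={"T1110"},
                     days_seen=2, valid_usernames=0, in_feeds=1)
TARGETED = Attacker("198.51.100.7", attempts=120, techniques={"T1110", "T1078", "T1021"},
                    days_seen=12, valid_usernames=6, in_feeds=0)

if __name__ == "__main__":
    for a in rank([NOISY_BOT, TARGETED]):
        print(f"{a.ip:15} score={risk_score(a):5.1f} attempts={a.attempts}")
```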

Campaign detection: which IPs work together

Individual IP blocking is table stakes. The real intelligence is knowing which IPs are part of the same campaign. Inner Warden's Behavioral DNA module identifies campaigns by clustering attackers who share behavioral fingerprints: same credential lists, same timing patterns, same tool signatures, same target selection.

Detected campaign: Eastern Europe SSH botnet

47 IPs across 8 countries (RU, UA, RO, BG, MD, PL, CZ, DE)

Shared behavior: identical credential list (2,847 username/password pairs), 3-second interval between attempts, same SSH client version string

Activity window: 02:00-06:00 UTC daily, consistent with automated scheduling

Status: all 47 IPs blocked within 4 minutes of first detection via mesh network propagation

This is intelligence you cannot buy from a commercial threat feed. It is specific to your infrastructure. The attackers targeted your servers, used specific credentials against your services, and the campaign structure was detected from your telemetry. That context does not exist in a generic threat report.
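The fingerprint clustering described above, as an added example that is not the Behavioral DNA module's own code. It groups IPs by a fingerprint built from the page's four signals (credential list, timing interval, client version string, target selection); the observation records and the one-second interval bucketing are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict

# Shared credential list used by the constructed botnet members (order-independent).
BOTNET_CREDS = [("root", "123456"), ("admin", "admin"), ("ubuntu", "ubuntu")]

# Constructed per-IP observations: credential pairs tried, median seconds between
# attempts, SSH client banner, and the ports targeted. IPs are documentation ranges.
OBSERVATIONS = [
    {"ip": "198.51.100.11", "cc": "RU", "creds": BOTNET_CREDS, "interval_s": 3.1,
     "client": "SSH-2.0-libssh2_1.9.0", "targets": {"22"}},
    {"ip": "198.51.100.12", "cc": "UA", "creds": list(reversed(BOTNET_CREDS)), "interval_s": 2.8,
     "client": "SSH-2.0-libssh2_1.9.0", "targets": {"22"}},
    {"ip": "198.51.100.13", "cc": "RO", "creds": BOTNET_CREDS, "interval_s": 3.4,
     "client": "SSH-2.0-libssh2_1.9.0", "targets": {"22"}},
    # Same credentials but a different tool and cadence: not the same campaign.
    {"ip": "203.0.113.20", "cc": "CN", "creds": BOTNET_CREDS, "interval_s": 0.2,
     "client": "SSH-2.0-Go", "targets": {"22", "2222"}},
    # Lone spray bot with a one-entry list.
    {"ip": "203.0.113.21", "cc": "NL", "creds": [("admin", "admin")], "interval_s": 0.1,
     "client": "SSH-2.0-paramiko_3.4.0", "targets": {"22"}},
]


def fingerprint(obs):
    """Behavioral fingerprint: sorted credential-list hash, timing bucket, client, targets."""
    cred_blob = "\n".join(sorted(f"{u}:{p}" for u, p in obs["creds"])).encode()
    cred_hash = hashlib.sha256(cred_blob).hexdigest()[:12]
    interval_bucket = round(obs["interval_s"])   # 1 s buckets absorb scheduler jitter (assumption)
    return (cred_hash, interval_bucket, obs["client"], frozenset(obs["targets"]))


def cluster_campaigns(observations, min_ips=2):
    """Group IPs sharing a fingerprint; clusters below min_ips are individual attackers."""
    groups = defaultdict(list)
    for obs in observations:
        groups[fingerprint(obs)].append(obs)
    campaigns = []
    for fp, members in groups.items():
        if len(members) >= min_ips:
            campaigns.append({
                "fingerprint": fp,
                "ips": sorted(m["ip"] for m in members),
                "countries": sorted({m["cc"] for m in members}),
                "credential_count": len(members[0]["creds"]),
                "interval_s": fp[1],
            })
    return campaigns
```

Feeding the report's 47-IP campaign through this would yield one cluster whose "ips" and "countries" fields populate the campaign section directly.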

MITRE ATT&CK heatmap

Every incident is mapped to MITRE ATT&CK techniques. The monthly report aggregates these into a heatmap showing which techniques were used against your infrastructure this month, compared to last month:

| Technique | Incidents | Change vs. Feb |
|---|---|---|
| T1110 - Brute Force | 847 | +12% |
| T1078 - Valid Accounts | 203 | +23% |
| T1046 - Network Service Scan | 156 | -8% |
| T1190 - Exploit Public App | 89 | +45% |
| T1595 - Active Scanning | 67 | New this month |
| T1059 - Command Execution | 34 | -15% |
| T1021 - Remote Services | 28 | +5% |

A 45% increase in T1190 (Exploit Public-Facing Application) tells the security team to review exposed services. A new technique appearing (T1595) suggests reconnaissance activity that was not present before. These trends drive prioritization.

Geographic distribution

GeoIP enrichment maps every attacker IP to a country. The monthly report shows the top source countries with trend data. This is not about blaming countries. It is about identifying shifts. If attacks from a new region spike suddenly, it often correlates with a new botnet or a newly compromised hosting provider in that region.

The geographic section also includes ASN (Autonomous System Number) data. Knowing that 40% of attacks come from three hosting providers is more actionable than knowing they come from a country. You can block an ASN. You cannot block a country.

Honeypot intelligence

The honeypot section reveals what attackers actually do when they think they have access. This is the most valuable section of the report because it shows attacker intent, not just attacker presence.

Top credentials attempted

| Credential | Attempts |
|---|---|
| root:123456 | 2,847 |
| admin:admin | 1,923 |
| ubuntu:ubuntu | 1,456 |
| postgres:postgres | 891 |
| deploy:deploy123 | 634 |

Top commands after "successful" login

| Command | Observation |
|---|---|
| uname -a | First command for 89% of sessions |
| cat /etc/passwd | Credential enumeration |
| wget http://.../miner | Crypto miner deployment |
| crontab -e | Persistence installation |
| /tmp/.x/bot | Botnet agent execution |

Knowing that 89% of attackers run uname -a first tells you they are fingerprinting the system before deciding what payload to deploy. Knowing the top payloads (crypto miners, botnet agents) tells you what the attackers are after. This intelligence shapes your detection rules and your hardening priorities.

Mesh network summary

If you run multiple Inner Warden nodes (or participate in the mesh network), the report includes a collaborative intelligence section: how many block signals you received from peers, how many you contributed, which peers have the highest trust scores, and global attack trends across the mesh.

This turns your monthly report from a single-server view into a network-wide threat landscape. An attacker blocked by a peer in Germany before they reached your server in the US shows up in your report as a preemptive block. You see the attack that never happened.

Weekly trends: W1 through W4

The report breaks down the month into four weekly windows. Each week shows event volume, incident count, and notable changes. This helps identify patterns like "attacks spike on weekends" or "credential stuffing drops during business hours" that monthly aggregates would hide.

| Week | Events | Incidents | Notable |
|---|---|---|---|
| W1 (Mar 1-7) | 198K | 287 | Baseline week |
| W2 (Mar 8-14) | 224K | 334 | New SSH botnet detected |
| W3 (Mar 15-21) | 267K | 412 | Campaign peak, 47 IPs clustered |
| W4 (Mar 22-28) | 158K | 214 | Post-block drop, mesh propagation effective |

W3 saw a 34% spike driven by the Eastern European botnet campaign. W4 dropped 41% after the mesh network propagated blocks across all peers. That is the story of the month in four data points.

$100K reports from your own data

Consulting firms charge $50,000 to $100,000 per year for monthly threat reports. Those reports are based on aggregated data from their client base, anonymized and generalized. They tell you what is happening in the industry. They do not tell you what is happening to you.

Inner Warden's monthly report is generated from your actual telemetry. Your attackers. Your attack patterns. Your honeypot captures. Your mesh network intelligence. It is specific to your infrastructure, delivered automatically, and it costs nothing beyond running the binary.

For security leaders who need to report to the board, for compliance teams that need evidence of monitoring, and for CISOs who want to track threat trends over time, this report is the deliverable that used to require a team and a budget.

What to do next