Most people will never know they were protected.
That’s the point. The Global Defender Exchange is a mission-driven, trusted community where global defenders coordinate threat intelligence sharing for global defense. A hospital that stays online. A school district that keeps teaching. A family that keeps its savings. Quiet, continuous global protection across 143+ countries.
This is what trusted, community-driven global defense looks like, in operation, every day.
No defender wins alone.
Cybercrime moves across borders in minutes. The only way to stay ahead of a coordinated adversary is to be more coordinated than they are.
Threat actors share infrastructure. They reuse code. They trade tactics in private channels and refine them faster than any single defender can keep up with. A team working in isolation is always one step behind.
The Global Defender Exchange exists to flip that math. When defenders share signal, every observation becomes everyone’s awareness. A pattern flagged in Singapore at 2am protects a hospital in Berlin by morning. An indicator surfaced by a researcher in Brazil blocks a phishing wave before it reaches a school district in Ohio. Community-driven by design, operationally credible because it has to be.
Most of this work is invisible. The compromise that didn’t happen leaves no headline. The win looks like nothing happening at all. That’s the work. That’s the exchange.
When ransomware targets a critical care system, the exchange catches the early signal so patients keep getting treated.
When a phishing wavehits a district, defenders inside the exchange see it comin and shut the doors before students lose a day.
When a fraud operations pins up, the exchange traces infrastructure across continents so law enforcement can stop it before the next family is targeted.
HOW IT OPERATES
The Global Defender Exchange (GDX) operates as a community-driven system. Every defender both contributes to and benefits from collective threat intelligence sharing. The exchange is bi-directional, not one-way distribution. That’s how global defense scales.
Defenders flag what they see.
Something doesn’t look right. A defender notices, and their observation becomes the exchange’s awareness. Multiplied across 143+countries, that’s how patterns surface beforethey become breaches.
The exchange notices first.
When ransomware targets a hospital, a phishing wave hits a school district, a botnet probes a power grid, defenders inside the exchange seethe early signal and act on it together. Calibrated to their environment. Operationalized inside the tools they already use.
Threats stop before they land.
Every attack the exchange catches is one fewer person who has to learn what “compromised”feels like. Most people will never know they were protected. That’s the point. That’s the work. That’s the exchange.
Continuous threat exchange, made visible.
The Threat Matrix is a real-time read of the global defense exchange. As global defenders contribute signal across the system, correlated threat intensity is published back to every defender connected to it. Analyst-grade. High-confidence. Signal over noise.
1.2
M
Threats/Day
847
Active IOCs
99.7
%
Confidence
The Global Defender Exchange runs because thousands of vetted defenders show up every day to do work that protects everyone else. Not visible. Not trying to be. But always there.
Watching the signals.
When patterns shift inside the noise, they’re the first to know. Calibrating, correlating, deciding what matters. Often at 3am. Often before anyone else has noticed anything is wrong.
Tracing across continents.
Mapping the adversary’s moves. Following infrastructure from one shell company to the next, one hop to the next, until the picture is clear enough to give law enforcement atarget.
Coordinating when minutes matter.
Running response across timezones, languages, borders. Holding the line while infrastructure is contained, evidence is preserved, and the people they protect keep doing their work uninterrupted.
Building defense at scale.
Writing the quiet code that runs in the background. Tools and pipelines that turn raw signal into protection for millions of people who’ll never see a single line of it.
These are the people inside the exchange. The ones who make global defense something that actually happens, not just something that gets talked about.
Join Their Ranks →Threat Intelligence Tools
These aren’t products in a catalog. They’re the operational threat intelligence tools defenders inside the exchange use to make global defense real for ISPs, CSIRTs, hosting providers, and the people who depend on them.
Every tool here exists because a defender needed it, built it, and contributed it back to the community. That’s how the work gets done.
Bogon, UTRS, Nimbus, MHR. Production-grade, community-driven threat intelligence tools, open to the global defender community. Same infrastructure powering 180+ CSIRT teams across 143+ countries. The point is to make the exchange operationally usable for any defender, at any scale.
Bogon Networks
Continuously updated bogon reference defenders use to filter invalid IP space from network traffic. Used by ISPs, enterprises, and CSIRT teams worldwide as a baseline hygiene control.
UTRS 2.0
The Unwanted Traffic Removal Service connects 900+ cooperating networks for coordinated, defender-driven DDoS mitigation. Bi-directional by design, operationally simple.
Nimbus
Near-real-time threat detection for ISPs and hosting providers. Correlates your network flows with 7M+ IP reputation indicators continuously updated by the exchange.
MHR API
The Malware Hash Registry validates samples against 30+ AV databases plus the exchange’s own analysis engine. Integrated directly into defender tooling via REST API.
Built on the same Pure Signal™ infrastructure that powers Team Cymru’s commercial products. Operating inside the Global Defender Exchange for the global defender community.
Traffic Light Protocol RED is the highest tier of trust in the defender community. Information shared at TLP:RED stays inside the room it was shared in. No further distribution. No exceptions. Twenty years operating at this designation means we’ve built the discretion required to be trusted with what nobody else gets to see.
Intelligence shared at TLP:RED never leaves the room.
Never repackaged into commercial products. Never publicly attributed without explicit clearance. Never surfaced in marketing material or case studies. The designation is the contract, and the contract is non-negotiable.
TLP:RED operations don’t become press releases.
We don’t ride the publicity of operations that didn’t end in public action. We don’t talk about cases that closed quietly. The work is the work, and most of it stays where it happened. By design.
National CSIRTs share with us what they can’t share publicly.
Investigators bring us active cases before charges drop. Disclosure laws prevent the same intelligence from reaching commercial vendors. That access is earned by twenty years of holding the line on what TLP:RED actually requires.
If your work depends on knowing your intelligence won’t surface in someone else’s marketing deck, you’re in the right exchange. The Global Defender Exchange operates at TLP:RED because the work that matters most can’t happen anywhere else.
WHEN RESPONSE IS THE ONLY THING THAT MATTERS
National response teams. Critical infrastructure defenders. Sector-specific CSIRTs. CAP is how vetted response teams enter the Global Defender Exchange at full participation, with premium intelligence access, dedicated researcher support, and a direct line into 180+ teams across 143+ countries when the situation calls for it.
A national CSIRT has twelve hours to contain a ransomware operation before public services start to fail.
A critical infrastructure team needs to know which IPs to block right now, not inthe next intelligence drop.
An investigator needs attribution before a window with international lawenforcement closes.
01
Full access to enterprise-grade threat feeds and original Team Cymru research, calibrated for incident response work.
02
Direct line to threat researchers for complex investigations and case-specific guidance from the exchange.
03
When a major incident hits, the exchange mobilizes. Direct research erengagement, coordinated investigation, no commercial overhead.
04
Connect with fellow defenders worldwide for coordinated investigation, shared signal, and trusted exchange of intelligence.
180
+
CSIRT TEAMS IN EXCHANGE
143
+
Countries Connected
The Standing Commitment
We can’t make broad promises about what we’ll do for free, and we won’t pretend otherwise. But we can tell you what’s been true for twenty years: when threats put real people at risk, Team Cymru shows up. We share what we have. We coordinate where we can. We stand alongside the defenders carrying the weight, regardless of whether there’s a contract attached.

When ransomware hits hospitals or pediatric care systems, we coordinate with the response teams handling them. Signal moves fast. Decisions get made in the same hour. The patients on the otherside of the network never need to know the .

Journalists. Human rights workers. The sources who trust them. Surveillance and disruption attempts against this work get our attention because the stakes aren’t theoretical. The exchange helps trace, attribute, and disrupt operations targeting people who don’t have institutional protection.

When small CSIRTs in under-resourced regions facenation-state-grade threats, we don’t tell them to come back when they have a budget. We do what we can. Quietly, and now. The exchange exists for exactly these moments.
This isn’t charity. It’s purpose. The Global Defender Exchange exists because someone has to be the layer that doesn’t ask for paperwork before sharing what
matters. We’ve decided to be one of those someones.
Real-World Impact
Every metric below is a real-world consequence avoided. A scam not completed. A network not breached. A family that kept what was theirs. This is global defense, measured in the harm that didn’t happen.
Cumulative Exchange Output
What collective defense looks like.
Every figure here is the result of intelligence exchanged across the Global Defender Exchange and translated into coordinated action with global law enforcement.
25K
+
Adversary Servers Down
900
+
Arrests Supported
$50
M+
Stolen From Victims, Returned
95
+
Nations in Coordination
Aisuru, KimWolf, JackSkid, and Mossad, the largest IoT DDoS botnets on record, dismantled across the U.S., Canada, Germany, and the Netherlands. Attacks peaked near 30 terabits per second and targeted the U.S. Department of Defense network.
Three million hijacked cameras, routers, and DVRs, rented out to attack anyone for a fee. The exchange helped map the infrastructure. The C2 went dark. The attacks stopped.
3M+
+
devices freed
4
+
botnets down
30
+
TBPS peak attack
The first cyber operation of its scale coordinated by INTERPOL in the MENA region. Phishing-as-a-service platforms, malware infrastructure, and investment scams disrupted across 13 countries, with 3,867 victims identified.
One raid uncovered 15 scam workers who turned out to be trafficking victims themselves, coerced into the scheme. Taking down this infrastructure freed people on both ends of it.
201
+
Arrested
53
+
servers seized
13
+
countries
Investment scams, mobile money fraud, and fake loan apps dismantled across Africa. Network telemetry exposed infrastructure tied to over $45M in fraud losses.
The people running these scams targeted families with empty bank accounts andworse promises. The exchange helped trace them. 651 arrests. The money cameback.
651
+
Arrested
1,442
+
IPS Down
$4.3M
+
Recovered
Rhadamanthys infostealer, VenomRAT, and Elysium botnet dismantled incoordinated action across 11 European locations. VenomRAT’s main operator arrested in Greece.
Stealer malware quietly drains people. Bank logins. Crypto wallets. Personal data sold downstream. 1,025 servers offline means 1,025 fewer pipes for that to flow through.
1,025
+
Servers Down
20
+
Domains Seized
11
+
Locations
Exchange defenders mapped DanaBot’s multi-tier C2 architecture across 40+countries. The botnet had been weaponized in DDoS attacks against Ukraine’s Ministry of Defence.
A botnet weaponized against a nation at war is a botnet that endangers civilians. The exchange mapped it. Charges followed. The infrastructure came down.
16
+
Charged
150
+
C2 Servers
40+
+
Countries
The largest coordinated takedown of cybercrime servers ever recorded. Phishing infrastructure, information stealers, and ransomware operations dismantled across nearly half the world’s nations.
Every server taken down is a campaign that doesn’t reach an inbox. Aransomware operation that doesn’t hit a hospital. A phishing page that doesn’ttake a paycheck.
22K+
+
Servers
41
+
Arrested
95
+
Nations
From Inside the Exchange
Threat research, investigation walkthroughs, and technical analysis from the defenders doing the work.
Authored by the threat researchers and analysts inside the exchange. The work, documented.
Authored by the threat researchers and analysts inside the exchange. The work, documented.
Where operations break first. Every takedown, on the public record. Updated as news breaks.
Where Defenders Trade What Actually matters
RISE and Underground Economy. Where global defenders connect face-to-face, exchange intelligence, and coordinate response. No vendors. No pitches. Chatham House Rule.
19
+
Years of UE
700+
+
Vetted Defenders Annually
40+
+
Rise Cities Worldwide
120+
+
Law Enforcement Agencies
Regional gatherings of the Global Defender Exchange. Twelve cities. One trusted room each. Where the exchange operates face-to-face.
Regional gatherings · Single-day intensive
12+ globally · Sydney, Frankfurt, Chicago, NYC, more
CISOs, threat intel leads, critical infrastructure defenders, law enforcement
Chatham House Rule · No vendors · No pitches
Free to invited defenders
The world’s most trusted defender exchange. 19 years of lawenforcement, threat intel, and analyst defenders workingoperational threats inside the community.
7–10 September 2026 · 4 days
Council of Europe · Strasbourg, France
Council of Europe
1,500+ vetted defenders annually · law enforcement ·policy makers
Closed-door · Practitioner-led · Cryptocurrency tracing
Free to vetted applicants
Four cities. Open registration. More coming throughout 2026.
Between Events
Curated cyber threat intelligence, two ways. A weekly podcast breaking down critical vulnerabilities and active attack campaigns, plus a free daily email digest of threat news, research, and incidents.
Podcast hosted by Team Cymru’s Eli Woodward & Will Baxter. Newsletter curated by Team Cymru's research experts.
Authored by the threat researchers and analysts inside the exchange. The work, documented.
Exchange Origins
Since 2005, the Global Defender Exchange has been operated by people who do the work. The same practitioners the exchange exists to support.
“The signal moves freely between defenders. That has always been the point.”
In 2005, defenders needed a way to share signal without commercial intermediaries getting in the way. So they built one.
Twenty years later, the Global Defender Exchange is the largest community-driven threat intelligence sharing system in cybersecurity. 180+ CSIRT teams. 143+ countries. 440 million flows across 50 data types every day. Operated by the same kind of practitioners who started it, joined by hundreds more who came in to do the same work.
The exchange grew because defenders trusted defenders. The model held because we never compromised on the principle that runs through everything we ship: the signal moves freely between defenders, and the system gets stronger everytime it does.
The Executive Team
Joe Sander
Chief Executive Officer
Richard Dufty
Chief Commercial Officer
Tiffany Coletti
Chief Marketing Officer
Eric Carlson
Chief Financial Officer
Tim Jones
Chief Technology Officer
The Global Defender Exchange is open to vetted practitioners. Contribute signal. Access intelligence. Strengthen global defense for everyone connected to it. Most people will never know they were protected. That’s the point. That’s why this exists.
Contribute Signal
·
Access Intelligence
·
Strengthen Defense