GLOBAL DEFENDER EXCHANGE · A TEAM CYMRU INITIATIVE

Most people will never know they were protected.

That’s the point. The Global Defender Exchange is a mission-driven, trusted community where global defenders coordinate threat intelligence sharing for global defense. A hospital that stays online. A school district that keeps teaching. A family that keeps its savings. Quiet, continuous global protection across 143+ countries.

This is what trusted, community-driven global defense looks like, in operation, every day.
Become a partner today

By the Numbers

180

+

CSIRT Teams in Exchange

143

+

Countries Connected

440

M

Telemetry points
Across 50 Data Types

40

+

Mapped Ransomware C2 Infrastructure

Why the Exchange Exists

No defender wins alone.

Cybercrime moves across borders in minutes. The only way to stay ahead of a coordinated adversary is to be more coordinated than they are.

Threat actors share infrastructure. They reuse code. They trade tactics in private channels and refine them faster than any single defender can keep up with. A team working in isolation is always one step behind.

The Global Defender Exchange exists to flip that math. When defenders share signal, every observation becomes everyone’s awareness. A pattern flagged in Singapore at 2am protects a hospital in Berlin by morning. An indicator surfaced by a researcher in Brazil blocks a phishing wave before it reaches a school district in Ohio. Community-driven by design, operationally credible because it has to be.

Most of this work is invisible. The compromise that didn’t happen leaves no headline. The win looks like nothing happening at all. That’s the work. That’s the exchange.

Protected

Hospitals stay online.

When ransomware targets a critical care system, the exchange catches the early signal so patients keep getting treated.

Protected

Schools keep teaching.

When a phishing wavehits a district, defenders inside the exchange see it comin and shut the doors before students lose a day.

Protected

Families keep their savings.

When a fraud operations pins up, the exchange traces infrastructure across continents so law enforcement can stop it before the next family is targeted.

HOW IT OPERATES

Three Actions.
Continuously running.
All the Time.

The Global Defender Exchange (GDX) operates as a community-driven system. Every defender both contributes to and benefits from collective threat intelligence sharing. The exchange is bi-directional, not one-way distribution. That’s how global defense scales.

01 / Contribute

Defenders flag what they see.

Something doesn’t look right. A defender notices, and their observation becomes the exchange’s awareness. Multiplied across 143+countries, that’s how patterns surface beforethey become breaches.

02 / Share & Access

The exchange notices first.

When ransomware targets a hospital, a phishing wave hits a school district, a botnet probes a power grid, defenders inside the exchange seethe early signal and act on it together. Calibrated to their environment. Operationalized inside the tools they already use.

03 / Strengthen

Threats stop before they land.

Every attack the exchange catches is one fewer person who has to learn what “compromised”feels like. Most people will never know they were protected. That’s the point. That’s the work. That’s the exchange.

Source GDX Telemetry | Cadence Continuous

The Exchange in Operation

Continuous threat exchange, made visible.

The Threat Matrix is a real-time read of the global defense exchange. As global defenders contribute signal across the system, correlated threat intensity is published back to every defender connected to it. Analyst-grade. High-confidence. Signal over noise.

1.2

M

Threats/Day

847

Active IOCs

99.7

%

Confidence

Who Runs the Exchange

Real people. Doing the quiet work.

The Global Defender Exchange runs because thousands of vetted defenders show up every day to do work that protects everyone else. Not visible. Not trying to be. But always there.

• Vetted

The Analyst

Watching the signals.

When patterns shift inside the noise, they’re the first to know. Calibrating, correlating, deciding what matters. Often at 3am. Often before anyone else has noticed anything is wrong.

  • Caught a malicious certificate before it could be deployed against a critical infrastructure provider.
• Vetted

The Investigator

Tracing across continents.

Mapping the adversary’s moves. Following infrastructure from one shell company to the next, one hop to the next, until the picture is clear enough to give law enforcement atarget.

  • Mapped the global command-and-control architecture of a ransomware operation across global internet infrastructure, contributing to coordinated indictments.
• Vetted

The CSIRT Lead

Coordinating when minutes matter.

Running response across timezones, languages, borders. Holding the line while infrastructure is contained, evidence is preserved, and the people they protect keep doing their work uninterrupted.

  • Coordinated containment of a national-level breach in under twelve hours, with zero downtime for citizens.
• Vetted

The Engineer

Building defense at scale.

Writing the quiet code that runs in the background. Tools and pipelines that turn raw signal into protection for millions of people who’ll never see a single line of it.

  • Shipped a detection pipeline that processed 94 million daily events across 50+ data types.

These are the people inside the exchange. The ones who make global defense something that actually happens, not just something that gets talked about.

Join Their Ranks

Threat Intelligence Tools

How the exchange shows up at scale.

These aren’t products in a catalog. They’re the operational threat intelligence tools defenders inside the exchange use to make global defense real for ISPs, CSIRTs, hosting providers, and the people who depend on them.

Every tool here exists because a defender needed it, built it, and contributed it back to the community. That’s how the work gets done.

Bogon, UTRS, Nimbus, MHR. Production-grade, community-driven threat intelligence tools, open to the global defender community. Same infrastructure powering 180+ CSIRT teams across 143+ countries. The point is to make the exchange operationally usable for any defender, at any scale.

OPEN ACCESS · PRODUCTION GRADE · IN OPERATION
Network Filter

Inside the Exchange

Bogon Networks

Continuously updated bogon reference defenders use to filter invalid IP space from network traffic. Used by ISPs, enterprises, and CSIRT teams worldwide as a baseline hygiene control.

  • Real-time updates as IP space is allocated
  • DNS, BGP, and routing registry options
  • Used by thousands of networks globally
Access Bogon Lists
DDOS Mitigation

Inside the Exchange

UTRS 2.0

The Unwanted Traffic Removal Service connects 900+ cooperating networks for coordinated, defender-driven DDoS mitigation. Bi-directional by design, operationally simple.

  • 900+ cooperating networks globally
  • FlowSpec, IPv6, carpet bombing defense
  • Coordinated defender response
Activate UTRS
Threat Monitor

Inside the Exchange

Nimbus

Near-real-time threat detection for ISPs and hosting providers. Correlates your network flows with 7M+ IP reputation indicators continuously updated by the exchange.

  • NetFlow v5/v7/v9, IPFIX, sFlow, jFlow
  • 10 preset Kibana dashboards
  • Continuous monitoring and alerting
Start Monitoring
Network Filter

Inside the Exchange

MHR API

The Malware Hash Registry validates samples against 30+ AV databases plus the exchange’s own analysis engine. Integrated directly into defender tooling via REST API.

  • 30+ AV databases cross-referenced
  • Web portal and REST API access
  • Used by researchers, hunters, IR teams
Get API Access

Built on the same Pure Signal™ infrastructure that powers Team Cymru’s commercial products. Operating inside the Global Defender Exchange for the global defender community.

TLP:RED · OPERATING DESIGNATION

Trust by designation.

Traffic Light Protocol RED is the highest tier of trust in the defender community. Information shared at TLP:RED stays inside the room it was shared in. No further distribution. No exceptions. Twenty years operating at this designation means we’ve built the discretion required to be trusted with what nobody else gets to see.

01 / Stays in the Room

Intelligence shared at TLP:RED never leaves the room.

Never repackaged into commercial products. Never publicly attributed without explicit clearance. Never surfaced in marketing material or case studies. The designation is the contract, and the contract is non-negotiable.

02 / Operational, Not Promotional

TLP:RED operations don’t become press releases.

We don’t ride the publicity of operations that didn’t end in public action. We don’t talk about cases that closed quietly. The work is the work, and most of it stays where it happened. By design.

03 / Discretion As Practice

National CSIRTs share with us what they can’t share publicly.

Investigators bring us active cases before charges drop. Disclosure laws prevent the same intelligence from reaching commercial vendors. That access is earned by twenty years of holding the line on what TLP:RED actually requires.

If your work depends on knowing your intelligence won’t surface in someone else’s marketing deck, you’re in the right exchange. The Global Defender Exchange operates at TLP:RED because the work that matters most can’t happen anywhere else.
CSIRT ASSISTANCE PROGRAM (CAP)

WHEN RESPONSE IS THE ONLY THING THAT MATTERS

When minutes decide outcomes.

National response teams. Critical infrastructure defenders. Sector-specific CSIRTs. CAP is how vetted response teams enter the Global Defender Exchange at full participation, with premium intelligence access, dedicated researcher support, and a direct line into 180+ teams across 143+ countries when the situation calls for it.

A national CSIRT has twelve hours to contain a ransomware operation before public services start to fail.

A critical infrastructure team needs to know which IPs to block right now, not inthe next intelligence drop.

An investigator needs attribution before a window with international lawenforcement closes.

01

Premium Intelligence Access

Full access to enterprise-grade threat feeds and original Team Cymru research, calibrated for incident response work.

02

Dedicated Analyst Support

Direct line to threat researchers for complex investigations and case-specific guidance from the exchange.

03

Operational Response

When a major incident hits, the exchange mobilizes. Direct research erengagement, coordinated investigation, no commercial overhead.

04

Trusted Defender Community

Connect with fellow defenders worldwide for coordinated investigation, shared signal, and trusted exchange of intelligence.

180

+

CSIRT TEAMS IN EXCHANGE

143

+

Countries Connected

Apply to Participate

The Standing Commitment

When lives are on the line, the math changes.

We can’t make broad promises about what we’ll do for free, and we won’t pretend otherwise. But we can tell you what’s been true for twenty years: when threats put real people at risk, Team Cymru shows up. We share what we have. We coordinate where we can. We stand alongside the defenders carrying the weight, regardless of whether there’s a contract attached.

Active Threats · Critical Care

When ransomware targets a hospital.

When ransomware hits hospitals or pediatric care systems, we coordinate with the response teams handling them. Signal moves fast. Decisions get made in the same hour. The patients on the otherside of the network never need to know the .

THREATS TO THE PEOPLE WHO HOLD POWER ACCOUNTABLE

When journalists and human rights workers are targeted.

Journalists. Human rights workers. The sources who trust them. Surveillance and disruption attempts against this work get our attention because the stakes aren’t theoretical. The exchange helps trace, attribute, and disrupt operations targeting people who don’t have institutional protection.

CRISES WITHOUT COORDINATION

When small CSIRTs face nation-state threats.

When small CSIRTs in under-resourced regions facenation-state-grade threats, we don’t tell them to come back when they have a budget. We do what we can. Quietly, and now. The exchange exists for exactly these moments.

This isn’t charity. It’s purpose. The Global Defender Exchange exists because someone has to be the layer that doesn’t ask for paperwork before sharing what
matters.
We’ve decided to be one of those someones.

Real-World Impact

Numbers behind quiet outcomes.

Every metric below is a real-world consequence avoided. A scam not completed. A network not breached. A family that kept what was theirs. This is global defense, measured in the harm that didn’t happen.

Cumulative Exchange Output

What collective defense looks like.

Every figure here is the result of intelligence exchanged across the Global Defender Exchange and translated into coordinated action with global law enforcement.

25K

+

Adversary Servers Down

900

+

Arrests Supported

$50

M+

Stolen From Victims, Returned

95

+

Nations in Coordination

• Latest
MAR 2026
U.S. DOJ · Europol PowerOFF · 4 Nations

IoT DDoS Botnet Disruption

Aisuru, KimWolf, JackSkid, and Mossad, the largest IoT DDoS botnets on record, dismantled across the U.S., Canada, Germany, and the Netherlands. Attacks peaked near 30 terabits per second and targeted the U.S. Department of Defense network.

Three million hijacked cameras, routers, and DVRs, rented out to attack anyone for a fee. The exchange helped map the infrastructure. The C2 went dark. The attacks stopped.

3M+

+

devices freed

4

+

botnets down

30

+

TBPS peak attack

interpol
OCT 2025 - FEB 2026
INTERPOL · 13 Countries

Operation Ramz

The first cyber operation of its scale coordinated by INTERPOL in the MENA region. Phishing-as-a-service platforms, malware infrastructure, and investment scams disrupted across 13 countries, with 3,867 victims identified.

One raid uncovered 15 scam workers who turned out to be trafficking victims themselves, coerced into the scheme. Taking down this infrastructure freed people on both ends of it.

201

+

Arrested

53

+

servers seized

13

+

countries

interpol
DEC 2025 – JAN 2026
INTERPOL · 16 NATIONS

Operation Red Card 2.0

Investment scams, mobile money fraud, and fake loan apps dismantled across Africa. Network telemetry exposed infrastructure tied to over $45M in fraud losses.

The people running these scams targeted families with empty bank accounts andworse promises. The exchange helped trace them. 651 arrests. The money cameback.

651

+

Arrested

1,442

+

IPS Down

$4.3M

+

Recovered

Europol
Nov 2025
EUROPOL · EUROJUST · 30+ PARTNERS

Operation Endgame III

Rhadamanthys infostealer, VenomRAT, and Elysium botnet dismantled incoordinated action across 11 European locations. VenomRAT’s main operator arrested in Greece.

Stealer malware quietly drains people. Bank logins. Crypto wallets. Personal data sold downstream. 1,025 servers offline means 1,025 fewer pipes for that to flow through.

1,025

+

Servers Down

20

+

Domains Seized

11

+

Locations

DOJ · FBI
MAY 2025
U.S. DOJ · FBI · EUROPOL

DanaBot Disruption

Exchange defenders mapped DanaBot’s multi-tier C2 architecture across 40+countries. The botnet had been weaponized in DDoS attacks against Ukraine’s Ministry of Defence.

A botnet weaponized against a nation at war is a botnet that endangers civilians. The exchange mapped it. Charges followed. The infrastructure came down.

16

+

Charged

150

+

C2 Servers

40+

+

Countries

Interpol
APR – AUG 2024
INTERPOL · 95 COUNTRIES

Operation Synergia II

The largest coordinated takedown of cybercrime servers ever recorded. Phishing infrastructure, information stealers, and ransomware operations dismantled across nearly half the world’s nations.

Every server taken down is a campaign that doesn’t reach an inbox. Aransomware operation that doesn’t hit a hospital. A phishing page that doesn’ttake a paycheck.

22K+

+

Servers

41

+

Arrested

95

+

Nations

Team Cymru Blog

June 29, 2026
Cybercrime Doesn't Reinvent Itself. It Optimizes.
4
May 27, 2026
The Unclosed Gap: Why the 2026 DBIR Proves the Decisive Battle Happens Before the First Internal Alert
3
April 29, 2026
Targeting the Defense Industrial Base: What Network Telemetry Reveals About Nation-State Pre-Positioning
5
Updated Weekly

From Inside the Exchange

Team Cymru Blog

Threat research, investigation walkthroughs, and technical analysis from the defenders doing the work.

Authored by the threat researchers and analysts inside the exchange. The work, documented.

Authored by the threat researchers and analysts inside the exchange. The work, documented.

• Live

From the Newsroom

Where operations break first. Every takedown, on the public record. Updated as news breaks.

Enter the Newsroom

Where Defenders Trade What Actually matters

Trusted rooms. Real conversations.

RISE and Underground Economy. Where global defenders connect face-to-face, exchange intelligence, and coordinate response. No vendors. No pitches. Chatham House Rule.

19

+

Years of UE

700+

+

Vetted Defenders Annually

40+

+

Rise Cities Worldwide

120+

+

Law Enforcement Agencies

REGIONAL SERIES · 2026

Regional Internet Security Events

Rise 2026

Regional gatherings of the Global Defender Exchange. Twelve cities. One trusted room each. Where the exchange operates face-to-face.

Format

Regional gatherings · Single-day intensive

Cities

12+ globally · Sydney, Frankfurt, Chicago, NYC, more

Defenders

CISOs, threat intel leads, critical infrastructure defenders, law enforcement

Rule

Chatham House Rule · No vendors · No pitches

Cost

Free to invited defenders

Invite-Only
• TLP:Red

19TH ANNUAL GLOBAL CONFERENCE

Underground Economy 2026

The world’s most trusted defender exchange. 19 years of lawenforcement, threat intel, and analyst defenders workingoperational threats inside the community.

Dates

7–10 September 2026 · 4 days

Venue

Council of Europe · Strasbourg, France

Co-Host

Council of Europe

Defenders

1,500+ vetted defenders annually · law enforcement ·policy makers

Format

Closed-door · Practitioner-led · Cryptocurrency tracing

Cost

Free to vetted applicants

Upcoming RISE Gatherings

Four cities. Open registration. More coming throughout 2026.

Registration Open

01

Nigeria

Abuja, Nigeria

9 - 10 December 2026

02

Coming Soon

03

Coming Soon

04

Coming Soon

Dragon News Bytes

New Episode Every Monday

Between Events

Dragon News Bytes

Curated cyber threat intelligence, two ways. A weekly podcast breaking down critical vulnerabilities and active attack campaigns, plus a free daily email digest of threat news, research, and incidents.

Podcast hosted by Team Cymru’s Eli Woodward & Will Baxter. Newsletter curated by Team Cymru's research experts.

Authored by the threat researchers and analysts inside the exchange. The work, documented.

Exchange Origins

Built by defenders.
Run by defenders.

Since 2005, the Global Defender Exchange has been operated by people who do the work. The same practitioners the exchange exists to support.

Operating Since 2005
“The signal moves freely between defenders. That has always been the point.”

One exchange. Twenty years.

In 2005, defenders needed a way to share signal without commercial intermediaries getting in the way. So they built one.

Twenty years later, the Global Defender Exchange is the largest community-driven threat intelligence sharing system in cybersecurity. 180+ CSIRT teams. 143+ countries. 440 million flows across 50 data types every day. Operated by the same kind of practitioners who started it, joined by hundreds more who came in to do the same work.

The exchange grew because defenders trusted defenders. The model held because we never compromised on the principle that runs through everything we ship: the signal moves freely between defenders, and the system gets stronger everytime it does.

The Executive Team

The defenders running the exchange.

JS

Joe Sander

Chief Executive Officer

RD

Richard Dufty

Chief Commercial Officer

TC

Tiffany Coletti

Chief Marketing Officer

EC

Eric Carlson

Chief Financial Officer

TJ

Tim Jones

Chief Technology Officer

20

+

Years Operating

500

+

Defenderes on Team

10K

+

Exchange Partners

100

M+

Threats Identified

Join the Exchange

Help protect the people who'll never know your name.

The Global Defender Exchange is open to vetted practitioners. Contribute signal. Access intelligence. Strengthen global defense for everyone connected to it. Most people will never know they were protected. That’s the point. That’s why this exists.

Contribute Signal

·

Access Intelligence

·

Strengthen Defense