Threat Detection.
Stop the spread.
Team Cymru operates Nimbus Threat Monitor for the ISPs and hosting providers carrying the internet’s backbone. Near-real-time detection that cross-references your network flowswith our global IP reputation intelligence and surfaces malicious activity before it spreads. Over 7 million indicators refreshed hourly. Operated for the community, not as a product.

Cyber threat detection through global flow correlation.
Nimbus Threat Monitor is a community-operated cyber threat detection service for ISPs and hosting providers. It cross-references your network flows with Team Cymru’s global IP reputation intelligence and surfaces malicious activity in near-real-time. Over 7 million indicators refreshed hourly, queried against your own traffic, surfaced through a -customizable dashboard your team already knows how to use.
Network Flow Correlation
Nimbus cross-references your NetFlow, IPFIX, sFlow, or jFlow exports with Team Cymru’s global IP reputation data. Threats that are invisible at your network edge become visible when matched against what we see worldwide.
Near-Real-Time Response
Threat indicators refresh hourly. Suspicious traffic surfaces in your dashboard as the activity emerges, not after the breach. Daily Incident Responder Reports help your team prioritize what matters most.
Operator-Driven Filters
18 alert filters and 31 network statistics filters, tunable to your traffic profile. Filter by threat type, address ranges, ASN paths, indicator confidence. You control the signal-to-noise ratio.
Kibana Dashboard
10 preset dashboard views, fully customizable. Built on Kibana, the visualization tool your SOC and NOC analysts already use. Multilingual interfaces in seven languages.
Nimbus Threat Monitor access.

Share your network metadata, receive near-real-time threat detection in return. Nimbus ingests your flow exports, correlates against 7M+ IP reputation indicators refreshed hourly, and surfaces malicious activity through a customizable Kibana dashboard. No appliance to deploy. No license to negotiate. Operated by Team Cymru for ISPs and hosting providers worldwide.
Why Nimbus
Team Cymru built Nimbus for the ISPs and hosting providers carrying the internet’s backbone. The networks that get attacked most aren’t the ones that can afford the most expensive threat detection. So we share what we see with the operators who keep the network running, and they share what their flows reveal with us. Everyone’s defense gets stronger.
“ Our Promise
Every ISP carrying internet traffic is a partner in defense.We share what we see, you share what your flows reveal, and the internet stays cleaner for everyone.”
Nimbus is free for qualifying ISPs and hosting providers. No premium tier. No usage caps. No upsell at the end of the trial. The exchange is your flow metadata for our intelligence, and the internet benefits both directions.
Nimbus is documented and supported in seven languages: Arabic, English, French, Japanese, Portuguese, Russian, and Spanish. Because the internet’s defenders don’t all speak English, and they shouldn’t have to.
Filters, dashboards, alert types, language support. Every capability in Nimbus came from an operator asking for it. ISPs in Latin America asked for Spanish docs. National CSIRTs asked for daily reports. We listen, we build, we ship.
Team Cymru has operated community infrastructure for 25 years. Thousands of networks across six continents already trust Nimbus to surface threats they can’t see alone. We’ll keep running it, refining it, and supporting it for the operators who depend on it.
In Practice
Same Nimbus, different operator. Here’s the workflow when the alert fires, what Nimbus does in the middle, and what the operator walks away with.
ISP NOCs · Service Providers
Customer endpoints quietly beaconing to known C2 infrastructure.
Pressure
Hidden malware traffic
Nimbus ACTION
Match flow to IP rep
Outcome
Compromised host flagged
Hosting Providers
A tenant VM has been compromised and is hosting malware infrastructure.
Pressure
Abuse reports incoming
NIMBUS Action
Surface offending IP
Outcome
Tenant isolated
National CSIRTs
Country-wide infrastructure threats need a single pane of glass.
Pressure
Fragmented telemetry
Nimbus ACTION
Aggregate ISP flows
Outcome
National view, one dash
Incident Responders
Triage queue is buried. Every minute spent triaging is a minute not responding.
Pressure
Alert overload
Nimbus Action
Daily Responder Report
Outcome
Prioritized action items
Every Nimbus capability came from an operator asking for it. Filter types, dashboard views, language support, daily reports. If your stack needs something we don’t currently offer, submit a request. The team that builds Nimbus reads every one.
Used Worldwide
ISPs, hosting providers, national CSIRTs, regional carriers, critical infrastructure operators. Nimbus is in production at the networks carrying the internet’s most consequential traffic, on six continents, supported in seven languages.
TIER-1 ISPS
NATIONAL CSIRTS
CLOUD PROVIDERS
HOSTING NETWORKS
CRITICAL INFRASTRUCTURE
Defense is Layered
Nimbus surfaces threats already in your flows. If your operational priority is filtering bogon routes, mitigating volumetric DDoS, triaging hash-based IOCs, or coordinating with the global CSIRT community, the Operational Marketplace hasthe right tool for the mission.
Bogon Networks
Reference data for unrouted, reserved, and unallocated IPv4 and IPv6 prefixes. Six access formats for filtering at the routing layer.
DDoS Mitigation UTRS
Real-time BGP-based DDoS mitigation, coordinated across 1,300+network operators worldwide. Stop volumetric attacks at the source.
MHR API
Programmatic malware hash lookups against an indexed sample corpus. Sub-second response, built for triage workflows.
CSIRT Assistance Program
Operational support for national and sector CSIRTs worldwide. Trust-network coordination and incident response.
GLOBAL DEFENDER EXCHANGE COMMUNITY
See what your flows can’t.
Apply for Nimbus.
Operated by Team Cymru for the ISPs and hosting providers carrying the internet’s backbone. Share your network metadata, receive near-real-time threat detection in return. Free for qualifying operators, supported in seven languages, in production at networks across six continents.