# How does it work

What is the ELLIO: Threat List and how does it function? Let's break it down.

At its core, ELLIO utilizes a vast array of sensors across the globe, monitoring scanning activities from a broad spectrum of actors. This includes research facilities, botnets, hackers and other threat actors. By gathering, tagging, and classifying this data with our ML-powered engine, we maintain a comprehensive understanding of in-the-wild attacks, whether they're variants of different botnets, or newly published exploits.

Our customers provide the IP addresses of their network perimeter with every deployment they create. With this information, we meticulously scan the perimeter to identify the list of services accessible from the internet.

For instance, if the IP address 1.1.1.1 was added to the deployment, our system would recognize that the perimeter includes services such as DNS on ports 53/UDP and 53/TCP, and HTTP/HTTPS on ports 80/TCP, 443/TCP, and 8443/TCP. (Please note that this is a simplified example.)

With this information, we can customize and prioritize the Threat List. We prioritize the predicted attackers that are a direct threat to the specific services on your perimeter, combined with the most aggressive general attackers.
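The prioritization described above can be sketched as follows. This is an added illustration, not ELLIO's engine or algorithm: ranking by raw hit counts, the `max_entries` and `general_slots` parameters, and the sensor observations are all assumptions constructed for the example; only the perimeter services come from the 1.1.1.1 example above.

```python
from collections import defaultdict

# Perimeter services from the page's simplified 1.1.1.1 example.
PERIMETER = {(53, "udp"), (53, "tcp"), (80, "tcp"), (443, "tcp"), (8443, "tcp")}

# Constructed sensor observations: (source IP, dst port, protocol, hits).
# Source addresses are taken from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("192.0.2.10", 443, "tcp", 40),
    ("192.0.2.10", 8443, "tcp", 25),
    ("198.51.100.7", 23, "tcp", 900),    # very aggressive, but port not exposed
    ("203.0.113.5", 53, "udp", 12),
    ("203.0.113.99", 3389, "tcp", 30),
    ("198.51.100.200", 22, "tcp", 5),
]


def build_threat_list(observations, perimeter, max_entries, general_slots):
    """Rank sources for a size-limited block list (hypothetical scoring).

    Sources seen probing a service the perimeter exposes come first,
    ordered by hits against those services. Up to `general_slots`
    entries are reserved for the most aggressive remaining sources.
    """
    relevant = defaultdict(int)  # hits against exposed (port, proto) pairs
    total = defaultdict(int)     # hits against any port
    for src, port, proto, hits in observations:
        total[src] += hits
        if (port, proto) in perimeter:
            relevant[src] += hits

    direct = sorted(relevant, key=lambda s: (-relevant[s], s))
    general = sorted((s for s in total if s not in relevant),
                     key=lambda s: (-total[s], s))

    reserved = min(general_slots, len(general), max_entries)
    chosen = direct[: max_entries - reserved]
    chosen += general[: max_entries - len(chosen)]
    return chosen


if __name__ == "__main__":
    for ip in build_threat_list(OBSERVATIONS, PERIMETER, 3, 1):
        print(ip)
```

With a three-entry limit, the two sources probing exposed DNS and HTTPS ports rank ahead of the telnet scanner, which still takes the reserved general slot because of its volume.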

As a result, our Threat List effectively filters traffic from a wide array of sources, such as infected IoT devices, botnets, and actors conducting mass exploitation campaigns.

While our system may not shield your perimeter from highly targeted attacks, it's well-equipped to detect and rapidly respond to widespread attempts to exploit newly available vulnerabilities across the entire IPv4 range (which includes your network).