Threat Intelligence Briefing

Global threat volume represents a significant deviation from baseline, spiking +158.3% vs previous period to over 250,000 events. This surge is primarily driven by reputation_low and reconnaissance activity, consistent with a large-scale scanning campaign. Nordic traffic patterns remained stable compared to their respective baselines, with Sweden (1374 events) and Finland (1029 events) showing normal background noise. The top threat IPs are concentrated in a US-based CIDR block (87.251.64.0/24) exhibiting coordinated SSH brute-force activity, indicating persistent infrastructure rather than a new threat. Consider temporary blocking or rate-limiting the 87.251.64.0/24 range and prioritizing alerts from this cluster. Deprioritize individual low-reputation IPs as they represent routine background noise.