RankShield
RANKSHIELD NETWORK Get started

Day one on the network: what a shared threat intelligence network already knows before your site is ever attacked

A new site has no attack history of its own, and attackers do not wait for it to build one. Here is first-party data on what joining a shared threat intelligence network actually buys you: 1,030,648 threat events recorded across the RankShield network in 28 days, from 11,691 networks, all of it knowledge a site inherits on its first request.

July 15, 2026 · 12 min read · shared threat intelligence network
Share

A site that went live this morning has no attack history. It has never seen a credential-stuffing run, never logged a scraper, never watched a subnet probe its login page. Every defense that learns from your own traffic starts at zero, and it stays near zero for as long as it takes to be attacked enough times to recognize a pattern. That is the gap a shared threat intelligence network is meant to close: instead of learning who the attackers are, you inherit the answer from everyone who already learned it. The question worth asking is whether that inheritance is real or just a line on a pricing page, so here is the measurement. In its first 28 days the RankShield network recorded 1,030,648 threat events from 11,691 distinct networks operating across 224 autonomous systems, and it is currently adding roughly 25,000 events a day. None of that had to be learned by any site that joins tomorrow. It is already there. This matters because attackers move faster than local learning does: Patchstack puts the weighted median time to first exploitation of a WordPress vulnerability at five hours (State of WordPress Security 2026). Below is the real data, what it means for WordPress, Shopify, and edge protection, and an honest account of what the network does and does not do with what it knows.

Why is a brand-new site attacked before anyone knows it exists?

Because nobody is looking for your site specifically. They are looking for every site. The automated layer of the internet does not browse; it enumerates, sweeping address ranges and known paths for anything that answers. OWASP catalogs this as its own class of abuse, OAT-014 Vulnerability Scanning, defined as crawling and probing an application for weaknesses (OWASP Automated Threats). Your launch announcement is irrelevant to this process. Your DNS record is the announcement. A site is discovered because it exists and responds, which means the interval between going live and being probed is not measured in weeks of marketing; it is measured in however long it takes a scanner already mid-sweep to reach your address.

The scale of that automated layer is why it finds everything. Imperva’s 2026 Bad Bot Report puts automated traffic at more than 53% of all web traffic in 2025, up from 51% the year before, with human traffic down to 47% (Imperva). Most requests on the internet are not people. Cloudflare, operating at a scale where the number means something, mitigated 6.2% of all global traffic across its network in 2025, with 3.3% mitigated as DDoS or by managed rules (Cloudflare Radar 2025 Year in Review). A meaningful share of everything crossing the internet is hostile, running constantly, and indifferent to whether you have customers yet.

That is the traffic the RankShield network exists to recognize, and here is exactly what it has recognized so far. Every figure below is first-party, pulled from the network’s own ledger, and every one of them is knowledge a site inherits on its first request rather than earns by being attacked.

THE RANKSHIELD NETWORK, RIGHT NOW

What the network already knows

MeasureValue
Threat events on our own network (28 days)1,030,648
Attacking networks11,691 across 224 ASNs
Networks that hit 2 or more different products1,829 (143 hit three, two hit four)
High severity / critical569,307 / 2,141
Growth~25,000 events per day

Source: RankShield mesh, 2026-06-17 to 2026-07-15. Own network only: excludes 643,887 AbuseIPDB reputation records we pull from that public blacklist (1,674,535 total mesh records including them). These are confirmed detections, not a claim that every one was refused. See the enforcement section below.

Why can’t a site just learn to defend itself?

It can, eventually, and eventually is the problem. Learning locally requires a sample: the site has to be attacked, log it, correlate it, and act. That loop is not free and it is not fast, and the attacker’s clock is faster. Patchstack found the weighted median time to first exploitation of a WordPress vulnerability is five hours, and that 46% of vulnerabilities in the ecosystem had no patch available at the time they were publicly disclosed (State of WordPress Security 2026). Read those two together and the situation is plain: for nearly half of disclosed vulnerabilities, the window opens with no fix, and mass exploitation arrives within hours. A defense that begins learning when the attack begins has already lost the race it is running.

The volume behind that clock keeps rising. Patchstack counted 11,334 new vulnerabilities across the WordPress ecosystem in 2025, a 42% increase over 2024, with 91% of them in plugins rather than core (Patchstack). No individual site owner is tracking 11,334 vulnerabilities. No individual site sees enough traffic to distinguish a targeted probe from noise. This is precisely the reasoning behind collective defense in the public sector too: CISA runs Automated Indicator Sharing so that participants can exchange machine-readable threat indicators in real time and benefit from the collective knowledge of every other participant, rather than each organization rediscovering the same adversary independently (CISA). The logic is identical at web scale. The attacker reuses infrastructure across thousands of targets; the defense should reuse knowledge across thousands of sites.

THE DAY-ONE GAP

Learning alone vs. joining a network

Site defends aloneSite joins the network
Knowledge of attacker infrastructure on day one None. Starts empty.1,030,648 threat events, 11,691 networks
How a new attacker is recognized After it attacks you enough timesOn its first request, if it hit anyone else
Time to first correct decision However long local learning takesImmediate, on inherited signal
Attacker cost to reset Attack a different site on your stackRebuild infrastructure the network hasn’t seen
Cross-product visibility Your one surface only1,829 networks already seen on 2+ products

What does the network actually know after 28 days?

Here is the measured answer, from our own production ledger rather than a projection. Since the network began collecting on June 17, 2026, it has recorded 1,030,648 threat events from 11,691 distinct networks operating across 224 autonomous systems. Every one of those is a confirmed detection published to the shared ledger by one of the protected surfaces, scored and corroborated before it lands. The pace is not slowing: the network is currently adding roughly 25,000 events per day, from around 1,400 distinct networks daily.

The composition matters as much as the total. 569,307 of those events are high severity and 2,141 are critical, so this is not a pile of ambient crawler noise inflated to look impressive. By type it splits almost evenly between 514,274 web attacks and 505,194 SEO attacks, the two dominant pressures on a commercial site, followed by 8,483 agent-spoofing events where automated traffic impersonated a legitimate crawler, and 2,597 ad-fraud events. A site joining tomorrow does not have to survive any of that to benefit from it. The recognition already exists.

One number we will state precisely rather than fold in quietly. The mesh holds 1,674,535 records in total, but 643,887 of those are reputation data we pull down from the AbuseIPDB blacklist to corroborate our own findings. That is somebody else’s intelligence, not attacks on our network, so it is excluded from the 1,030,648 figure above and from every claim on this page. We would rather publish the smaller number that is entirely ours.

DOWNLOADABLE INFOGRAPHIC

What a site inherits on day one

RANKSHIELD // DAY ONE ON THE NETWORK What you inherit before you are attacked 1,030,648 threat events in the first 28 days from 11,691 networks across 224 autonomous systems. EVERY SURFACE FEEDS ONE LEDGER 509,968WordPress 62,415Small business sites 10,790Shopify 3,618Browser 987Devices 838Honeypots THE NETWORK EFFECT, MEASURED 1,829 networks have attacked 2 or more different products. 143 hit three. Two hit four. Caught once, known everywhere. NOT AMBIENT NOISE 569,307high severity 2,141critical ~25,000per day SOURCE: RANKSHIELD MESH, 2026-06-17 TO 2026-07-15. EXCLUDES THIRD-PARTY REPUTATION IMPORTS. RANKSHIELD.CO
First-party RankShield mesh data, 2026-06-17 to 2026-07-15. Free to share with attribution.

How do you know the network effect is real and not marketing?

Because it leaves a fingerprint in the data, and we can count it. If shared intelligence were theatre, every attacking network would show up on exactly one product and the sharing would buy nobody anything. That is not what the ledger says. 1,829 distinct networks have attacked two or more different RankShield products. 143 have hit three. Two have hit four. Those are adversaries that a single-surface defense would have had to discover independently on every platform it protects, and that the network discovered once.

That is the whole mechanism in one number. An attacker that a WordPress site catches sweeping sitemaps is the same attacker that turns up at a Shopify storefront a week later, and because the first detection was published to a shared ledger rather than kept in one site’s logs, the second surface already recognizes it. The reason 9,862 networks appear on only one product is mostly that they have not gotten around to the others yet: the network is 28 days old. The cross-product number is the one to watch, because it grows as the network does, and it is the part no single site can ever produce for itself.

CROSS-PRODUCT ATTACKERS

Networks seen attacking more than one product

Products attackedNetworksWhat it means
Four different products2A broad adversary the whole network now recognizes
Three different products143Caught on one surface, known on the other two
Two different products1,684The network effect doing its job
One product so far9,862Known to everyone the moment they try a second

Source: RankShield mesh, 2026-06-17 to 2026-07-15, excluding third-party reputation imports. 1,829 networks have already crossed products in the network’s first 28 days.

What does the network see that a single site cannot?

Shape, and the infrastructure behind it. A single site sees requests; a network sees the operation. Those 11,691 attacking networks resolve to just 224 autonomous systems, which is what rented attack infrastructure looks like from above. An attacker does not own 11,691 networks. It has accounts with a small number of hosting providers and it rotates address space inside what it rents, which is why the unit of reputation has to be the network block rather than the individual address: an address is disposable and re-rentable in seconds, while the surrounding block costs real money to replace. That is the established approach to abuse at internet scale, the same principle behind Spamhaus and the routing-hygiene norms tracked by MANRS.

From inside one site, a coordinated operation spread across nine subnets over three days looks like nine unremarkable visitors. From the network, it is one adversary with a fingerprint. We publish the underlying source-network breakdown separately in where automated attacks actually come from, which maps this infrastructure to the hosting providers it is rented from, and the concentration there is the same story told from the other end. You can also watch the shape of the automated layer at internet scale on Cloudflare Radar’s bot traffic view.

NETWORK VISIBILITY

From a million events down to 224 hosting networks

Threat events (28 days) 1030648
High severity 569307
Attacking networks 11691
Cross-product attackers 1829
Autonomous systems 224

RankShield mesh, 2026-06-17 to 2026-07-15. Over a million events resolve to 11,691 networks and only 224 autonomous systems. That funnel is the work a single site cannot do alone.

How does this work on WordPress?

WordPress is the network’s largest contributor by a wide margin, which is unsurprising given it is the most-attacked surface on the web. It has published 509,968 threat events from 7,626 distinct networks, roughly half of everything the network knows. That volume is what makes WordPress the engine of the whole system: the intelligence protecting a Shopify store or an edge-defended marketing site is disproportionately populated by attacks a WordPress site met first and shared.

The reason it matters more on WordPress than anywhere else is the patch gap. With 91% of the ecosystem’s 11,334 disclosed 2025 vulnerabilities living in plugins and 46% of vulnerabilities unpatched at disclosure (Patchstack), a WordPress site regularly spends hours or days exposed to a known bug with no fix available. Network-level recognition is what covers that window, because the infrastructure running the mass exploitation attempt is usually the same infrastructure that already tried it somewhere else on the network. Wordfence maintains the public vulnerability database that tracks this ecosystem in detail (Wordfence Intelligence). Full product detail is on the WordPress security plugin page.

How does this work on Shopify?

The Shopify app is a detection-tier product and we would rather say that plainly than imply a parity that does not exist. It scores sessions for bot behavior, checks agent traffic for spoofing, and surfaces fraud signals against your store. What it does not do is hold an enforcement path of its own: it identifies hostile traffic rather than stopping it at the door. If you need requests refused before they reach your storefront, that is not what this app is today.

What it does do is participate, in both directions, and that is worth more than it sounds. Shopify stores have published 10,790 threat events into the shared ledger, so what your store sees becomes knowledge every other surface holds. In return your store inherits the whole network: an address first caught sweeping a WordPress site is an address your storefront already recognizes on its first request, without your store ever having met it. Scraping and credential attacks against storefronts are well-catalogued abuse classes (OWASP OAT-011 and OAT-007), and recognizing them accurately and early is genuinely useful. Details are on the Shopify fraud protection app page.

How does this work at the edge?

The edge is structurally the most valuable place to apply network intelligence, because it is the only place where acting on a hostile request costs your server nothing. A plugin evaluates an attacker after your host has already accepted the connection, run PHP, and touched the database. The edge evaluates it before any of that happens, which means the intelligence is not only protecting your content, it is protecting your capacity. It is the same architectural logic Cloudflare operates at internet scale when it mitigates 6.2% of global traffic before it reaches an origin (Cloudflare Radar), applied to the specific set of networks that have attacked sites like yours.

It is also where our honesty about enforcement matters most, so here it is in full. The edge runs in observe mode by default. It scores every request against the network’s knowledge and records what it would have done, and for most traffic it then serves the page anyway. Only a curated, false-positive-gated list is a hard refusal today: 7,829 decisions where a network had been independently corroborated as hostile across multiple sites. That is a deliberate posture, not an accident, and we adopted it after a July false-positive incident in which over-eager enforcement caught legitimate crawlers. A defense that blocks your customers is worse than one that watches. Product detail lives on the edge protection page.

What are the honest limits of a shared threat intelligence network?

Four, and you should weigh all four before believing the numbers above mean more than they do. First, detection is not enforcement, and we will not blur them. The million-event figure is what the network recognizes, not what it refused. Most of the edge observes rather than blocks by design, and the hard-block list is deliberately small. If you read "1,030,648 threat events" as "1,030,648 attacks stopped," that is our failure to write clearly, so we are saying it twice instead.

Second, age and size. The network is 28 days old and it protects tens of sites, not millions. It is not Cloudflare and we are not going to imply it is. What the data does show is that the mechanism works at this size already, which is the thing the size argument is ultimately about. Third, shelf life. Attacker infrastructure rotates, so intelligence decays, and a network that never forgets eventually flags addresses that have been legitimately re-leased to someone else. Reputation has to expire on purpose.

Fourth, and most seriously, false positives. Acting on inherited signal means acting on traffic your site has never personally seen misbehave, and if the network is wrong you have turned away a real customer on someone else’s evidence. This is not hypothetical; it is the central risk of the entire model, and it is exactly why our default posture is to observe rather than enforce until the evidence justifies enforcement, and why enforcement stays reversible. Anyone selling shared blocking without discussing false positives is not describing the system honestly. And scope: this network reduces and contains automated attacks; it does not eliminate them, and it does nothing about a determined human adversary, a leaked password, or a vulnerability in your own code. Google’s spam policies treat hacked content, scraped content, and link spam as ranking harms it acts on independently (Google Search Central), a reminder that recognizing bots is one control among several, not a strategy on its own.

DAY-ONE EXPOSURE CHECK

How exposed is your site on its own?

  1. If a network that attacked ten other sites hit yours right now, would you recognize it?
  2. How fast can you recognize a mass-exploitation attempt on an unpatched plugin?
  3. Do your defenses reason about networks or single IP addresses?
  4. Would you know if the same adversary hit your site and your store?
  5. Where does hostile traffic get evaluated for you?

What does joining actually change for a new site?

On the first request. There is no training period, no baseline window, and no threshold to cross, because the recognition is not being computed from your traffic. It already exists. A site that connects today inherits 1,030,648 threat events, 11,691 known attacking networks, 224 mapped autonomous systems, and the 1,829 cross-product fingerprints that took every other surface on the network 28 days of being attacked to produce. It contributes back from its first hostile visitor, which is what makes the next site’s inheritance larger than yours was.

That is a different proposition from a product that gets better over time. Getting better over time is a promise about the future that costs you the interval. Inheritance is a transfer that happens at connection. And the pool is filling faster than it is being drawn down: the network is adding roughly 25,000 events a day from around 1,400 distinct networks, which means the thing you inherit tomorrow is materially larger than the thing described on this page today. You can read the pricing page to see what joining it costs.

FREQUENTLY ASKED

Questions, answered.

RankShieldAssistant · online

What is a shared threat intelligence network?

It is a system where every protected site contributes what it learns about hostile traffic to a common ledger, and every site draws on that ledger to recognize attackers it has never personally encountered. Instead of each site independently rediscovering the same adversaries, one site’s detection becomes every site’s knowledge. The concept is well established in security: CISA operates Automated Indicator Sharing on exactly this principle, letting participants exchange machine-readable threat indicators in real time so they benefit from collective knowledge rather than isolated experience. Applied to the web it matters because attackers already reuse the same rented infrastructure across thousands of targets, so sharing intelligence back is what makes that reuse expensive instead of free.

How much does the RankShield network actually know?

In its first 28 days, from June 17 to July 15, 2026, it recorded 1,030,648 threat events from 11,691 distinct networks operating across 224 autonomous systems, and it is currently adding roughly 25,000 events per day from around 1,400 networks daily. By severity, 569,307 of those events are high and 2,141 are critical. By type it splits between 514,274 web attacks and 505,194 SEO attacks, plus 8,483 agent-spoofing events and 2,597 ad-fraud events. Every protected surface contributes to the same ledger: WordPress 509,968 events, small business sites 62,415, Shopify 10,790, browser 3,618, devices 987, and honeypots 838.

How do you know the network effect is real rather than marketing?

Because it is countable. If sharing bought nobody anything, every attacking network would appear on exactly one product. Instead, 1,829 distinct networks have attacked two or more different RankShield products, 143 have hit three, and two have hit four. Each of those is an adversary that a single-surface defense would have had to discover independently on every platform it protects, and that the shared ledger discovered once. That number also grows as the network grows, which is why it is the metric we watch. The 9,862 networks currently seen on only one product are mostly ones that have not tried a second surface yet; the network is 28 days old.

Does "threat events" mean "attacks blocked"?

No, and the distinction is important enough that we state it twice on the page. A threat event is a confirmed detection published to the shared ledger: the network recognized hostile traffic, scored it, and recorded it. It is not a claim that the request was refused. Most of our edge deliberately runs in observe mode, scoring every request against the network’s knowledge and then serving the page anyway, because a defense that blocks real customers is worse than one that watches. Only a curated, corroborated list of 7,829 decisions is a hard refusal today. If you read a million threat events as a million attacks stopped, that is our failure to write clearly, not your misreading.

Why do you exclude AbuseIPDB data from your numbers?

Because it is not ours. The mesh holds 1,674,535 records in total, but 643,887 of those are reputation entries we pull down from the AbuseIPDB public blacklist to corroborate our own findings. Those are attacks reported by other people against other targets, and none of them carry one of our sites as a victim. Folding them into a headline would inflate our network by roughly 60% using somebody else’s work, so every figure on this page uses the 1,030,648 that our own protected surfaces produced. We would rather publish the smaller number that is entirely ours and have it survive scrutiny.

Why does the network reason about /24 networks instead of individual IP addresses?

Because an individual address is disposable and a network block is not. An attacker who loses one IP rents another within seconds, so reasoning about addresses is a defense the attacker resets for free. The surrounding block is rented as a unit, which means condemning it imposes a real cost: the attacker has to acquire fresh infrastructure the network has never seen. This is the established approach to abuse at internet scale, the same reasoning behind network reputation projects like Spamhaus. The evidence is in our own data, where 11,691 attacking networks resolve to just 224 autonomous systems, which is the signature of rented infrastructure rather than 11,691 independent adversaries.

How big is the RankShield network, honestly?

Small and young, and we are not going to imply otherwise. The ledger began collecting on June 17, 2026, so it is 28 days old, and it protects tens of sites rather than millions. A bigger network sees more; that is simply true. What the data shows is that the mechanism already works at this size: over a million threat events, 11,691 networks mapped, and 1,829 adversaries already caught crossing between products. The size argument is ultimately an argument about whether the inheritance is worth anything, and the cross-product number answers that directly. It also grows with every site that joins, which is the entire point of a network.

Try one of the suggested questions above.

References

  1. RankShield mesh (threat_events analytical ledger) — first-party data, 2026-06-17 to 2026-07-15. Primary source for every RankShield figure on this page: 1,030,648 threat events from our own protected surfaces, 11,691 networks, 224 autonomous systems, 1,829 cross-product attacking networks, 569,307 high / 2,141 critical severity, ~25,000 events/day. Excludes 643,887 AbuseIPDB reputation records pulled from that public blacklist (1,674,535 total mesh records including them). Enforcement figures (7,829 corroborated hard-block decisions) come from the separate per-request events ledger.
  2. Patchstack — State of WordPress Security in 2026: 11,334 new ecosystem vulnerabilities in 2025 (+42% YoY), 91% in plugins, five-hour weighted median time to first exploitation, 46% unpatched at disclosure
  3. Imperva — 2026 Bad Bot Report: automated traffic exceeded 53% of all web traffic in 2025 (up from 51%), human traffic down to 47%
  4. Cloudflare — 2025 Radar Year in Review: 6.2% of global traffic mitigated, 3.3% mitigated as DDoS or by managed rules
  5. CISA — Automated Indicator Sharing: real-time machine-readable threat indicator exchange, and the collective-defense rationale behind it
  6. OWASP — Automated Threats to Web Applications: the taxonomy of bot-driven abuse categories this data reflects
  7. OWASP — OAT-014 Vulnerability Scanning: automated crawling and probing of applications for weaknesses
  8. OWASP — OAT-011 Scraping: automated collection of application content for use elsewhere
  9. OWASP — OAT-007 Credential Cracking: automated identification of valid credentials against login endpoints
  10. Wordfence Intelligence — public WordPress vulnerability database tracking the plugin and theme ecosystem
  11. The Spamhaus Project — network reputation and botnet tracking; background on why the network, not the address, is the unit of abuse
  12. MANRS (Mutually Agreed Norms for Routing Security) — background on how networks announce address prefixes and why prefix reputation works
  13. Cloudflare Radar — live bot traffic view, context on the share of automated traffic with no legitimate reason to reach an origin
  14. Google Search Central — Spam Policies for Google Web Search: hacked content, scraped content, and link spam as ranking harms Google acts on

Make every AI action provable.

RankShield is the verifiable, quantum-safe AI security platform — protection you can check, not just trust.