Frequently Asked Questions

Everything you need to know about OneFirewall Alliance — how the CTI feeds work, how to integrate, membership, pricing, and more.

OneFirewall Alliance is a UK-based cybersecurity company headquartered in London. It operates a crowd-sourced Cyber Threat Intelligence (CTI) platform built on an alliance of 180+ organisations worldwide. Member organisations share vetted threat indicators — malicious IP addresses, domains, URLs, and malware signatures — which are consolidated, enriched, and distributed in real time as actionable feeds for automated blocking.

The platform covers the full defensive lifecycle: from intelligence ingestion and threat validation through to enforcement at the firewall, IPS, WAF, mobile endpoint, and DNS layer.
OneFirewall serves enterprise security teams, MSSPs, critical infrastructure operators, and government organisations that need to:
  • Automate threat blocking without manual feed management
  • Consolidate intelligence from multiple sources into a single feed
  • Gain MITRE ATT&CK-mapped context for every threat indicator
  • Contribute intelligence and receive collective protection in return
Existing members include organisations in telecoms, finance, defence, utilities, and government sectors across Europe and beyond.
Most threat feeds deliver raw IoC lists that require separate enrichment, STIX transformation, and manual triage before they can drive enforcement. OneFirewall delivers all of that in a single API call:
  • Crime Score 0–1000 — single risk value per indicator
  • STIX 2.1 / TAXII — standards-compliant, ready for SIEM ingestion
  • MITRE ATT&CK — 20+ mapped techniques per threat
  • Geo + ASN — geolocation and network context
  • Sector Intel — which industries are being targeted
  • History Score — longitudinal reputation over time
Intelligence is crowd-sourced across 180+ alliance members and validated before distribution, removing the noise and false-positive burden from your team.
OneFirewall Alliance LTD is registered in the United Kingdom with its headquarters at 5 Greenwich View Place, London, E14 9NN. The company is Cyber Essentials Certified, recognised as one of the Top 27 funded cybersecurity startups in the UK, and is an alumnus of the CyberRunway Scale programme and Barclays Eagle Lab Cyber Bridge cohort.

Partner offices operate in India (Cybosecure Networks, New Delhi) and South East Asia (Skylabs Solution).
The alliance currently surpasses 180 member organisations worldwide, spanning telecoms, finance, defence, utilities, and government. Members include organisations such as Leonardo, TIM, Telepass, Terna, CDP, PSN, AlmavivA, Cy4Gate, and Olidata, among many others. Every member both contributes to and benefits from the collective intelligence pool.
The OneFirewall CTI feed covers four core indicator types:
  • IP addresses — scanning hosts, C2 infrastructure, botnet nodes, Tor exit nodes
  • Domains — phishing, malware delivery, C2 command domains
  • URLs — specific malicious endpoints and redirect chains
  • Malware hashes — file-level indicators for endpoint correlation
Each indicator is enriched with a Crime Score, MITRE ATT&CK technique mappings, geolocation, ASN data, sector targeting, and a historical reputation score. The full schema is documented at docs.onefirewall.com.
The Crime Score is a proprietary risk value ranging from 0 to 1000 assigned to every threat indicator. It combines:
  • Number and recency of alliance sightings
  • Historical behaviour and repeat offence patterns
  • Sector targeting profile (e.g., finance vs. general internet noise)
  • Associated MITRE ATT&CK technique severity
  • Community confidence weighting from member contributions
A score of 700+ is generally considered high-confidence for automated blocking, while lower scores can be used for monitoring or alerting with context. Thresholds are configurable per environment.
Intelligence is updated in real time. New indicators submitted by alliance members are validated and distributed to all connected members with a sync latency of under 200 ms. The WCF Agent running on your firewall pulls updated block-lists continuously, so your enforcement policy is always current without manual intervention or scheduled batch imports.
Yes. The OneFirewall CTI API returns indicators in STIX 2.1 format and is compatible with TAXII 2.1 for SIEM and SOAR platform ingestion. This means you can connect the feeds directly to platforms such as Splunk, Microsoft Sentinel, IBM QRadar, or any other system that consumes STIX/TAXII without writing custom parsers.
The CTI platform maps indicators to 20+ MITRE ATT&CK techniques across key tactics including Reconnaissance, Initial Access, Credential Access, Discovery, Command & Control, and Impact. Every CTI API response includes the relevant technique IDs (e.g., T1595, T1133) and descriptions so your analysts understand not just what an IP is, but how it behaves during an attack.
Submitted indicators go through a multi-stage validation pipeline before reaching the distribution engine:
  • Automated de-duplication — merges repeated sightings and adjusts confidence
  • False-positive filtering — cross-references against known-good lists (CDNs, cloud providers, etc.)
  • Enrichment layer — appends geo, ASN, MITRE, and historical data
  • Community weighting — indicators corroborated by multiple independent members receive higher confidence scores
This ensures that what reaches your firewall is actionable intelligence, not raw, noisy data.
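The four stages listed above can be illustrated with a small, self-contained pipeline. This is an added example written for this page, not OneFirewall's validation engine: the sightings, the allowlisted range, the enrichment table and the confidence formula are all constructed for the illustration, and the 0 to 100 confidence value it computes is not the Crime Score.

```python
"""Illustrative indicator-validation pipeline (added example, not OneFirewall's code).
It models the four stages the FAQ lists: de-duplication, false-positive filtering
against known-good ranges, enrichment, and community weighting. Field names,
weights and the sample data are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

# Constructed "known-good" range standing in for a CDN / cloud-provider allowlist.
KNOWN_GOOD = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range, placeholder

# Constructed sightings: (indicator, contributing member, day offset of the sighting)
SIGHTINGS = [
    ("198.51.100.7", "member-a", 0),
    ("198.51.100.7", "member-b", 1),
    ("198.51.100.7", "member-a", 2),   # repeat from the same member: not independent
    ("203.0.113.9", "member-c", 0),    # falls inside an allowlisted range
    ("192.0.2.55", "member-d", 5),
]


@dataclass
class Indicator:
    value: str
    sightings: int = 0
    contributors: set = field(default_factory=set)
    last_seen: int = 0
    confidence: int = 0
    enrichment: dict = field(default_factory=dict)


def deduplicate(sightings):
    """Merge repeated sightings of the same indicator into one record."""
    merged = {}
    for value, member, day in sightings:
        rec = merged.setdefault(value, Indicator(value))
        rec.sightings += 1
        rec.contributors.add(member)
        rec.last_seen = max(rec.last_seen, day)
    return list(merged.values())


def filter_known_good(indicators, allowlist=KNOWN_GOOD):
    """Drop indicators that sit inside allowlisted ranges (CDNs, cloud providers, ...)."""
    kept = []
    for rec in indicators:
        addr = ipaddress.ip_address(rec.value)
        if not any(addr in net for net in allowlist):
            kept.append(rec)
    return kept


def enrich(indicators, lookup):
    """Attach context from a lookup table (stand-in for geo/ASN data; constructed)."""
    for rec in indicators:
        rec.enrichment = lookup.get(rec.value, {})
    return indicators


def weight(indicators):
    """Score by independent corroboration: more distinct members, more confidence.
    The 0-100 scale and the formula are this example's own, not the Crime Score."""
    for rec in indicators:
        base = 40 if rec.sightings else 0
        independent = len(rec.contributors) - 1          # extra members beyond the first
        rec.confidence = min(100, base + 20 * independent + 5 * min(rec.sightings, 4))
    return indicators


def run_pipeline(sightings, lookup=None):
    """Run all four stages and return a dict keyed by indicator value."""
    recs = deduplicate(sightings)
    recs = filter_known_good(recs)
    recs = enrich(recs, lookup or {})
    recs = weight(recs)
    return {r.value: r for r in recs}


if __name__ == "__main__":
    for value, rec in run_pipeline(SIGHTINGS).items():
        print(value, rec.sightings, sorted(rec.contributors), rec.confidence)
```

Note the distinction the weighting stage makes: three sightings from two members count as two independent corroborations, while a single member reporting the same address three times does not raise confidence the same way.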
The WCF (Wall-Connected Firewall) Agent is a lightweight software component installed on or alongside your existing firewall or IPS. It connects to the OneFirewall intelligence platform and continuously pulls updated block-lists, translating them into native enforcement rules for your specific device — without any manual configuration.

The agent supports 166+ platforms and handles the full translation layer: what arrives as a STIX indicator from the alliance leaves as a native firewall rule on your Check Point, FortiGate, Forcepoint, or other appliance.
OneFirewall has purpose-built plugins for the most common enterprise platforms, including:
  • Check Point (with SecureXL acceleration support)
  • Fortinet FortiGate
  • Forcepoint NGFW
  • And 163+ additional firewalls, IPS, XDR, WAF, and router platforms
See the full list on the Integrations page. If your platform is not listed, contact us — custom integration development is available.
OneDevice is a dedicated IPS hardware appliance for organisations that prefer a physical enforcement layer. It is available in two deployment modes:
  • Parallel mode — runs alongside pfSense as a passive monitor that actively blocks threats out-of-band
  • Standalone in-series mode — deployed inline in the network path as a full IPS gateway
Both modes are powered by real-time OneFirewall Alliance intelligence feeds. Documentation is available at docs.onefirewall.com.
OFA Mobile is a mobile application for iOS and Android that creates a local VPN on the device to intercept and filter traffic — both inbound and outbound. Any connection attempt to an IP address or domain in the Alliance threat intelligence feed is blocked before it reaches the application or the user. It extends enterprise-grade protection to smartphones and tablets without requiring network-level changes.
The AI Gateway (available at onefirewall.ai) is a specialised firewall for AI services. As organisations adopt tools like ChatGPT, Copilot, and other public AI platforms, the AI Gateway sits between the user and the service to:
  • Prevent accidental data leakage in prompts
  • Block connections to known malicious AI-adjacent infrastructure
  • Enforce usage policies for safe and compliant AI adoption
Yes. The OneFirewall Web Application Firewall (WAF) protects public-facing web applications against OWASP Top 10 attacks, injection, XSS, bot abuse, and more. It is powered by the same Alliance threat intelligence as the network-layer controls, ensuring consistent enforcement across all attack surfaces. Full documentation is at docs.onefirewall.com/products/waf.
Secure DNS is a DNS resolver powered by Alliance threat intelligence. Instead of resolving any domain, it checks each lookup against the alliance feed and blocks resolution of known malicious or high-risk domains in real time. It provides an additional, lightweight enforcement layer without modifying firewall rules — ideal for protecting roaming employees or as a first-line defence at the DNS layer.
Vulnix0 (at vulnix0.com) is an offensive security platform developed within the OneFirewall ecosystem. It provides:
  • DAST — Dynamic Application Security Testing of live web applications
  • Dark web scanning — monitoring for leaked credentials and data
  • Penetration testing — structured assessments to validate your defensive posture
Used together with the defensive intelligence feeds, Vulnix0 closes the loop between attack simulation and real-world blocking policy.
The F3D (Firewall 3D) Agent is an advanced telemetry and correlation component that provides three-dimensional visibility into network traffic patterns: who is connecting, what protocols they are using, and how those patterns compare against known attack behaviours in the alliance feed. It is used to enrich detection accuracy and reduce dwell time for advanced threats. See the F3D Agent page for details.
OneFirewall uses device-based pricing — you pay per protected device or appliance, not per volume of traffic or number of threat indicators consumed. This makes costs predictable and scales naturally with your infrastructure rather than penalising you for high traffic volumes or for receiving more intelligence. Contact the team for a tailored quote.
To become an alliance member, reach out to the team or click Become a Member on the homepage. The onboarding process includes:
  • Initial discovery call to understand your environment and threat profile
  • Deployment of the WCF Agent alongside your existing infrastructure
  • A 1-month Proof of Value to validate real attack detection in your environment
  • Full membership activation with bi-directional intelligence sharing
The Proof of Value is a 1-month evaluation that runs entirely inside your own environment. Key points:
  • No data leaves your organisation — logs and network traffic stay on your premises
  • The WCF Agent is deployed alongside your existing firewall in monitoring or blocking mode
  • Real attack traffic from the Alliance feed is validated against your environment
  • You receive a full report of threats detected and blocked during the evaluation period
The PoV gives your security team concrete evidence of the platform's effectiveness before any commercial commitment. Learn more about the PoV →
OFA Coins are the Alliance's reward token system. Members earn coins by contributing verified, high-quality threat intelligence indicators to the shared pool. The more valid intelligence you contribute, the more coins you accumulate.

Coins can be redeemed for:
  • Additional API quota and call limits
  • Platform credits for premium features
  • Exclusive alliance benefits and early access
This incentive mechanism aligns member behaviour with the collective goal: the more organisations contribute, the better the intelligence becomes for everyone. See the OFA Coins page for the full earning and redemption schedule.
Yes — the CTI API is available as a standalone product for organisations that want intelligence enrichment without deploying the WCF Agent or joining the bi-directional sharing model. API access is metered per request, and credentials are managed through the dashboard. Contact the team to discuss the right access tier for your use case.
The 1-month Proof of Value serves as the structured trial for enterprise evaluations, running in your own environment with no data leaving your organisation. For API exploration, limited sandbox access may be arranged through the team. Additionally, the Free Tools section of the site offers 15 standalone security utilities available to everyone at no cost.
The API follows a simple REST pattern. To query an IPv4 address:

GET /api/v1/intel/<IPv4>
Authorization: Bearer <your-token>

The response returns 16+ fields including Crime Score, STIX bundle, MITRE techniques, geo/ASN, sector targeting, and history score — all in a single call. Full API documentation including schemas, field definitions, and code examples is at docs.onefirewall.com.
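A minimal client for the request pattern above, combined with the Crime Score threshold described earlier (700+ for automated blocking, lower scores for monitoring). This is an added example, not OneFirewall's SDK or documentation code: only the endpoint path and the Bearer header come from the page. The base URL, the JSON field names (`crime_score` and the others in the sample response), and the sample response itself are assumptions constructed for the example; the real schema is the one at docs.onefirewall.com.

```python
"""Added example client for the GET /api/v1/intel/<IPv4> pattern shown in the FAQ.
Not OneFirewall's SDK. Assumed, not from the page: BASE_URL, the 'crime_score'
field name, and the shape of SAMPLE_RESPONSE. The 700 threshold is the FAQ's
stated guideline for automated blocking."""
import ipaddress
import json
import urllib.request

BASE_URL = "https://api.example.invalid"   # placeholder; substitute the documented host
BLOCK_THRESHOLD = 700                      # FAQ: 700+ is high-confidence for blocking


def validate_ipv4(value: str) -> str:
    """Accept only a plain IPv4 literal before it is placed in the URL path."""
    addr = ipaddress.ip_address(value.strip())   # raises ValueError on anything else
    if addr.version != 4:
        raise ValueError(f"not an IPv4 address: {value!r}")
    return str(addr)


def build_request(ip: str, token: str) -> urllib.request.Request:
    """Construct the authenticated GET exactly as the FAQ sketches it."""
    ip = validate_ipv4(ip)
    return urllib.request.Request(
        f"{BASE_URL}/api/v1/intel/{ip}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        method="GET",
    )


def decide(record: dict, threshold: int = BLOCK_THRESHOLD) -> str:
    """Map a Crime Score to an action. 'crime_score' is an assumed field name."""
    score = record.get("crime_score")
    if score is None:
        return "unknown"            # absent score: never block on missing data
    if not 0 <= score <= 1000:      # the FAQ documents a 0-1000 range
        raise ValueError(f"crime score outside documented range: {score}")
    return "block" if score >= threshold else "monitor"


def lookup(ip: str, token: str, opener=urllib.request.urlopen) -> dict:
    """Perform the call and parse the JSON body; `opener` is injectable for offline tests."""
    with opener(build_request(ip, token), timeout=10) as resp:
        return json.load(resp)


# Constructed sample response, shaped only by the field list the FAQ mentions.
SAMPLE_RESPONSE = {
    "indicator": "198.51.100.7",
    "crime_score": 842,
    "mitre_techniques": ["T1595", "T1133"],
    "history_score": 610,
}

if __name__ == "__main__":
    req = build_request("198.51.100.7", "<your-token>")
    print(req.full_url, req.get_header("Authorization"))
    print(decide(SAMPLE_RESPONSE))   # block
```

The input validation matters because the indicator is interpolated into the URL path: rejecting anything that is not an IPv4 literal keeps path traversal or query fragments out of the request, and treating a missing score as "unknown" rather than "monitor" keeps a malformed response from silently relaxing policy.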
The WCF Agent is deployed on a Linux host (physical or virtual) with outbound HTTPS access to the OneFirewall distribution infrastructure. It requires no inbound firewall rules. The agent:
  • Authenticates to the Alliance platform with a device token
  • Pulls differential updates of the intelligence feed continuously
  • Translates indicators into native rules for your attached firewall or IPS
  • Reports telemetry (no raw traffic or log data) back to the platform for score refinement
Detailed deployment guides for each integration are at docs.onefirewall.com. The Automated Deployment page covers infrastructure-as-code options.
Yes. The WCF Agent supports automated deployment via Ansible, Terraform, and standard shell provisioning scripts. This enables integration into existing CI/CD pipelines and infrastructure-as-code workflows. See the Automated Deployment page for templates and examples.
End-to-end sync latency from intelligence submission by an alliance member through validation, enrichment, distribution, and enforcement rule application is under 200 milliseconds under normal operating conditions. This near-real-time propagation means a threat seen by one member is blocking traffic at every other member's firewall within seconds.
The WCF Agent is lightweight and runs on:
  • OS: Linux (most distributions supported)
  • Connectivity: Outbound HTTPS (port 443) to the OneFirewall platform
  • Resources: Minimal CPU and RAM footprint — exact requirements depend on the size of the block-list and integration type
  • Privileged access: Requires appropriate permissions to push rules to the attached firewall or IPS
Full hardware and OS compatibility tables are in the documentation.
Yes. The CTI API outputs STIX 2.1 / TAXII 2.1 compatible data, which is natively consumable by all major SIEM and SOAR platforms:
  • Splunk (via TAXII connector or REST API)
  • Microsoft Sentinel (via TAXII data connector)
  • IBM QRadar
  • Elastic Security
  • Any platform supporting the STIX/TAXII standard
OFA Events also provides a structured log stream of alliance intelligence events for custom ingestion pipelines. See the OFA Events page.
No. The WCF Agent does not send raw network traffic, packet captures, or full session logs to OneFirewall. The data flow is:
  • Inbound: enriched threat intelligence received from the alliance
  • Outbound: aggregated telemetry about which threat indicators were seen and blocked (no raw session data, no user information)
During the Proof of Value, no logs or data leave your organisation at all. This is confirmed in the Terms & Privacy documentation.
Yes. OneFirewall Alliance LTD is a UK-registered company operating under UK GDPR and, where applicable, EU GDPR. The platform processes threat indicator data (malicious IPs, domains, etc.) — not personal data of end users. Full details on data handling, retention, and your rights are available in the Terms & Privacy Policy. For DPA (Data Processing Agreement) requests, contact the team directly.
Yes. OneFirewall Alliance LTD holds Cyber Essentials certification, the UK government-backed scheme that demonstrates baseline cybersecurity controls are in place across the organisation's own systems and infrastructure. This provides assurance for procurement processes that require supplier security accreditation.
The full End-User Licence Agreement and Terms & Privacy Policy are available at: These documents cover permitted use, data handling, liability, and member obligations for intelligence contribution.
Real-time service availability, incident reports, and maintenance windows are published at status.onefirewall.com. Subscribe to status updates there to receive notifications automatically.

Still have questions?

Our team is happy to walk you through the platform, discuss your specific environment, or arrange a Proof of Value in your own infrastructure.