CrowdSec Live Exploit Tracker (LET) is a real-time threat intelligence product that surfaces active CVE exploitation activity observed across production systems worldwide, along with the IP addresses responsible for those attacks. Unlike scoring systems such as CVSS, EPSS, or KEV that estimate exploitation likelihood, Live Exploit Tracker provides observational data sourced from crowd-sourced telemetry across hundreds of thousands of production systems. IP data is refreshed multiple times per hour, with IPs added or removed based on recent activity. Key capabilities include: - **Live Exploit Tracker Score:** A composite score built from observed exploitation factors including profile (opportunistic vs. targeted), scale, timeline, intensity, and top targeted countries per vulnerability. - **Exploit IP Feed (per CVE):** A continuously updated list of IPs actively exploiting a specific CVE, available as a raw threat intelligence feed or edge-consumable blocklist. - **Pre-CVE Scouting:** Tracks reconnaissance activity targeting specific vendors or technologies, including campaigns observed weeks before a CVE is publicly disclosed. - **IoC Visibility:** Exposes indicators of compromise used during active exploitation, such as targeted URLs, exploit payloads, credential patterns, and user agents. - **Geographic Targeting:** Identifies top targeted countries per vulnerability to support threat modeling and geopolitical risk assessment. Intelligence can be consumed via API and routed into SIEM/SOAR tools for alert enrichment, automated playbooks, and triage prioritization. Blocklist outputs are compatible with edge devices and platforms including Cisco, AWS, Fortinet, Cloudflare, and iptables.