Definition :
Threat Intelligence is built on two fundamental and inseparable pillars:
- threat origin, and
- depth of penetration
Together, these two axes transform raw technical events into actionable knowledge.
1. Threat origin :
Threat origin aims to identify where malicious activity comes from:
- network source,
- emitting infrastructure,
- geographic context,
- threat actor or attack ecosystem.
It answers the question: where does the threat come from?

Classification by HTTP behavior :
Analysis is not limited to volume.
Events are classified according to their operational meaning:
OK (200 / 206)
Legitimate normal traffic (served pages, partial content).

CACHE (301 / 304)
Expected behavior: redirections, browser / CDN cache, SEO.

SUSPECT (403 / 404 / 405 / 501)
Scans, bots, URL errors, forbidden access, unauthorized HTTP methods.

ERROR (400 / 408)
Malformed requests, faulty clients, timeouts, noise, or low-level attacks.

REMOVED (410)
Resource intentionally removed (cleanup, persistent anti-indexing).

SERVER (500 / 599)
Server-side or infrastructure errors
(backend, proxy, PHP-FPM, database, overload).
Indicator of a real incident impacting availability.

OTHER
Unclassified, no exploitable signal.

Fundamental principle :
The danger is not the URI.
The danger is how far the request went.
This view prioritizes the origin and nature of the threat over raw traffic volume.
2. Depth of the threat :
Depth measures how far the threat has progressed within the system:
- blocked attempt,
- application-level interaction,
- partial execution,
- effective compromise.
It answers the question: how far did it go?
Depth levels :
BLOCKED
Request rejected upstream by Apache
(parsing, ACLs, configuration rules).
No routing, no file access, no backend.
Normal noise, security intact.

ROUTED BUT MISSING
Request understood and routed by Apache, but the resource does not exist.
No effective handler, no backend.
Superficial scan, no impact.

BACKEND TOUCHED
Request forwarded to the handler (PHP-FPM), but properly denied
(unknown script, invalid path, active protection).
Critical threshold reached, isolation tested and effective.

SECURITY FAILURE
Application code executed or backend compromised
(fatal PHP error, effective execution, unexpected 200 response).
Real security incident – immediate action required.

OTHER
Unclassified events or residual noise with no identifiable impact.
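As an added illustration of both the HTTP-behavior classes and the depth levels above (example code, not from the original page), this Python triage assigns each Apache request its behavior class and its depth level, then reports the deepest level reached by each client, which joins the origin axis to the depth axis. It assumes a custom LogFormat that records the responding handler (Apache's %R directive) so that "no backend" and "backend touched" can be told apart; the sample log lines and the allowlist of legitimate entry points are constructed.

```python
import re
# Status classes as the page defines them ("500 / 599" is read as the 5xx range).
BEHAVIOR = {"OK": {200, 206}, "CACHE": {301, 304}, "ERROR": {400, 408},
            "SUSPECT": {403, 404, 405, 501}, "REMOVED": {410}}
DEPTH_RANK = ["OTHER", "BLOCKED", "ROUTED BUT MISSING", "BACKEND TOUCHED", "SECURITY FAILURE"]
# Assumed allowlist of legitimate PHP entry points; a backend 200 elsewhere is an "unexpected 200".
KNOWN_ENTRY_POINTS = {"/index.php", "/api.php"}
# Assumed LogFormat "%h %>s %m \"%U\" %R" (client status method path handler; %R is "-" if none).
LINE_RE = re.compile(r'^(\S+) (\d{3}) (\S+) "([^"]*)" (\S+)$')
# Constructed sample lines in that format, not logs from the original page.
SAMPLE_LOG = """\
203.0.113.7 200 GET "/index.php" proxy-server
203.0.113.7 304 GET "/style.css" -
198.51.100.9 404 GET "/admin/" -
198.51.100.9 403 GET "/backup/" -
192.0.2.33 404 GET "/old/setup.php" proxy-server
192.0.2.33 500 GET "/uploads/a.php" proxy-server
"""

def behavior_class(status):
    for name, codes in BEHAVIOR.items():
        if status in codes:
            return name
    return "SERVER" if 500 <= status <= 599 else "OTHER"

def depth_level(status, path, handler):
    if handler == "-":                      # Apache answered alone, no backend
        if status in (404, 410):
            return "ROUTED BUT MISSING"     # routed, but nothing there
        return "BLOCKED" if status in (400, 403, 405, 408, 501) else "OTHER"
    if status >= 500 or (status == 200 and path not in KNOWN_ENTRY_POINTS):
        return "SECURITY FAILURE"           # fatal error or unexpected execution
    return "BACKEND TOUCHED" if status in (403, 404) else "OTHER"

def triage(log_text):
    """One (client, status, path, behavior, depth) tuple per parsable line."""
    rows = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        client, status, _method, path, handler = m.groups()
        status = int(status)
        rows.append((client, status, path, behavior_class(status),
                     depth_level(status, path, handler)))
    return rows

def worst_depth_per_client(rows):
    """Origin axis against depth axis: the deepest level each client reached."""
    worst = {}
    for client, _status, _path, _behavior, depth in rows:
        worst[client] = max(worst.get(client, "OTHER"), depth, key=DEPTH_RANK.index)
    return worst
```

Lines that do not match the assumed format are skipped rather than guessed at, so a format mismatch shows up as an empty result instead of a wrong classification.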

Conclusions :
Threat intelligence is not about stacking logs.
It is about qualifying, correlating, and prioritizing events in order to:
- anticipate attacks,
- detect early,
- respond effectively,
- support strategic and operational decision-making.
This is not data.
This is actionable knowledge.
The reality of the global Internet is now well established: only a marginal fraction of observed traffic can be considered fully legitimate, and this proportion remains remarkably constant over time.
The analysis presented on this page clearly illustrates this observation. The majority of recorded network traffic corresponds to suspicious behavior, whether it involves automated scanning, enumeration attempts, vulnerability probing, or opportunistic activity originating from globally distributed infrastructures.
This structural imbalance between legitimate traffic and hostile traffic highlights an operational reality:
the Internet is not a neutral environment by default. It is a space that is continuously explored, probed, and exploited, where exposing a service inherently implies an active attack surface.
In this context, Threat Intelligence is no longer a matter of theoretical anticipation, but an operational necessity. It enables events to be qualified, situational awareness to be elevated, and defensive mechanisms to be adapted in a rational and proportionate manner.