May 2026 - Domains | Cybersecurity | Artificial Intelligence

Real-Time Threat Intelligence in an AI-Driven Threat Landscape

Carel Bitter, CEO of Spamhaus Technology, on protecting billions of IP addresses and millions of domains from AI-driven cyber threats – and what the next five years may bring.

As cyber threats become more automated, distributed and sophisticated, maintaining accurate and timely threat intelligence is increasingly challenging. From AI-driven phishing campaigns to complex, multi-channel attack infrastructures, organizations must adapt to a rapidly evolving risk environment.

In this interview, Carel Bitter, CEO of Spamhaus Technology, explains how large-scale data analysis, machine learning, and collaborative intelligence models help identify threats early, strengthen detection capabilities, and support organizations in securing their digital ecosystems.

dotmagazine: Spamhaus Technology analyzes billions of IP addresses and millions of domains every day to provide real-time threat intelligence. How has the scale and complexity of this challenge developed in recent years, and what is required to maintain the reliability and accuracy your customers depend on?

Carel Bitter: In many areas of cybercrime, things move rapidly, which makes determining reputation challenging: it must be done both quickly and precisely. In order to successfully adapt and continue to keep users and the Internet safe, we had to create more tools, find new ways to analyze data, and sometimes work differently – and we did. 

Spamhaus works with data we receive from large, distributed sensor networks. We augment this by exchanging data with trusted third parties, including major and minor networks, as well as incorporating user reports via submit.spamhaus.org. This is all processed by highly specialized tooling that analyzes data constantly to create or refine our responses. And no matter how much automation and “AI” is used, the human element and expertise remain critical.

dotmagazine: Threat actors are increasingly leveraging AI to make spam, phishing, and malware campaigns more sophisticated and harder to detect. How is Spamhaus Technology responding to AI-driven threats, and what role does machine learning play in your own detection and data processing capabilities?

Carel Bitter: We have successfully dealt with automated threats, whether it’s spam or otherwise, in all their forms, for decades. To some degree, “AI” is just another such form, to which we respond in the same way we always have. We have used machine learning-based detection engines for quite some time, particularly in the DNS and domain reputation space. Expanding the use of these approaches into other areas of the company, where they enable us to work effectively and efficiently, is always considered.

dotmagazine: Spamhaus Technology operates at the intersection of email protection, DNS security, and cyber threat intelligence. How do these disciplines complement one another, and how do you help organizations integrate your threat data effectively into their existing security infrastructure?

Carel Bitter: All three exist interdependently. You cannot have one without the other. Looking at threats beyond their usual realm often gives us the context we need not just to see the threat, but to understand the infrastructure and TTPs. This is so we can – especially at the DNS level – be ahead of the next iteration or deployment of many campaigns. 

While email-based threats will remain relevant for the foreseeable future, most organizations face a more complex, connected threat landscape. Phishing may arrive via SMS text or instant messaging, bring-your-own-device introduces proxies into the corporate perimeter, and malware C2 channels are becoming more covert and complex. 

By providing our insights in open formats – and making much of it available for free – we can help any organization establish baseline security, regardless of the infrastructure or vendor choices they have made.

dotmagazine: The Spamhaus–abuse.ch Alliance brings together complementary, mission-driven datasets to provide more comprehensive intelligence. What advantages does this kind of partnership model provide compared to more traditional, standalone threat intelligence approaches?

Carel Bitter: Our datasets complement each other. While Spamhaus is traditionally strong in the areas of email filtering and classification of hosting providers, abuse.ch focuses on IOCs and malware detection, including C2 servers and associated infrastructure. Together, these datasets prevent the spread of malware by covering the entire attack kill chain: from the initial vector containing the malware URL, via the C2 server communication, to the download of second-stage malware.

dotmagazine: Looking ahead, which trends in the threat intelligence and cybersecurity landscape do you expect to have the greatest impact over the next five years, and how is Spamhaus Technology positioning itself in response?

Carel Bitter: There are three key themes we expect to have a significant impact over the next five years.

The first is industrialization of cybercrime, where the already existing underground economy of specialized suppliers will enable even quicker iterations due to threat actors using gen AI as a more efficient “glue.” Our focus on automation and delivery speed positions us well to counter this.

Second, platform consolidation is happening on both the source and target sides of attacks. On the source side, attackers increasingly “live off the land” by abusing legitimate infrastructure. On the receiving end, vendor consolidation is limiting the choice for defenders. As a data provider, we remain platform-agnostic, integrating easily with a wide range of solutions.

And finally, increasing geopolitical influences will shape cyber defense decisions in ways they have never done before for many organizations. This applies not only to the attacks you need to defend against, but increasingly to the solutions you must consider to address the problems. Regulatory changes around digital sovereignty may make this even more complicated in the near future. However, they may create opportunities for EU-based organizations. We expect our position as a trusted third party to continue to serve us well in this regard.

 

📚 Citation:

Bitter, Carel. (May 2026). Real-Time Threat Intelligence in an AI-Driven Threat Landscape. dotmagazine. https://www.dotmagazine.online/issues/domains-email-user-trust/real-time-threat-intelligence-in-an-ai-driven-threat-landscape

 

Carel Bitter is CEO of Spamhaus and an integral part of its fabric, having been with the organization for more than a decade. He remains deeply involved in investigating how a bad actor’s infrastructure operates – ensuring Internet users are protected from nefarious activity. With a focus on reputation across all Internet resources, he enjoys analyzing any (and all) data that helps provide context, and ultimately protection. 

As a recognized expert in the field, Carel can regularly be found presenting to audiences across the globe, sharing his knowledge and experience with others.

 

 

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.