SNT-C2-2026-05-0798

Confirmed Burned
Disclosed by ipsum · +32d
Command-and-Control

Lifecycle

When SENTINEL first saw this infrastructure, when public sources caught up, and when it went dark. The shaded span is our lead time.

[Timeline: lead over first disclosure +32d (ipsum); observed 05-19, burned 05-22, 3d operational life]

SENTINEL first observed: 2026-05-19
Max lead time: +32 days
Status: Burned on 2026-05-22

Public confirmations

Public threat-intel sources that subsequently listed this indicator. Lead time is days between SENTINEL first-observed and that source's published date.

Source | Published | Lead time | Reference
ipsum | 2026-06-20 | +32d | https://github.com/stamparm/ipsum

Classification

Confidence: Confirmed (high-fidelity, analyst-validated)
Category: Command-and-Control
Indicator type: IP address

Decay

How actionable this indicator is now. IoCs decay at type-specific rates (Pyramid of Pain); a fresh sighting resets the score.

Score: 0 / 95 (expired)
Lifetime: 3d · ip
Age: 0d since last sighting
Expires: 2026-06-23
[Decay chart: score axis 95 to 0, age axis 0 to 3d, marker at now]

Methodology. An indicator opens at a base score (set by confidence) and decays over a lifetime fixed by its type — IP 3d, URL 5d, domain 7d, file hash 21d, certificate 120d. Per the Pyramid of Pain, the harder an artefact is for an adversary to change, the longer it stays actionable. Score = base × (1 − (age / lifetime)^(1/speed)), decay speed 2.6. Every fresh sighting in any source resets age to zero and the score back to base; once age reaches the lifetime the score is 0 and the indicator is expired and purged from active detection.

Indicator (revealed post-burn)

202.9.122.11
IP address