The Iceland IoC dashboard — how to read the live data
~5 min read · reviewed by a working Icelandic sysadmin · drafted with AI assistance
A short reading guide for the live Iceland Security Dashboard — what "Icelandic" means in the pipeline, how tenants are attributed, how the tier badges work, and what's deliberately filtered out. For the operational handbook — laws, who-to-call, the 14-item checklist — see the defender handbook.
The live tools at a glance
- Iceland Security Dashboard — operational view: which Icelandic-hosted IPs are showing up in threat feeds, attributed by hosting operator and tenant.
- Ransomware tracker — leak-site listings naming Icelandic victims as they appear.
- Threat feeds — machine-readable blocklists, including an Iceland-focused subset.
- Patch-lag index — how exposed Iceland-facing software is to the current CISA KEV list.
- Attack surface — full breakdown of exposed services on Icelandic networks.
How "Icelandic" is defined
A routing-and-registry definition, not a flag-on-the-map one:
- Mostly: peers at RIX — the Reykjavík Internet Exchange. Almost all Icelandic-to-Icelandic traffic flows through RIX, so "does this network peer there?" is most of the answer.
- Plus .is/AS-org cases and a few supplementary networks that route Icelandic space without RIX peering.
- Minus Tor exit nodes — they "attack everything" by design; counting them as Icelandic threat activity is just noise.
What it deliberately doesn't include: VPN endpoints, CDN edges, or browser-based geoIP. Those produce false attribution at scale.
Attribution — who actually owns the IP
The dashboard's by-tenant panel takes flagged Icelandic IPs and answers "who actually owns this address space, and what are they hosting?" Three attribution layers, in order:
- PTR-hostname — if the IP's reverse DNS points at an Icelandic organisation's domain (hi.is, or.is, isb.is), that's the tenant.
- RIPE block — if PTR is generic or LIR-branded (*.1984.is, *.cprapid.com, *.iceservers.net), fall back to the prefix's RIPE netname/org.
- Fall-through — if neither resolves to a recognisable Icelandic organisation, the row sits under 🏢 IP-space holders with the LIR (the hosting company that holds the allocation) in italic — separate from the named-tenant tiers.
A noisy IP at 1984 ehf or Advania almost always means a customer got compromised, not that the operator is malicious. Big consumer/telco networks are scored against a bigger benign base — a few flagged IPs at Síminn or Nova means "a customer got popped", not "the operator is hostile". A high count concentrated in a small niche network reads differently.
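The three-layer cascade above, written out as a worked example. This is added illustration, not the dashboard's own code: the PTR and RIPE tables are constructed stand-ins (RFC 1918 placeholder addresses, illustrative org names), and the function names, the `ICELANDIC_RIPE_ORGS` map and the "unknown LIR" fallback are assumptions about how such a lookup would be wired. The domains and LIR-branded suffixes are the ones named in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for live reverse-DNS and RIPE prefix data (not real records).
PTR_RECORDS = {
    "10.0.0.5": "web1.hi.is",         # PTR names an Icelandic organisation -> layer 1
    "10.0.0.9": "vps-77.1984.is",     # LIR-branded PTR, says nothing about the tenant
    "10.0.1.2": "vm-3.cprapid.com",   # LIR-branded, tenant must come from RIPE -> layer 2
    "10.0.2.7": None,                 # no PTR at all
}

# (prefix, RIPE netname, RIPE org, LIR holding the allocation) -- constructed rows
RIPE_PREFIXES = [
    ("10.0.0.0/24", "HOSTING-1984-NET", "1984 ehf", "1984 ehf"),
    ("10.0.1.0/24", "OR-NET", "Orkuveita Reykjavikur", "Siminn hf"),
    ("10.0.2.0/24", "ADVANIA-CUST-17", "Advania Island", "Advania Island"),
]

# Layer 1: tenant domains recognised as Icelandic organisations.
ICELANDIC_ORG_DOMAINS = {"hi.is", "or.is", "isb.is"}
# Hostname suffixes that identify a hosting LIR rather than a tenant.
LIR_BRANDED_SUFFIXES = ("1984.is", "cprapid.com", "iceservers.net")
# Layer 2: RIPE org strings recognised as named Icelandic tenants (assumed mapping).
ICELANDIC_RIPE_ORGS = {"Orkuveita Reykjavikur": "or.is"}

IP_SPACE_HOLDERS = "🏢 IP-space holders"


@dataclass(frozen=True)
class Attribution:
    ip: str
    layer: str              # "ptr", "ripe" or "ip-space-holder"
    tenant: Optional[str]   # named tenant, or None on the fall-through path
    lir: str                # hosting company that holds the allocation


def is_lir_branded(hostname: str) -> bool:
    """True when the PTR carries a LIR's own domain (e.g. *.1984.is)."""
    return any(hostname == s or hostname.endswith("." + s) for s in LIR_BRANDED_SUFFIXES)


def ptr_tenant(hostname: Optional[str]) -> Optional[str]:
    """Layer 1: the registered domain of the PTR, if it is a known Icelandic org."""
    if not hostname or is_lir_branded(hostname):
        return None
    domain = ".".join(hostname.lower().rstrip(".").split(".")[-2:])
    return domain if domain in ICELANDIC_ORG_DOMAINS else None


def ripe_record(ip: str):
    """Longest-prefix match of the IP against the constructed RIPE table."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in RIPE_PREFIXES if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def attribute(ip: str) -> Attribution:
    """Run the three attribution layers in order and stop at the first hit."""
    rec = ripe_record(ip)
    lir = rec[3] if rec else "unknown LIR"
    tenant = ptr_tenant(PTR_RECORDS.get(ip))
    if tenant:
        return Attribution(ip, "ptr", tenant, lir)
    if rec and rec[2] in ICELANDIC_RIPE_ORGS:
        return Attribution(ip, "ripe", ICELANDIC_RIPE_ORGS[rec[2]], lir)
    # Neither layer named a tenant: file under the LIR, which is not a verdict on it.
    return Attribution(ip, "ip-space-holder", None, lir)


def panel_row(ip: str) -> str:
    """The by-tenant panel bucket a flagged IP lands in (LIR shown in italic)."""
    a = attribute(ip)
    return a.tenant if a.tenant else f"{IP_SPACE_HOLDERS} / _{a.lir}_"


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, attribute(ip).layer, "->", panel_row(ip))
```

The order matters: a LIR-branded PTR is treated as "no answer" rather than as a tenant, which is what keeps 1984 ehf or Advania from being named as the offender when one of their customers is compromised.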
Tier classification — what the emoji mean
Each named tenant is sorted into one of five tiers based on multi-source confirmation in the last 30 days:
- 🔴 HIGH — ≥2 multi-source confirmed-C2 indicators, non-Tor. Multiple independent feeds saw this IP attacking things. Investigate.
- 🟡 MIXED — exactly one multi-source confirmed-C2 indicator, non-Tor.
- 🟠 Unconfirmed — ≥2 single-source HIGH-class indicators, non-Tor. One feed thinks bad; nobody else has confirmed. Lead, not finding.
- ⚪ Neutral — flagged, but doesn't meet either of the above bars.
- 🟢 LOW — no flagged indicators in the window.
Tier emoji do not appear on 🏢 IP-space holders rows — those are LIR allocations where the actual tenant is unknown. Lumping a hosting company under a tier emoji reads as a verdict on the company, which it isn't.
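The five tiers and the two suppression rules (Tor exits dropped before counting, no badge on 🏢 IP-space holders rows) as one classification function. This is an added example, not the dashboard's pipeline code: the `Indicator` shape, the category labels `confirmed-c2` / `high` / `other`, the feed names and the sample sightings are all constructed, and "multi-source" is taken to mean "reported by two or more independent feeds".

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Indicator:
    ip: str
    seen: date              # day the sighting was recorded
    sources: frozenset      # feeds that independently reported this sighting
    category: str           # "confirmed-c2", "high" or "other" (assumed feed labels)
    tor_exit: bool = False  # True when the IP is a Tor exit node


TIER_EMOJI = {"HIGH": "🔴", "MIXED": "🟡", "Unconfirmed": "🟠",
              "Neutral": "⚪", "LOW": "🟢"}
WINDOW_DAYS = 30


def in_window(ind: Indicator, now: date, days: int = WINDOW_DAYS) -> bool:
    return now - timedelta(days=days) <= ind.seen <= now


def classify(indicators, now: date, days: int = WINDOW_DAYS) -> str:
    """Tier for one named tenant over the trailing window, in the order the text lists them."""
    # Tor exits are suppressed before anything is counted, so a Tor-only tenant ends up LOW.
    window = [i for i in indicators if in_window(i, now, days) and not i.tor_exit]
    multi_c2 = sum(1 for i in window
                   if i.category == "confirmed-c2" and len(i.sources) >= 2)
    single_high = sum(1 for i in window
                      if i.category == "high" and len(i.sources) == 1)
    if multi_c2 >= 2:
        return "HIGH"          # several independent feeds saw confirmed C2
    if multi_c2 == 1:
        return "MIXED"
    if single_high >= 2:
        return "Unconfirmed"   # one feed thinks bad, nobody else has confirmed
    if window:
        return "Neutral"       # flagged, but below both bars
    return "LOW"               # nothing flagged in the window


def badge(row_kind: str, indicators, now: date) -> str:
    """Emoji + tier for a panel row; LIR allocation rows get no badge at all."""
    if row_kind == "ip-space-holder":
        return ""
    tier = classify(indicators, now)
    return f"{TIER_EMOJI[tier]} {tier}"


# Constructed sample: one tenant per tier plus the two suppression cases.
NOW = date(2026, 5, 1)


def days_ago(n: int) -> date:
    return NOW - timedelta(days=n)


SAMPLE = {
    "tenant-a": [Indicator("203.0.113.10", days_ago(2), frozenset({"feedA", "feedB"}), "confirmed-c2"),
                 Indicator("203.0.113.11", days_ago(9), frozenset({"feedA", "feedC"}), "confirmed-c2")],
    "tenant-b": [Indicator("203.0.113.20", days_ago(5), frozenset({"feedA", "feedB"}), "confirmed-c2"),
                 Indicator("203.0.113.21", days_ago(6), frozenset({"feedA"}), "high")],
    "tenant-c": [Indicator("203.0.113.30", days_ago(1), frozenset({"feedA"}), "high"),
                 Indicator("203.0.113.31", days_ago(3), frozenset({"feedB"}), "high")],
    "tenant-d": [Indicator("203.0.113.40", days_ago(4), frozenset({"feedA"}), "other")],
    "tenant-e": [Indicator("203.0.113.50", days_ago(45), frozenset({"feedA", "feedB"}), "confirmed-c2")],
    "tenant-f": [Indicator("203.0.113.60", days_ago(2), frozenset({"feedA", "feedB"}), "confirmed-c2",
                           tor_exit=True)],
}

if __name__ == "__main__":
    for name, inds in SAMPLE.items():
        print(name, badge("named-tenant", inds, NOW))
```

Note the precedence: a tenant with one multi-source confirmed-C2 hit and several single-source HIGH-class hits lands in MIXED, not Unconfirmed, because the checks run in the order the tiers are listed.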
What's been masked
- Pipeline-startup backfill. The first feed-ingest run on 2026-04-19 stamped a single day's created_at with the whole accumulated backlog. That bar is greyed out on every sparkline so it doesn't read as a real spike. Trail numbers in the bottom-row strip (avg/peak) exclude those backfill days, so the headline numbers are real-world only.
- Tor exit nodes. Suppressed entirely from risk tiers (as above) — they'd otherwise inflate every tenant they pass through.
- Honeypot background radiation. A chunk of "attacks on Iceland" in any feed is internet background hitting honeypots, scanners, or researchers. The dashboard tiers this down, but read indicators as signal to look into, not as findings.
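The backfill masking from the first bullet, shown on a constructed series so the effect on avg/peak is visible. Added example, not the dashboard's own code: the backfill date is the one the text gives, the per-day counts are made up, and `sparkline_bars`, `trail_stats` and `naive_stats` are assumed names.

```python
from datetime import date, timedelta
from statistics import mean

# The first ingest run stamped the whole accumulated backlog on this created_at day
# (date taken from the text); more days can be added if another backfill happens.
BACKFILL_DAYS = {date(2026, 4, 19)}

# Constructed per-day counts of newly created indicator rows, as a sparkline would plot them.
DAILY_CREATED = {
    date(2026, 4, 19): 4120,   # backlog dumped on one day, not a real spike
    date(2026, 4, 20): 37,
    date(2026, 4, 21): 44,
    date(2026, 4, 22): 29,
    date(2026, 4, 23): 61,
    date(2026, 4, 24): 35,
}


def sparkline_bars(series, backfill_days=BACKFILL_DAYS):
    """(day, count, greyed) in date order; greyed bars are drawn but carry no signal."""
    return [(d, n, d in backfill_days) for d, n in sorted(series.items())]


def trail_stats(series, backfill_days=BACKFILL_DAYS):
    """avg/peak for the bottom-row strip, over real-world days only."""
    real = [n for d, n in series.items() if d not in backfill_days]
    if not real:
        # Every day in the series was a backfill day: show nothing rather than a backlog number.
        return {"avg": 0.0, "peak": 0, "days": 0}
    return {"avg": round(mean(real), 1), "peak": max(real), "days": len(real)}


def naive_stats(series):
    """What the strip would show if the backfill day were left in."""
    return trail_stats(series, backfill_days=set())


if __name__ == "__main__":
    for day, count, greyed in sparkline_bars(DAILY_CREATED):
        print(day, count, "(greyed)" if greyed else "")
    print("masked:", trail_stats(DAILY_CREATED))
    print("naive: ", naive_stats(DAILY_CREATED))
```

On this sample the unmasked peak is the 4120-row backlog and the unmasked average is inflated more than ten-fold; masking brings both back to the order of magnitude of a normal day, which is the whole point of the greyed bar.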
What the dashboard isn't
- Not a verdict. Multi-source confirmation reduces false positives but doesn't eliminate them.
- Not exhaustive. A brand-new threat IP only one feed has caught is still real.
- Not real-time. Feeds update on different cadences (some hourly, some daily, some weekly); the dashboard is "yesterday and this morning", not "the last five minutes".
For what to do with anything here — laws that apply, who to call, the 14-item checklist — see the defender handbook.
Next
- Iceland defender handbook → — the operational companion: the infrastructure, the defenders, the law, the cases, the 14-item checklist.
- Iceland Security Dashboard → — the live view itself.
- The concepts that matter → — CVE, CVSS, KEV, ATT&CK vocabulary.
- Glossary → — ~50 terms, two lines each.
Reviewed by a working Icelandic sysadmin · drafted with AI assistance. Corrections to admin@1881.is.