CISA, NSA, FBI, and an international coalition of partners recently published guidance about an “imminent and significant risk”: bulletproof hosting. Their new Cybersecurity Information Sheet, “Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers,” hands ISPs and network defenders a practical playbook for pushing back.
Bulletproof hosting is infrastructure that is popular with criminals because it is built to ignore complaints, takedown requests, and law enforcement. That infrastructure lives right alongside your legitimate traffic in the same clouds and networks you rely on every day.
Here’s the problem for defenders: bulletproof hosting gives attackers resilient, abuse-tolerant infrastructure they can spin up, discard, and relocate faster than most organizations can update a firewall rule.
TL;DR
Bulletproof hosting is attacker-run infrastructure that lives inside the same global ASes (autonomous systems), data centers, and clouds that your business uses.
Attackers use it to fail fast. They can experiment, pivot, and rebuild infrastructure faster than most organizations can react.
Static blocklists are not enough. You need visibility into where your workloads are going, controls that understand ASNs and IP ranges, and clean telemetry when something goes wrong.
CISA provides high-level guidance to mitigate the risks of bulletproof hosting: curating internet resource lists, maintaining egress visibility, and more.
What is Bulletproof Hosting?
According to CISA, a bulletproof hosting provider is an internet infrastructure provider that knowingly and intentionally markets and leases infrastructure to cybercriminals.
In practice, bulletproof hosting providers:
Lease their own infrastructure directly to cybercriminals.
Increasingly resell stolen or subleased infrastructure from legitimate hosting providers, data centers, ISPs, or cloud service providers who may have no idea their IP space is being weaponized.
Market abuse tolerance, anonymity, and “we do not ask questions” as core features.
Refuse to engage in good faith with legal processes such as subpoenas, court orders, or abuse complaints, sometimes hiding behind deliberately onerous documentation requirements before even considering a takedown.
With that promise of resilience, criminals treat bulletproof hosting as their “always on” side of the internet. They use it for:
Fast flux and infrastructure laundering, cycling IPs, ASNs, and DNS records so quickly that indicators go stale before they are fully deployed.
Command and control and payload delivery for ransomware and other intrusions.
Phishing infrastructure, fraud sites, and illicit content that need to stay online long enough to make money.
Denial of service activity and extortion operations.
The key point for defenders: this infrastructure is not some shady corner of the dark web. It is woven into the same global routing and data center ecosystem that everyone else relies on. Your traffic and their infrastructure often share the same physical space, upstream providers, and Autonomous Systems (ASes).
Why is Bulletproof Hosting a Cloud Network Security Problem?
You are not going to policy memo your way out of bulletproof hosting. At some point there is a session from your environment to somebody else’s infrastructure. That path either goes out with intent and guardrails, or it escapes through a side door no one has looked at in years.
Technically, the problem looks like this: bulletproof hosting infrastructure lives inside Autonomous Systems just like every other provider. Each AS is identified by an Autonomous System Number (ASN), and a single ASN can host a mix of perfectly legitimate services and heavily abused ranges.
Criminals deliberately spread their bulletproof infrastructure across multiple ASes so that any single AS only carries a small slice of malicious activity. A blunt “block this ASN” approach is likely to break legitimate services while leaving plenty of bad infrastructure untouched.
Bulletproof hosting (BPH) operators can obtain a new ASN from a regional internet registry in a matter of days and migrate their abused IP ranges over. They also churn through IP addresses, nameservers, and CNAME records. By the time a static blocklist propagates, the malicious traffic may already have moved. A few uncomfortable realities for cloud defenders:
Egress is still the soft spot. Flat VPCs, default routes to the internet, and security groups that grew organically over years are a perfect setup for quietly reaching attacker-controlled infrastructure that looks just like any other provider.
Threat intel without enforcement is just trivia. Many teams subscribe to feeds that flag abusive ASNs, IP ranges, and domains. If those only live in a dashboard and never land in a network policy or egress control, nothing meaningful changes for the attacker.
Multicloud magnifies the chaos. Every cloud has its own way of handling routing, filtering, and logging. Attackers benefit from your differences. They only need one weak, unmonitored path to their bulletproof infrastructure.
CISA’s guidance is aimed heavily at ISPs and upstream providers, and that is appropriate. But it does not remove your responsibility inside your own estate. You still need to:
Know which of your workloads talk to which external networks and ASNs.
Make it hard for any workload to quietly pivot to known abusive infrastructure, even when it sits inside otherwise legitimate providers.
Produce clean, contextual logs when something ugly does happen so you can coordinate with upstream providers and law enforcement instead of guessing in the dark.
That is the defender reality this blog is written for.
Turning CISA Guidance for Bulletproof Hosting into Concrete Controls
Think of CISA’s bulletproof hosting guidance as the “what.” Aviatrix Cloud Native Security Fabric (CNSF) gives you the “how” inside your own environment.
Unlike one-off controls bolted onto individual VPCs or VNets, CNSF gives you a consistent security fabric across AWS, Azure, GCP, and on-premises environments. That means one place to see who is talking to what, one place to define egress policies, and one place to generate the telemetry your security tools need.
Below are some of the core recommendations from CISA and how Aviatrix CNSF helps you actually implement them in multicloud networks.
1. Curate and act on malicious internet resource lists
What CISA Wants
CISA advises organizations to build and maintain a high-confidence list of malicious internet resources such as ASNs, IP ranges, and individual IP addresses associated with bulletproof hosting and other abuse, and to use that list to drive filters and alerting instead of one-off block rules. They also call out a few nuances:
Use both commercial and open source threat intelligence, plus sector ISACs and other sharing groups.
Complement the list with your own traffic analysis so you are not just consuming feeds, but validating them against what you actually see.
Continuously review and update the list so reallocated ranges that move back to legitimate providers are removed and new abusive ranges are added.
How Aviatrix CNSF Helps
CNSF helps you follow CISA’s guidelines because it:
Centralizes egress control so you are not trying to maintain separate blocklists per VPC, VNet, or project.
Lets you apply threat intel driven policies at the fabric level against all three dimensions CISA cares about: ASNs, IP ranges, and individual IPs.
Example: “Deny outbound traffic from any production workload to IPs in these abusive ranges or ASNs, except through a monitored egress gateway,” while still allowing lower-risk environments more flexibility.
Uses application, environment, and data classification tags so you can dial controls up or down by risk, instead of applying the same coarse filter to everything.
With CNSF, your malicious internet resources list becomes a living control surface instead of a static PDF. Threat intel stops being a spreadsheet of scary indicators and turns into a repeatable way to shrink the number of viable launchpads an attacker can reach from your environment.
2. Make egress paths visible and explainable
What CISA Wants
ISPs and network defenders should analyze traffic, detect anomalies, and use telemetry to refine their filters.
How Aviatrix CNSF Helps
CNSF builds a live map of who talks to what across clouds. You can see:
Which workloads reach external ASNs tied to bulletproof hosting.
Which business units or environments appear most exposed.
It also normalizes flow logs into a consistent format, then enriches them with:
Cloud account, project, or subscription.
Application and owner tags.
Security tier or data classification.
With CNSF, when a flow to a suspicious provider shows up, you can say in one line whose workload it was, which application, and how important it is. That shortens response time and improves your ability to cooperate with upstream providers and law enforcement.
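As an added example (not Aviatrix code and not part of CISA’s guidance), the Python sketch below shows the two steps sections 1 and 2 describe: matching destinations against a curated list in all three dimensions (ASN, IP range, individual IP) and enriching normalized flow-log lines with account, application, and tier context so one record answers whose workload it was, which application, and how risky the destination is. The indicators, prefix-to-ASN table, workload inventory, and flow lines are all constructed placeholders (documentation address ranges and a private-use ASN), and the flow-line field order is the default VPC flow-log layout.

```python
import ipaddress

# Constructed high-confidence list in the three dimensions the guidance names.
# Documentation ranges and a private-use ASN stand in for real indicators.
BAD_ASNS = {64500}
BAD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BAD_IPS = {ipaddress.ip_address("198.51.100.7")}
# Constructed prefix-to-ASN table, standing in for a BGP/WHOIS lookup.
PREFIX_ASN = {ipaddress.ip_network("192.0.2.0/24"): 64500}
# Constructed workload inventory keyed by interface id (what a CMDB or tag store provides).
WORKLOADS = {
    "eni-aaa": {"account": "111111111111", "app": "payments", "tier": "prod"},
    "eni-bbb": {"account": "222222222222", "app": "ci-runner", "tier": "dev"},
}

def asn_for(ip):
    return next((asn for pfx, asn in PREFIX_ASN.items() if ip in pfx), None)

def classify(ip):
    """Which list dimension the destination hits: 'ip', 'range', 'asn' or None."""
    if ip in BAD_IPS: return "ip"
    if any(ip in rng for rng in BAD_RANGES): return "range"
    return "asn" if asn_for(ip) in BAD_ASNS else None

def normalize(line):
    """Parse a VPC-flow-log style line (default field order) into a dict."""
    f = line.split()
    return {"iface": f[2], "src": ipaddress.ip_address(f[3]),
            "dst": ipaddress.ip_address(f[4]), "dport": int(f[6]), "action": f[12]}

def enrich(flow):
    """Attach business context plus the list match and destination ASN."""
    ctx = WORKLOADS.get(flow["iface"], {"account": "?", "app": "unknown", "tier": "unknown"})
    return {**flow, **ctx, "dst_asn": asn_for(flow["dst"]), "match": classify(flow["dst"])}

# Constructed sample flows: hits by range and by ASN, one benign flow, then a hit by IP.
SAMPLE_LOGS = [
    "2 111111111111 eni-aaa 10.0.1.5 203.0.113.20 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 222222222222 eni-bbb 10.0.2.9 192.0.2.44 49153 8080 6 3 200 1700000000 1700000060 ACCEPT OK",
    "2 111111111111 eni-aaa 10.0.1.5 198.51.100.200 49154 443 6 5 400 1700000000 1700000060 ACCEPT OK",
    "2 222222222222 eni-bbb 10.0.2.9 198.51.100.7 49155 25 6 1 60 1700000000 1700000060 ACCEPT OK",
]

def flagged(lines):
    """Enriched records for flows whose destination is on the list, in input order."""
    return [rec for rec in (enrich(normalize(l)) for l in lines) if rec["match"]]
```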
3. Segment by risk, not just by IP range
What CISA Wants
Reduce the operational value of bulletproof hosting infrastructure without causing collateral damage to legitimate customers that happen to sit near them.
How Aviatrix CNSF Helps
CNSF lets you treat bulletproof adjacent networks as high-risk zones instead of flipping a big “block the whole internet” switch. It supports policies such as:
“Critical workloads may only talk to external services over approved egress gateways with TLS inspection and strict allowlists.”
“Dev and test can reach more destinations, but never from the same subnets or security tiers as production.”
This makes it much easier to run sensitive workloads in environments that assume hostile neighboring infrastructure.
With CNSF, you do not have to choose between “too risky” and “too disruptive.” You can reserve stricter controls for the flows that matter most.
4. Strengthen identity and accountability at the network layer
What CISA Wants
ISPs should verify customers, document abuse, and participate in sector codes of conduct so bulletproof providers have fewer places to hide. In practical terms, that means knowing who is behind an IP address, being able to prove what that IP was doing at a given time, and being ready to act on credible abuse reports. Enterprise defenders face a similar problem at a smaller scale. When one of your public IPs shows up in someone else’s incident report, you need to answer two questions quickly: “Whose traffic was that?” and “What was it doing?”
How Aviatrix CNSF Helps
CNSF:
Ties network flows back to identity in a consistent way across clouds: not “some IP in VPC X,” but “this managed workload in this security tier, owned by this team, running in this account.”
Produces normalized, durable logs of outbound traffic and policy decisions that you can search by IP, ASN, tag, or application.
Shortens investigations when your infrastructure is abused as a relay, staging point, or command node by giving responders a clear chain from external indicator to internal workload and owner.
Gives you cleaner data to share with upstream providers or information sharing partners when you need to demonstrate impact, scope, and remediation.
With Aviatrix CNSF, when your IP space shows up in external threat intelligence or abuse reports, you can quickly identify which workload was involved, contain it, and demonstrate concrete action. That improves trust with providers, regulators, and customers without pretending that you are solving the entire bulletproof hosting problem yourself.
5. Build a fabric that can adapt as CISA’s playbook evolves
Guidance bodies will keep updating their expectations. Today it is bulletproof hosting providers. Tomorrow it may be another facet of criminal infrastructure. The common thread is simple. Environments with centralized visibility, consistent policy enforcement, and clean telemetry that ties flows to business context will always have an easier time adapting.
The Aviatrix Cloud Native Security Fabric provides that foundation. New lists of risky ASNs or domains become new inputs to the same enforcement engine, not a scramble to update a thousand firewall rules by hand.
A Simple CNSF Playbook for Bulletproof Hosting
If you want to align quickly with the spirit of CISA’s guidance using Aviatrix Cloud Native Security Fabric, here is a practical starting point.
Map your current exposure
Use CNSF visibility to identify all egress paths from your critical workloads.
Cross-reference those flows with threat intel that includes BPH-linked domains, IPs, and ASNs.
Define tiered egress policies
Tier 1 (crown jewels): outbound only through hardened egress gateways with strict allowlists and logging.
Tier 2 (standard apps): outbound allowed to the internet, but BPH-linked ASNs and domains blocked at the fabric.
Tier 3 (sandbox): more permissive, but still logged and periodically reviewed.
Wire in intelligence and sharing
Integrate commercial and open source threat feeds that align with CISA’s recommendations.
Use CNSF logs as input to your SIEM and threat hunting workflows so suspicious infrastructure can be identified and shared with partners.
Test and iterate
Run tabletop exercises that simulate attackers trying to pivot to BPH-linked infrastructure from inside your environment.
Use the results to refine segmentation, egress rules, and monitoring.
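An added illustration of the tiered egress policy in the playbook above, written as plain Python rather than any Aviatrix policy syntax: each tier gets its own rule, every decision comes back as a normalized record searchable by IP, ASN, tier, and gateway, and the Tier 3 case is permissive but still records the BPH hit so it can be reviewed later. The BPH ranges, ASN table, allowlist, and gateway name are constructed placeholders, not real indicators.

```python
import ipaddress

# Constructed BPH-linked indicators (documentation ranges, private-use ASN), not real data.
BPH_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BPH_ASNS = {64500}
PREFIX_ASN = {ipaddress.ip_network("192.0.2.0/24"): 64500}
# Tier 1 may only leave via this gateway to this allowlist (both placeholders).
TIER1_GATEWAY = "egw-hardened-1"
TIER1_ALLOW = [ipaddress.ip_network("198.51.100.0/26")]

def asn_for(ip):
    return next((a for pfx, a in PREFIX_ASN.items() if ip in pfx), None)

def bph_hit(ip):
    """True if the destination sits in a BPH-linked range or ASN."""
    return any(ip in r for r in BPH_RANGES) or asn_for(ip) in BPH_ASNS

def decide(tier, dst, via_gateway=None):
    """Apply the three-tier policy and return a log-ready decision record."""
    ip = ipaddress.ip_address(dst)
    hit = bph_hit(ip)
    if tier == 1:                                  # crown jewels: gateway + allowlist only
        if via_gateway != TIER1_GATEWAY:
            action, reason = "deny", "not-via-hardened-gateway"
        elif not any(ip in n for n in TIER1_ALLOW):
            action, reason = "deny", "not-on-allowlist"
        else:
            action, reason = "allow", "allowlisted"
    elif tier == 2:                                # standard apps: internet minus BPH
        action, reason = ("deny", "bph-linked") if hit else ("allow", "default")
    elif tier == 3:                                # sandbox: permissive, but hits are recorded
        action, reason = "allow", ("bph-linked-logged" if hit else "default")
    else:
        action, reason = "deny", "unknown-tier"
    return {"tier": tier, "dst": str(ip), "dst_asn": asn_for(ip), "bph": hit,
            "gateway": via_gateway, "action": action, "reason": reason}

def needs_review(records):
    """Decision records where a BPH-linked destination was allowed (the periodic-review queue)."""
    return [r for r in records if r["bph"] and r["action"] == "allow"]
```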
Final Thoughts
Bulletproof hosting is attractive to attackers because it offers resilience and anonymity on top of someone else’s network. CISA’s new guidance makes it clear that this is a recognized operational risk to national infrastructure and the wider internet.
The Aviatrix Cloud Native Security Fabric does not replace what ISPs, takedown teams, and law enforcement need to do. It makes sure your side of the connection is not the weak link. When your cloud network has real visibility, consistent controls, and clean telemetry, bulletproof hosting stops looking “bulletproof” and starts looking like what it really is: just another hostile neighborhood your traffic does not need to visit.
If you are ready to move from static blocklists and scattered firewall rules to a unified security fabric, schedule a demo to see how Aviatrix CNSF can help. Start with the visibility, add the controls, and give your security team a backbone that matches the attackers’ infrastructure, instead of hoping a few IP blocks will keep up.
Learn more about how Aviatrix operationalizes zero trust to protect networks.
Take our free and agentless Workload Attack Path Assessment to find the pathways in your cloud that attackers could exploit.