ThreatSTOP takes data that is published on the Internet, and using standard Internet Protocols, gets that data as it is updated, parses it, and puts it into a database. The database identifies the source, time of publication, IP address, and any additional reputation information that may be available in the feed.

Every 2 hours (currently, we set the update frequency to be 1/2 the update period of our feeds) ThreatSTOP creates a set of files that can be used to create DNS lookups.

ThreatSTOP takes the DNS files and assembles them into the 5 basic lookups, for the basic users, and custom lookups, for SMB and Enterprise users. These are then loaded into a DNS server, and made available to authorized client hosts.

The client machines query the zones they have configured in rules, using TCP lookups for larger lists, and take the actions that the firewall administrator has programmed for the hosts in those lists.