This post describes building a DIY IP threat feed by aggregating honeypot SSH login data in Splunk, enriching it with geo and reputation context, and exporting it as a regularly updated CSV blacklist.