The National Security Agency, the Cybersecurity and Infrastructure Security Agency and several international partners have issued a new Cybersecurity Information Sheet addressing risks linked to bulletproof hosting, or BPH, providers.
The guidance, titled Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers, was published to provide recommended practices for internet service providers, also known as ISPs, and network defenders seeking to reduce cybercriminal activity.
Experts from the public and private sectors will discuss the increasing threats to American systems from global adversaries and near-peer nations at the Potomac Officers Club’s 2026 Cyber Summit on May 21. Build new partnerships during networking sessions and learn directly from industry leaders and government officials through insightful keynote speeches and panel discussions at the in-person GovCon conference. Get your tickets here. Â
What Is Bulletproof Hosting?
According to the information sheet, BPH providers lease their own or stolen infrastructure to cybercriminals. BPH is marketed as “bulletproof” because providers do not cooperate with law enforcement or victim complaints of malicious activity.
The agencies noted that BPH is integrated into legitimate internet infrastructure, making it challenging to block.
What Does the New Guidance Recommend?
Authoring agencies are encouraging ISPs and network defenders to review and implement the recommended measures on the Cybersecurity Information Sheet to block harmful traffic and reduce the operational value of bulletproof hosting.
They recommend maintaining an up-to-date list of high-confidence malicious internet resources drawn from commercial and open source threat intelligence and information sharing channels. Network defenders are also encouraged to analyze traffic patterns to identify anomalies and share threat intelligence with community partners.
ISPs can further reduce risk by offering optional malicious internet resource filters and working with other providers to establish a sector-wide code of conduct to prevent BPH abuse.
