Techniques are provided by which devices in a network may subscribe to a rapidly changing rules in central threat repository. The policies associated with threats are filtered so that just current attack vectors from within subnets learned via routing and/or forwarding information (at the network level of the network) are installed in the local access control list/policy database of the network devices. As routing changes occur, the list of applied policies are continually refined/revisited and pulled from a central security application. Publish/subscribe mechanisms ensure “zombie” policies are not left over in the device after reboot or routing changes occur.