What is IP threat triage?
IP threat triage is the process of rapidly assessing whether an IP address poses a security risk by cross-referencing it against multiple threat intelligence databases simultaneously. This tool aggregates data from Shodan's pre-scanned port/vulnerability database, BGP routing information, mass-scanner detection, crowd-sourced threat intelligence, network abuse contacts, and known botnet command-and-control lists to produce a composite risk assessment.
Key Terminology
- GreyNoise: A service that identifies IPs performing mass internet scanning. If an IP appears in GreyNoise, it's scanning the entire internet, which may be benign (Shodan, Censys) or malicious (botnets, credential stuffing).
- Feodo Tracker: A project by abuse.ch that tracks botnet command-and-control servers. IPs on this list are confirmed C2 infrastructure for malware families like Dridex, TrickBot, Emotet, and QakBot.
- CPE: Common Platform Enumeration, a standardized naming scheme for software, hardware, and operating systems. Shodan uses CPEs to identify what services are running on a host.
🎯 IP Threat Triage — Frequently Asked Questions
What data sources does IP Threat Triage use?
It queries Shodan InternetDB for open ports, CVEs, and CPEs; BGPView for ASN and prefix data; GreyNoise Community API for mass-scanner detection; OTX AlienVault for threat intelligence pulses; RIPE Stat for abuse contacts and network information; Feodo Tracker for botnet command-and-control detection; and RDAP for structured IP registration data.
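The composite assessment described in the introduction, fed by the per-source lookups listed in this answer, as an added example (not the tool's own code): it folds constructed sample responses from InternetDB, GreyNoise, OTX and Feodo Tracker into one record and scores it. The response field names and the point weights are assumptions, and the CVE ids are placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample responses for one IP (documentation range, no real lookup).
# Field names follow the InternetDB and GreyNoise Community API documents as I
# read them; treat them as assumptions. CVE ids are placeholders, not real CVEs.
IDB = {"ip": "203.0.113.7", "ports": [22, 445, 3389],
       "vulns": ["CVE-0000-0001", "CVE-0000-0002"], "cpes": []}
GREYNOISE = {"ip": "203.0.113.7", "noise": True, "classification": "malicious"}
OTX = {"pulse_info": {"count": 3}}
FEODO_IPS = {"198.51.100.9"}          # constructed stand-in for the Feodo blocklist
EXPOSED = {23, 445, 3389, 5900}       # services that raise exposure when internet-facing

@dataclass
class Findings:
    ip: str
    ports: list = field(default_factory=list)
    vulns: list = field(default_factory=list)
    greynoise: str = "unknown"        # benign / malicious / unknown
    otx_pulses: int = 0
    feodo_c2: bool = False

def normalize(ip, idb, gn, otx, feodo_ips):
    """Fold the per-source responses into one Findings record."""
    gn_class = gn.get("classification", "unknown") if gn.get("noise") else "unknown"
    return Findings(ip, idb.get("ports", []), idb.get("vulns", []), gn_class,
                    otx.get("pulse_info", {}).get("count", 0), ip in feodo_ips)

def score(f):
    """Return (points 0-100, tier, reasons). Weights are illustrative, not the tool's."""
    exposed = sorted(set(f.ports) & EXPOSED)
    rules = [  # (fired?, points, reason); a confirmed C2 listing dominates everything else
        (f.feodo_c2, 70, "listed as C2 on Feodo Tracker"),
        (f.greynoise == "malicious", 25, "malicious mass-scanner per GreyNoise"),
        (f.greynoise == "benign", -15, "benign scanner per GreyNoise (e.g. research crawler)"),
        (f.otx_pulses > 0, min(5 * f.otx_pulses, 20), f"{f.otx_pulses} OTX pulse(s)"),
        (bool(f.vulns), min(5 * len(f.vulns), 20), f"{len(f.vulns)} CVE(s) in InternetDB"),
        (bool(exposed), 5 * len(exposed), f"exposed services on ports {exposed}"),
    ]
    pts = max(0, min(100, sum(p for hit, p, _ in rules if hit)))
    why = [r for hit, _, r in rules if hit]
    tier = "critical" if pts >= 70 else "high" if pts >= 40 else "medium" if pts >= 15 else "low"
    return pts, tier, why

if __name__ == "__main__":
    print(score(normalize("203.0.113.7", IDB, GREYNOISE, OTX, FEODO_IPS)))
```

The reasons list is what an analyst should see next to the score, since a benign research scanner and a listed C2 host can otherwise look alike in a raw port list.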
What does the IP Triage tool check?
It performs geolocation, WHOIS lookup, reverse DNS, open-port and CVE lookup via Shodan InternetDB (pre-scanned data, no active scan of the target), ASN identification, threat intelligence via AbuseIPDB and GreyNoise, and blocklist checks, and determines whether the IP belongs to a cloud provider, VPN, or Tor exit node.
How is IP Triage different from a standard IP lookup?
Standard IP lookups show basic geolocation. IP Triage aggregates data from 10+ intelligence sources simultaneously, providing threat scores, abuse reports, open ports, CVEs, hosting provider detection, and cross-links to deeper analysis tools.