Indicator Investigation
Paste a domain, IP, ASN or prefix → a sourced threat verdict with evidence, enriched as deep as you choose (owning network, GeoIP, feeds, co-hosts, RPKI, history). Batch-assess a whole list in one pass.
- Listed in 0 source(s) with combined weight 0.00
- Base score: 0.00 × log₂(0 + 1) = 0.00
- Recency boost: ×1.1 (last seen 2 days ago)
- Age boost: ×1.02 (on lists for 1 day)
- Final score: 0.00 × 1.1 × 1.02 = 0.00
- google.com is listed in 0 threat feed(s). Score 0.0 (No threat detected).
| ip | ip.isThreat | ip.threatScore | ip.threatLevel | ip.isTor | ip.isC2 | ip.isMalware |
|---|---|---|---|---|---|---|
| 142.250.154.100 | true | 0.8 | LOW | false | false | false |
| 142.250.154.139 | true | 0.8 | LOW | false | false | false |
| 142.250.191.14 | false | 0 | ∅ | false | false | false |
| 142.251.110.100 | true | 0.8 | LOW | false | false | false |
| 142.251.110.102 | true | 0.8 | LOW | false | false | false |
| 142.251.13.100 | true | 2.535 | MEDIUM | false | false | false |
| fingerprints |
|---|
| ∅ |
The one query behind this
CALL explain($indicator)
Snapshot from a max-depth run on Jun 26, 2026. Run it again for live data.
Free tier — no credit card. Runs up to 3 hops deep; Pro goes to 5.
What it solves
Alert triage usually means pasting the same indicator into five tabs and copying scraps back into the ticket. This answers "is it bad, and why" in one pass, so the analyst spends the time deciding instead of gathering.
One run pulls the threat verdict, the network that announces the indicator, where it sits geographically, which feeds flag it, what else is co-hosted with it, and how its registration has changed over time. You decide how deep to go, and you can hand it a whole list to triage at once.
The alternative is five lookups per indicator, then stitching the answers together by hand:
- VirusTotal
- Shodan
- whois
- a BGP looking glass
- a spreadsheet
Dig deeper
Read the how-to
The documentation for this flow — the queries explained, with variants you can adapt.
Open the documentation →
Related flows
Typosquat Scanner
Give it your brand domain and it returns the registered look-alikes, each one checked for who owns it and whether it is wired into anything malicious.
Blast Radius
Pick one piece of infrastructure and see what breaks if it disappears, from the domains it serves to the owner and datacenter behind it.
Route-Health Checker
Hand it a prefix or ASN and get a routing-integrity card: MOAS conflicts, RPKI coverage, prefix status, and footprint.
Attack-Surface Mapper
Point it at a domain and get the full external footprint, scored: subdomains, nameservers, mail senders, the origins behind any CDN, and the posture of everything that serves it.
Time Machine
Give it an indicator and see exactly what changed between its two most recent WHOIS and BGP snapshots.
Build the takedown evidence package
Assemble a one-pass dossier for a phishing or scam domain: the verdict, the owner, every feed that flags it, and the infrastructure around it.
Threat-hunting candidate sweep
A corpus-level hunt with no seed required: surface the apexes and IPs the graph itself already flags.
Actor → shared TTPs → other actors
From a named threat actor, list its ATT&CK techniques, then pivot through them to every other actor that shares the same tradecraft.
Find the real infrastructure behind the CDN
One passive call reconstructs the likely true origin IPs behind a CDN, with a confidence score for each candidate.
Ground your AI agent before it acts
A coverage-qualified read that tells 'known clean' apart from 'no data', the grounding primitive for MCP-native SOCs.
Enrich an ASN — routing, RPKI & physical footprint
One ASN in, and you get its announced prefixes, RPKI coverage, BGP peers, and the facilities and exchanges where it physically sits.
Attack Path Analysis
From one foothold, the structure an attacker would lean on: the choke points, the pivots that survive IP rotation, and how close it sits to known-bad.