Threat Report
threat_reportInvestigate an IP address by gathering threat intelligence from Shodan, AbuseIPDB, ASN data, and open ports. Useful for SOC alert triage and IP reputation analysis.
Instructions
Query comprehensive threat profile for an IP: Shodan host data, AbuseIPDB reputation, ASN/geolocation, and open ports. Use for IP investigation and SOC alert triage; for domain data use domain_report. Note: nested asn block always returns at most 50 IPv4/IPv6 prefixes — call asn_lookup with include_full_prefixes=True for the full announced-prefixes list. enrichment.vulns is severity-aware list[VulnInfo] (cve_id + severity + cvss_v3) — Phase 2 v1.16.0 BREAKING; pre-1.16 it was list[str] of CVE IDs. Free: 30/hr (costs 6 tokens), Pro: 500/hr. Returns {ip, enrichment, abuseipdb, shodan, asn, threat_level}.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| ip | Yes | Public IPv4 or IPv6 address to investigate (e.g. '8.8.8.8', '1.1.1.1'). Private/reserved IPs are rejected. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |