Turning Indicators into Intelligence in OpenCTI with Criminal IP

Cyber threat intelligence becomes more valuable when indicators are enriched with context that supports investigation, correlation, and decision-making. Through the Criminal IP integration with OpenCTI, security teams can transform IP addresses, domains, and URLs from isolated indicators into structured intelligence within the OpenCTI knowledge graph.
The integration automatically enriches indicators with Criminal IP’s reputation scoring, infrastructure intelligence, vulnerability data, behavioral signals, and phishing analysis.
The resulting information is structured as OpenCTI entities and relationships, allowing analysts to investigate connected infrastructure, identify potential attack surfaces, and prioritize high-risk indicators.
Integration Highlights
Criminal IP enrichment results for an IP address within OpenCTI, showing contextual risk scoring and behavioral indicators
Contextual Risk Scoring Beyond Simple Reputation
Criminal IP provides dual-perspective risk scoring (inbound and outbound), reflecting both how an IP is targeted and how it behaves externally. This gives analysts a more nuanced signal than traditional single-score reputation models and improves prioritization of high-risk infrastructure.
Criminal IP enrichment structures IP intelligence as connected OpenCTI entities, enabling analysts to pivot across indicators, network ownership, and geographic context
Deep Infrastructure Intelligence Embedded in the Graph
Enrichment goes beyond tagging indicators: Criminal IP creates structured OpenCTI entities and relationships, including vulnerabilities (CVEs), Autonomous Systems (ISPs), and geolocation. This lets analysts pivot across infrastructure, uncover shared components, and identify related infrastructure within the graph.
Service Exposure & Vulnerability Correlation
By linking observed services to known CVEs, the integration provides immediate insight into potential attack surfaces. Analysts can quickly assess whether an IP is not only malicious, but also exploitable or actively leveraged in attacks.
High-Fidelity Threat Labeling & Behavioral Signals
Automatically generated labels incorporate multiple data points such as anonymization technologies (VPN, proxy, TOR), hosting characteristics, and malicious classifications. This layered labeling approach provides richer context than binary “malicious/benign” tagging.
Advanced Domain & Phishing Intelligence
For domains, Criminal IP performs full URL analysis to detect phishing activity, credential harvesting, suspicious files, and impersonation techniques. Confidence scores are directly tied to phishing probability, giving analysts a quantifiable measure of risk.
Infrastructure Mapping & Analysis Support
The integration links indicators to network ownership (Autonomous Systems), physical locations, and resolved IP infrastructure. This allows teams to identify hosting patterns, regional clustering, and infrastructure patterns across indicators.
Enrich OpenCTI Indicators with Criminal IP Intelligence
Integrate Criminal IP with OpenCTI to enrich IP addresses, domains, and URLs with contextual threat intelligence.
Automatically add dual-perspective risk scoring, infrastructure relationships, vulnerability data, behavioral signals, and phishing analysis to the OpenCTI knowledge graph, enabling faster investigation, correlation, and prioritization.
How Integration Works
Indicators such as IP addresses, domains, and URLs are first ingested into OpenCTI.
The Criminal IP connector then automatically enriches each indicator with reputation scoring, infrastructure intelligence, vulnerability information, behavioral signals, and phishing analysis.
The enriched data is structured into entities and relationships within the OpenCTI knowledge graph. Analysts can then use the resulting intelligence for investigation, correlation, infrastructure pivoting, and threat analysis.
The process can be summarized as follows:
- Indicators (IP addresses, domains, URLs) are ingested into OpenCTI
- The Criminal IP connector automatically enriches each indicator with reputation scoring, infrastructure intelligence, and phishing analysis
- Enriched data is structured into entities and relationships, enabling investigation, correlation, and analysis within the OpenCTI knowledge graph
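As an added illustration (not code from Criminal IP or the OpenCTI connector), the following Python shows the shape of what step three produces: it maps one constructed enrichment record to a STIX 2.1 bundle of the kind an enrichment connector hands to OpenCTI, with the IP observable, an indicator carrying layered labels for the inbound/outbound scores and anonymization flags, Autonomous System and Location entities, one Vulnerability per CVE, and the relationships between them. The record's field names and the relationship types are assumptions, not Criminal IP's API schema.

```python
import uuid
from datetime import datetime, timezone

# Constructed enrichment record. Field names are assumptions, not Criminal IP's
# real API schema; values use documentation-reserved IP/ASN and a placeholder CVE.
SAMPLE_ENRICHMENT = {
    "ip": "203.0.113.45",
    "inbound_score": "critical",   # how the IP is targeted
    "outbound_score": "moderate",  # how the IP behaves externally
    "asn": 64496, "as_name": "EXAMPLE-AS",
    "country": "NL",
    "cves": ["CVE-0000-0001"],     # placeholder, not a real CVE id
    "is_vpn": False, "is_proxy": True, "is_tor": False, "is_hosting": True,
}
ANON_FLAGS = (("is_vpn", "vpn"), ("is_proxy", "proxy"), ("is_tor", "tor"), ("is_hosting", "hosting"))

def sid(kind):
    return f"{kind}--{uuid.uuid4()}"  # fresh STIX identifier of the given object type

def risk_labels(rec):
    """Layered labels: both risk perspectives plus every anonymization/hosting flag that is set."""
    labels = [f"inbound:{rec['inbound_score']}", f"outbound:{rec['outbound_score']}"]
    labels += [name for key, name in ANON_FLAGS if rec.get(key)]
    return labels

def rel(src, dst, rel_type, now):
    """STIX relationship object; relationship types follow OpenCTI's graph conventions (assumed)."""
    return {"type": "relationship", "id": sid("relationship"), "created": now,
            "modified": now, "relationship_type": rel_type,
            "source_ref": src, "target_ref": dst}

def to_bundle(rec):
    """Map one enrichment record to the entities and relationships OpenCTI ingests."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    ip = {"type": "ipv4-addr", "id": sid("ipv4-addr"), "value": rec["ip"]}
    ind = {"type": "indicator", "id": sid("indicator"), "created": now, "modified": now,
           "name": rec["ip"], "pattern_type": "stix", "valid_from": now,
           "pattern": f"[ipv4-addr:value = '{rec['ip']}']", "labels": risk_labels(rec)}
    asn = {"type": "autonomous-system", "id": sid("autonomous-system"),
           "number": rec["asn"], "name": rec["as_name"]}
    loc = {"type": "location", "id": sid("location"), "created": now, "modified": now,
           "name": rec["country"], "country": rec["country"]}
    objs = [ip, ind, asn, loc, rel(ind["id"], ip["id"], "based-on", now),
            rel(ip["id"], asn["id"], "belongs-to", now), rel(ip["id"], loc["id"], "located-at", now)]
    for cve in rec.get("cves", []):  # one Vulnerability entity per CVE linked to exposed services
        vuln = {"type": "vulnerability", "id": sid("vulnerability"),
                "created": now, "modified": now, "name": cve}
        objs += [vuln, rel(ip["id"], vuln["id"], "related-to", now)]
    return {"type": "bundle", "id": sid("bundle"), "objects": objs}
```

Once loaded, the indicator, observable, AS, location and vulnerability nodes are what analysts pivot across in the graph.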
Key Use Cases
SOC Triage and Alert Validation
Rapidly validate suspicious IPs and domains using dual risk scoring, infrastructure context, and phishing intelligence, enabling analysts to prioritize high-risk indicators.
Threat Hunting and Infrastructure Pivoting
Leverage enriched relationships such as CVEs, Autonomous Systems, and geolocation to pivot across connected infrastructure and uncover related assets used in attacker operations.
Phishing and Campaign Analysis
Identify and analyze malicious domains, credential harvesting pages, and supporting infrastructure to track phishing activity and understand broader campaign patterns.
OpenCTI Platform
OpenCTI is an open-source cyber threat intelligence platform designed to structure, store, and analyze threat data using a graph-based model. It enables organizations to connect indicators, vulnerabilities, threat actors, and campaigns into a unified knowledge base for investigation, collaboration, and intelligence sharing.
Criminal IP
Criminal IP delivers decision-ready cyber threat intelligence by analyzing IP addresses, domains, and URLs across the global internet. Powered by AI and OSINT, it provides reputation scoring, infrastructure visibility, and real-time detection of malicious activity, including phishing, exposed services, and anonymization technologies such as VPNs and proxies. Its API-first architecture enables seamless integration into security platforms to enhance visibility, automation, and response.
Sponsored and written by Criminal IP.