ZeroTrace OSINT
IP Reputation
Cross-feed reputation lookups including ThreatFox, URLhaus, Spamhaus DROP, Tor exit nodes, and GreyNoise Community.
The IP reputation tool checks a single IP against multiple public threat-intelligence feeds in parallel and aggregates the verdicts. It is the SOC-triage tool — paste an IP from your logs and find out whether the public threat-intelligence community has anything to say about it.
What you get
For any IPv4 or IPv6:
| Source | What it surfaces |
|---|---|
| ThreatFox (abuse.ch) | Active malware C2 IOCs, with malware family attribution and threat type |
| URLhaus (abuse.ch) | URLs hosted on the IP that have been flagged for malware distribution |
| Spamhaus DROP / EDROP | Networks Spamhaus has determined are wholly hijacked or operated for spam / botnet purposes |
| Tor exit nodes | Whether the IP is currently a Tor exit relay |
| GreyNoise Community | Whether the IP is "noise" (background internet scanning), with classification (benign / malicious) |
A composite verdict at the top tells you at a glance whether any feed flagged the IP.
When to use it
- SOC triage. A connection from an unknown external IP arrives in your SIEM. Five seconds and you know whether it is a known-bad IP or just an internet scanner.
- Phishing-IOC validation. A phishing report names an IP. The reputation tool tells you whether the IP is part of a known infrastructure cluster.
- Fraud investigation. A user logs in from a Tor exit. The reputation tool confirms that the IP really is a current Tor exit, rather than a VPN address that merely looks like one.
Reading the verdict
Each feed returns one of:
| Verdict | Meaning |
|---|---|
| Clean | Feed does not flag this IP |
| Listed | Feed flags the IP, with a category and (where available) a malware family or campaign |
| Stale | Feed previously flagged the IP but the listing has expired |
| No data | Feed has no record either way |
A composite top-line shows whether any feed is currently listing the IP. "Clean across all feeds" is real signal for IPs that have been around a while; for newly-allocated cloud IPs, it mostly means the feeds have not seen them yet.
Tor exit detection
Tor exit detection uses the public Tor consensus list: an IP is flagged only if it appears in the consensus at the time of the lookup. An IP that was a Tor exit but no longer is will not be flagged here, because Tor exits rotate frequently.
Tor exit detection should not be read as "this user is a malicious actor." Many people use Tor for privacy, journalism, or political reasons. The flag is a forensic context, not a verdict.
GreyNoise Community
GreyNoise classifies IPs that are observed scanning the internet at scale. Their Community API distinguishes:
- Benign noise — research scanners, search-engine crawlers, security-research projects (Shadowserver, Censys, Shodan).
- Malicious noise — IPs running widespread exploitation attempts.
- Unknown noise — IPs scanning but not yet classified.
For a SIEM hit, "benign noise" is the verdict that lets you close the ticket fastest.
Bulk reputation
Bulk paste runs the same multi-feed lookup against many IPs in one batch. The aggregate table shows verdict per feed per IP — perfect for triaging a list from a daily threat report.
Pivots
| Click on... | Pivot to |
|---|---|
| The IP | IP geolocation, WHOIS, ASN lookup, reverse DNS, exposed services |
| Malware family / campaign tag | (no pivot — copy and search externally) |
| URL listed by URLhaus | URL parser, URL redirect chain |
Sources
- ThreatFox by abuse.ch.
- URLhaus by abuse.ch.
- Spamhaus DROP and EDROP.
- The Tor consensus list (via the public list at dan.me.uk).
- GreyNoise Community API (no API key required for community tier).
Every source is named on the result. If a source is unreachable during the run, the tool surfaces a warning per row rather than silently returning "clean."