# AttackThreat
Version: 1.0.0 · Category: Threat Intelligence · Plan: Base+ · Built-in
AttackThreat is the platform's built-in threat intelligence service. It consolidates IP enrichment, domain analysis, URL and file reputation scanning, batch IP reputation checks, and vulnerability lookup into a single always-available integration. No API key configuration is required — the platform manages all credentials.
It is designed to be the default intelligence layer for every investigation. In other words:

- Start with AttackThreat first
- Add external integrations only when you need customer-specific data or deeper vendor-specific capabilities
- Keep outputs vendor-neutral so reports read like intelligence findings rather than raw provider dumps

!!! tip "Always available"
    AttackThreat is active by default in every project. You do not need to open the integration marketplace or enter any credentials to use it.
## Tools

### enrich_ip — IP enrichment
Full threat profile for an IP address, drawing on multiple intelligence sources:
| Return field | Description |
|---|---|
| Abuse confidence score | Percentage likelihood this IP is malicious (0–100%) |
| Community risk level | Overall classification (High / Medium / Low / No record) |
| ISP / Usage type | Provider and network type (datacenter, residential, VPN, etc.) |
| Country | Country of origin |
| Total reports | Number of abuse incidents in the lookback window |
| Malware associations | Known malware families, communicating files, or threat actors linked to this IP |
Example:

```text
Investigate IP 185.220.101.45 — check its abuse score and any malware associations
```

### enrich_domain — Domain analysis
Comprehensive intelligence for a domain name or full URL hostname:
- WHOIS registration data
- DNS resolution to IP addresses
- Reputation checks for resolved IPs
- SSL certificate history
- Security engine verdicts (malicious, phishing, suspicious, etc.)
- Communicating malware samples linked to this domain
Example:

```text
Analyze domain evil-corp.example.com — WHOIS, DNS history, and threat verdicts
```

### enrich_url — URL safety analysis
Scans a URL across 90+ security engines and also resolves the hostname to IPs for reputation checks:
| Data point | Description |
|---|---|
| Final URL | Destination after following all redirects |
| Detection verdicts | Per-engine malicious / phishing / clean assessments |
| Threat categories | Malware, phishing, spam, etc. |
| HTTP response | Status code and content type at scan time |
| Hostname IP reputation | Abuse score and risk level for resolved IPs |
This tool may take around 30 seconds because the platform waits for the URL scan to complete before returning a consolidated report.
Example:

```text
Check whether this URL is safe: https://suspicious-site.example.com/payload.zip
```

### enrich_file — File hash analysis
Analyzes a file hash (MD5, SHA-1, or SHA-256) across 70+ antivirus engines:
- Detection rate and per-engine verdicts
- File type, size, and metadata
- Behavioral indicators (network connections, dropped files, registry changes)
- Threat family name and associated threat actors
Example:

```text
Is this file hash malicious? 44d88612fea8a8f36de82e1278abb02f
```

### check_reputation — Batch IP reputation
Check up to 100 IP addresses in a single call:
| Parameter | Default | Description |
|---|---|---|
| ips | — | List of IPs to check (max 100) |
| max_age_days | 90 | Lookback window for abuse reports (1–365) |
| threshold | 0 | Confidence score cutoff for filtering results |
| include_blacklist | false | Also fetch the global high-confidence blacklist |
Returns a summary table of IPs with confidence scores, risk levels, and ISP/country breakdown. Use this for batch triage; use enrich_ip for single-IP deep analysis.
Example:

```text
Batch-check these IPs from today's firewall alert log: 1.2.3.4, 5.6.7.8, 9.10.11.12
```
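The parameter constraints above (100 IPs per call, `max_age_days` in 1–365, a confidence-percentage `threshold`) are easy to get wrong when feeding a SIEM export into the tool. The following helpers are an added example, not AttackThreat's own code: the tool invocation is not specified on this page, so they only build validated request payloads and triage a constructed result set shaped like the summary table (score, risk level, ISP, country); the field names are assumptions.

```python
# Added example (not AttackThreat's own code): client-side helpers around the
# documented check_reputation parameters. Nothing here contacts a service.

MAX_IPS_PER_CALL = 100          # documented batch limit
MAX_AGE_RANGE = (1, 365)        # documented max_age_days range


def plan_batches(ips: list[str], max_age_days: int = 90,
                 threshold: int = 0, include_blacklist: bool = False) -> list[dict]:
    """Split an IP list into check_reputation-sized requests with validated parameters."""
    lo, hi = MAX_AGE_RANGE
    if not lo <= max_age_days <= hi:
        raise ValueError(f"max_age_days must be in {lo}-{hi}, got {max_age_days}")
    if not 0 <= threshold <= 100:
        raise ValueError("threshold is a confidence percentage (0-100)")
    # Dedupe while preserving order, and drop blank entries from a pasted log.
    unique = list(dict.fromkeys(ip.strip() for ip in ips if ip.strip()))
    return [
        {"ips": unique[i:i + MAX_IPS_PER_CALL], "max_age_days": max_age_days,
         "threshold": threshold, "include_blacklist": include_blacklist}
        for i in range(0, len(unique), MAX_IPS_PER_CALL)
    ]


# Constructed sample mirroring the summary-table fields the page lists.
SAMPLE_RESULTS = [
    {"ip": "203.0.113.10", "confidence": 100, "risk": "High", "isp": "ExampleHost", "country": "NL"},
    {"ip": "203.0.113.11", "confidence": 42, "risk": "Medium", "isp": "ExampleTel", "country": "US"},
    {"ip": "203.0.113.12", "confidence": 0, "risk": "No record", "isp": "ExampleTel", "country": "US"},
    {"ip": "203.0.113.13", "confidence": 75, "risk": "High", "isp": "ExampleHost", "country": "NL"},
]


def triage(results: list[dict], threshold: int = 50) -> list[dict]:
    """Keep IPs at or above the confidence cutoff, highest score first; these are
    the candidates to hand to enrich_ip for single-IP deep analysis."""
    kept = [r for r in results if r["confidence"] >= threshold]
    return sorted(kept, key=lambda r: (-r["confidence"], r["ip"]))


def summarize(results: list[dict]) -> dict:
    """Count results per risk level, the breakdown the tool's summary table reports."""
    counts: dict[str, int] = {}
    for r in results:
        counts[r["risk"]] = counts.get(r["risk"], 0) + 1
    return counts
```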
### lookup_vulnerability — CVE intelligence
Detailed intelligence for a specific CVE identifier:
| Return field | Description |
|---|---|
| CVSS v2 / v3 score | Severity scores with vector string |
| EPSS score | Exploitation probability and percentile ranking |
| KEV status | Whether the CVE is on CISA's Known Exploited Vulnerabilities catalog |
| Ransomware association | Known ransomware groups exploiting this CVE |
| Affected CPEs | Full list of affected product identifiers |
| Proposed mitigations | Recommended remediation actions |
Example:

```text
What is the CVSS and EPSS score for CVE-2024-21762? Is it in the KEV catalog?
```

## No configuration needed
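The return fields above are most useful when combined into a patch-priority decision. This is an added example, not AttackThreat's own code: it parses the CVSS v3 vector string, ranks constructed placeholder CVE records (not real CVE data) by exploitation evidence before raw severity, and the record field names and the ordering policy are assumptions.

```python
# Added example (not AttackThreat's own code): turning lookup_vulnerability fields
# (CVSS score + vector, EPSS, KEV status, ransomware association) into a ranking.
import re

# Constructed placeholder records; field names are assumptions, not the tool's schema.
SAMPLE_CVES = [
    {"cve": "CVE-2099-0001", "cvss": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "epss": 0.04, "kev": False, "ransomware": []},
    {"cve": "CVE-2099-0002", "cvss": 7.8, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "epss": 0.91, "kev": True, "ransomware": ["ConstructedGroup"]},
    {"cve": "CVE-2099-0003", "cvss": 8.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "epss": 0.35, "kev": True, "ransomware": []},
]


def parse_cvss_vector(vector: str) -> dict[str, str]:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    if not re.match(r"^CVSS:3\.[01]/", vector):
        raise ValueError(f"unsupported vector: {vector}")
    return dict(part.split(":", 1) for part in vector.split("/")[1:])


def priority(rec: dict) -> tuple:
    """Sort key (assumed policy): evidence of active exploitation (ransomware use,
    KEV listing) outranks raw severity, then EPSS, then CVSS; a network-reachable
    attack vector (AV:N) breaks remaining ties."""
    metrics = parse_cvss_vector(rec["vector"])
    return (bool(rec["ransomware"]), rec["kev"], rec["epss"], rec["cvss"],
            metrics.get("AV") == "N")


def rank(records: list[dict]) -> list[str]:
    """CVE ids ordered most urgent first."""
    return [r["cve"] for r in sorted(records, key=priority, reverse=True)]


def needs_patch_now(rec: dict, epss_cutoff: float = 0.5) -> bool:
    """KEV listing, ransomware association, or EPSS at/above the cutoff is a patch-now signal."""
    return rec["kev"] or bool(rec["ransomware"]) or rec["epss"] >= epss_cutoff
```

Note that the highest CVSS record ranks last here: a 9.8 with low EPSS and no KEV entry is less urgent than a lower-scored CVE already used by ransomware.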
AttackThreat requires no setup. The platform supplies all necessary API credentials. To use it, simply describe your investigation in the chat:
- "Investigate IP 45.33.32.156 and tell me its risk level"
- "Analyze file hash 275a021bbfb6489e54d471899f7db9d1039126f4"
- "Check these 50 IPs from my SIEM alert: …"
- "What do we know about CVE-2021-44228 — EPSS, KEV, ransomware?"
- "Is https://this-url.example.com safe?"
## Relationship to other integrations
AttackThreat covers the default threat intelligence workflows that should work immediately in every project.
If you later add Shodan, VirusTotal, or AbuseIPDB, treat them as optional BYOK connectors:
- They extend coverage for customers who already use those vendors
- They are not required for the core AttackTrace experience
- They should be understood as data sources attached to the platform, not as the long-term center of product value
## Product direction

The long-term direction is to make AttackTrace a threat data response center:

- AttackThreat provides the common intelligence baseline
- Other connectors bring in logs, cloud evidence, tickets, and customer-owned APIs
- Reports, approvals, comments, and investigation history become the persistent operating layer