IP Investigation
Look up any IP address and get an at-a-glance profile — classification, ownership/abuse contact, routing/ASN, reverse DNS, and host exposure — pulled live from public sources.
Why It Matters
When a suspicious IP shows up in a report or a log line, the first questions are always the same: who owns it, is it real infrastructure or an end user, who do you complain to, and is the host itself exposed? Answering them usually means hopping between whois CLIs, registry websites, and scanner dashboards. IP Investigation pulls all of it into one page, so a responder gets the full picture from a single lookup.
What It Does
Enter one IP address — or paste up to 10 at once, straight from a log line. Each address gets its own card with:
- a classification — public, private, loopback, link-local, CGNAT, or reserved. Non-public addresses are answered instantly, with no network lookups.
- a one-line summary you can quote directly in a report or comment.
- signal chips highlighting notable findings at a glance.
- per-section intel with a status badge and provenance (source and age) on every section.
Invalid tokens don’t break the lookup — each gets its own “invalid” verdict card.
What each section shows
| Section | Source | What you learn |
|---|---|---|
| Ownership & abuse contact | RDAP (registry-direct) | Network name, registrant, CIDR ranges, and the abuse contact to escalate to |
| Routing / ASN | RIPEstat | Announcing AS number and holder, announced prefix |
| Reverse DNS | DNS (forward-confirmed) | The PTR hostname — only trusted when it resolves back to the same IP |
| Host exposure | Shodan | Open ports, service banners, known CVEs, and tags for the host |
Note
Reverse DNS is forward-confirmed because PTR records are controlled by whoever owns the IP — an attacker can point one anywhere. A hostname that doesn’t resolve back to the same address is flagged rather than trusted.
Investigating an IP
Open the IP Investigation page. Any signed-in account member can use it.
- Type an IP address, or paste up to 10 separated by spaces, commas, or semicolons.
- Submit — results render inline, one card per address.
Lookups run as a plain GET, so the resulting URL is shareable and deep-linkable: paste it in a report thread and a teammate lands on the same investigation.
OmniSearch knows about it too: type or paste an IP into the command palette (Cmd+K) and an Investigate IP <address> action appears, deep-linking with the address prefilled.
Where the Data Comes From
Everything is derived from public sources — RDAP registry data, RIPEstat routing data, DNS, and Shodan. The tool reads external intel about the address you enter; it does not touch or expose your account data, and nothing you look up is persisted.
Limits
| Limit | Value |
|---|---|
| Batch size | Up to 10 IP addresses per lookup |
| Placeholder sections | Cloud attribution, Tor, geolocation, and reputation are not yet available and render as placeholders |
| Caching | Results may be served from a short-lived cache shared across the app, so intel can be up to a few hours old |
Quick Checklist
- Open the IP Investigation page — or hit Cmd+K and type the IP
- Paste one IP, or up to 10 from a log line
- Quote the one-line summary in your report
- Escalate to the abuse contact from the ownership section