Logo StartupKit
EN

IP Investigation

Look up any IP address and get an at-a-glance profile — classification, ownership/abuse contact, routing/ASN, reverse DNS, and host exposure — pulled live from public sources.

Why It Matters

When a suspicious IP shows up in a report or a log line, the first questions are always the same: who owns it, is it real infrastructure or an end user, who do you complain to, and is the host itself exposed? Answering them usually means hopping between whois CLIs, registry websites, and scanner dashboards. IP Investigation pulls all of it into one page, so a responder gets the full picture from a single lookup.

What It Does

Enter one IP address — or paste up to 10 at once, straight from a log line. Each address gets its own card with:

  • a classification — public, private, loopback, link-local, CGNAT, or reserved. Non-public addresses are answered instantly, with no network lookups.
  • a one-line summary you can quote directly in a report or comment.
  • signal chips highlighting notable findings at a glance.
  • per-section intel with a status badge and provenance (source and age) on every section.

Invalid tokens don’t break the lookup — each gets its own “invalid” verdict card.

What each section shows

Section Source What you learn
Ownership & abuse contact RDAP (registry-direct) Network name, registrant, CIDR ranges, and the abuse contact to escalate to
Routing / ASN RIPEstat Announcing AS number and holder, announced prefix
Reverse DNS DNS (forward-confirmed) The PTR hostname — only trusted when it resolves back to the same IP
Host exposure Shodan Open ports, service banners, known CVEs, and tags for the host

Note

Reverse DNS is forward-confirmed because PTR records are controlled by whoever owns the IP — an attacker can point one anywhere. A hostname that doesn’t resolve back to the same address is flagged rather than trusted.

Investigating an IP

Open the IP Investigation page. Any signed-in account member can use it.

  1. Type an IP address, or paste up to 10 separated by spaces, commas, or semicolons.
  2. Submit — results render inline, one card per address.

Lookups run as a plain GET, so the resulting URL is shareable and deep-linkable: paste it in a report thread and a teammate lands on the same investigation.

OmniSearch knows about it too: type or paste an IP into the command palette (Cmd+K) and an Investigate IP <address> action appears, deep-linking with the address prefilled.

Where the Data Comes From

Everything is derived from public sources — RDAP registry data, RIPEstat routing data, DNS, and Shodan. The tool reads external intel about the address you enter; it does not touch or expose your account data, and nothing you look up is persisted.

Limits

Limit Value
Batch size Up to 10 IP addresses per lookup
Placeholder sections Cloud attribution, Tor, geolocation, and reputation are not yet available and render as placeholders
Caching Results may be served from a short-lived cache shared across the app, so intel can be up to a few hours old

Quick Checklist

  • Open the IP Investigation page — or hit Cmd+K and type the IP
  • Paste one IP, or up to 10 from a log line
  • Quote the one-line summary in your report
  • Escalate to the abuse contact from the ownership section

Type to search...