Criminal IP is now integrated with OpenCTI, an open-source cyber threat intelligence platform.
OpenCTI uses a graph-based model to structure, store, and analyze cyber threat data. It connects indicators, vulnerabilities, threat actors, attack campaigns, and other threat information within a unified knowledge base, supporting investigation, collaboration, and intelligence sharing.
Through this integration, IP addresses, domains, and URLs collected in OpenCTI can be automatically enriched with Criminal IP threat intelligence.
The Criminal IP Connector structures risk scores, infrastructure intelligence, vulnerability data, behavioral signals, and phishing analysis results as entities and relationships aligned with the OpenCTI data model. This allows analysts to move beyond reviewing isolated reputation data and analyze related infrastructure and threat context directly within the OpenCTI knowledge graph.
Expanding Threat Context for OpenCTI Indicators

The Criminal IP Connector enriches IP addresses, domains, and URLs with the following information:
- Inbound and outbound IP risk scores
- Malicious classifications and behavioral signals
- Use of anonymization technologies such as VPNs, proxies, and Tor
- Externally observed services and related CVEs
- Autonomous System and geolocation information
- Domain and URL phishing analysis
- Detection of credential harvesting, suspicious files, and impersonation techniques
This information is structured as OpenCTI entities and relationships rather than being added as simple tags. Analysts can start from an individual indicator and expand their investigation across related vulnerabilities, Autonomous Systems, geolocation data, and connected infrastructure.
Dual-Perspective Risk Scoring and Infrastructure Analysis
Criminal IP provides both inbound and outbound risk scores for IP addresses.
The inbound risk score reflects how an IP is targeted from external sources, while the outbound risk score reflects behavior observed from the IP toward external systems.
This dual-perspective model gives analysts a more granular basis for prioritizing high-risk indicators than a single reputation score.
Criminal IP data is also represented in the OpenCTI knowledge graph through relationships between IP addresses, Autonomous Systems, geolocation data, observed services, and CVEs.

Analysts can use these relationships to explore related infrastructure and identify shared infrastructure components, hosting patterns, and regional clustering.
Service Exposure and Phishing Intelligence
Criminal IP links externally observed services with known CVEs, providing insight into potential attack surfaces.
This allows analysts to assess not only whether an IP is classified as malicious, but also whether it may be exploitable or actively used in attacks.
For domains and URLs, Criminal IP provides the following phishing intelligence:
- Phishing activity detection
- Credential harvesting detection
- Suspicious file detection
- Impersonation technique analysis
- Confidence scores based on phishing probability
Analysts can also review the IP addresses, Autonomous Systems, and geolocation data associated with phishing domains to investigate related infrastructure and broader campaign patterns.
How the Criminal IP Connector Works
The integration process works as follows:
- IP addresses, domains, and URLs are ingested into OpenCTI.
- The Criminal IP Connector automatically enriches each indicator.
- Risk scores, infrastructure intelligence, and phishing analysis results are collected.
- The enriched data is structured as OpenCTI entities and relationships.
- Analysts use the knowledge graph for investigation, correlation, and threat analysis.
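As an added example, not code from Criminal IP or from the OpenCTI connector project, the enrichment steps above and the dual-perspective scoring described earlier are modelled here as a transformation of one constructed enrichment record into STIX 2.1 objects and relationships of the kind OpenCTI ingests. The record's field names, the score categories and the label placement are assumptions; x_opencti_score is OpenCTI's custom score property on observables.

```python
# Added example (not Criminal IP's or OpenCTI's code): turn a constructed
# enrichment record into STIX 2.1 objects and relationships for OpenCTI.
import json
import uuid

# Constructed sample enrichment for one IP; field names are assumptions,
# not the real Criminal IP API schema. The CVE id is a placeholder.
ENRICHMENT = {
    "ip": "203.0.113.10",
    "inbound_score": "critical",     # how the IP is targeted from outside
    "outbound_score": "moderate",    # behaviour seen from the IP outward
    "is_vpn": True,
    "asn": 64500, "as_name": "EXAMPLE-AS", "country": "NL",
    "open_ports": [{"port": 443, "cves": ["CVE-0000-0000"]}],
}

# Assumed ordering of score categories, worst last.
RANK = {"safe": 0, "low": 1, "moderate": 2, "dangerous": 3, "critical": 4}

def sid(kind: str) -> str:
    """STIX identifier: object type plus a UUID4 suffix."""
    return f"{kind}--{uuid.uuid4()}"

def relationship(src: str, rel_type: str, dst: str) -> dict:
    return {"type": "relationship", "id": sid("relationship"),
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst}

def priority(record: dict) -> int:
    """Dual-perspective triage: the worse of inbound and outbound decides."""
    return max(RANK[record["inbound_score"]], RANK[record["outbound_score"]])

def to_stix_bundle(record: dict) -> dict:
    ip = {"type": "ipv4-addr", "id": sid("ipv4-addr"), "value": record["ip"],
          "x_opencti_score": priority(record) * 25}   # map 0..4 onto 0..100
    if record["is_vpn"]:
        ip["labels"] = ["vpn"]  # anonymization as a label: an assumption
    asn = {"type": "autonomous-system", "id": sid("autonomous-system"),
           "number": record["asn"], "name": record["as_name"]}
    loc = {"type": "location", "id": sid("location"), "country": record["country"]}
    objects = [ip, asn, loc,
               relationship(ip["id"], "belongs-to", asn["id"]),
               relationship(ip["id"], "located-at", loc["id"])]
    # Each CVE tied to an exposed service becomes a vulnerability entity
    # linked to the IP, so analysts can pivot from the indicator to the CVE.
    for svc in record["open_ports"]:
        for cve in svc["cves"]:
            vuln = {"type": "vulnerability", "id": sid("vulnerability"), "name": cve}
            objects += [vuln, relationship(ip["id"], "related-to", vuln["id"])]
    return {"type": "bundle", "id": sid("bundle"), "objects": objects}

if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(ENRICHMENT), indent=2))
```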
Key Use Cases
SOC Triage and Alert Validation
Validate suspicious IP addresses and domains using dual-perspective risk scoring, infrastructure intelligence, and phishing analysis, while prioritizing high-risk indicators for further investigation.
Threat Hunting and Infrastructure Pivoting
Use relationships involving CVEs, Autonomous Systems, and geolocation data to pivot across connected infrastructure and investigate related assets.
Phishing and Campaign Analysis
Analyze malicious domains, credential harvesting pages, and supporting infrastructure to identify phishing activity and understand broader campaign patterns.
Strengthening Threat Intelligence with a Knowledge Graph
The integration between Criminal IP and OpenCTI allows security teams to use IP addresses, domains, and URLs as structured threat intelligence rather than isolated reputation data.
By connecting indicators with vulnerabilities, network ownership, geolocation data, and related infrastructure, the integration supports investigation, correlation, and threat prioritization within the OpenCTI knowledge graph.
Criminal IP will continue to expand its integrations with global security platforms, helping organizations apply threat intelligence across security investigation, analysis, and response workflows.
🔗 View the integration documentation
https://hub.filigran.io/en/cybersecurity-solutions/opencti-integrations/criminal-ip