Features / Pivot surfaces
// Deep dive, for CTI practitioners

Start anywhere, find everyone

Most threat feeds give you a flat list of bad IPs. IntrusionLabs gives you the graph. An analyst with a single indicator — an IP, an ASN, a /24, a HASSH fingerprint, a campaign name — can pivot in one click to every related actor and campaign in our dataset.

TL;DR

Seven pivot surfaces are live today, covering 23,654 threat actors, 2,332 distinct ASNs, and 136 HASSH fingerprints. The 4,154-IP botnet finding started with one click on a HASSH pivot — that's the UX being described here.

// Pivot-graph size right now

Threat actors: 23,654 (3,233 active last 7d)
Distinct ASNs: 2,332 (pivotable via /tools/asn/)
HASSH fingerprints: 136 (pivotable via /tools/hassh/)
Largest HASSH cluster: 986 IPs sharing one fingerprint

// The seven pivot surfaces

Start from            URL
IP address            /tools/ip/<ip>/
ASN                   /tools/asn/AS<n>/
Subnet (CIDR)         /tools/subnet/<cidr>/
HASSH fingerprint     /tools/hassh/<fp>/
Campaign              /tools/campaigns/
Bulk IPs              /tools/bulk/
Faceted search        /tools/search/

// The pivot is the product

A flat IP blocklist answers one question: "is this IP bad?" A pivot graph answers the question an analyst actually needs to ask next: "what else looks like this?" That's the difference between reactive blocking and threat intelligence.

Every page in IntrusionLabs that shows an indicator — an actor, a campaign, a session, a fingerprint — links that indicator to every place else it appears. Actor detail pages list every campaign the actor belongs to. Campaign pages list every member actor. Session records link to the HASSH fingerprint, which links to every other actor sharing that fingerprint, which links to any campaign formed around that fingerprint. Click through it, or query it programmatically via the API.

The 4,154-IP botnet write-up is a case study of this UX — the detection wasn't the clever part; the pivot that made it visible was.
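The actor / campaign / session / fingerprint chain described above, as a toy graph traversal. This is an added example, not IntrusionLabs' code or dataset: the session rows, ASNs, fingerprint labels and campaign names are constructed, and `hops` is a hypothetical knob standing in for "how many clicks deep".

```python
"""Toy pivot graph over constructed honeypot sessions (not IntrusionLabs' data)."""
from collections import deque
from ipaddress import ip_network

# Constructed sample sessions: (actor_ip, asn, hassh_fingerprint, campaign_or_None)
SESSIONS = [
    ("203.0.113.10", "AS64500", "hassh-A", "camp-1"),
    ("203.0.113.11", "AS64500", "hassh-A", "camp-1"),
    ("198.51.100.7", "AS64501", "hassh-A", None),      # shares the fingerprint, no campaign yet
    ("198.51.100.8", "AS64501", "hassh-B", "camp-2"),
]


def build_graph(sessions, subnet_prefix=24):
    """Undirected adjacency between typed nodes such as ('ip', '203.0.113.10').

    Each session links its actor to its ASN, its /24 subnet, the HASSH
    fingerprint it presented, and the campaign it belongs to (if any)."""
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for ip, asn, hassh, campaign in sessions:
        actor = ("ip", ip)
        subnet = ("subnet", str(ip_network(f"{ip}/{subnet_prefix}", strict=False)))
        link(actor, ("asn", asn))
        link(actor, subnet)
        link(actor, ("hassh", hassh))
        if campaign:
            link(actor, ("campaign", campaign))
    return graph


def pivot(graph, start, hops=1):
    """Everything within `hops` edges of `start`, grouped by node type.

    A start node the sensors never saw yields {} (a coverage gap,
    not evidence that the indicator is clean)."""
    if start not in graph:
        return {}
    seen, frontier, found = {start}, deque([(start, 0)]), {}
    while frontier:
        node, depth = frontier.popleft()
        if depth == hops:
            continue
        for nxt in graph[node]:
            if nxt in seen:
                continue
            seen.add(nxt)
            frontier.append((nxt, depth + 1))
            found.setdefault(nxt[0], set()).add(nxt[1])
    return found
```

One hop from a fingerprint gives the actors sharing it; two hops adds their ASNs, subnets and campaigns, which is the click-through the page describes.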

// Faceted search beyond the pivots

/tools/search/ layers additional facets on top of the basic pivots. Free: country, attack type, time range, free-text IP/ASN/hostname. Authenticated: MITRE technique, ASN-WHOIS filter, cloud provider, confidence threshold, behavioral pattern, corroboration count, Tor/VPN/ASN-DROP flags, known-scanner exclusion.

The split between free and authenticated facets is about abuse prevention, not monetization tier — the full facet set on unauthenticated traffic is a scraping vector.

// Try it now: top non-benign ASNs (last 7 days)

Each ASN link opens the /tools/asn/ pivot. Every actor inside that ASN is one click deeper.

ASN         Actors (7d)
AS396982    224
AS132203    183
AS14061     148
AS25369     110
AS63949     99

// Honest about limits

Credential-fingerprint and JA4 pivots aren't shipped yet. The session profile tracks both fields, and the grouping logic exists for credentials (actors sharing ≥5 identical password attempts), but neither has a /tools/ URL wired up. They are next in the pivot roadmap, tracked in GH #186.

Pivots return what we've seen. If an ASN or subnet never touched our honeypots, the page will be empty — that's a gap in sensor coverage, not a clean bill of health.

// See also