Features / Pivot surfaces
// Deep dive, for CTI practitioners

Start anywhere, find everyone

Most threat feeds give you a flat list of bad IPs. IntrusionLabs gives you the graph. An analyst with a single indicator — an IP, an ASN, a /24, a HASSH fingerprint, a campaign name — can pivot in one click to every related actor and campaign in our dataset.

TL;DR

Seven pivot surfaces are live today, covering 31,723 threat actors, 2,816 distinct ASNs, and 154 HASSH fingerprints. The 4,154-IP botnet finding started with one click on a HASSH pivot — that's the UX being described here.

// Pivot-graph size right now

Threat actors
31,723
2,969 active last 7d
Distinct ASNs
2,816
pivotable via /tools/asn/
HASSH fingerprints
154
pivotable via /tools/hassh/
Largest HASSH cluster
691
IPs sharing one fingerprint

// The seven pivot surfaces

Start from URL
IP address /tools/ip/<ip>/
ASN /tools/asn/AS<n>/
Subnet (CIDR) /tools/subnet/<cidr>/
HASSH fingerprint /tools/hassh/<fp>/
Campaign /tools/campaigns/
Bulk IPs /tools/bulk/
Faceted search /tools/search/

// The pivot is the product

A flat IP blocklist answers one question: "is this IP bad?" A pivot graph answers the question an analyst actually needs to ask next: "what else looks like this?" That's the difference between reactive blocking and threat intelligence.

Every page in IntrusionLabs that shows an indicator — an actor, a campaign, a session, a fingerprint — links that indicator to every place else it appears. Actor detail pages list every campaign the actor belongs to. Campaign pages list every member actor. Session records link to the HASSH fingerprint, which links to every other actor sharing that fingerprint, which links to any campaign formed around that fingerprint. Click through it, or query it programmatically via the API.

The 4,154-IP botnet write-up is a case study of this UX — the detection wasn't the clever part; the pivot that made it visible was.

// Faceted search beyond the pivots

/tools/search/ layers additional facets on top of the basic pivots. Free: country, attack type, time range, free-text IP/ASN/hostname. Authenticated: MITRE technique, ASN-WHOIS filter, cloud provider, confidence threshold, behavioral pattern, corroboration count, Tor/VPN/ASN-DROP flags, known-scanner exclusion.

The split between free and authenticated facets is about abuse prevention, not monetization tier — the full facet set on unauthenticated traffic is a scraping vector.

// Try it now: top non-benign ASNs (last 7 days)

Each ASN link opens the /tools/asn/ pivot. Every actor inside that ASN is one click deeper.

ASN Actors (7d)
AS8075 309
AS396982 213
AS132203 190
AS14061 96
AS25369 76
// Honest about limits

Credential-fingerprint and JA4 pivots aren't shipped yet. The session profile tracks both fields, the grouping logic exists for credentials (actors sharing ≥5 identical password attempts), but neither has a /tools/ URL wired up. Next in the pivot roadmap, tracked in GH #186.

Pivots return what we've seen. If an ASN or subnet never touched our honeypots, the page will be empty — that's a gap in sensor coverage, not a clean bill of health.

// See also