Investigator Use
Criminal IP is an AI-powered cyber threat intelligence search engine that indexes internet-connected devices, domains, and IP addresses, providing security context including malicious activity history, open ports, running services, geolocation, and threat score assessments. It functions as an alternative to Shodan and Censys with a specific focus on threat detection and attack surface intelligence.
For OSINT investigators and threat intelligence analysts, Criminal IP provides rapid threat context for any IP address or domain. Its threat score system (0-100) synthesizes multiple risk signals — abuse history, malicious activity reports, hosting type, and behavioral indicators — into a single actionable score that enables rapid triage of large indicator sets.
The platform's real-time banner grabbing shows currently open ports and running services on target IPs, similar to Shodan but with additional threat context layered on top. This helps investigators understand both the technical exposure and the threat history of a specific IP in a single query.
Criminal IP's domain intelligence extends to certificate analysis, DNS history, and associated IP lookups — the same domain pivot chain that Censys and security researchers use for infrastructure attribution. The AI-enhanced context adds interpretive threat scoring to raw technical data, accelerating analysis.
For phishing investigations, Criminal IP's domain reputation data provides immediate context on whether a suspicious domain has been flagged for phishing activity, when it was first observed, and what hosting infrastructure it uses. This rapid phishing domain assessment is a common workflow during email security investigations.
The platform also supports API access for integration into automated investigation workflows, SIEM systems, and custom threat intelligence pipelines. Bulk IP enrichment via API is particularly useful for processing large indicator lists from incident response or threat hunting operations.
Compared to Shodan, Criminal IP places more emphasis on threat scoring and contextual intelligence than on raw device data. It complements rather than replaces traditional internet scanning platforms.
Record queried IPs and domains, threat scores, abuse category, and query timestamps for all Criminal IP lookups in case documentation.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
APNIC
IP Address OSINT
A global, open, stable, and secure Internet that serves the entire Asia Pacific community.
Abuse IP DB
IP Address OSINT
AbuseIPDB provides IP reputation data and community abuse reports for identifying malicious hosts in network and threat investigations.
Censys Search
IP Address OSINT
Internet-wide search interface for hosts and certificates with large-scale host, service, and virtual host coverage plus API access.
Cloudflare IP Finder
IP Address OSINT
Uses misconfigured DNS and old database records to find hidden IPs behind the Cloudflare network.
DNS dumpster
IP Address OSINT
Free domain research tool to discover hosts related to a domain. Find visible hosts from the attacker's perspective for Red and Blue Teams.
Domain/IP lookup
IP Address OSINT
InfoByIP provides bulk IP and domain lookups returning geolocation, ASN, hostname, and WHOIS data for multiple targets simultaneously.