"Cyber threat intelligence becomes more valuable when indicators are enriched with context that supports investigation, correlation, and decision-making," Criminal IP writes — a concise promise that is the throughline of a new connector between Criminal IP and OpenCTI.
Dual-perspective risk scoring gives analysts two angles on the same IP
The Criminal IP integration adds what the vendor describes as dual-perspective risk scoring — separate signals for inbound and outbound risk — instead of a single reputation number. According to the integration description, that dual view reflects both how an IP is being targeted (inbound) and how it behaves externally (outbound). The result, the integration says, is a more nuanced signal that helps analysts prioritize high-risk infrastructure during triage and investigation.
Infrastructure intelligence is embedded as entities and relationships
Rather than merely tagging indicators, the connector maps enrichment data into OpenCTI’s graph model as structured entities and relationships. The integration creates OpenCTI entities such as vulnerabilities (CVEs), Autonomous Systems (ISPs), and geolocation tied to IPs, domains and URLs. This embedding allows analysts to pivot across connected infrastructure, uncover shared components, and identify related infrastructure within the knowledge graph.
Service exposure, CVE correlation, and behavioral labels
Criminal IP links observed services on hosts to known CVEs, giving immediate visibility into which IPs are not only flagged as malicious but also potentially exploitable or actively used in attacks. The integration also generates layered behavioral labels that combine signals like anonymization technologies (VPN, proxy, TOR), hosting characteristics, and malicious classifications. Those labels are described as higher-fidelity than binary “malicious/benign” tags and are intended to provide richer context for prioritization.
Domain and phishing analysis that scores confidence
For domains and URLs, Criminal IP performs full URL analysis to detect phishing activity, credential harvesting pages, suspicious files, and impersonation techniques. The integration attaches confidence scores that are explicitly tied to phishing probability, supplying analysts with a quantifiable measure to weigh against other signals during alert validation and campaign analysis.
How SOCs, threat hunters, and procurement leaders are affected
- SOCs and security teams: The connector’s dual-perspective scoring, infrastructure context, and phishing confidence scores are positioned to speed triage and alert validation by highlighting which indicators deserve immediate follow-up.
- Threat hunters and incident responders: Structured relationships to CVEs, Autonomous Systems, and geolocation enable infrastructure pivoting inside OpenCTI’s graph, supporting searches for related assets and attacker footholds.
- Procurement leaders and platform integrators: Criminal IP’s API-first architecture and the promise of automatic enrichment into OpenCTI are presented as features that enable seamless integration into existing security platforms and support automation, visibility, and response workflows.
The integration workflow is straightforward: indicators (IP addresses, domains, URLs) are first ingested into OpenCTI; the Criminal IP connector automatically enriches each indicator with reputation scoring, infrastructure intelligence, vulnerability information, behavioral signals, and phishing analysis; and the enriched data is structured into OpenCTI entities and relationships for investigation, correlation, and analysis. Use cases the integration highlights include SOC triage and alert validation, threat hunting and infrastructure pivoting, and phishing and campaign analysis.
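The entity-and-relationship mapping described above (enrichment data becoming vulnerabilities, Autonomous Systems, and geolocation linked to an IP) and the ingest-enrich-structure workflow can be made concrete with a small script. The following is an added example, not code from Criminal IP's connector or from OpenCTI: it takes a constructed enrichment record, emits STIX 2.1-style objects and relationships of the shape OpenCTI stores in its graph, and derives a triage verdict from the inbound and outbound scores. The record's field names, the score thresholds, the fixed UUID namespace, and the placeholder CVE are all assumptions; `x_opencti_score` and `x_opencti_labels` are OpenCTI's custom properties, while `belongs-to`, `located-at` and `related-to` are standard STIX relationship types.

```python
"""Added example: map one enrichment record for an IP into STIX 2.1-style
entities and relationships (OpenCTI's graph shape) and derive a triage
priority from the dual inbound/outbound scores.  Not the vendor's code."""
import json
import uuid

# Fixed namespace so ids are deterministic across runs (an assumption;
# OpenCTI derives its own ids when it ingests a bundle).
STIX_NS = uuid.UUID("00000000-0000-0000-0000-00000000c1c1")


def stix_id(obj_type: str, key: str) -> str:
    """STIX identifier of the form <type>--<uuid>, derived from a stable key."""
    return f"{obj_type}--{uuid.uuid5(STIX_NS, f'{obj_type}:{key}')}"


# Constructed enrichment record; the schema is an assumption, not Criminal IP's API.
SAMPLE_ENRICHMENT = {
    "ip": "203.0.113.42",            # TEST-NET-3 address, constructed
    "inbound_score": 85,             # how heavily the IP is being targeted
    "outbound_score": 20,            # how it behaves toward the outside
    "asn": 64496,                    # documentation ASN
    "isp": "Example ISP",
    "country": "US",
    "open_ports": [
        {"port": 443, "product": "ExampleHTTPd", "cves": ["CVE-0000-00000"]},  # placeholder CVE
    ],
    "labels": ["proxy", "hosting"],  # behavioral labels
}


def build_bundle(rec: dict) -> dict:
    """Turn one enrichment record into a bundle of entities plus relationships."""
    ip_id = stix_id("ipv4-addr", rec["ip"])
    objects = [{
        "type": "ipv4-addr", "id": ip_id, "value": rec["ip"],
        "x_opencti_score": max(rec["inbound_score"], rec["outbound_score"]),  # OpenCTI score property
        "x_opencti_labels": list(rec.get("labels", [])),                     # OpenCTI label property
    }]

    def relate(rel_type: str, source: str, target: str) -> None:
        objects.append({
            "type": "relationship",
            "id": stix_id("relationship", f"{rel_type}:{source}:{target}"),
            "relationship_type": rel_type, "source_ref": source, "target_ref": target,
        })

    # Autonomous System (the article's "ISP" entity) and its belongs-to edge
    as_id = stix_id("autonomous-system", str(rec["asn"]))
    objects.append({"type": "autonomous-system", "id": as_id,
                    "number": rec["asn"], "name": rec["isp"]})
    relate("belongs-to", ip_id, as_id)

    # Geolocation as a STIX location with a located-at edge
    loc_id = stix_id("location", rec["country"])
    objects.append({"type": "location", "id": loc_id,
                    "name": rec["country"], "country": rec["country"]})
    relate("located-at", ip_id, loc_id)

    # Service exposure -> CVE correlation: one vulnerability node per distinct CVE
    seen = set()
    for svc in rec.get("open_ports", []):
        for cve in svc.get("cves", []):
            if cve in seen:
                continue
            seen.add(cve)
            vuln_id = stix_id("vulnerability", cve)
            objects.append({"type": "vulnerability", "id": vuln_id, "name": cve,
                            "description": f"observed on {rec['ip']}:{svc['port']} "
                                           f"({svc.get('product', 'unknown')})"})
            relate("related-to", ip_id, vuln_id)

    return {"type": "bundle", "id": stix_id("bundle", rec["ip"]), "objects": objects}


def triage(rec: dict, phishing_confidence=None) -> dict:
    """Keep the two perspectives separate instead of averaging them into one
    reputation number.  Thresholds are assumptions for illustration."""
    inbound, outbound = rec["inbound_score"], rec["outbound_score"]
    if outbound >= 70:
        verdict, priority = "attacker-infrastructure", 1   # malicious toward others
    elif inbound >= 70:
        verdict, priority = "targeted-or-compromised", 2   # heavily attacked; possible victim
    elif max(inbound, outbound) >= 40:
        verdict, priority = "watch", 3
    else:
        verdict, priority = "benign-so-far", 4
    if phishing_confidence is not None and phishing_confidence >= 0.8:
        priority = 1   # a high phishing probability outranks the IP-level view
    return {"verdict": verdict, "priority": priority,
            "inbound": inbound, "outbound": outbound}


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_ENRICHMENT), indent=2))
    print(triage(SAMPLE_ENRICHMENT))
```

Because ids are derived from stable keys, re-enriching the same IP yields the same objects, so a second run updates rather than duplicates the graph nodes; that is the property a connector needs when indicators are re-scored over time.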
Criminal IP is presented as delivering "decision-ready cyber threat intelligence" by analyzing IPs, domains, and URLs across the global internet using AI and OSINT, with real-time detection of malicious activity including phishing, exposed services, and anonymization technologies. OpenCTI is identified as an open-source cyber threat intelligence platform that organizes threat data in a graph-based model linking indicators, vulnerabilities, threat actors, and campaigns into a unified knowledge base.
For teams already using OpenCTI, the Criminal IP connector aims to transform isolated indicators into graphed intelligence: reputation and behavioral signals become nodes and edges, CVEs and ASNs become pivot points, and phishing probability becomes a measurable attribute rather than a checklist item. The integration, the vendor states, is intended to make investigation, correlation, and prioritization faster and more data-rich.
Sponsored and written by Criminal IP. Original story: Turning Indicators into Intelligence in OpenCTI with Criminal IP