Collection
A practical stack for confirming breach chatter and expanding it into external exposure context.
Stack tools
Scan the stack, then open profiles for caveats, pricing, and disclosure context.
Live interface preview
HIBP
Breach exposure lookup for emails and domains
Best for: Checking known breach exposure for emails, domains, and passwords in defensive account-security and incident-response workflows.
Breach exposure lookup for emails and domains
Live interface preview
Hudson Rock
Infostealer exposure intelligence
Best for: Infostealer-exposure checks around company domains, employee accounts, third-party risk, and defensive credential-risk triage.
Infostealer exposure intelligence
Live interface preview
abuse.ch
Malware-URL intelligence reference
Best for: Use it when a URL or domain needs malware-distribution context and conservative threat corroboration.
Malware-URL intelligence reference
Editorial proof card
OpenDNS / Cisco
Community phishing URL verification
Best for: Use it when a suspicious URL needs phishing-report context before broader URL or infrastructure triage.
Community phishing URL verification
Live interface preview
Cisco Talos
IP, domain, and email reputation intelligence
Best for: Use it when an indicator needs reputation or sender context from a major threat-intelligence provider.
IP, domain, and email reputation intelligence
Live interface preview
LevelBlue / AlienVault
Open threat-intelligence community pulses
Best for: Use it when an indicator needs community threat-intelligence context and related indicators.
Open threat-intelligence community pulses
Live interface preview
Google Cloud
Multi-source reputation context for indicators
Best for: Quick reputation triage for suspicious URLs, domains, IPs, file hashes, and already-public malware or phishing indicators.
Multi-source reputation context for indicators
Editorial proof card
AbuseIPDB
IP abuse-report and reputation lookup service
Best for: Checking suspicious IP addresses against public abuse reports during security, exposure, and infrastructure triage.
IP abuse-report and reputation lookup service
Live interface preview
GreyNoise
Background internet noise intelligence
Best for: Triage of suspicious IPs, scan activity, security alerts, and exposed-service noise where routine internet scanning may explain the…
Background internet noise intelligence
Live interface preview
Shodan
Public-internet exposure search for hosts and services
Best for: Fast first-pass checks on scoped IPs, hosts, ASNs, organizations, exposed services, ports, banners, and technology fingerprints.
Public-internet exposure search for hosts and services
Live interface preview
Censys
Structured search for hosts, services, and certificates
Best for: Certificate-led and host-led infrastructure mapping from a scoped technical clue.
Structured search for hosts, services, and certificates
Live interface preview
urlscan GmbH
URL render, screenshot, and network trace capture
Best for: Capturing a URL render, screenshot, DOM/network trace, redirects, loaded resources, and visible page behavior during phishing, web-evidence, or…
URL render, screenshot, and network trace capture
Live interface preview
CrowdStrike
Malware-analysis report community
Best for: Use it when a suspicious hash, file, or URL needs malware-analysis context while respecting evidence-sharing limits.
Malware-analysis report community
Live interface preview
ANY.RUN
Interactive threat-analysis sandbox
Best for: Use it when an authorized suspicious sample or URL needs behavioral analysis and visual triage.
Interactive threat-analysis sandbox
Live interface preview
GCHQ
Browser-based data decoding and transformation
Best for: Use it when an analyst needs safe, repeatable transformations of indicators, logs, URLs, encodings, or extracted text.
Browser-based data decoding and transformation
Live interface preview
SpiderFoot
Automated OSINT collection for scoped leads
Best for: Authorized OSINT automation around domains, IPs, subnets, ASNs, emails, usernames, and organization exposure review.
Automated OSINT collection for scoped leads
Workflow notes
This collection is built for operators who need to move from a breach rumor, exposed credential clue, or suspicious external signal into a more defensible picture of risk.
The case needs conservative breach confirmation, infostealer exposure context, suspicious-indicator review, internet-noise triage, or external attack-surface clues.
This is not incident response in a box. Exposure signals can involve victims and sensitive data, so publish only conservative claims that survive source and authorization review.
