Collection
A conservative stack for checking suspicious URLs, files, domains, IPs, and malware-distribution leads.
Stack tools
Scan the stack, then open profiles for caveats, pricing, and disclosure context.
Live interface preview
abuse.ch
Malware-URL intelligence reference
Best for: Use it when a URL or domain needs malware-distribution context and conservative threat corroboration.
Malware-URL intelligence reference
Editorial proof card
OpenDNS / Cisco
Community phishing URL verification
Best for: Use it when a suspicious URL needs phishing-report context before broader URL or infrastructure triage.
Community phishing URL verification
Live interface preview
Cisco Talos
IP, domain, and email reputation intelligence
Best for: Use it when an indicator needs reputation or sender context from a major threat-intelligence provider.
IP, domain, and email reputation intelligence
Live interface preview
LevelBlue / AlienVault
Open threat-intelligence community pulses
Best for: Use it when an indicator needs community threat-intelligence context and related indicators.
Open threat-intelligence community pulses
Live interface preview
MISP Project
Open-source threat-intelligence sharing platform
Best for: Use it when a team needs controlled threat-intelligence sharing, correlation, and internal/private community workflows.
Open-source threat-intelligence sharing platform
Live interface preview
Google Cloud
Multi-source reputation context for indicators
Best for: Quick reputation triage for suspicious URLs, domains, IPs, file hashes, and already-public malware or phishing indicators.
Multi-source reputation context for indicators
Editorial proof card
AbuseIPDB
IP abuse-report and reputation lookup service
Best for: Checking suspicious IP addresses against public abuse reports during security, exposure, and infrastructure triage.
IP abuse-report and reputation lookup service
Live interface preview
GreyNoise
Background internet noise intelligence
Best for: Triage of suspicious IPs, scan activity, security alerts, and exposed-service noise where routine internet scanning may explain the…
Background internet noise intelligence
Live interface preview
CrowdStrike
Malware-analysis report community
Best for: Use it when a suspicious hash, file, or URL needs malware-analysis context while respecting evidence-sharing limits.
Malware-analysis report community
Live interface preview
ANY.RUN
Interactive threat-analysis sandbox
Best for: Use it when an authorized suspicious sample or URL needs behavioral analysis and visual triage.
Interactive threat-analysis sandbox
Live interface preview
Joe Security
Automated threat-analysis sandbox
Best for: Use it when a security team needs deeper sandbox reporting for an authorized suspicious sample.
Automated threat-analysis sandbox
Live interface preview
GCHQ
Browser-based data decoding and transformation
Best for: Use it when an analyst needs safe, repeatable transformations of indicators, logs, URLs, encodings, or extracted text.
Browser-based data decoding and transformation
Workflow notes
Use this stack when a technical clue needs careful triage before it becomes a public claim. It starts with reputation and community intelligence, then moves into sandboxing only when the sample or URL is authorized and the case justifies deeper handling.
