See it in action

Try ipdex with real threat intelligence data — no setup needed.

ipdex requires a free CrowdSec API key to run lookups.


Paste IPs

Type or paste a list of IPs directly — one per line or extracted from any text. Up to 100,000 IPs per run.


Upload a Log File

Drop any log file directly — ipdex extracts all IPs automatically. Supports auth.log, nginx, apache, syslog, and more.

Batch Mode (Enterprise)

Faster parallel processing for large IP lists. Built for high-volume workflows. Requires an Enterprise API key.

Results are cached for 1 hour. Use the refresh button on any IP row to force a fresh lookup from the CrowdSec CTI API.

After running a lookup, the report gives you a global view of all your IPs before you drill into individual results.

Reputation Breakdown

Every IP is assigned one of six reputation values. The breakdown bar at the top of your report shows the distribution at a glance.

malicious: Confirmed, consistent attack behavior reported by the CrowdSec community. Act on these first.
suspicious: Some concerning activity detected but not enough to confirm as an active threat. Warrants investigation.
known: Known to CrowdSec but no malicious behavior observed.
benign: Activity is present but classified as benign — e.g., public security scanners.
safe: Fully trusted — typically legitimate security tooling or known infrastructure.
unknown: Never reported to CrowdSec. Unknown ≠ safe. Treat as unverified.

Insights Panel

Six counters that let you triage at scale before looking at individual IPs.

Malicious IPs: Confirmed attack behavior. Your highest priority.
IPs on Blocklists: Appear on CrowdSec Blocklists.
VPN / Proxy IPs: Classified as VPN or proxy — common in evasion techniques.
High Noise IPs: Mass scanners with high background noise. Low investigation priority.
IPs targeting CVEs: Observed targeting known CVEs.
Suspicious IPs: Concerning but unconfirmed activity.

The Map

Geographic distribution of your IPs plotted on a world map, colored by reputation. Clustering indicates regional activity patterns, but geography alone is a weak signal — always look at behaviors and classifications before drawing conclusions.

Background Noise

Not all malicious IPs carry the same operational weight. Background noise tells you whether the activity is targeted or automated mass-scanning.

High noise

Mass automated scanner hitting thousands of random targets per day. Block at the firewall — low investigation priority.

Low noise malicious

Targeted, deliberate behavior. This IP is choosing its targets. Act immediately and investigate the full profile.

Filtering & Export

Filter results by reputation pill or search by IP to narrow down large reports. You can also click on any badge in the results — blocklists, CVEs, classifications, behaviors, AS, or country — to instantly filter the table to IPs sharing that value.

Export your full results as CSV, JSON, PDF, or HTML for sharing or integration with your SIEM or incident management workflow.

Click any IP in the results table to open its full intelligence profile. Here’s what each field means.

Reputation & Confidence

The reputation value is paired with a confidence level that reflects how reliable the underlying data is.

high: Multiple independent sources confirm the activity.
medium: Credible data but from fewer sources.
low: Limited reports. Investigate before acting, even for malicious IPs.
none: No confidence data available.

Scores

Four dimensions scored from 0 to 5, each measured across four time windows: Overall, Last Month, Last Week, and Last Day.

Aggressiveness: How intense is the attack activity? Measures report frequency over time.
Threat: How dangerous is the behavior? Ranges from passive scanning to active exploitation.
Trust: How reliable is the data? Based on source credibility and report diversity.
Anomaly: Are there suspicious behavioral patterns outside normal activity for this IP?

Tip: High aggressiveness + low threat = mass scanner, low investigation priority. High threat + low aggressiveness = targeted, stealthy actor — act immediately.

History

First Seen and Last Seen timestamps from the CrowdSec network.

A malicious IP active for 2+ years is persistent infrastructure — a dedicated attack tool or botnet node, not a temporarily compromised machine. The longer the history, the more deliberate the threat.

Behaviors

Attack types observed from this IP. Multiple behaviors on the same IP indicate coordinated, automated tooling.

Auth Attacks: SSH Bruteforce, FTP Bruteforce, HTTP Bruteforce, LDAP Bruteforce, SMB Bruteforce, Telnet Bruteforce, Windows Bruteforce, Database Bruteforce, IoT Bruteforce, SIP Bruteforce, POP3/IMAP Bruteforce, VCS Bruteforce, Cloud Bruteforce, VM Management Bruteforce, Generic Bruteforce
Scanning: TCP Scan, HTTP Scan, Generic Scan, Fingerprint, K8s Scan
Exploitation: Exploitation Attempt, HTTP Exploit, SSH Exploit, VM Management Exploit, Windows RCE, Linux Exploitation, Linux Post-Exploitation, Cloud Unusual Activity
Other: HTTP Crawl, HTTP DoS, Web Form Spam, SMTP Spam, Ecommerce Fraud, Cloud Audit, K8s Audit, K8s Bruteforce

Classifications

Classifications describe what is known about the entity behind the IP — its role, infrastructure type, or known identity. An IP can carry multiple classifications at once. There are two categories: classifications and false positives (safe classifications).

Classifications

Describe the nature, behavior, or infrastructure profile of the IP.

Botnets & Malware
Likely Botnet: Exhibits botnet-like behavior — automated, coordinated attack patterns.
Mirai / Mozi / Hajime / ...: IP associated with a known botnet family, based on exploited CVEs and payload characteristics.
Hosts Malware: IP identified as hosting live payloads associated with known malware families.
Proxies & VPNs
Proxy: Acting as a relay for other traffic.
VPN or Proxy: AI-detected VPN or proxy behavior.
VPN: Confirmed VPN service exit node.
TOR: Known TOR exit node.
Corporate Proxy: Traffic from corporate proxy infrastructure (Zscaler, Netskope, Forcepoint, etc.).
Network & Infrastructure
Data Center IP: Hosted in a cloud or commercial data center.
Residential IP: Home or ISP-assigned address, not hosted in a data center.
Dangerous Services Exposed: Has vulnerable or insecure services open to the internet.
Many Services Exposed: Unusually high number of open ports detected.
Devices
Mikrotik / Cyberoam / AsusWRT / ...: IP associated with a device having known security weaknesses.
IP Camera / Hikvision: Compromised or exposed IoT camera device.
AI Crawlers
OpenAI / Anthropic / Meta / Google / ...: AI company indexing data for training Large Language Models.
AI Search: AI search engine used by users to search the internet via AI agents (Perplexity, CohereAI, etc.).
Bots & Scanners
Security Scanner: Known security scanner (Shodan, Censys, Qualys, Tenable, BinaryEdge, etc.).
Generic Bot: Bot traffic detected — scrapers, headless browsers, or automated tooling.
Fake Browser: User agent presents as a browser but behavior does not match.
Coordinated Attack Group: Cohort of machines seen attacking in a coordinated fashion.

False Positives (Safe Classifications)

IPs that triggered community detections but are verified as legitimate entities. These should not be blocked.

CDN Exit Nodes
Cloudflare / Akamai / Fastly / Cloudfront / ...: Traffic exits through a CDN — the IP is infrastructure, not an attacker.
Search Engines & SEO Crawlers
Googlebot / Bingbot / Duckduckbot / Yandex: Known search engine crawlers performing web indexing.
Ahrefs / Semrush / Babbar / DataForSEO / ...: Known SEO crawlers — look like scanners in logs but are legitimate.
Meta / Pinterest / LinkedIn / X: Social media crawlers fetching link previews and metadata.
Security & Compliance
Legitimate Scanner / Corporate Security Scanner: Known security or compliance scanning infrastructure (MSPs, audit firms).
CERT-FR / US-CERT / CERT Polska: Government cybersecurity agencies performing authorized scanning.
SSL Certificate Renewer: SSL certificate renewal infrastructure (Let's Encrypt, etc.).
Network & Services
Public DNS Resolver: Known public DNS resolver — should not be flagged as a threat.
iCloud Private Relay: Apple iCloud Private Relay exit node.
Internet Archive / Common Crawl: Web archival and open dataset crawlers.

CVEs

A list of CVE identifiers this IP has been observed exploiting or actively scanning for.

Cross-reference this list with your own assets: if this IP is actively targeting a CVE that affects your stack, escalate immediately.

Blocklists

The CrowdSec Blocklists this IP appears on. Each blocklist targets a specific threat category — botnets, bruteforcers, HTTP attackers, and more. An IP can appear on multiple lists when different detection scenarios independently flag the same behavior. Note that blocklist data is not real-time; entries reflect confirmed activity at the time of ingestion.


Target Countries

The top countries this IP has been seen attacking, with percentage breakdowns. A high percentage targeting your country increases the relevance of this IP to your organization and warrants closer investigation.

MITRE Techniques

ATT&CK technique identifiers mapped to the observed behavior. Use these to pivot into your SIEM or threat hunting workflow by correlating technique IDs across your alerts.


Translating ipdex signals into operational decisions.

Malicious + low noise: Investigate immediately, block
Malicious + high noise: Block at firewall — low investigation priority
Suspicious + CVEs matching your stack: Investigate and patch affected services
Safe / benign classification: Do not block — likely legitimate security tooling
Unknown: Monitor, correlate with other signals
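As an added example, not ipdex's own code, the decision table above and the scores rule of thumb from the Scores section (high aggressiveness + low threat = mass scanner, high threat + low aggressiveness = stealthy targeted actor) expressed as a Python triage function over a constructed record. The record field names, the 203.0.113.x addresses and the CVE-0000-000x placeholder values are assumptions; the page does not document ipdex's export schema.

```python
from dataclasses import dataclass, field

# Reputation values from the Reputation Breakdown section.
REPUTATIONS = {"malicious", "suspicious", "known", "benign", "safe", "unknown"}

@dataclass
class IpRecord:
    # Field names are an assumption for this example; the page does not
    # document ipdex's real JSON export schema.
    ip: str
    reputation: str
    confidence: str = "none"        # high / medium / low / none
    background_noise: str = "low"   # "high" or "low"
    aggressiveness: int = 0         # overall score, 0-5
    threat: int = 0                 # overall score, 0-5
    cves: list[str] = field(default_factory=list)
    safe_classifications: list[str] = field(default_factory=list)

def score_profile(aggressiveness: int, threat: int) -> str:
    """Scores rule of thumb: aggressive+harmless = mass scanner; dangerous+quiet = targeted."""
    if aggressiveness >= 4 and threat <= 2:
        return "mass_scanner"
    if threat >= 4 and aggressiveness <= 2:
        return "targeted_stealthy"
    return "mixed"

def triage(rec: IpRecord, stack_cves: set[str]) -> tuple[str, str]:
    """Map one record to (action, reason) using the decision table."""
    if rec.reputation not in REPUTATIONS:
        raise ValueError(f"unexpected reputation: {rec.reputation}")
    # Safe classifications are verified legitimate entities: never block.
    if rec.reputation in ("safe", "benign") or rec.safe_classifications:
        return "do_not_block", "safe/benign classification, likely legitimate tooling"
    if rec.reputation == "malicious":
        if rec.confidence == "low":
            # Limited reports: investigate before acting, even when malicious.
            return "investigate", "malicious but low confidence"
        if rec.background_noise == "high":
            return "block", "mass scanner, low investigation priority"
        return "investigate_and_block", "targeted low-noise malicious IP"
    if rec.reputation == "suspicious":
        hits = sorted(set(rec.cves) & stack_cves)
        if hits:
            return "investigate_and_patch", "targets CVEs in your stack: " + ", ".join(hits)
        if score_profile(rec.aggressiveness, rec.threat) == "targeted_stealthy":
            return "investigate", "high threat, low aggressiveness: stealthy actor"
        return "investigate", "suspicious activity, unconfirmed"
    return "monitor", "known/unknown: correlate with other signals"
```

Run it over the records of a JSON export to get a first-pass queue; the stack CVE set is the only input you need to maintain yourself.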
