Liberty91
CTI Skill · Threat actor & campaign work

Indicator Pivoting.

/indicator-pivoting

Indicator pivoting is how a single known IOC becomes a map of an adversary's wider infrastructure. This free, MIT-licensed skill runs inside your AI coding agent (Claude Code, Cursor, Codex or Windsurf) and gives you a decision tree by indicator type, concrete next lookups for each pivot, a worked multi-hop example and pivot-quality scoring so you can tell a strong lead from a coincidence.

What it does.

Starting from one seed indicator, an IP, domain, hash or certificate, the skill points you to the pivots that make sense for that type and walks you across the IOC graph hop by hop. It suggests the right lookup at each step, tracks the relationships you uncover, and scores each pivot for quality so weak or shared infrastructure does not get treated as a confident link.

When to use it.

Reach for it when you have one indicator and need to know what else is connected, when you suspect a single alert is part of a larger campaign, or when you are mapping an actor's infrastructure ahead of detection work. It is the natural next step after an investigation skill returns a confirmed-bad indicator worth expanding.

What you get back.

A documented pivot chain: the seed indicator, each hop with the lookup that produced it, the related infrastructure discovered, and a quality score per pivot. The output makes the reasoning explicit, so a reviewer can see exactly why two indicators are believed to be connected rather than taking the link on trust.
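An added sketch of such a scored pivot chain in Python, not the skill's own code: the base weights, the rarity damping formula and every sample observation below are assumptions constructed for illustration. It shows how a pivot through a value shared by hundreds of hosts scores far lower than one through a rarely shared value.

```python
import math
from collections import defaultdict

# Assumed base weight per pivot type (illustrative, not the skill's values).
BASE = {"tls_cert": 0.9, "resolves_to_ip": 0.6}

# Constructed observations: (indicator, pivot_type, pivot_value).
OBS = [
    ("seed.example", "resolves_to_ip", "192.0.2.10"),
    ("login-portal.example", "resolves_to_ip", "192.0.2.10"),
    ("login-portal.example", "tls_cert", "cert-A"),
    ("update-cdn.example", "tls_cert", "cert-A"),
    ("seed.example", "resolves_to_ip", "198.51.100.7"),  # shared-hosting IP
] + [(f"tenant{i}.example", "resolves_to_ip", "198.51.100.7") for i in range(200)]

def hop_score(pivot_type, n_peers):
    """Base weight, damped as more indicators share the same pivot value."""
    return BASE[pivot_type] / (1 + math.log2(n_peers))

def pivot(seed, observations=OBS, max_hops=2):
    """Return {indicator: (chain_score, hops)}, keeping the best chain found."""
    by_value, by_ind = defaultdict(set), defaultdict(set)
    for ind, ptype, value in observations:
        by_value[(ptype, value)].add(ind)
        by_ind[ind].add((ptype, value))
    best = {seed: (1.0, [])}
    frontier = [seed]
    for _ in range(max_hops):
        reached = []
        for src in frontier:
            score, hops = best[src]
            for ptype, value in by_ind[src]:
                peers = by_value[(ptype, value)] - {src}
                if not peers:
                    continue
                hop = hop_score(ptype, len(peers))
                for dst in peers:
                    if dst not in best or score * hop > best[dst][0]:
                        # Each hop records source, lookup type, value, result, score.
                        step = (src, ptype, value, dst, round(hop, 3))
                        best[dst] = (score * hop, hops + [step])
                        reached.append(dst)
        frontier = reached
    del best[seed]
    return best

if __name__ == "__main__":
    ranked = sorted(pivot("seed.example").items(), key=lambda kv: -kv[1][0])
    for ind, (score, hops) in ranked[:3]:
        print(f"{score:.3f} {ind} via {hops}")
```

The chain score is the product of its hop scores, so confidence decays with every hop and a reviewer can read each step's contribution from the recorded tuple.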

How it fits your workflow.

Run it from your AI coding agent and let it route to the lookup skills in the same pack, then carry the cluster it builds into a campaign record or a threat actor profile. Because every pivot is scored and sourced, the resulting infrastructure map drops cleanly into enrichment and IOC export workflows without losing its provenance.
