Liberty91
CTI Skill · Investigation

IOC Enrichment Workflow.

/ioc-enrichment-workflow

IOC enrichment is the process of taking raw indicators and adding the context an analyst needs to triage them. This free, open-source workflow runs inside your AI coding agent and processes a batch of mixed-type indicators at once, routing each IP, domain, hash or URL to the right lookups. It is built for SOC analysts and CTI practitioners who need to triage a list of IOCs before pushing them into a sharing platform.

What it does.

It takes a batch of raw IOCs of mixed types, sends each one to the appropriate investigation lookups, and can correlate every indicator against your MISP instance. The results are synthesised into a single enrichment record per indicator.

When to use it.

Use it when you have a list of indicators from a report, a feed or an incident and need to triage them in bulk rather than one at a time. It is the step to run before deciding what to action and before pushing curated indicators into a sharing platform.

What you get back.

You get one consolidated enrichment record per indicator, covering reputation and context from the relevant sources, plus any matches found in MISP so you can see what your community already knows.

How it fits your workflow.

Run it from Claude Code, Cursor, Codex or Windsurf on a pasted list of IOCs. Free API tiers work for getting started, MISP correlation is optional, and the workflow degrades gracefully when sources or keys are unavailable.
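The batch routing described under "What it does" and the graceful degradation mentioned above can be shown in a few dozen lines. The following is an added illustration, not the workflow's own code: it classifies each indicator (refanging defanged forms first), routes it to per-type lookups, records a source that is unavailable instead of aborting the batch, and folds everything into one record per indicator with a triage label. The lookup backends, the sample responses and the priority rules are constructed stand-ins; a real deployment would replace them with calls to the reputation sources and MISP instance it has keys for.

```python
"""Batch IOC enrichment sketch: classify mixed indicators, route each one to the
lookups for its type, and fold the results into a single record per indicator.
All lookup backends below are constructed stand-ins, not real API clients."""
import ipaddress
import re
from typing import Callable, Optional

Lookup = Callable[[str, str], dict]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


class SourceUnavailable(Exception):
    """Raised by a lookup whose backend or API key is not available."""


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so lookups see the real value."""
    value = re.sub(r"hxxp", "http", ioc.strip(), flags=re.I)
    return value.replace("[.]", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """Return 'hash', 'ip', 'url', 'domain' or 'unknown' for a raw indicator."""
    value = refang(ioc)
    if HASH_RE.match(value):  # first: a bare hex string must never be read as a domain
        return "hash"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if URL_RE.match(value):
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


# Constructed sample responses standing in for a reputation service and a MISP
# instance (placeholder values only, not real telemetry or event ids).
FAKE_REPUTATION = {
    "203.0.113.10": {"score": 87, "verdict": "malicious"},
    "evil.example": {"score": 62, "verdict": "suspicious"},
}
FAKE_MISP = {"203.0.113.10": [{"event_id": "EVENT-ID-PLACEHOLDER", "tag": "tlp:amber"}]}


def reputation_lookup(kind: str, value: str) -> dict:
    return FAKE_REPUTATION.get(value, {"score": None, "verdict": "unknown"})


def misp_lookup(kind: str, value: str) -> dict:
    return {"matches": FAKE_MISP.get(value, [])}


def url_sandbox_lookup(kind: str, value: str, api_key: Optional[str] = None) -> dict:
    # Hypothetical keyed source: without a key it reports itself unavailable
    # rather than breaking the whole batch.
    if not api_key:
        raise SourceUnavailable("no API key configured")
    return {"submitted": value}


# Per-type routing table: which named lookups each indicator type is sent to.
ROUTES: dict = {
    "ip": [("reputation", reputation_lookup), ("misp", misp_lookup)],
    "domain": [("reputation", reputation_lookup), ("misp", misp_lookup)],
    "hash": [("reputation", reputation_lookup), ("misp", misp_lookup)],
    "url": [("url_sandbox", url_sandbox_lookup), ("misp", misp_lookup)],
}


def triage_priority(record: dict) -> str:
    """Collapse the per-source results into one triage label (constructed rules)."""
    if record["type"] == "unknown":
        return "review"
    if record["sources"].get("misp", {}).get("matches"):
        return "high"  # the community already knows it: look at it first
    verdict = record["sources"].get("reputation", {}).get("verdict")
    if verdict == "malicious":
        return "high"
    if verdict == "suspicious":
        return "medium"
    return "review" if record["errors"] else "low"


def enrich(iocs: list, routes: dict = ROUTES) -> dict:
    """Enrich a mixed batch; returns one consolidated record per refanged indicator."""
    records: dict = {}
    for raw in iocs:
        value = refang(raw)
        if value in records:  # duplicate within the batch: do not query it twice
            continue
        record = {"indicator": value, "type": classify(raw), "sources": {}, "errors": []}
        for name, lookup in routes.get(record["type"], []):
            try:
                record["sources"][name] = lookup(record["type"], value)
            except SourceUnavailable as exc:
                record["errors"].append(f"{name}: {exc}")  # note the gap, keep going
        record["priority"] = triage_priority(record)
        records[value] = record
    return records


# Constructed sample batch mixing types, defanged forms and a duplicate.
SAMPLE_BATCH = ["203.0.113.10", "evil[.]example", "hxxp://evil[.]example/login",
                "d41d8cd98f00b204e9800998ecf8427e", "203.0.113.10", "2001:db8::1"]

if __name__ == "__main__":
    for rec in enrich(SAMPLE_BATCH).values():
        print(rec["priority"], rec["type"], rec["indicator"], rec["errors"])
```

Two design points carry over to any real implementation: classify on the refanged value but keep the hash check ahead of the domain check, since a hex digest otherwise looks like a hostname, and treat a missing key or dead source as a recorded gap in the record rather than a reason to stop, so the analyst can see which lookups did not run.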
