IP Address Investigation.
/ip-investigation
IP address investigation is the everyday job of working out whether an address is hostile, noisy or benign, and what it connects to. This free, open-source skill runs inside your AI coding agent and enriches any IPv4 or IPv6 address by querying several threat-intel sources at once. It is built for SOC analysts and CTI practitioners who want one consolidated answer instead of ten browser tabs.
What it does.
It queries VirusTotal, Shodan, AbuseIPDB, GreyNoise and OTX in parallel, with Censys as an optional source, then consolidates the findings into a single readable summary. It also classifies scanner noise so you can tell mass-internet scanning apart from targeted activity.
When to use it.
Reach for it during SOC triage when an IP turns up in an alert, a firewall log or a phishing header and you need a verdict quickly. It is equally useful for CTI work when you are expanding an investigation and want to know whether an address is already known to the community.
What you get back.
You get a reputation verdict, open ports and running services, abuse-report history, a scanner-noise classification, and a prioritised list of pivot candidates such as resolving domains or related infrastructure to follow next.
How it fits your workflow.
Run it from Claude Code, Cursor, Codex or Windsurf with a single command. Free API tiers are enough to get started, and the skill degrades gracefully when a key is missing, so you still get results from whatever sources you have configured.
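The fan-out, consolidation and graceful degradation described above, as an added sketch that is not the skill's own code. The `fetch` stand-in, the `*_API_KEY` variable names, the normalised field names and the thresholds are all assumptions, and the sample results are constructed.

```python
import os
from concurrent.futures import ThreadPoolExecutor

# Constructed, pre-normalised results for 203.0.113.7 (documentation range).
# Field names and thresholds are assumptions, not any vendor's schema.
SAMPLE = {
    "virustotal": {"malicious_engines": 1},
    "shodan": {"open_ports": [22, 80]},
    "abuseipdb": {"abuse_score": 35},
    "greynoise": {"mass_scanner": True},
    "otx": {"pulses": 0},
}


def fetch(source, ip, env):
    """Stand-in for one HTTP lookup; None means no API key is configured."""
    if not env.get(source.upper() + "_API_KEY"):  # assumed variable names
        return None
    return SAMPLE[source]


def consolidate(ip, results, skipped):
    hostile = (results.get("virustotal", {}).get("malicious_engines", 0) >= 3
               or results.get("abuseipdb", {}).get("abuse_score", 0) >= 75)
    noisy = results.get("greynoise", {}).get("mass_scanner", False)
    if not results:
        verdict = "unknown"
    elif hostile:
        verdict = "hostile"
    else:
        verdict = "noisy" if noisy else "benign"
    return {"ip": ip, "verdict": verdict, "scanner_noise": noisy,
            "open_ports": results.get("shodan", {}).get("open_ports", []),
            "sources": sorted(results), "skipped": sorted(skipped)}


def investigate(ip, env=os.environ):
    # All lookups run concurrently; a missing key or a failed call removes
    # that source from the summary instead of failing the investigation.
    with ThreadPoolExecutor(max_workers=len(SAMPLE)) as pool:
        futures = {s: pool.submit(fetch, s, ip, env) for s in SAMPLE}
    results, skipped = {}, []
    for source, future in futures.items():
        try:
            data = future.result()
        except Exception:
            data = None
        if data is None:
            skipped.append(source)
        else:
            results[source] = data
    return consolidate(ip, results, skipped)
```

With the GreyNoise key unset, the same address drops from noisy to benign, which is why the list of skipped sources belongs in the summary next to the verdict.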