About the project

Built to make IP reputation easier to interpret.

IPContext.io exists because analysts often have to jump between several excellent tools and still ask: “am I OK with this activity?” We want to bring the useful signals together, explain their age, and expose the raw evidence behind the summary.

The problem

Threat intelligence can become misleading when older observations are presented beside fresh activity without enough separation. An IP that was associated with bad traffic months or years ago may now be reassigned, cleaned up or used for something completely different.

IPContext focuses first on the last 30 days, with deeper history available when needed. That default view helps analysts understand current behaviour without losing access to long-term patterns.

The dashboard approach

The top of the IP dashboard is planned as a compact context snapshot. Below that, the evidence trail shows the actual events that contributed to the view, including dates, times, activity type, observed ports and relevant sensor context.

Raw JSON will be available in the dashboard for transparency, while larger-scale automated access should use the API rather than scraping the web interface.

What IPContext does well

The platform is strongest where live network observations can provide direct evidence of behaviour.

Active scanning

Port scans, sweep behaviour and service probing can be shown with timestamps, protocol details and sensor spread.

Authentication attempts

Repeated login attempts and brute-force-style activity can be grouped into clear events rather than isolated lines.

Subnet behaviour

Neighbouring IPs can provide useful context when a wider range appears to be conducting similar activity.

Current limitations

Domains, URLs and phishing context are next.

IPContext is currently focused on IP-level observations. Domain history, URL context, phishing infrastructure and integrations with external providers are planned areas for future development.