
Threat intel

For every flagged destination, Beacon asks several public security databases “have you seen this IP before, and if so, was it doing anything shady?” The answers show up as green/red/gray rows in the investigation panel. This page explains what each one checks.

In plain English: other security teams and researchers around the world maintain lists of known-bad IP addresses. Beacon checks the destination of every flagged pair against those lists so you don't have to open five browser tabs to look them up yourself.

What “threat intel” means

Threat intelligence (“threat intel” or just “intel”) is information about known attackers, their infrastructure, and their tools. When an IP address has been caught hosting malware or running a C2 server (command-and-control: the server that infected machines phone home to for instructions), it tends to end up on one or more of these public lists.

None of these lists is perfect. An IP can be on a list and still be benign (the list got it wrong, the IP is shared hosting, or the listing is out of date and the address has since been reassigned). An IP can be completely absent from every list and still be a brand-new C2 server nobody has caught yet. Treat intel hits as a signal, not a verdict.

What Beacon checks

For every flagged pair, the destination IP is run against these sources automatically:

  • Emerging Threats. An open threat-intel feed run by Proofpoint, updated continuously. Good coverage of established C2 infrastructure.
  • Feodo Tracker. A focused list from abuse.ch of botnet C2 servers used by the Emotet, TrickBot, and Dridex malware families, which together account for a huge chunk of real-world commodity malware.
  • ThreatFox. A community-maintained database of indicators from current campaigns, also run by abuse.ch.
  • VirusTotal. Aggregated verdicts from dozens of security vendors and blocklists. If five vendors flag the same IP, that's strong. If one vendor flags it alone, that's usually noise.
  • AbuseIPDB. Community-submitted abuse reports, summarised as a 0-to-100 abuse confidence score.
  • IPinfo. Not a bad-list: it tells you who owns the IP (the ASN and organisation) and where it is located. Useful for the “is this actually Microsoft, or is it a DigitalOcean server pretending to be Microsoft?” question.
  • RDAP. Official registration records (Registration Data Access Protocol, the successor to WHOIS) for the network the IP belongs to. Tells you when the network was registered and whether it recently changed hands. Freshly registered or freshly transferred networks are a light red flag.

How the results are shown

Open the investigation panel for a pair and look for the Threat intel section. Each source shows up as one row, with a colored indicator:

  • Green: the source checked and has nothing bad on file.
  • Red: the source has flagged this IP. Click the row to see exactly what it said (for VirusTotal, which vendors flagged it; for AbuseIPDB, the reports; etc.).
  • Gray: the source didn't respond, or this tier of your plan doesn't include that source. Not a verdict, just “no data.”

How intel affects the result

Intel hits change severity, not the behavior score. That's deliberate: a pair with clean behavior can still resolve to a bad IP (think: shared hosting where one customer is a criminal and another is your fitness tracker company), and a real C2 destination can be so new that no feed has it yet. Mixing intel into the behavior score would muddy both signals. Keeping them separate means you can read each one honestly.

You'll see intel-related modifiers listed explicitly in the Explain why section, e.g. “Severity +1 because AbuseIPDB reports this IP at 92/100 confidence.”
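The whole pipeline above, from the raw answers the sources give (the list of sources under “What Beacon checks”) to the green/red/gray rows, the severity modifier and the “Explain why” lines, as an added example. This is not Beacon's own code. Every response below is constructed inline, in the shapes the public APIs had when this was written (an assumption): VirusTotal v3 ip_addresses, AbuseIPDB v2 check, the abuse.ch Feodo Tracker ipblocklist.csv, and an RDAP IP lookup (RFC 9083 “events”). The severity thresholds, the 90-day “fresh” window and the vendor names are assumptions too, chosen to match the “+1 at 92/100” example.

```python
"""Turn raw threat-intel responses into green/red/gray rows plus a severity
modifier, leaving the behaviour score untouched. Added example, not Beacon's
code; response shapes, thresholds and sample data are assumptions."""
import csv
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class IntelRow:
    source: str
    status: str   # "green" (checked, clean), "red" (flagged), "gray" (no data)
    detail: str   # what the source actually said; shown when the row is clicked
    delta: int    # severity modifier from this row; always 0 unless red


def row_feodo(csv_text, ip):
    """Feodo Tracker CSV: '#' comment lines, then the columns
    first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware (assumed)."""
    if csv_text is None:
        return IntelRow("Feodo Tracker", "gray", "no data", 0)
    lines = [l for l in csv_text.splitlines() if l and not l.startswith("#")]
    for _seen, dst_ip, port, c2_status, last_online, malware in csv.reader(lines):
        if dst_ip == ip:  # a known botnet C2: strongest signal, assumed +2
            return IntelRow("Feodo Tracker", "red",
                            f"{malware} C2 on port {port}, {c2_status}, last online {last_online}", 2)
    return IntelRow("Feodo Tracker", "green", "not listed", 0)


def row_virustotal(vt_json, ip):
    """Count vendors whose category is 'malicious'. A lone vendor stays red so
    you can click and see who, but adds nothing; agreement moves severity."""
    if vt_json is None:
        return IntelRow("VirusTotal", "gray", "no data", 0)
    results = vt_json["data"]["attributes"]["last_analysis_results"]
    flagged = sorted(v for v, r in results.items() if r["category"] == "malicious")
    if not flagged:
        return IntelRow("VirusTotal", "green", "no vendor flags this IP", 0)
    delta = 2 if len(flagged) >= 5 else 1 if len(flagged) >= 2 else 0  # assumed
    return IntelRow("VirusTotal", "red", f"flagged by {len(flagged)}: {', '.join(flagged)}", delta)


def row_abuseipdb(abuse_json, ip):
    """AbuseIPDB: abuseConfidenceScore runs 0..100; +1 at 75 or above (assumed)."""
    if abuse_json is None:
        return IntelRow("AbuseIPDB", "gray", "no data", 0)
    d = abuse_json["data"]
    if d["abuseConfidenceScore"] == 0:
        return IntelRow("AbuseIPDB", "green", "no abuse reports", 0)
    return IntelRow("AbuseIPDB", "red", f"{d['abuseConfidenceScore']}/100 confidence "
                    f"from {d['totalReports']} reports", 1 if d["abuseConfidenceScore"] >= 75 else 0)


def row_rdap(rdap_json, ip, now, fresh_days=90):
    """A registration or 'last changed' event inside fresh_days is the light red
    flag: shown red so it is visible, but it contributes no severity."""
    if rdap_json is None:
        return IntelRow("RDAP", "gray", "no data", 0)
    recent = []
    for ev in rdap_json.get("events", []):
        when = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
        age = (now - when).days
        if ev["eventAction"] in ("registration", "last changed") and age <= fresh_days:
            recent.append(f"{ev['eventAction']} {age} days ago")
    if recent:
        return IntelRow("RDAP", "red", "; ".join(recent), 0)
    return IntelRow("RDAP", "green", f"no registration change in {fresh_days} days", 0)


def enrich(ip, responses, behavior_score, now):
    """responses maps source -> raw response, or None when the feed did not
    answer (or the plan tier lacks it). Returns the rows, the total severity
    modifier, the untouched behaviour score and the 'Explain why' lines."""
    rows = [row_feodo(responses.get("feodo"), ip),
            row_virustotal(responses.get("virustotal"), ip),
            row_abuseipdb(responses.get("abuseipdb"), ip),
            row_rdap(responses.get("rdap"), ip, now)]
    explain = [f"Severity +{r.delta} because {r.source} says: {r.detail}." for r in rows if r.delta]
    return rows, sum(r.delta for r in rows), behavior_score, explain


# Constructed sample responses for one destination (documentation range, never routed).
SAMPLE_IP = "203.0.113.7"
SAMPLE = {
    "feodo": "# abuse.ch Feodo Tracker Botnet C2 IP Blocklist (CSV)\n"
             "# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware\n"
             "2024-03-01 10:15:00,203.0.113.7,443,online,2024-03-09,Dridex\n"
             "2024-02-20 08:00:00,198.51.100.4,8080,offline,2024-02-25,Emotet\n",
    "virustotal": {"data": {"attributes": {"last_analysis_results": {
        "VendorA": {"category": "malicious"}, "VendorB": {"category": "harmless"},
        "VendorC": {"category": "malicious"}, "VendorD": {"category": "undetected"}}}}},
    "abuseipdb": {"data": {"ipAddress": "203.0.113.7", "abuseConfidenceScore": 92, "totalReports": 14}},
    "rdap": {"events": [{"eventAction": "registration", "eventDate": "2024-02-25T00:00:00Z"},
                        {"eventAction": "last changed", "eventDate": "2024-03-01T00:00:00Z"}]},
}
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    rows, delta, behavior, explain = enrich(SAMPLE_IP, SAMPLE, 0.42, NOW)
    for r in rows:
        print(f"[{r.status:5}] {r.source}: {r.detail}")
    print(*explain, sep="\n")
    print(f"severity modifier {delta:+d}; behaviour score unchanged at {behavior}")
```

Passing an empty responses dict (no feed answered, or a Recon-tier run) yields four gray rows, a modifier of 0 and no “Explain why” lines, which is the “no data, not a verdict” behaviour the display section describes; the behaviour score is returned exactly as it came in either way.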

Rate limits and caching

Beacon caches every intel result for a while. If you upload two captures a day apart that both contain the same destination, the second one reuses the cached result rather than re-asking the feeds. You don't hit API limits from normal use, and you don't wait for the same lookup twice. The trade-off is that a cached result can lag the feed: an IP that was listed after the first lookup keeps showing the older result until the cache entry expires.

Plan limits

  • Recon (free): no threat-intel enrichment. The fingerprint and behavior signals still work.
  • Hunter, Operator, Partner: unlimited intel lookups on all queried feeds.

See pricing for the full tier breakdown.

Bringing your own intel: using commercial feeds (Recorded Future, Mandiant, internal TIPs) is a Partner-tier feature. Email info@stryxllabs.com if you need this.