AI Tools for Security Operations Center Analysts

AI tools that help SOC analysts research threat intelligence, investigate CVEs, scan for vulnerabilities, check IP reputation, and document incident responses.

Get started for free

Works in Chat, Cowork and Code

CVSS Score
10.0 (Critical) — OS command injection via GlobalProtect Gateway
Affected systems
PAN-OS 10.2, 11.0, 11.1 with GlobalProtect gateway enabled — specific builds listed
Exploitation status
ACTIVELY EXPLOITED in the wild · CISA KEV listed · nation-state actor activity confirmed
Patch
PAN-OS hotfixes available: 10.2.9-h1, 11.0.4-h1, 11.1.2-h3 — IMMEDIATE patching required

CVE and vulnerability research

Instantly look up any CVE for severity scores, affected versions, patch availability, and active exploitation status. Monitor newly published critical vulnerabilities to triage patching priority for your organization's asset inventory.

Pull details on CVE-2024-21762 (Fortinet FortiOS SSL-VPN) including CVSS score, exploitation status, affected versions, and whether there's an active patch.

CVE-2024-21762: CVSS 9.6 (Critical). FortiOS SSL-VPN out-of-bounds write vulnerability. Affected: FortiOS 6.x, 7.x (multiple branches). Exploitation: ACTIVELY EXPLOITED in the wild (CISA KEV listed). Patch: Available — FortiOS 7.4.3+ and 7.2.7+. CISA deadline for federal agencies: 72 hours. Recommend immediate priority patching for all exposed SSL-VPN endpoints.

ToolRouter get_cve
CVSS Score
9.6 (Critical) — out-of-bounds write in FortiOS SSL-VPN
Affected versions
FortiOS 6.x and 7.x multiple branches — see advisory for full version list
Exploitation status
ACTIVELY EXPLOITED in the wild · CISA KEV listed · federal patch deadline 72 hours
Patch
FortiOS 7.4.3+ and 7.2.7+ · patch all exposed SSL-VPN endpoints immediately

IP and domain threat investigation

Check suspicious IP addresses, domains, and URLs against threat intelligence feeds before they escalate to incidents. Get geolocation, ASN information, and known malicious activity history to prioritize alert investigation.

Investigate this suspicious IP 194.165.16.11 that appeared in our firewall logs making repeated port 443 connections — reputation, geolocation, and any known threat associations.

IP 194.165.16.11: Located in the Netherlands (AS 206092, bulletproof hosting provider with a history of abuse). Threat reputation: HIGH RISK — listed in AbuseIPDB (47 reports, last 30 days), URLhaus (associated with malware distribution). Known for: Cobalt Strike C2 infrastructure per threat intel feeds. Recommend: block immediately and review all connections in the past 72 hours.

ToolRouter lookup_ip
Geolocation
Netherlands · AS 206092 — bulletproof hosting
AbuseIPDB
47 reports · malicious activity
URLhaus
Listed · malware distribution
Threat intel
HIGH RISK · Cobalt Strike C2 infrastructure
Recommendation
Block immediately · review all connections past 72 hours
ToolRouter scan_url
Reverse DNS
No valid reverse DNS — common for bulletproof hosting abuse infrastructure
Open ports
Ports 80, 443, 4444 open — port 4444 is the default Metasploit/Cobalt Strike listener port
Threat feeds
Positive in Emerging Threats, Feodo Tracker, and SSLBL — active C2 confirmed
Recommendation
Block at perimeter · quarantine any internal host that connected · escalate to IR

Threat intelligence and APT research

Research active threat actor groups, their TTPs (tactics, techniques, and procedures), and recent campaign activity. Understand the threat landscape relevant to your industry to improve detection rules and response playbooks.

Research recent Scattered Spider (UNC3944) activity — their current phishing and social engineering techniques, preferred tools, and any new targeting patterns reported in Q1 2024.

Scattered Spider Q1 2024 activity: Primary vector: vishing and SMS phishing targeting IT helpdesks for credential resets. New tools observed: Oktapus phishing kit updated, AMOS infostealer on macOS. Targeting: expanded from telecom to financial services and gaming. Key defense: implement strict identity verification for all password reset requests, monitor for SIM-swapping activity.

ToolRouter research
Primary attack vector
Vishing and SMS phishing targeting IT helpdesks for credential resets — social engineering dominant
Tools observed
Oktapus phishing kit (updated version) · AMOS infostealer on macOS · Snowflake data exfiltration
Target expansion
Expanded from telecom to financial services and gaming sectors in Q1 2024
Detection recommendations
Strict identity verification for password resets · monitor SIM-swapping · helpdesk call recording

Supply chain and dependency risk monitoring

Audit open-source packages and software dependencies in your environment for known vulnerabilities, malicious packages, and advisories. Identify exposure from third-party software supply chain attacks.

Audit these 5 npm packages used in our production environment for known CVEs, malicious indicators, and dependency advisories: log4js, axios, lodash, express, jsonwebtoken.

Audit results: log4js — 2 advisories (non-critical), patched in current version. axios — 1 high-severity SSRF CVE (CVE-2023-45857) in versions <1.6.0. lodash — 3 prototype pollution CVEs; upgrade to 4.17.21+. express — clean on latest. jsonwebtoken — 1 critical CVE (CVE-2022-23529) in <9.0.0. Immediate action: patch axios and jsonwebtoken.

ToolRouter audit_package
axios
CVE-2023-45857 (High — SSRF) in versions <1.6.0 · upgrade required immediately
jsonwebtoken
CVE-2022-23529 (Critical — remote memory forgery) in <9.0.0 · upgrade required immediately
lodash
3 prototype pollution CVEs · all resolved in 4.17.21+ · upgrade required
log4js / express
log4js: 2 non-critical advisories patched in current version · express: clean on latest
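A version-range check of the kind this audit performs, added here as an example (not ToolRouter's own code): it compares a constructed package list against the advisory ranges quoted above, using numeric rather than string comparison so that 4.17.21 is correctly ranked above 4.17.3. The advisory table is constructed from the findings listed on this page; the lodash entry carries no CVE ids because the page lists none.

```python
"""Dependency audit check against the advisory ranges quoted above.
Constructed example data: ADVISORIES mirrors the audit findings on this page
and SAMPLE_DEPENDENCIES is an invented pin list for the five packages."""
from typing import NamedTuple

class Advisory(NamedTuple):
    package: str
    cve: str         # CVE id, or a description where the page lists no id
    severity: str
    fixed_in: str    # first version that is no longer affected

ADVISORIES = [
    Advisory("axios", "CVE-2023-45857", "High", "1.6.0"),
    Advisory("jsonwebtoken", "CVE-2022-23529", "Critical", "9.0.0"),
    Advisory("lodash", "prototype pollution (3 CVEs, ids not listed)", "High", "4.17.21"),
]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Moderate": 2, "Low": 3}

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.6.0' (optionally with a leading ^ ~ = or v marker and a
    pre-release suffix) into a tuple of ints so comparison is numeric.
    The pre-release tag is dropped; strictly it sorts below the release."""
    core = v.lstrip("^~=v").split("-")[0]
    return tuple(int(part) for part in core.split("."))

def audit(packages: dict[str, str]) -> list[dict]:
    """Return one finding per advisory whose fix version is above the pinned
    version, most severe first."""
    findings = []
    for name, version in packages.items():
        for adv in ADVISORIES:
            if adv.package == name and parse_version(version) < parse_version(adv.fixed_in):
                findings.append({"package": name, "installed": version, "cve": adv.cve,
                                 "severity": adv.severity, "fixed_in": adv.fixed_in})
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))

# Constructed sample pins for the five packages named in the prompt.
SAMPLE_DEPENDENCIES = {
    "log4js": "6.9.1",
    "axios": "^1.5.1",
    "lodash": "4.17.20",
    "express": "4.19.2",
    "jsonwebtoken": "8.5.1",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_DEPENDENCIES):
        print(f"{f['severity']:8} {f['package']} {f['installed']} -> upgrade to {f['fixed_in']} ({f['cve']})")
```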

Incident response documentation

Rapidly compile incident timelines, IOC lists, and response actions into structured incident reports. Generate post-incident summaries for management briefings and regulatory notifications.

Convert these IR notes into a formal incident report: ransomware outbreak detected 02:14 on March 3rd, 47 endpoints encrypted, C2 IP identified, network isolated at 02:31, backup restoration initiated, business operations restored 18:42.

Generated formal Incident Response Report: Executive summary, timeline of events (detection → containment → recovery), technical findings (ransomware variant, IOCs, affected systems count), containment and eradication actions, recovery timeline (16h 28m total), and recommendations. Formatted for CISO briefing and meets NIST IR framework documentation standards.

Phishing email analysis

Analyze suspicious emails reported by end users to quickly determine if they are phishing attempts, identify indicators of compromise, and determine appropriate response actions.

Analyze this email reported by a user: From "IT-Security@company-helpdesk.net", subject "Urgent: Verify Your Account", contains link to "login.company-verified-portal.com".

PHISHING DETECTED — High Confidence. Sender domain "company-helpdesk.net" not affiliated with any known legitimate entity. Domain registered 4 days ago. Link "login.company-verified-portal.com": scanned against 70+ AV engines — 12 detections (credential harvesting). Lookalike domain pattern (typosquatting). Recommend: quarantine email, block sender domain and link URL, notify affected users.

ToolRouter analyze_email
Sender domain
"company-helpdesk.net" — not affiliated with any legitimate entity · registered 4 days ago
Subject line
"Urgent: Verify Your Account" — urgency tactic matches known phishing kit patterns
Lookalike detection
Typosquatting pattern detected — designed to impersonate legitimate IT security communications
Recommendation
Quarantine email · block sender domain · notify all recipients · review mail gateway logs
ToolRouter scan_url
AV detection
12 of 70+ engines flagging — credential harvesting page confirmed
Domain age
Registered 4 days ago — newly registered domain is a phishing indicator
Certificate
Self-signed cert · common name mismatch · not issued by known CA
Recommendation
Block domain and all subdomains at DNS and web proxy immediately

Ready-to-use prompts

CVE severity lookup

Get full details on the 5 most critical CVEs published this week affecting Windows Server and Active Directory, including CVSS scores, affected versions, and patch availability.

IP reputation check

Check the threat reputation, geolocation, ASN, and known malicious activity for these 3 IP addresses that appeared in our intrusion detection alerts.

Domain threat scan

Scan this domain that appeared in a phishing email for malware, certificate anomalies, redirect chains, and check it against URLhaus and AbuseIPDB.

APT technique research

Research current MITRE ATT&CK techniques being used by state-sponsored threat actors targeting healthcare sector organizations. Include specific TTPs and detection recommendations.

Package vulnerability audit

Audit this list of Python packages from our requirements.txt for known CVEs, malicious indicators, and any advisories published in the past 90 days.

Phishing email analysis

Analyze this suspicious email for phishing indicators: sender domain, header anomalies, embedded links, and whether the urgency tactics match known phishing kit patterns.

Draft IR report

Draft a post-incident report for a Business Email Compromise incident where an attacker redirected vendor payments totaling $240,000 by compromising a finance employee's email account over 3 weeks.

Monitor critical CVEs

Search for all CVEs rated 9.0+ published in the last 7 days that affect network infrastructure products (routers, firewalls, VPN appliances). Flag any with known active exploitation.

Tools to power your best work

165+ tools.
One conversation.

Everything security operations center analysts need from AI, connected to the assistant you already use. No extra apps, no switching tabs.

Security alert triage

When a SIEM alert fires, rapidly investigate the key indicators to determine if it's a true positive and what response is required.

1. IP Geolocation: Check reputation and geolocation of suspicious IPs in the alert
2. Security Scanner: Scan any suspicious domains or URLs associated with the alert
3. Vulnerability Database: Look up any CVEs referenced in the alert signature
4. Content Repurposer: Document findings in ticket format for escalation or closure

Threat intelligence enrichment

Enrich threat intelligence from detection tools with contextual research to understand attacker TTPs and improve detection rules.

1. Deep Research: Research the threat actor group associated with the campaign
2. Vulnerability Database: Identify CVEs being exploited in the campaign
3. Supply Chain Risk: Check whether any of the exploited software is in your environment

Monthly vulnerability patch briefing

Prepare the monthly vulnerability briefing for patch management review with current critical CVE data.

1. Vulnerability Database: Pull all critical and high CVEs for the past 30 days
2. Deep Research: Research exploitation activity and threat context for the top CVEs
3. Content Repurposer: Draft the patch briefing document prioritized by risk

Frequently Asked Questions

How current is the CVE data in Vulnerability Database?

Vulnerability Database indexes the full NVD (National Vulnerability Database) CVE catalog and updates continuously as new CVEs are published. You can search by keyword, look up specific CVE IDs, and monitor recent critical vulnerabilities. CVSS scores and exploitation status are pulled from NVD and CISA KEV.

What threat intelligence sources does Security Scanner check?

Security Scanner checks URLs, domains, IPs, and file hashes against 70+ antivirus engines, URLhaus, AbuseIPDB, PhishTank, and other threat intelligence feeds. It combines results from multiple sources to give confidence-weighted verdicts, which is useful for quickly triaging suspicious indicators.

Can IP Geolocation help identify Tor exit nodes and VPN infrastructure?

IP Geolocation returns ASN information, which can identify hosting providers associated with bulletproof hosting, VPN services, and anonymization networks. While it doesn't specifically flag every Tor exit node, the combination of ASN reputation, geolocation anomalies, and threat database lookups provides strong context for IP investigation.

How does Supply Chain Risk audit work for software dependencies?

Supply Chain Risk checks open-source package versions against advisory databases and CVE records. You can submit package names and versions from requirements.txt, package.json, or similar files. It returns CVEs, exploitability data, and fix versions — useful for rapid dependency risk assessment before or after a security advisory.

Can Content Repurposer generate regulatory-compliant incident reports?

Content Repurposer generates well-structured incident reports following common frameworks like NIST IR. For regulatory notification requirements (GDPR 72-hour rule, SEC cybersecurity disclosure), use the output as a draft and have your legal and compliance teams review before submission, as specific language and timing requirements vary by regulation.
