How to Investigate Suspicious IP Addresses with Claude

Investigate Suspicious IP Addresses with Claude and ToolRouter. Check IP addresses against abuse databases and threat feeds to assess risk before allowing traffic into your network.

Tool
Security Scanner

Use Claude with Security Scanner to investigate suspicious IPs from logs or alerts and get a reasoned risk assessment. Claude is well-suited to correlating the raw abuse data with the context you provide — login spike timing, traffic patterns, or geographic anomalies — and recommending a clear next action.

Connect ToolRouter to Claude

  1. Open Claude's connector settings.
  2. Add a custom connector with these details:
     Name: ToolRouter
     URL: https://api.toolrouter.com/mcp
  3. Let Claude complete the setup.

Steps

Once connected (see setup above), use the Security Scanner tool:

  1. Paste the IP addresses from your logs or alert into the conversation.
  2. Ask Claude to run `check_ip` from `security-scanner` against each IP.
  3. Ask Claude to rank the results by risk score and explain what the abuse reports indicate.
  4. Request a recommendation: block, monitor, or clear each IP based on the findings.
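The four steps above as a local triage script, added here as an example and not code from this page, ToolRouter or the Security Scanner tool. It pulls source addresses out of sshd-style auth lines, drops non-routable addresses before any lookup (private, loopback, CGNAT and the RFC 5737 documentation ranges, so 203.0.113.77 from the example prompt on this page is skipped rather than looked up), scores what remains against reputation data combined with the observed failed-login count, checks the allow-list before ever recommending a block, and ranks the result. The log lines, the reputation scores in FAKE_REPUTATION, the ALLOW_LIST entry and the lookup result shape are all constructed assumptions; lookup_reputation() is a stand-in for the real check_ip call.

```python
"""Triage IPs from auth logs before and after reputation lookups.

Added example for this page, not code from ToolRouter or the Security Scanner
tool. The lookup result shape ({"abuse_confidence": 0-100, "reports": n,
"categories": [...]}) and lookup_reputation() are assumptions; the log lines,
reputation scores and allow-list below are constructed, not real data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sshd-style auth log lines (not real logs).
SAMPLE_LOG = """\
Jan 14 03:12:01 bastion sshd[4121]: Failed password for invalid user admin from 185.220.101.45 port 51234 ssh2
Jan 14 03:12:02 bastion sshd[4121]: Failed password for invalid user admin from 185.220.101.45 port 51240 ssh2
Jan 14 03:12:03 bastion sshd[4121]: Failed password for root from 185.220.101.45 port 51250 ssh2
Jan 14 03:15:44 bastion sshd[4190]: Accepted publickey for deploy from 45.33.32.156 port 40022 ssh2
Jan 14 03:20:10 bastion sshd[4203]: Failed password for invalid user test from 203.0.113.77 port 60001 ssh2
Jan 14 03:21:00 bastion sshd[4210]: Accepted password for alice from 10.0.0.5 port 50100 ssh2
Jan 14 03:22:30 bastion sshd[4215]: Failed password for root from 198.51.100.9 port 3333 ssh2
"""

# Constructed stand-in for reputation data; not the output of any real feed.
FAKE_REPUTATION = {
    "185.220.101.45": {"abuse_confidence": 100, "reports": 2300, "categories": ["ssh-bruteforce", "tor-exit"]},
    "45.33.32.156": {"abuse_confidence": 35, "reports": 4, "categories": ["web-scan"]},
}
ALLOW_LIST = {"45.33.32.156"}  # constructed: the deploy host's egress address

# Ranges that should never be sent to a reputation service: private, loopback,
# link-local, CGNAT, the RFC 5737 documentation nets, benchmarking, multicast
# and reserved space. Traffic "from" these is a local issue, not an external one.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4",
)]

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def is_routable(ip_str):
    """True if the address could plausibly be an external source worth looking up."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in NON_ROUTABLE)


def extract_candidates(log_text):
    """Return ({ip: {"failed", "accepted", "users"}}, [skipped non-routable ips])."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    skipped = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if not is_routable(ip):
            skipped.add(ip)
            continue
        stats[ip]["failed" if m.group("outcome") == "Failed" else "accepted"] += 1
        stats[ip]["users"].add(m.group("user"))
    return dict(stats), sorted(skipped)


def lookup_reputation(ip):
    """Stand-in for the Security Scanner check_ip lookup (constructed data)."""
    return FAKE_REPUTATION.get(ip, {"abuse_confidence": 0, "reports": 0, "categories": []})


def triage(stats, allow_list, lookup=lookup_reputation):
    """Combine reputation with observed behaviour, decide an action, rank by risk."""
    results = []
    for ip, s in stats.items():
        rep = lookup(ip)
        conf = rep["abuse_confidence"]
        if ip in allow_list:
            # Never auto-block an allow-listed host; hand it to a human instead.
            action = "review" if conf >= 25 else "clear"
        elif conf >= 75 or (conf >= 25 and s["failed"] >= 3):
            action = "block"
        elif conf >= 25 or s["failed"] >= 3:
            action = "monitor"
        else:
            action = "clear"
        results.append({"ip": ip, "abuse_confidence": conf, "reports": rep["reports"],
                        "categories": rep["categories"], "failed": s["failed"],
                        "accepted": s["accepted"], "users": sorted(s["users"]),
                        "action": action})
    results.sort(key=lambda r: (r["abuse_confidence"], r["failed"]), reverse=True)
    return results


if __name__ == "__main__":
    cands, skipped = extract_candidates(SAMPLE_LOG)
    print("skipped (non-routable, not looked up):", ", ".join(skipped))
    for r in triage(cands, ALLOW_LIST):
        print(f'{r["ip"]:<16} conf={r["abuse_confidence"]:>3} failed={r["failed"]} '
              f'accepted={r["accepted"]} {r["categories"]} -> {r["action"]}')
```

Swap lookup_reputation() for the real check_ip result and the rest of the script stays the same; the thresholds (25 and 75) are starting points to tune against your own false-positive rate, and the allow-list branch deliberately produces "review" rather than "clear" so a compromised but trusted host still surfaces.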

Example Prompt

Try this with Claude using the Security Scanner tool
Use security-scanner to check these IP addresses from our authentication logs: 185.220.101.45, 45.33.32.156, 203.0.113.77. Rank them by risk, explain what each abuse report says, and tell me which ones I should block immediately versus monitor.

Tips

  • Provide the context — login spike, unusual geography, port scan — so Claude can correlate the IP reputation with the observed behavior.
  • Ask Claude to distinguish between residential proxy abuse and dedicated malicious infrastructure; the appropriate response differs, since a residential or shared exit may also carry legitimate users and blocking it by address has collateral impact, whereas dedicated attacker infrastructure can be blocked outright.
  • Cross-reference flagged IPs against your current allow-list before recommending a block, and drop private, loopback and other non-routable addresses before the lookup: a "suspicious" RFC 1918 address in your logs points at an internal host, not an external attacker.