Most security alerts represent the result of malicious activity — not the beginning.
Event-driven public IP validation framework that applies multi-factor infrastructure risk evaluation and automated enforcement.
When a security event is triggered (e.g., malware alert, phishing detection, privileged login), the relevant infrastructure may already have communicated with additional malicious systems.
This framework:
- Retrieves outbound connections from a defined time window (e.g., previous five minutes)
- Extracts externally routable public IP addresses
- Validates them using the Criminal IP API
- Applies multi-factor infrastructure risk evaluation
- Automatically enforces blocking decisions when required
This framework does not perform full traffic inspection.
Instead, it validates only:
- Time-bound traffic (event-triggered windows)
- Contextually relevant outbound connections
- Statistically abnormal traffic (e.g., non-80/443 ports)
- Operationally low-noise segments (e.g., after-hours activity)
This selective validation approach minimizes API usage while maximizing detection precision.
All operational profiles follow the same principle:
Event-Driven + Timeline-Based + Selective Threat Validation
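The backtracking and selection stages described above, as an added example that is not part of the project's code. The log format, the field names, the business-hours range and the sample log lines are constructed for illustration; a deployment would parse the firewall's own export format instead.

```python
"""Time-bound firewall log backtracking with selective candidate extraction.

Added example (not the project's code). The log format, the field names and
the sample lines are constructed; a real deployment would read the firewall's
own export format instead.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# The security event fires at 13:03, so the five-minute window is 12:58:00 .. 13:03:00.
SAMPLE_LOG = """\
2024-05-01T12:58:10 10.0.0.5 203.0.113.10 443 allow
2024-05-01T12:59:30 10.0.0.5 198.51.100.7 2022 allow
2024-05-01T13:00:05 10.0.0.5 192.168.1.20 445 allow
2024-05-01T13:01:40 10.0.0.5 198.51.100.9 80 allow
2024-05-01T13:02:15 10.0.0.5 203.0.113.44 8443 allow
2024-05-01T13:02:50 10.0.0.5 198.51.100.7 2022 allow
2024-05-01T13:10:00 10.0.0.5 198.51.100.50 22 allow
"""

# Prefixes that are never externally routable. The RFC 5737 documentation
# ranges used in SAMPLE_LOG are deliberately not listed so the constructed
# sample yields candidates; ipaddress.ip_address(x).is_global would reject them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

COMMON_WEB_PORTS = {80, 443}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time, an assumed policy value


def parse_log(text):
    """Parse the constructed log format into a list of connection dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "action": action})
    return events


def is_externally_routable(ip):
    """True for a public IPv4 destination worth validating."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in NON_ROUTABLE)


def backtrack(events, event_time, window=timedelta(minutes=5)):
    """Keep only allowed outbound connections inside [event_time - window, event_time]."""
    start = event_time - window
    return [e for e in events
            if e["action"] == "allow" and start <= e["ts"] <= event_time]


def select_candidates(conns):
    """Selective validation: a public destination is queued for an API lookup only
    when the connection is statistically abnormal (non-80/443 port) or falls in
    an operationally low-noise segment (outside business hours).

    Returns {ip: sorted list of ports}, de-duplicated so each IP costs one call."""
    candidates = {}
    for c in conns:
        if not is_externally_routable(c["dst"]):
            continue
        abnormal_port = c["port"] not in COMMON_WEB_PORTS
        after_hours = c["ts"].hour not in BUSINESS_HOURS
        if abnormal_port or after_hours:
            candidates.setdefault(c["dst"], set()).add(c["port"])
    return {ip: sorted(ports) for ip, ports in candidates.items()}


def candidates_for_event(log_text, event_time):
    """End-to-end for one security event: parse, backtrack, select."""
    if isinstance(event_time, str):
        event_time = datetime.fromisoformat(event_time)
    return select_candidates(backtrack(parse_log(log_text), event_time))


if __name__ == "__main__":
    for ip, ports in candidates_for_event(SAMPLE_LOG, "2024-05-01T13:03:00").items():
        print(ip, ports)
```

For the constructed sample only the two non-80/443 public destinations inside the window survive (the 443 and 80 connections during business hours, the RFC 1918 destination, and the connection outside the window are all dropped), which is what keeps API usage proportional to the event rather than to total traffic.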
The pipeline operates as a contextual validation workflow:

```
┌──────────────────────────────────────────┐
│ Security Event                           │
│ (EDR / URL Filter / Login)               │
└──────────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────┐
│ Firewall Log Backtracking                │
│ (Time-bound)                             │
└──────────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────┐
│ Criminal IP API Validation               │
│ (/v1/asset/ip/report)                    │
└──────────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────┐
│ Multi-Factor Risk Evaluation             │
└──────────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────┐
│ Automated Firewall / SOAR Enforcement    │
└──────────────────────────────────────────┘
```
This is not a reputation-only lookup.
An IP may be classified as suspicious if one or more of the following conditions are met:
- Reputation score: Dangerous or Critical
- SSL anomalies (self-signed / expired)
- Vulnerability exposure (e.g., directory listing)
- Mining infrastructure detection
- VPN / Tor / Proxy detection
- SSH exposure (port-based or product-based)
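The multi-factor evaluation above, as an added example that is not the project's code. The report below and its field names are a constructed, normalized shape (an assumption), not the Criminal IP API's response schema; a deployment maps the real `/v1/asset/ip/report` payload into this shape first. The product names treated as SSH are also an assumption.

```python
"""Multi-factor infrastructure risk evaluation over one normalized IP report.

Added example, not the project's code. The field names below are a constructed
normalized shape (an assumption), not the Criminal IP API schema.
"""

# Constructed normalized report for a hypothetical host (documentation address).
SAMPLE_REPORT = {
    "ip": "198.51.100.7",
    "reputation": "Critical",  # Safe / Low / Moderate / Dangerous / Critical
    "services": [
        {"port": 2022, "product": "OpenSSH", "ssl": None},
        {"port": 8443, "product": "nginx",
         "ssl": {"self_signed": True, "expired": False}},
    ],
    "vulnerability_tags": ["directory listing"],
    "mining": False,
    "anonymity": {"vpn": False, "tor": False, "proxy": True},
}

# Constructed report for a host that matches no indicator.
CLEAN_REPORT = {
    "ip": "203.0.113.44",
    "reputation": "Low",
    "services": [{"port": 443, "product": "nginx",
                  "ssl": {"self_signed": False, "expired": False}}],
    "vulnerability_tags": [],
    "mining": False,
    "anonymity": {"vpn": False, "tor": False, "proxy": False},
}

BLOCKING_REPUTATIONS = {"dangerous", "critical"}
SSH_PORT = 22
SSH_PRODUCTS = {"openssh", "dropbear"}  # product names treated as SSH, an assumption
ANONYMITY_LABELS = {"vpn": "VPN", "tor": "Tor", "proxy": "Proxy"}


def evaluate(report):
    """Return the list of matched indicators.

    An empty list means no factor matched; any non-empty list classifies the
    IP as suspicious (one indicator is enough, matching the criteria above)."""
    reasons = []

    # 1. Reputation score
    if report.get("reputation", "").lower() in BLOCKING_REPUTATIONS:
        reasons.append(f"Reputation: {report['reputation']}")

    # 2. SSL anomalies and 6. SSH exposure are both judged per observed service
    for svc in report.get("services", []):
        ssl = svc.get("ssl") or {}
        if ssl.get("self_signed"):
            reasons.append(f"SSL: Self-signed certificate (port {svc['port']})")
        if ssl.get("expired"):
            reasons.append(f"SSL: Expired certificate (port {svc['port']})")
        product = (svc.get("product") or "").lower()
        if svc["port"] == SSH_PORT:                 # port-based detection
            reasons.append(f"Service: SSH exposed on port {SSH_PORT} (port-based)")
        elif product in SSH_PRODUCTS:               # product-based detection (non-standard port)
            reasons.append(f"Service: {svc['product']} on port {svc['port']} (product-based)")

    # 3. Vulnerability exposure tags
    for tag in report.get("vulnerability_tags", []):
        reasons.append(f"Vulnerability: {tag}")

    # 4. Mining infrastructure
    if report.get("mining"):
        reasons.append("Mining: Mining infrastructure detected")

    # 5. Anonymity infrastructure
    anon = report.get("anonymity", {})
    for kind, label in ANONYMITY_LABELS.items():
        if anon.get(kind):
            reasons.append(f"Anonymity: {label} detected")

    return reasons


def is_suspicious(report):
    return bool(evaluate(report))


def format_verdict(report, port=None):
    """Render the verdict in the same style as the CLI output shown further down."""
    reasons = evaluate(report)
    target = f"{report['ip']}:{port}" if port else report["ip"]
    if not reasons:
        return f"[CLEAN] {target}"
    return "\n".join([f"[SUSPICIOUS] {target}"] + [f"- {r}" for r in reasons])


if __name__ == "__main__":
    print(format_verdict(SAMPLE_REPORT, 2022))
    print(format_verdict(CLEAN_REPORT, 443))
```

Each factor contributes an explicit reason string rather than a boolean, so the enforcement stage and the analyst both see which indicators fired; the product-based SSH check is what catches SSH moved to a non-standard port such as 2022, which a port-only check misses.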
All IP validations are performed using the following endpoint:
`https://api.criminalip.io/v1/asset/ip/report`
Ensure proper authentication headers are included in production deployments.
Run a simple validation test. Install the dependency, put your API key in the JSON config file, then query an IP:

```bash
pip install requests
```

```json
{
  "api_key": "YOUR_CRIMINAL_IP_API_KEY"
}
```

```bash
python cip_ip_report_check.py --ip 1.2.3.4 --pretty
python cip_ip_report_check.py --ip 1.2.3.4 --port 22 --pretty
python cip_ip_report_check.py --ip 1.2.3.4 --port 2022 --product OpenSSH --pretty
python cip_ip_report_check.py --ip 1.2.3.4 --dump-json
```
Example output for a flagged host:

```
[SUSPICIOUS] 1.2.3.4:22
- Reputation: Critical
- SSL: Self-signed certificate
- Service: OpenSSH
- Anonymity: Proxy detected
```
When deploying in operational environments, consider:
- Whitelist management
- Block duration (TTL) policies
- False-positive handling
- API rate limit management
See docs/production_considerations.md for detailed guidance.
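The four considerations above, as an added example that is not the project's code: an enforcement layer with an allowlist, block TTLs, operator false-positive feedback and a call budget in front of the validation API. Class names, the TTL, the indicator threshold and the budget values are assumptions chosen for illustration; the indicator strings are the kind of output the risk-evaluation stage emits.

```python
"""Enforcement layer: allowlist, block TTL, false-positive feedback, API call budget.

Added example, not the project's code. Class names, the TTL, the indicator
threshold and the budget values are assumptions chosen for illustration.
"""
import ipaddress
from datetime import datetime, timedelta


class CallBudget:
    """Fixed-window counter so validation calls stay under the API rate limit."""
    def __init__(self, max_calls, window=timedelta(minutes=1)):
        self.max_calls, self.window = max_calls, window
        self.window_start, self.used = None, 0

    def allow(self, now):
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start, self.used = now, 0
        if self.used >= self.max_calls:
            return False  # caller defers or drops this lookup instead of hitting the limit
        self.used += 1
        return True


class EnforcementPolicy:
    """Turns the list of matched indicators into a firewall / SOAR action."""
    def __init__(self, allowlist, ttl=timedelta(hours=24), min_indicators=1):
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.ttl, self.min_indicators = ttl, min_indicators
        self.blocks = {}  # ip -> {"expires": datetime, "reasons": [...]}

    def is_allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def decide(self, ip, reasons, now):
        """Return 'skip-allowlisted', 'no-action', 'block' or 'renew'."""
        if self.is_allowlisted(ip):
            return "skip-allowlisted"
        if len(reasons) < self.min_indicators:
            return "no-action"
        action = "renew" if ip in self.blocks else "block"
        self.blocks[ip] = {"expires": now + self.ttl, "reasons": list(reasons)}
        return action

    def expire(self, now):
        """Release blocks whose TTL has elapsed; returns the released IPs."""
        released = [ip for ip, b in self.blocks.items() if b["expires"] <= now]
        for ip in released:
            del self.blocks[ip]
        return released

    def active(self, now):
        self.expire(now)
        return sorted(self.blocks)

    def mark_false_positive(self, ip):
        """Operator feedback: lift the block now and allowlist the host."""
        self.blocks.pop(ip, None)
        self.allowlist.append(ipaddress.ip_network(ip))


def run_scenario():
    """Constructed walk-through; returns every decision so it can be checked."""
    t0 = datetime(2024, 5, 1, 13, 3)
    # min_indicators=2 is a tuning choice for noisy environments; the default of 1
    # matches the "one or more conditions" rule of the blocking criteria.
    policy = EnforcementPolicy(allowlist=["203.0.113.0/24"],
                               ttl=timedelta(hours=1), min_indicators=2)
    budget = CallBudget(max_calls=2)
    strong = ["Reputation: Critical", "Service: OpenSSH on port 2022 (product-based)"]
    log = {}
    log["budget"] = [budget.allow(t0), budget.allow(t0), budget.allow(t0),
                     budget.allow(t0 + timedelta(minutes=1))]
    log["allowlisted"] = policy.decide("203.0.113.44", strong, t0)
    log["single_indicator"] = policy.decide("198.51.100.9", strong[:1], t0)
    log["first_block"] = policy.decide("198.51.100.7", strong, t0)
    log["renewal"] = policy.decide("198.51.100.7", strong, t0 + timedelta(minutes=30))
    log["active_before_ttl"] = policy.active(t0 + timedelta(minutes=89))
    log["active_after_ttl"] = policy.active(t0 + timedelta(hours=2))
    policy.decide("198.51.100.7", strong, t0 + timedelta(hours=2))
    policy.mark_false_positive("198.51.100.7")
    log["after_fp"] = policy.decide("198.51.100.7", strong, t0 + timedelta(hours=3))
    log["active_end"] = policy.active(t0 + timedelta(hours=3))
    return log


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Renewing a block refreshes its TTL from the latest sighting, so a host that keeps appearing stays blocked while one-off hits age out on their own; the false-positive path both lifts the block and allowlists the host so the same event cannot re-block it on the next run.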
Operational scenarios covered by the framework include:
- SOC automated response workflows
- MSSP blacklist automation
- Enterprise firewall automation
- Kubernetes ingress protection
- DNS anomaly validation
Detailed documentation is available in:
- Architecture document
- Validation Model
- Operational Scenarios
- Blocking Criteria
- Production Considerations
- Integration Guide
This is not a simple IP reputation lookup.
The system performs multi-factor infrastructure risk validation by combining:
- Reputation scoring
- SSL certificate anomaly detection
- Vulnerability tag analysis
- Mining infrastructure detection
- Anonymity infrastructure detection (VPN/Tor/Proxy)
- SSH exposure detection (port-based and product-based)
This results in a multi-indicator automated blocking model suitable for:
- Security automation demonstrations
- SOC production workflows
- Enterprise defensive architecture design