ThreatLens

Agentic Threat Investigation
mcp-threatintel

What this is

An AI analyst that investigates an Indicator of Compromise (IOC) — an IP, domain, hash, or URL — by querying 8 real threat intelligence feeds and reasoning about what it finds.

Built on mcp-threatintel. Sources: AbuseIPDB, GreyNoise, AlienVault OTX, URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker, plus DNS.

Why reasoning transparency matters

Most automated triage tools give you a verdict with no explanation. That's fine until a SOC analyst has to defend a block decision.

ThreatLens streams the agent's reasoning as it happens. You see which source it picks, why it picks it, and how each finding updates its assessment. Every claim in the final report is backed by an actual API call.

How to read the output

  1. Agent Activity — live reasoning. 💭 thinking · ▶ tool call · ✓ tool result.
  2. Investigation Report — structured verdict with risk score, evidence chain, recommendation.
  3. History — replay any past investigation to see the full agent log.

Risk score bands: LOW 0–3 · MED 4–6 · HIGH 7–8 · CRIT 9–10
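As an added example (not code from ThreatLens or mcp-threatintel), here is a minimal offline model of the output described above: IOC type detection, the risk bands, and a report builder that refuses any claim not traceable to a recorded tool result. The activity log entries and their field names are constructed assumptions, not the real wire format.

```python
import re

# Constructed stand-in for the streamed Agent Activity log (hypothetical shape):
# a thinking step, then tool calls paired with tool results by id.
ACTIVITY = [
    {"kind": "thinking", "text": "Looks like an IPv4; start with AbuseIPDB."},
    {"kind": "tool_call", "id": 1, "source": "AbuseIPDB", "ioc": "203.0.113.7"},
    {"kind": "tool_result", "call_id": 1, "data": {"abuseConfidenceScore": 92}},
    {"kind": "tool_call", "id": 2, "source": "GreyNoise", "ioc": "203.0.113.7"},
    {"kind": "tool_result", "call_id": 2, "data": {"classification": "malicious"}},
]

def classify_ioc(ioc):
    """Return 'ip', 'hash', 'url' or 'domain' for a raw indicator string."""
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ioc):
        return "ip"
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", ioc):
        return "hash"                      # MD5 / SHA-1 / SHA-256 lengths
    if re.match(r"https?://", ioc):
        return "url"
    return "domain"

def risk_band(score):
    """Map a 0-10 risk score to the LOW/MED/HIGH/CRIT bands shown above."""
    if not 0 <= score <= 10:
        raise ValueError("score must be 0-10")
    if score <= 3:
        return "LOW"
    if score <= 6:
        return "MED"
    return "HIGH" if score <= 8 else "CRIT"

def evidence_chain(activity):
    """Pair each tool call with its result; a call with no result yields nothing."""
    calls = {e["id"]: e for e in activity if e["kind"] == "tool_call"}
    return [{"call_id": e["call_id"], "source": calls[e["call_id"]]["source"],
             "ioc": calls[e["call_id"]]["ioc"], "data": e["data"]}
            for e in activity
            if e["kind"] == "tool_result" and e["call_id"] in calls]

def build_report(ioc, score, claims, activity):
    """Structured verdict; reject any claim not backed by a recorded tool result."""
    chain = evidence_chain(activity)
    backed = {c["call_id"] for c in chain}
    for claim in claims:
        if claim["call_id"] not in backed:
            raise ValueError("unbacked claim: %r" % claim["text"])
    return {"ioc": ioc, "type": classify_ioc(ioc), "risk_score": score,
            "band": risk_band(score), "evidence": chain, "claims": claims}
```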
