Pivot from an IP, domain, URL, malware hash or CVE and explore the relationships observed by our sensors and enrichment feeds.
An Indicator of Compromise rarely appears in isolation. An attacker IP is often associated with specific malware hashes, malicious URLs resolve to domains reused across campaigns, and many CVEs are actively exploited from known infrastructure. The IOC Hub lets you walk that relationship graph in real time.
The graph combines two edge types: internal observation (what our T-Pot honeypots have seen live) and external enrichment (URLhaus, OpenPhish, NIST/CISA, Tor exit nodes, GreyNoise, Shodan InternetDB). They are visually distinct so you can judge the strength of each connection.
Enter an IOC in the search box and pick the graph depth (1 or 2 hops). The IOC Hub will show all related nodes, label each relation type (e.g. exploited_on, hosts, phishing_hosts, c2) and let you jump to the detail of any node.
A directed graph of all IOCs connected to the root indicator up to two hops. Supported types: IP, domain, URL, SHA-256 malware hash and CVE. Each edge carries the relation type, source and confidence level.
Green edges come from our own observation (honeypot telemetry). Grey edges come from external feeds. A connection backed by several independent sources is more reliable than one backed by a single source. Depth 2 grows quickly; keep the default limits to avoid visual overload.
Internal edges: our T-Pot honeypots. External edges: abuse.ch URLhaus, OpenPhish, NIST NVD, CISA KEV, Tor Project bulk export, Shodan InternetDB, GreyNoise Community.
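The pivot described above, as an added example that is not the IOC Hub's own code: a breadth-first walk to a chosen depth with a node limit, merging duplicate edges so that connections reported by several sources stand out. The edge tuple layout, feed labels, numeric confidence values and the choice to follow edges in either direction are assumptions, and all sample data is constructed.

```python
from collections import defaultdict, deque

INTERNAL_SOURCES = {"tpot"}  # hypothetical feed label for honeypot telemetry

# Constructed sample edges: (src, dst, relation, source, confidence)
EDGES = [
    ("198.51.100.7", "CVE-PLACEHOLDER-1", "exploited_on", "tpot", 0.9),
    ("198.51.100.7", "sha256:placeholder-a", "hosts", "tpot", 0.8),
    ("198.51.100.7", "sha256:placeholder-a", "hosts", "urlhaus", 0.7),
    ("http://bad.example/p", "sha256:placeholder-a", "hosts", "urlhaus", 0.7),
    ("bad.example", "http://bad.example/p", "phishing_hosts", "openphish", 0.6),
    ("203.0.113.9", "CVE-PLACEHOLDER-1", "exploited_on", "greynoise", 0.5),
]

def pivot(root, edges, depth=1, max_nodes=25):
    """Return (hops, merged): hop count per node and one record per connection."""
    adjacent = defaultdict(list)
    for edge in edges:
        adjacent[edge[0]].append(edge)
        adjacent[edge[1]].append(edge)  # assumption: pivot in either direction
    hops, merged, queue = {root: 0}, {}, deque([root])
    while queue:
        node = queue.popleft()
        if hops[node] == depth:
            continue  # nodes at the depth limit are shown but not expanded
        for src, dst, relation, source, confidence in adjacent[node]:
            other = dst if src == node else src
            if other not in hops:
                if len(hops) >= max_nodes:
                    continue  # node limit reached: drop the edge as well
                hops[other] = hops[node] + 1
                queue.append(other)
            # Same (src, dst, relation) from several feeds is one connection.
            info = merged.setdefault((src, dst, relation),
                                     {"sources": set(), "confidence": 0.0})
            info["sources"].add(source)
            info["confidence"] = max(info["confidence"], confidence)
    for info in merged.values():
        internal = info["sources"] & INTERNAL_SOURCES
        info["origin"] = "internal" if internal else "external"
        info["corroborated"] = len(info["sources"]) >= 2
    return hops, merged

if __name__ == "__main__":
    hops, merged = pivot("198.51.100.7", EDGES, depth=2)
    for (src, dst, rel), info in merged.items():
        print(f"{src} -[{rel}]-> {dst}", info["origin"], sorted(info["sources"]))
```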