OpenCTI Gains Automated Threat Enrichment via Criminal IP Integration
What Happened – Criminal IP released an integration for the OpenCTI threat‑intel platform that automatically enriches IP addresses, domains and URLs with reputation scores, vulnerability (CVE) data, phishing analysis, infrastructure details and behavioral signals. The enriched data is stored as structured OpenCTI entities and relationships, turning raw indicators into a searchable knowledge graph.
Why It Matters for Compliance & Audit Readiness
- Continuous‑monitoring controls (SOC 2 CC6.1) require evidence that threat‑intel is evaluated in real time; automated enrichment provides that evidence without manual lag.
- Structured enrichment creates a defensible audit trail linking each indicator to risk scores, CVEs and phishing confidence, satisfying SOC 2 criteria for risk‑assessment documentation (CC6.2).
- Mapping enriched indicators to internal security controls simplifies control‑mapping and evidence‑collection for SOC 2 audits – a core capability of Verisq’s Control Mapping offering.
Who Is Affected – Security Operations Centers, Managed Security Service Providers, and any enterprise that relies on threat‑intel platforms (e.g., finance, technology, healthcare).
Recommended Actions –
- Deploy the Criminal IP connector in OpenCTI and enable logging of enrichment metadata.
- Map the new enrichment fields (risk score, CVE links, phishing confidence) to your SOC 2 risk‑assessment and monitoring controls.
- Archive enrichment logs as part of your continuous‑compliance evidence repository.
Source: BleepingComputer
Technical Notes – The integration calls Criminal IP APIs to retrieve dual‑perspective risk scores (inbound/outbound), CVE associations, Autonomous System data, geolocation, and phishing probability. No new CVEs are disclosed; the service simply surfaces existing vulnerability data linked to the observed infrastructure.