IP REPUTATION ANALYSIS IN OSINT
Using AbuseIPDB and IP2Location for Layered Intelligence
Published: 2026-05-18
WHY IP REPUTATION MATTERS
IP addresses appear constantly in OSINT work: server logs, email headers, phishing infrastructure, C2 callbacks, and leaked data sets. Knowing whether an IP belongs to a VPN provider or a Tor exit network, or whether it has been reported for abuse, changes how you interpret everything else you find.
OpenOSINT provides two complementary tools for this: search_abuseipdb for crowd-sourced abuse data and search_ip2location for enriched geolocation and infrastructure classification. Running both gives you a complete picture.
ABUSEIPDB — CROWD-SOURCED ABUSE REPORTS
The search_abuseipdb tool queries the AbuseIPDB v2 API. The database aggregates reports from security teams, honeypots, and network operators worldwide.
Key fields returned:
| Field | What it means |
|---|---|
| Abuse Confidence Score | 0–100%. Higher = more confirmed abuse reports |
| Total Reports | Number of individual abuse reports in the database |
| Country / ISP / Domain | Basic attribution data |
| Last Reported | Timestamp of most recent report |
A warning is displayed when the confidence score exceeds 50%.
```
$ openosint abuseipdb 198.51.100.1
[AbuseIPDB] IP: 198.51.100.1
[AbuseIPDB] Abuse Confidence Score: 87%
[AbuseIPDB] Total Reports: 143
[AbuseIPDB] Country: US
[AbuseIPDB] ISP: Example ISP LLC
[AbuseIPDB] Last Reported: 2026-05-20T14:33:00+00:00
⚠️ HIGH ABUSE CONFIDENCE — flagged by AbuseIPDB
```
Required: ABUSEIPDB_API_KEY environment variable — register for a free key.
IP2LOCATION — ENRICHED GEOLOCATION & INFRASTRUCTURE
The search_ip2location tool (sponsored integration) queries the IP2Location.io API. Beyond standard geolocation it classifies the IP's infrastructure type.
Key fields returned:
| Field | What it means |
|---|---|
| Country / Region / City | Physical location to city level |
| ISP / Domain / ASN | Network operator and autonomous system |
| Proxy / VPN / TOR | Infrastructure classification (Security Plan) |
| Datacenter | Whether hosted in a cloud or datacenter range |
| Threat | Aggregate threat classification |
```
$ openosint ip2location 8.8.8.8
[IP2Location] Country: United States (US)
[IP2Location] City: Mountain View, California
[IP2Location] ISP: Google LLC
[IP2Location] ASN: AS15169 Google LLC
[IP2Location] VPN: No | Proxy: No | TOR: No
[IP2Location] Datacenter: Yes
[IP2Location] Threat: clean
```
Required: IP2LOCATION_API_KEY environment variable — obtain a key from IP2Location.io.
RUNNING BOTH TOOLS IN SEQUENCE
For any IP encountered during an investigation, running both tools gives you:
- Hard abuse data — reports from real incidents (AbuseIPDB)
- Infrastructure classification — is it a VPN, proxy, or datacenter? (IP2Location)
- Full geolocation — city, ASN, ISP for corroboration
In the OpenOSINT REPL, the AI agent chains both tools automatically:
```
openosint > investigate 198.51.100.1
→ search_ip('198.51.100.1')
→ search_ip2location('198.51.100.1')
→ search_abuseipdb('198.51.100.1')
Summary: This IP is hosted at Example ISP (US). AbuseIPDB shows
143 reports with 87% abuse confidence. Last reported 4 days ago.
High-risk — treat with significant suspicion.
```
PRACTICAL APPLICATIONS
| Scenario | What to look for |
|---|---|
| Phishing investigation | Datacenter flag + high abuse score = likely bulk-send infrastructure |
| Attacker attribution | VPN/Tor flag = deliberate anonymisation layer |
| Log analysis | High abuse score for a connection source = credible threat |
| Infrastructure mapping | ASN + datacenter flag identifies hosting provider |
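The layered logic described above (the 50% warning threshold, the "datacenter + high abuse score" and "VPN/Tor" rules from the scenario table, and the "last reported N days ago" summary) can be reproduced offline from the two tools' parsed responses. This is an added example, not OpenOSINT's own code; the AbuseIPDB field names follow the v2 /check response, while the IP2Location flag names and the sample records are constructed assumptions for this example.

```python
from datetime import datetime

# Constructed AbuseIPDB v2 /check-style response (field names follow the real API).
ABUSE_SAMPLE = {"data": {"ipAddress": "198.51.100.1", "abuseConfidenceScore": 87,
                         "totalReports": 143, "countryCode": "US",
                         "isp": "Example ISP LLC",
                         "lastReportedAt": "2026-05-20T14:33:00+00:00"}}

# Constructed IP2Location-style record; these flag names are assumptions.
IP2L_SAMPLE = {"country_code": "US", "asn": "AS64496", "isp": "Example ISP LLC",
               "is_vpn": False, "is_tor": False, "is_proxy": False,
               "is_data_center": True}

ABUSE_WARN_THRESHOLD = 50  # the page's warning threshold (score > 50%)


def assess(abuse: dict, ip2l: dict, now_iso: str) -> dict:
    """Combine AbuseIPDB and IP2Location results into one risk assessment.

    now_iso is the analyst's reference time as an ISO-8601 string with offset,
    so 'days since last report' is reproducible rather than wall-clock dependent.
    """
    d = abuse["data"]
    score = d.get("abuseConfidenceScore", 0)
    findings = []

    if score > ABUSE_WARN_THRESHOLD:
        findings.append("HIGH ABUSE CONFIDENCE")  # mirrors the CLI warning

    anonymised = bool(ip2l.get("is_vpn") or ip2l.get("is_tor") or ip2l.get("is_proxy"))
    if anonymised:
        findings.append("anonymisation layer (VPN/proxy/Tor)")

    # Scenario table: datacenter flag + high abuse score => bulk-send infrastructure
    if ip2l.get("is_data_center") and score > ABUSE_WARN_THRESHOLD:
        findings.append("datacenter + high abuse: likely bulk-send infrastructure")

    days_since = None
    if d.get("lastReportedAt"):
        last = datetime.fromisoformat(d["lastReportedAt"])
        days_since = (datetime.fromisoformat(now_iso) - last).days

    # Abuse reports outrank infrastructure flags; flags alone raise, not confirm, risk
    risk = "high" if score > ABUSE_WARN_THRESHOLD else ("medium" if anonymised else "low")
    return {"ip": d.get("ipAddress"), "score": score, "reports": d.get("totalReports", 0),
            "days_since_report": days_since, "findings": findings, "risk": risk}
```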
SEE ALSO
- Full tools reference — parameters, output format, and all 14 tools
- MCP integration guide — run these tools from Claude Desktop automatically
- OpenOSINT documentation — complete manual