During a cyber investigation (Threat Hunting), the SOC analyst routinely encounters unknown IP addresses. A machine in the accounting department communicates with a remote server on port 4444. Is this a legitimate new cloud service deployed by the IT team, or a "Command & Control" (C2) server controlled by Russian cybercriminals?
To decide, security teams rely on Threat Intelligence, and more particularly on platforms like AlienVault OTX (Open Threat Exchange). But having raw data is not enough. Discover how Akuity SOC's algorithmic integration transforms this complex data into a clear and immediate decision score.
What is AlienVault OTX?
AlienVault OTX is one of the world's largest threat intelligence sharing networks. It operates on a community principle: thousands of cybersecurity researchers, SOCs and automated algorithms share “Pulses”.
A “Pulse” is a grouping of Indicators of Compromise (IOCs) linked to a specific threat, such as a ransomware campaign or an APT (Advanced Persistent Threat) hacker group. If an IP address has been seen distributing malware in Brazil, a researcher publishes a Pulse. From then on, the whole world knows that this IP is compromised.
The raw data problem (Red Alert syndrome)
If AlienVault is a gold mine, its "raw" use presents a risk of false positives. An IP address belonging to a massive cloud service like Amazon Web Services (AWS) or Microsoft Azure may very well be associated with malicious Pulses, because hackers also rent servers on these platforms.
Blocking an Azure IP address outright because it was reported once 6 months ago risks crippling legitimate services in your own company. The SOC analyst must therefore sort things out: weigh the information, analyze the ASN (Autonomous System Number) and check the domain registration date. This is an intellectually heavy task in the midst of crisis management.
Akuity's radial gauge: Algorithmic OSINT
To relieve the analyst, the Akuity SOC platform includes a proprietary reputation calculation engine, which queries the AlienVault OTX API (as well as other databases) and applies score modifiers to display a Radial Risk Gauge ranging from 0 to 100.
Here is how the score is calculated and adjusted:
1. Analysis of dark infrastructures
The algorithm checks the creation date and reputation of the domain associated with the IP. If the system detects anomalies, it drastically increases the risk score. In the "Analyst Notes" generated by the Gemini AI (displayed in a blue glassmorphic card below the gauge), you will read for example:
"Infrastructure analysis reveals risks: Recent registration (less than 100 days) or Zero popularity (absent from the world's top 1M)."
2. Detection of malware and critical signatures
The score jumps towards critical red (90-100/100) if the IP is actively linked to the distribution of malicious code. The AI note will specify:
“Presence of X sample(s) of active malware(s) communicating with this infrastructure” or even “Presence of highly dangerous critical signatures associated with C2 servers, Trojans or APT campaigns.”
3. Penalty adjustment (prevention of false positives)
This is where the algorithm proves its value. If the IP address generates a lot of noise (massive port scans across the Internet) but does not distribute any malware and belongs to a known internet-scanning provider (such as Shodan or Censys), the system applies a dampener.
The note will indicate: "Context adjustment applied: Penalty of -15 points because the main activity detected is a scan or a honeypot without critical malware." The score remains yellow (medium alert) but does not trigger the panic of a red score.
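The three modifiers above can be read as a small scoring pipeline: a base score from community signals, an uplift for suspicious infrastructure, a jump to the critical band when malware or C2 signatures are present, and a -15 dampener for known scanners. The following Python is an added illustration written for this article, not Akuity's engine or the OTX client library. The base-score weights (10 points per pulse, capped at 60), the +25 infrastructure uplift, the colour-band thresholds and the `IpEvidence` fields are all assumptions; only the 100-day registration rule, the top-1M popularity check, the 90-100 critical band and the -15 scan/honeypot penalty come from the text. The sample records are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IpEvidence:
    """Simplified, constructed view of what an OTX/OSINT lookup returns (assumed fields)."""
    ip: str
    pulse_count: int                     # number of community Pulses referencing this IP
    malware_samples: int                 # active malware samples seen talking to this IP
    critical_signatures: bool            # C2 / Trojan / APT signature tags present
    registration_age_days: Optional[int] # age of the associated domain, None if no domain
    in_top_1m: bool                      # domain present in a world top-1M popularity list
    activity: str                        # dominant activity: "scan", "honeypot", "malware", "unknown"
    known_scanner: bool                  # belongs to a known internet-scanning provider


def base_score(pulse_count: int) -> int:
    # Assumption: 10 points per Pulse, capped at 60 so community noise alone
    # can never reach the critical band on its own.
    return min(60, pulse_count * 10)


def assess(ev: IpEvidence) -> Tuple[int, List[str]]:
    """Return (score 0-100, analyst notes) by applying the three modifiers in order."""
    notes: List[str] = []
    score = base_score(ev.pulse_count)

    # 1. Dark infrastructure: recent registration or zero popularity raises the score.
    infra_flags = []
    if ev.registration_age_days is not None and ev.registration_age_days < 100:
        infra_flags.append("Recent registration (less than 100 days)")
    if not ev.in_top_1m:
        infra_flags.append("Zero popularity (absent from the world's top 1M)")
    if infra_flags:
        score += 25  # assumed weight for the infrastructure uplift
        notes.append("Infrastructure analysis reveals risks: " + " or ".join(infra_flags))

    # 2. Malware and critical signatures: jump into the 90-100 critical band.
    if ev.malware_samples > 0:
        score = max(score, 90)
        notes.append(
            f"Presence of {ev.malware_samples} sample(s) of active malware(s) "
            "communicating with this infrastructure"
        )
    if ev.critical_signatures:
        score = 100
        notes.append(
            "Presence of highly dangerous critical signatures associated with "
            "C2 servers, Trojans or APT campaigns."
        )

    # 3. Penalty adjustment: noisy but harmless known scanners are dampened by 15 points.
    scan_like = ev.activity in ("scan", "honeypot")
    if scan_like and ev.known_scanner and ev.malware_samples == 0 and not ev.critical_signatures:
        score -= 15
        notes.append(
            "Context adjustment applied: Penalty of -15 points because the main activity "
            "detected is a scan or a honeypot without critical malware."
        )

    return max(0, min(100, score)), notes


def band(score: int) -> str:
    # Assumed gauge thresholds; the text only fixes red at 90-100 and yellow as "medium".
    if score >= 90:
        return "red"
    if score >= 70:
        return "orange"
    if score >= 40:
        return "yellow"
    return "green"


# Constructed sample records (not real IPs or real OTX data).
SCANNER = IpEvidence("203.0.113.10", pulse_count=6, malware_samples=0, critical_signatures=False,
                     registration_age_days=2400, in_top_1m=True, activity="scan", known_scanner=True)
C2_SERVER = IpEvidence("198.51.100.7", pulse_count=2, malware_samples=3, critical_signatures=True,
                       registration_age_days=12, in_top_1m=False, activity="malware", known_scanner=False)
CLEAN_CLOUD = IpEvidence("192.0.2.44", pulse_count=0, malware_samples=0, critical_signatures=False,
                         registration_age_days=3000, in_top_1m=True, activity="unknown", known_scanner=False)


if __name__ == "__main__":
    for ev in (SCANNER, C2_SERVER, CLEAN_CLOUD):
        score, notes = assess(ev)
        print(f"{ev.ip}: {score}/100 ({band(score)})")
        for n in notes:
            print("  -", n)
```

Running it shows the behaviour the article describes: the known scanner lands in the yellow band after the -15 dampener, the freshly registered C2 host is forced to 100 regardless of how few Pulses mention it, and the clean cloud address stays green. The order of the steps matters: the penalty is evaluated last and only when no malware or critical signature was found, so it can never pull a genuine C2 server out of the red band.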
Conclusion: Make informed decisions
Threat Intelligence is only valuable if it is actionable. By transforming thousands of raw and sometimes conflicting community signals into a smoothed, AI-contextualized, easy-to-read reputation score, you give your L1 analysts the confidence to hit the hard block button.
Evaluate your indicators of compromise without leaving your interface. Discover how the Akuity SOC IP Reputation Assessment (AlienVault) module streamlines your network investigations.