Investigation Workbench
Guided threat investigations with 72 enrichment engines, automated playbooks, interactive entity graphs, evidence boards, and a built-in browser research workspace.
1. Overview
The Investigation Workbench transforms raw indicators of compromise (IOCs) into structured intelligence. Starting from a suspicious URL, IP address, file hash, or email address, the workbench walks your team through a wizard-driven workflow that extracts entities, enriches them against 72 threat intelligence sources, builds a relationship graph, and produces an evidence-backed verdict.
Investigations are stored in Firestore with full audit trails and can be shared, exported, or used as evidence for incident response and compliance documentation.
2. Playbook Templates
Playbooks automate the investigation workflow — selecting the right entities, tools, and enrichment sequence for each scenario.
- Analyze suspicious URLs, domains, and email headers. Extract IOCs, check reputation, and build a phishing verdict.
- Hash lookup, sandbox results, YARA matches, and behavioral analysis across multiple threat intel databases.
- WHOIS, DNS records, SSL certificates, hosting history, and related infrastructure mapping.
- Geolocation, ASN, reputation, open ports, reverse DNS, and historical activity from multiple sources.
- Wallet address analysis, transaction history, cluster identification, and exchange attribution.
- Username, email, social media presence, and data breach exposure analysis.
- Company infrastructure, DNS footprint, technology stack, leaked credentials, and attack surface mapping.
- Blank canvas with manual entity and tool selection for unique investigation scenarios.
3. Enrichment Engines
The workbench integrates 72 enrichment engines across 10 categories. OSINT Starter includes 8 core engines; OSINT Pro unlocks all 72.
| Category | Engines | Examples |
|---|---|---|
| URL & Domain | 12 | VirusTotal, URLScan.io, Google Safe Browsing, PhishTank, OpenPhish |
| IP Intelligence | 10 | Shodan, Censys, GreyNoise, AbuseIPDB, IPinfo, MaxMind |
| Hash & Malware | 8 | VirusTotal, MalwareBazaar, ThreatFox, CIRCL, Hybrid Analysis |
| DNS & WHOIS | 7 | SecurityTrails, DomainTools, PassiveTotal, RDAP, DNSDumpster |
| Email & Identity | 6 | Have I Been Pwned, Hunter.io, EmailRep, Dehashed |
| SSL & Certificates | 5 | crt.sh, Censys Certificates, SSL Labs, Certificate Transparency |
| Cryptocurrency | 4 | Blockchain.com, Etherscan, Chainalysis OSINT, Blockchair |
| Threat Intel Feeds | 8 | AlienVault OTX, Pulsedive, ThreatCrowd, MISP, Abuse.ch |
| Social & OSINT | 6 | Sherlock, Maigret, Holehe, Namechk, Social Searcher |
| Network & ASN | 6 | BGP Toolkit, RIPE, ARIN, PeeringDB, Hurricane Electric |
4. Entity Graph
Every investigation builds an interactive entity relationship graph. As enrichment runs, new entities and connections are discovered and added to the graph automatically. Entity types include:
Click any node to view enrichment details, run additional tools, or pivot to connected entities. The graph supports zoom, pan, filtering by entity type, and export to PNG/SVG.
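The workflow described above (extract indicators from raw input, then link them into a pivotable graph) is shown below as an added example; it is not the workbench's own code. The entity type names (url, email, md5/sha1/sha256, ipv4, domain), the relation names (hosted_on, uses_domain) and the sample ticket text are all constructed assumptions, since the page's own entity-type list did not survive. The example also handles the common edge case of defanged indicators (hxxp, [.]) so that a defanged and a live form of the same indicator land on one node.

```python
"""Added illustration: IOC extraction and entity-graph construction.
Not the Investigation Workbench's code; entity and relation names are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

# Analysts share indicators "defanged" (hxxp, [.]) so they cannot be clicked by accident;
# normalise them first so a defanged and a live form of the same IOC are one node.
_REFANG = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]

# Matched in this order; every hit is blanked out of the text afterwards so a looser
# pattern (bare domain) cannot re-extract a fragment of a URL or address found earlier.
_PATTERNS = [
    ("url", re.compile(r"https?://[^\s<>\"']+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)),
    ("hash", re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # assumed entity-type names, by digest length


def refang(text: str) -> str:
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def _normalise(etype: str, raw: str) -> tuple[str, str]:
    if etype == "url":
        return etype, raw.rstrip(".,);:")          # drop trailing sentence punctuation
    if etype == "hash":
        return _HASH_TYPES[len(raw)], raw.lower()  # classify the digest by its length
    if etype in ("email", "domain"):
        return etype, raw.lower()
    return etype, raw


def extract_iocs(text: str) -> list[tuple[str, str]]:
    """Return deduplicated (entity_type, value) pairs in discovery order."""
    text = refang(text)
    iocs: list[tuple[str, str]] = []
    seen: set[tuple[str, str]] = set()
    for etype, pattern in _PATTERNS:
        for m in pattern.finditer(text):
            item = _normalise(etype, m.group())
            if item not in seen:
                seen.add(item)
                iocs.append(item)
        text = pattern.sub(lambda m: " " * len(m.group()), text)  # blank out consumed spans
    return iocs


def build_entity_graph(iocs):
    """Nodes keyed 'type:value'; edges are (src, relation, dst).
    Derives the hosting relationships (URL -> domain or IP, email -> domain) that make pivoting possible."""
    nodes: dict[str, tuple[str, str]] = {}
    edges: set[tuple[str, str, str]] = set()

    def add(etype: str, value: str) -> str:
        key = f"{etype}:{value}"
        nodes.setdefault(key, (etype, value))
        return key

    for etype, value in iocs:
        key = add(etype, value)
        if etype == "url":
            host = (urlparse(value).hostname or "").lower()
            if host:
                try:
                    ipaddress.ip_address(host)              # literal IP host
                    edges.add((key, "hosted_on", add("ipv4", host)))
                except ValueError:                           # hostname, not an IP
                    edges.add((key, "hosted_on", add("domain", host)))
        elif etype == "email":
            edges.add((key, "uses_domain", add("domain", value.split("@", 1)[1])))
    return nodes, edges


def neighbors(edges, key: str) -> set[str]:
    """Pivot: every node directly connected to `key`, in either edge direction."""
    return {d for s, _, d in edges if s == key} | {s for s, _, d in edges if d == key}


# Constructed sample ticket (documentation-range IP addresses, reserved .example TLD, fake digest).
SAMPLE_REPORT = """\
Constructed sample ticket, not real telemetry.
User reported mail from billing@invoice-portal[.]example linking to
hxxps://invoice-portal[.]example/login?acct=123 and hxxp://203.0.113.45/dl/update.exe.
Sending relay in the headers was 198.51.100.7; attachment sha256 was
a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4.
The kit was previously seen hosted on cdn-static[.]example.
"""

if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    graph_nodes, graph_edges = build_entity_graph(found)
    for src, rel, dst in sorted(graph_edges):
        print(f"{src} --{rel}--> {dst}")
    print("pivot from domain:", sorted(neighbors(graph_edges, "domain:invoice-portal.example")))
```

Blanking each consumed span before the next pattern runs is what keeps the bare-domain pattern from producing a second, duplicate node for the host part of a URL or e-mail address; the derived edges then connect those hosts back to the indicators they came from, which is the pivot an analyst clicks through in the graph view.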
5. Evidence & Reporting
- Capture browser screenshots of phishing pages, suspicious domains, and web content with timestamps.
- Organize all enrichment results, screenshots, notes, and artifacts into a structured evidence board.
- AI-generated investigation verdict with confidence scoring, risk assessment, and recommended actions.
- Export investigation reports as PDF with entity graph, timeline, evidence, and verdict for compliance or legal teams.
6. Browser Research Workspace
The built-in browser research workspace uses Puppeteer running in a sandboxed Cloud Function to safely visit and analyze live URLs. This enables:
Browser research is available on OSINT Pro plans only. All requests are executed in ephemeral containers with no persistent state.
7. Governance & Safety
Investigations operate within a strict governance framework: