Automating Threat Intel: How I Built a Fast, Containerised IP Triage Tool

Published: January 17, 2026 at 05:01 PM EST
2 min read
Source: Dev.to


The Mission: Fighting “Analyst Fatigue”

As an aspiring Security Engineer, I quickly learned that triage is where most time is lost. When a firewall flags dozens of suspicious connections, checking them one‑by‑one in a browser is slow and prone to error. I built Sentinel‑IP, a Python tool that takes a list of IPs and instantly enriches them with threat intelligence, turning a 30‑minute manual task into a 30‑second automated one.

  • Python – automation logic and API handling
  • Docker – ensures the tool runs on any machine (macOS, Windows, Linux) without setup headaches
  • AbuseIPDB API – crowdsourced reports on brute‑force and spam activity
  • AlienVault OTX API – “Pulse” data identifying IPs linked to known malware campaigns

I originally planned to include VirusTotal, but its free tier allows only 4 requests per minute, which would have made processing 50 IPs take nearly 15 minutes. Switching to AlienVault OTX removed this bottleneck, allowing dozens of IPs to be scanned in seconds. The lesson: the best data is useless if it arrives too late to stop an attack.

The tool reads a simple ips.txt file as input, queries the APIs, and generates a clean results.csv for the analyst to review.

Core Logic

from tqdm import tqdm  # progress bar over the IP list

results = []  # one dict per IP; written out as results.csv at the end
for ip in tqdm(ips, desc="Analyzing"):   # ips: the list read from ips.txt
    abuse_score = check_abuse_ip(ip)   # Returns % confidence (AbuseIPDB)
    otx_pulses = check_alienvault(ip)  # Returns count of threat pulses (OTX)

    results.append({
        'IP': ip,
        'Abuse_Score%': abuse_score,
        'OTX_Pulses': otx_pulses
    })

Use Cases

The Firewall Log “Dump”

Scenario: A company firewall blocks hundreds of failed SSH attempts.
Application: Copy the IPs from the logs into Sentinel‑IP.
Impact: Instantly filter for IPs with a 100% Abuse Score, allowing you to focus on verified botnets instead of investigating every block.

Phishing Header Analysis

Scenario: A suspicious email is reported and contains a “Source IP” in the header.
Application: Run that IP through the tool.
Impact: If AlienVault OTX shows multiple pulses related to “Credential Harvesting,” you have immediate proof the email is malicious and can purge it from the network.

Project Insights

API Resilience

Handling 404 Not Found errors (often indicating a “clean” IP) versus 401 Unauthorized errors ensures the tool continues processing without interruption.

Containerization

Docker volumes allow the container to write the CSV file directly to the host’s desktop, making the output instantly accessible.

Data Correlation

An IP with a high Abuse Score and multiple OTX pulses is classified as a “Critical” threat, warranting immediate blocking.
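The core loop, the 404-versus-401 handling and the "Critical" correlation rule above, as one added example that is not Sentinel‑IP's own code: the two API calls are replaced by constructed replies so it runs offline, the AbuseIPDB `data.abuseConfidenceScore` and OTX `pulse_info.count` field names are assumed, and the 75-point / 2-pulse thresholds are an assumption since the post does not give them. A 404 is recorded as a clean IP, a 401 as an unknown cell rather than a crash, and the result is written with the same columns as results.csv plus a verdict.

```python
import csv
import io
# Constructed stand-ins for the two APIs: ip -> (HTTP status, JSON body). Field
# names follow the AbuseIPDB /check and OTX /indicators/IPv4 replies (assumed).
FAKE_ABUSE = {
    "203.0.113.7": (200, {"data": {"abuseConfidenceScore": 100}}),
    "198.51.100.9": (200, {"data": {"abuseConfidenceScore": 12}}),
    "192.0.2.44": (404, {}),  # no record at AbuseIPDB: a "clean" IP
    "192.0.2.99": (401, {"errors": [{"detail": "Authentication failed"}]}),
}
FAKE_OTX = {
    "203.0.113.7": (200, {"pulse_info": {"count": 5}}),
    "198.51.100.9": (200, {"pulse_info": {"count": 0}}),
    "192.0.2.44": (404, {}),
    "192.0.2.99": (200, {"pulse_info": {"count": 1}}),
}

def extract(status, body, outer, inner):
    if status == 404:  # source has no record of this IP: treat as clean
        return 0
    if status != 200:  # 401 Unauthorized, 429, 5xx: unknown, but keep going
        return None
    value = body.get(outer, {}).get(inner)
    return int(value) if isinstance(value, (int, float)) else None

def classify(abuse, pulses):
    """Assumed thresholds: both sources high -> Critical, one of them -> Suspicious."""
    if abuse is None or pulses is None:
        return "Error"  # a lookup failed; never silently call that IP clean
    if abuse >= 75 and pulses >= 2:
        return "Critical"
    if abuse >= 75 or pulses >= 1:
        return "Suspicious"
    return "Clean"

def triage(ips, abuse_fetch, otx_fetch):
    # abuse_fetch / otx_fetch: ip -> (status, body); real HTTP calls slot in here
    rows = []
    for ip in ips:
        abuse = extract(*abuse_fetch(ip), "data", "abuseConfidenceScore")
        pulses = extract(*otx_fetch(ip), "pulse_info", "count")
        rows.append({"IP": ip, "Abuse_Score%": abuse, "OTX_Pulses": pulses,
                     "Verdict": classify(abuse, pulses)})
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["IP", "Abuse_Score%", "OTX_Pulses", "Verdict"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Calling `to_csv(triage(list(FAKE_ABUSE), FAKE_ABUSE.__getitem__, FAKE_OTX.__getitem__))` yields the CSV text; the Error row keeps an empty Abuse_Score% cell so the analyst can see which lookups need a retry.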

Get the Code

Feel free to check out the full source code and contribute to the project on GitHub:

Sentinel‑IP Repository – [GitHub link]

Don’t forget to ⭐ the repo if you find it useful!
