Threat Intelligence
Enrich findings with context from external providers. Bring-your-own-key model — Intreys never re-sells API access. Free tiers of every supported provider work out of the box.
Supported providers
| Provider | What you get | Free tier? |
|---|---|---|
| AbuseCH (URLhaus, ThreatFox, MalwareBazaar) | Malicious URLs, IOCs, malware samples | Yes (no key for URLhaus) |
| VirusTotal | Domain / IP / hash / URL reputation, AV consensus | Yes (4 req/min) |
| GreyNoise | Internet-wide noise classification (benign / malicious / unknown) | Yes (Community) |
| AlienVault OTX | Pulses, IOCs, indicator history | Yes |
| Shodan | Open ports, banners, vulns on an IP | Yes (limited) |
| URLScan.io | URL submission, sandboxed render, screenshot, IOCs | Yes |
| Censys | Internet asset search, certificate history | Yes |
| SecurityTrails | DNS history, passive DNS, WHOIS | Yes |
| Spur | VPN/proxy/anonymizer attribution | Paid only |
Configuring API keys
- Sign up with each provider (free tiers are fine for most workloads).
- Open Settings → API Keys.
- Paste each key into the corresponding field.
- Click Test next to each key; Intreys verifies that the key works.
Keys are encrypted at rest using a key derived from your machine fingerprint.
How enrichment works
When you click an IP, domain, URL, or hash in any view, the right-rail enrichment panel queries every configured provider. Results are cached locally for 24 hours so you don’t burn rate limits on repeated lookups.
Rate limits and caching
- Cache TTL is provider-specific (configurable: 1h / 24h / 7d).
- Cached lookups never count against your provider quota.
- Intreys honours Retry-After headers and backs off automatically.
- Per-provider toggles let you disable enrichment for a noisy provider without removing the key.
Bulk enrichment
Pro+: select N indicators (Cmd/Ctrl-click in DPI), right-click → Enrich selection. Results land in a sortable table you can export to CSV.
Threat-intel feeds (offline / on-prem)
Mature security teams often want offline indicator matching against a curated feed. Intreys supports:
- STIX 2.1 bundles — drop into Settings → Feeds
- MISP feed sync — configure MISP URL + key
- CSV / JSON IOC files
Feeds are matched in stage 15 (match_iocs) without any external API call. Useful for air-gapped environments.
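Offline matching against a STIX 2.1 bundle, as an added example (not Intreys code): it indexes indicators whose pattern is a single equality comparison, skips revoked, expired and compound patterns, and matches observed values with no network call. The function names and the sample bundle are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# One equality comparison, e.g. [ipv4-addr:value = '198.51.100.7'].
# Compound patterns (AND/OR/FOLLOWEDBY) need a real STIX pattern parser and are skipped.
SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):(?:value|hashes\.[^\s=]+)\s*=\s*'([^']*)'\s*\]$")

def norm(otype, value):
    # Domains and hex hashes compare case-insensitively; URLs are left as given.
    return (otype, value if otype == "url" else value.lower())

def load_index(bundle_json, now=None):
    """Return ({(type, value): indicator_id}, [skipped ids]) for a STIX 2.1 bundle."""
    now = now or datetime.now(timezone.utc)
    index, skipped = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        until = obj.get("valid_until")
        expired = until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now
        m = SIMPLE.match(obj.get("pattern", "").strip())
        if obj.get("revoked") or expired or not m:
            skipped.append(obj["id"])  # never alert on stale or unparsed entries
            continue
        index[norm(*m.groups())] = obj["id"]
    return index, skipped

def match(index, observables):
    """Return [(observable, indicator_id)] for observed (type, value) pairs in the index."""
    return [(o, index[norm(*o)]) for o in observables if norm(*o) in index]

def _ind(n, pattern, **extra):
    # Constructed sample indicator; the ids and values are placeholders, not real feed data.
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--{n:08d}-0000-4000-8000-000000000000",
            "valid_from": "2024-01-01T00:00:00Z", "pattern": pattern, **extra}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    _ind(1, "[ipv4-addr:value = '198.51.100.7']"),
    _ind(2, "[domain-name:value = 'Bad.Example']"),
    _ind(3, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
    _ind(4, "[ipv4-addr:value = '203.0.113.9']", valid_until="2024-06-01T00:00:00Z"),
    _ind(5, "[ipv4-addr:value = '192.0.2.1' OR ipv4-addr:value = '192.0.2.2']"),
]})

if __name__ == "__main__":
    idx, skipped = load_index(SAMPLE_BUNDLE)
    print(match(idx, [("ipv4-addr", "198.51.100.7"), ("domain-name", "bad.example")]), skipped)
```

The skipped list is worth surfacing to the analyst: a feed that is mostly compound patterns or expired indicators will otherwise look loaded while matching almost nothing.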
Bring-your-own-key, no resale
Intreys never proxies your queries through our infrastructure and never re-sells provider access. Your key, your quota, your account. This means:
- Provider sees your real IP, not ours
- You can use enterprise-tier keys (e.g. VirusTotal Enterprise) at full capacity
- If a provider deprecates you, that’s between you and them