Test an IP

A customer reports they can't sign in from their office. You wonder if their IP is on a threat feed. Test-IP gives the answer in one click.

Open Threat intelligence → Test IP. The page has a single text field and a Test button.

Type an IP address (IPv4 or IPv6) and click Test. The page shows:

  • Risk score — what the risk engine would compute for a sign-in from this IP.
  • Per-feed results — for each enabled feed, hit / no-hit. Hits are red; no-hits are green.
  • Geolocation — country + city from the platform's GeoIP database.
  • ASN — owning ISP / cloud / organisation. Useful for "is this a corporate IP or a residential one?"
  • Reverse DNS — if available.

They give you their IP. Test it. If a feed hit shows up, that's likely the issue — whitelist if legitimate, or explain that the IP is on a known-bad list (which sometimes points to a compromised corporate device they should investigate).

Run the test. Check each feed's result. Decide:

  • All clean — no need to whitelist; the user wouldn't be blocked anyway.
  • One feed hits, the others don't — review that specific feed's claim. AbuseIPDB false positives are common; FireHOL hits are usually meaningful. Whitelist if you trust the IP; investigate further if uncertain.
  • Multiple feeds hit — almost certainly a compromised IP or a known threat actor. Don't whitelist; advise the user accordingly.

Run the test. The score is what the risk engine would assign at the time of a sign-in. Helpful for understanding the policy thresholds — "score 35 means the user is at warning level; 60 means demand MFA; 80 blocks."

  • Doesn't actually run a sign-in flow. No user is signed in or out by the test.
  • Doesn't record real risk-engine output. The risk engine takes more into account than just feeds (velocity, device fingerprint, etc.). The test shows only the IP-side contribution.
  • Doesn't whitelist the IP. It just shows whether it's listed. To whitelist, go to Threat → Whitelists.

For multiple IPs at once, paste a list (one per line) into the bulk-test text area. The page shows a table of per-IP results. Useful for "audit a list of corporate IPs" or "the IT team gave me a list to check".
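The decision list above, applied to a pasted bulk list, as an added example that is not part of the product or its documentation. The page describes no export format or API, so the per-feed result dictionaries, the feed keys (abuseipdb, firehol) and the function names are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumption: feed keys are illustrative. The page calls FireHOL hits usually
# meaningful and AbuseIPDB false positives common.
HIGH_CONFIDENCE_FEEDS = {"firehol"}

def normalize_ips(pasted):
    """Parse a one-per-line list; return (unique canonical IPs, rejected lines)."""
    valid, rejected, seen = [], [], set()
    for line in pasted.splitlines():
        text = line.strip()
        if not text:
            continue
        try:
            ip = ipaddress.ip_address(text)  # accepts IPv4 and IPv6
        except ValueError:
            rejected.append(text)
            continue
        if ip not in seen:  # equal addresses written differently collapse here
            seen.add(ip)
            valid.append(str(ip))
    return valid, rejected

def triage(feed_results):
    """Map one IP's per-feed hit/no-hit results to the page's three outcomes."""
    hits = sorted(feed for feed, hit in feed_results.items() if hit)
    if not hits:
        return "clean: no whitelist needed"
    if len(hits) > 1:
        return "multiple hits: do not whitelist"
    if hits[0] in HIGH_CONFIDENCE_FEEDS:
        return "single hit (%s): investigate before whitelisting" % hits[0]
    return "single hit (%s): review the feed's claim" % hits[0]

# Constructed sample: pasted list plus hypothetical per-feed results per IP.
PASTED = "192.0.2.10\n2001:0db8:0:0:0:0:0:1\n2001:db8::1\noffice-gw\n198.51.100.7\n203.0.113.5\n"
RESULTS = {
    "192.0.2.10": {"abuseipdb": False, "firehol": False},
    "2001:db8::1": {"abuseipdb": True, "firehol": False},
    "198.51.100.7": {"abuseipdb": False, "firehol": True},
    "203.0.113.5": {"abuseipdb": True, "firehol": True},
}

def triage_list(pasted, results):
    """Return ([(ip, verdict)], rejected lines); IPs without results are 'not tested'."""
    valid, rejected = normalize_ips(pasted)
    rows = [(ip, triage(results[ip]) if ip in results else "not tested") for ip in valid]
    return rows, rejected
```

The two spellings of the same IPv6 address collapse to one row, and the hostname is rejected instead of being silently dropped, so the triaged list matches what was actually checked.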

Each test records a security.threat_ip_tested event in the audit log (with the IP and the result). The entry is visible later in the audit log, which is useful for "did anyone test this IP last week?" investigations.

The audit entry doesn't preserve the per-feed result detail, only the overall hit / clean result. If you need the detail later, re-run the test.