Torrance, United States / California, February 9th, 2026, CyberNewswire
Criminal IP (criminalip.io), the AI-powered threat intelligence and attack surface intelligence platform, is now integrated with IBM QRadar SIEM and QRadar SOAR.
The integration brings external, IP-based threat intelligence directly into IBM QRadar’s detection, investigation, and response workflows, enabling security teams to identify malicious activity faster and prioritize response actions more effectively across SOC operations.
IBM QRadar is widely adopted by enterprises and public-sector organizations as a central platform for security monitoring, automation, and incident response. By embedding Criminal IP intelligence into QRadar SIEM and extending it into SOAR workflows, organizations can apply external threat context across the incident lifecycle without leaving the QRadar environment.
Real-Time Threat Visibility from Firewall Traffic Logs
With the Criminal IP QRadar SIEM integration, security teams can analyze firewall traffic logs and automatically assess the risk associated with communicating IP addresses. Traffic data forwarded into IBM QRadar SIEM is analyzed through the Criminal IP API and reflected directly inside the SIEM interface.
Observed IP addresses are automatically classified into High, Medium, or Low risk levels from a threat intelligence perspective. This allows SOC teams to quickly identify high-risk IPs, monitor inbound and outbound traffic, and prioritize response actions such as access blocking or escalation within the familiar QRadar SIEM workflow.
Interactive Investigation Without Leaving QRadar
Beyond high-level visibility, the integration supports fast, in-context investigation. Analysts can right-click on IP addresses displayed in QRadar Log Activity to open a detailed Criminal IP report.
These reports provide additional context, including threat indicators, historical behavior, and external exposure signals, enabling analysts to validate risk and intent without switching tools. This streamlined workflow supports faster decision-making during time-sensitive investigations.
Extending Intelligence into QRadar SOAR Workflows
Criminal IP is also integrated with IBM QRadar SOAR to support automated threat enrichment during incident response. Using pre-built playbooks, Criminal IP intelligence can be applied to IP addresses and URL artifacts, with enrichment results returned directly into SOAR cases as artifact hits or incident notes.
This integration includes two playbooks:
- Criminal IP: IP Threat Service – Enriches IP address artifacts with Criminal IP threat context.
- Criminal IP: URL Threat Service – Performs lite or full URL scans and returns results as artifact hits or incident notes.
By embedding Criminal IP threat intelligence directly into SOAR workflows, analysts can reduce manual lookups and respond to incidents more efficiently.
Advancing Intelligence-Driven Detection and Response
By integrating Criminal IP with IBM QRadar SIEM and SOAR, organizations can combine QRadar’s correlation, investigation, and response capabilities with context-rich external threat intelligence derived from real-world internet exposure. This approach improves detection accuracy, shortens investigation cycles, and enhances response prioritization across SOC operations.
As alert volumes continue to grow, Criminal IP helps QRadar users make faster, more informed decisions by bringing external threat context directly into SIEM and SOAR workflows without adding operational complexity.
AI SPERA CEO Byungtak Kang commented that the integration highlights the growing importance of real-time, exposure-based intelligence in modern SOC environments and underscores Criminal IP’s focus on improving detection confidence and operational efficiency through practical, intelligence-driven integrations.
About Criminal IP
Criminal IP is the flagship cyber threat intelligence platform developed by AI SPERA and is used in more than 150 countries worldwide. It equips security teams with the actionable Threat Intelligence needed to proactively identify, analyze, and respond to emerging threats.
Powered by AI and OSINT, it delivers threat scoring, reputation data, and real-time detection of a wide array of malicious indicators, ranging from C2 servers and IOCs to masking services like VPNs, proxies, and anonymous VPNs, across IPs, domains, and URLs. Its API-first architecture ensures seamless integration into security workflows to boost visibility, automation, and response.
Contact
Michael Sena
AI SPERA
[email protected]
