SOC Overview
Every incident here is built live from real attacker IPs in the SANS DShield feed, clustered by source country and threat kind. Each one bundles its linked alerts, a real-time timeline, and AI-generated findings and recommendations. There is no seed data: refresh, and the cluster set rebuilds from whatever DShield observed in the last 24 hours.