Threat intelligence modules & options
The Threat Intelligence search type exposes six Modules in the captured build, split across two data sources: three on HudsonRock infostealer data and three on SpamHaus reputation data. All six are single-purpose Modules — this search type does not offer OneScan. For the composer flow that surrounds these Modules, see Threat intelligence search: overview.

The Modules
Section titled “The Modules”| Module | data source | Input | Cost / cost type | What it does |
|---|---|---|---|---|
| Computer/IP Threat (Data: HudsonRock) (selected by default) | HudsonRock | IP address (+ a Compromised Since year) | Free (0 Credits) | Checks an IP for infostealer compromise and threat indicators such as malware, botnets and malicious activity |
| Email Threat (Data: HudsonRock) | HudsonRock | Email (inferred) | Not captured — see caution | Threat analysis for an email via HudsonRock infostealer data |
| Domain Threat (Data: HudsonRock) | HudsonRock | Domain (inferred) | Not captured — see caution | Threat analysis for a domain via HudsonRock infostealer data |
| IP Reputation (Data: SpamHaus) | SpamHaus | IP address (inferred) | Not captured — see caution | Reputation and blocklist check for an IP via SpamHaus |
| Domain Reputation (Data: SpamHaus) | SpamHaus | Domain (inferred) | Not captured — see caution | Reputation and blocklist check for a domain via SpamHaus |
| Malware URLs (Data: SpamHaus) | SpamHaus | URL (inferred) | Not captured — see caution | Checks a URL against the SpamHaus malware-URL database |
HudsonRock Modules
Section titled “HudsonRock Modules”The three HudsonRock Modules run against HudsonRock infostealer data — records drawn from information-stealing malware logs, used to determine whether a machine or identity tied to an identifier has been compromised. For what this data source is and returns, see HudsonRock.
Computer/IP Threat
Section titled “Computer/IP Threat”Computer/IP Threat is the lead Module and is pre-selected when you open the Threat Intelligence search type. Its tile is drawn with a coral-orange highlighted border.
- Purpose: checks an IP address for infostealer compromise and threat indicators — malware, botnets and malicious activity — via HudsonRock infostealer data.
- Input: an IP address, plus a Compromised Since year field.
- Cost: the line beneath the input reads “Cost per search: Free” — the Module consumes no Credits per search.
Email Threat
Section titled “Email Threat”Email Threat runs threat analysis for an email address against HudsonRock infostealer data — a check for whether the email appears in infostealer logs.
Domain Threat
Section titled “Domain Threat”Domain Threat runs threat analysis for a domain against HudsonRock infostealer data.
SpamHaus Modules
Section titled “SpamHaus Modules”The three SpamHaus Modules run against SpamHaus reputation data — IP and domain reputation intelligence together with malware-URL blocklists. For what this data source is and returns, see SpamHaus.
IP Reputation
Section titled “IP Reputation”IP Reputation checks an IP address against SpamHaus reputation and blocklist data.
Domain Reputation
Section titled “Domain Reputation”Domain Reputation checks a domain against SpamHaus reputation and blocklist data.
Malware URLs
Section titled “Malware URLs”Malware URLs checks a URL against the SpamHaus malware-URL database.
Inputs and costs
Section titled “Inputs and costs”OneScan and per-search options
Section titled “OneScan and per-search options”Per-tile controls
Section titled “Per-tile controls”See also: Threat intelligence search: overview and Reading Threat intelligence results.
Verified against UserSearch v2.0.20