© 2026 DFIR Lab. All rights reserved.

PERSONA: IR Consultant
CATEGORY: Incident Response
ENDPOINTS: 4 used
UPDATED: April 2026
USE CASE · IR CONSULTANT

Bulk IOC enrichment for active incident response

Hour one of an incident is IOC triage. You have a CSV from the client's EDR, a list of suspicious IPs from firewall logs, and a handful of hashes from a suspect host — and every minute spent pasting into VirusTotal tabs is a minute the attacker keeps the initial access. DFIR Platform collapses that hour into a single batch API call.
KEY TAKEAWAYS
  1. Submit an indicators[] array of IPs, domains, URLs, and hashes — one response, normalized verdicts across every source.
  2. Up to 11 integrated sources per IP, 8 per domain/URL, 6 per hash — no per-source auth, no tab-switching.
  3. Starter tier fits a solo IR consultant running 1–2 engagements per month; Professional fits a small IR firm.
01 · CONTEXT

The first hour of an incident is tab-management

Every IR consultant has lived the same pattern. The client's EDR kicks back 200 IOCs, the firewall log parser spits out another 150 IPs, and the on-call analyst is suddenly five tabs deep across VirusTotal, AbuseIPDB, GreyNoise, Shodan, and whatever internal tooling happens to work that day. Commercial enrichment platforms exist, but they are priced for Fortune-500 retainers and gate a free-tier API behind 'contact sales'. The result is that the most valuable hour of the response is spent on copy-paste.
PAIN POINTS
  1. A typical engagement starts with 50–500 mixed IOCs from EDR exports, NetFlow, and host triage.
  2. Each public TI portal rate-limits the free tier at 4–15 req/min with no commercial use allowed — unusable under IR pressure.
  3. Every source returns a different verdict shape; the analyst normalizes by hand into the case notes.
  4. Solo consultants pay monthly for a VT Enterprise seat they use 2 weeks per quarter — poor utilization economics.
02 · CAPABILITIES

The endpoints that solve it

The /v1/enrichment/lookup endpoint accepts a mixed indicators[] array — IPs, domains, URLs, hashes in a single request — and fans out to the relevant sources per indicator type. The response comes back as one normalized object per IOC with aggregated verdict, per-source raw detail, and a confidence score. For incidents where the client wants a written narrative, /v1/ai/triage and /v1/ai/threat-profile turn the enrichment JSON into a paragraph an IR lead can paste into the situation report.

Batch IOC enrichment

3 credits / IOC
POST /v1/enrichment/lookup

Mixed-type batch: IPs, domains, URLs, hashes in one indicators[] array. Each indicator returns a normalized verdict aggregated across up to 11 sources per IP (VirusTotal, AbuseIPDB, GreyNoise, Shodan, Censys, OTX, urlscan, Pulsedive, ThreatFox, Hybrid Analysis, IPVoid), 8 per domain/URL, 6 per hash.

AI triage summary

10 credits
POST /v1/ai/triage

Feed the enrichment response into the triage endpoint to get a single-paragraph situational summary — which indicators are the most confident hits, what the likely campaign overlap is, what to escalate first. Lands straight into the sit-rep.

Threat-actor profile

20 credits
POST /v1/ai/threat-profile

When the enrichment points to a known actor (FIN7, Lockbit, state-nexus cluster), generate a concise written brief covering TTPs, historic victimology, and likely next-stage behaviour. Useful context for the client's executive briefing.

Public /ioc-check fallback

For the very first triage pass before the engagement credentials are sorted, the public /ioc-check tool runs the same enrichment with a browser rate-limit. Useful for a quick-look on 2–3 indicators without waiting for API key provisioning.

03 · WORKFLOW

The canonical IR enrichment loop

A typical engagement starts with a CSV from the client's EDR and a second list from firewall logs. Feed the combined indicator set — up to 500 mixed IOCs — into one call, write the normalized response into the case file, and send the most interesting rows through the AI triage summary for the sit-rep. Below is the minimal shape in curl.
# Hour 1 — enrich every IOC from EDR export + firewall logs
curl https://api.dfir-lab.ch/v1/enrichment/lookup \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "indicators": [
      { "type": "ip",     "value": "45.155.205.233" },
      { "type": "ip",     "value": "193.29.13.211" },
      { "type": "domain", "value": "rclone-update.top" },
      { "type": "url",    "value": "https://mega.nz/file/abc123" },
      { "type": "hash",   "value": "e4a1b8c9...sha256" }
    ]
  }'

# Response: one object per IOC with aggregated verdict,
#           per-source detail, and confidence score.

# Hour 2 — turn the enrichment into a sit-rep paragraph
curl https://api.dfir-lab.ch/v1/ai/triage \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d @enrichment-response.json

# Optional: profile the apparent actor for the exec brief
curl https://api.dfir-lab.ch/v1/ai/threat-profile \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ttps": ["T1486", "T1490", "T1562.001"],
    "context": "Ransomware on a Windows fileserver, LOLBin-heavy, SMB lateral movement observed."
  }'
One batch, one normalized response, every source — instead of five portals and a rate-limit clock.
  1. Step 01 · Collect
     Pull the IOC set together — EDR export, firewall logs, host triage output, client-provided indicators. No strict format required; the endpoint accepts IPs, domains, URLs, and hashes in one batch.

  2. Step 02 · Enrich
     POST the combined indicators[] array to /v1/enrichment/lookup. The response returns one normalized verdict per IOC, aggregated across every applicable source.

  3. Step 03 · Prioritize
     Sort the response by aggregate verdict and confidence. The top-of-list indicators are where the IR lead spends the next hour; the bottom-of-list are noise that can be archived without follow-up.

  4. Step 04 · Narrate
     For the client sit-rep, feed the enrichment JSON into /v1/ai/triage to generate a paragraph, and /v1/ai/threat-profile if an actor has been named. Both drop into the written update without hand-curation.

  5. Step 05 · Hand off
     Export the normalized enrichment alongside the case notes. The same JSON feeds directly into TheHive, DFIR-IRIS, or a flat case-file repo — no schema translation layer needed.
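As an added example (not the platform's own client code), a Python sketch of steps 01 to 03 plus the FAQ advice on splitting large dumps: it merges a constructed EDR CSV and firewall IP list, classifies each value into the type/value shape the indicators[] array expects, drops duplicates and non-routable addresses, splits the set into request bodies, and sorts a normalized response. The response field names verdict and confidence are assumptions; the page names only the aggregated verdict, the confidence score and sources_consulted.

```python
import csv, io, ipaddress, re
from urllib.parse import urlparse

# Constructed sample inputs (not real case data): an EDR CSV export and a firewall IP list.
EDR_CSV = """host,indicator,note
FS01,45.155.205.233,outbound beacon
FS01,rclone-update.top,dns query
WS07,https://mega.nz/file/abc123,browser download
WS07,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,dropped file
"""
FIREWALL_IPS = ["193.29.13.211", "45.155.205.233", "10.0.0.5"]  # one duplicate, one RFC1918
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA-1 / SHA-256
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
VERDICT_RANK = {"malicious": 0, "suspicious": 1, "clean": 2}

def collect():
    """Step 01: merge the EDR export's indicator column with the firewall IP list."""
    return [r["indicator"] for r in csv.DictReader(io.StringIO(EDR_CSV))] + FIREWALL_IPS

def classify(value):
    """Return the indicator type the lookup endpoint expects, or None if not worth submitting."""
    v = value.strip()
    try:
        return "ip" if ipaddress.ip_address(v).is_global else None  # drop private/loopback ranges
    except ValueError:
        pass
    if HASH_RE.match(v):
        return "hash"
    if v.lower().startswith(("http://", "https://")) and urlparse(v).netloc:
        return "url"
    return "domain" if DOMAIN_RE.match(v) else None

def build_batches(raw_values, batch_size=250):
    """Step 02 prep: dedupe and classify, then split into indicators[] request bodies."""
    seen, indicators = set(), []
    for v in raw_values:
        t, key = classify(v), v.strip().lower()
        if t is None or key in seen:
            continue
        seen.add(key)
        indicators.append({"type": t, "value": v.strip()})
    return [{"indicators": indicators[i:i + batch_size]}
            for i in range(0, len(indicators), batch_size)]

def prioritize(results):
    """Step 03: malicious first, then by confidence descending (field names assumed)."""
    return sorted(results, key=lambda r: (VERDICT_RANK.get(r["verdict"], 3), -r["confidence"]))
```

Each returned body is sent as JSON with the same Authorization header as the curl call above; the 64-hex hash in the sample CSV is a constructed placeholder, not a real file hash.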

04 · PRICING

Pricing that tracks your workload

A solo IR consultant running 1–2 engagements a month fits Starter comfortably — 500 credits absorbs a typical 100–150 IOC engagement plus a couple of AI summaries. A small IR firm running 4–6 engagements a month or routinely handling 300+ IOC batches should move to Professional. The free tier is only sufficient for evaluation, not for real engagements.
Recommended tier: Starter, 500 credits / month, entry price $29/mo
  1. Solo consultant: 2 engagements/mo × 100 IOCs each
     (2 × 100 × 3) + (2 × 10) = 600 + 20 = 620 credits/month
     Exceeds Starter (500) slightly — Starter ($29) + a one-shot 250-credit top-up covers it, or step up to Professional ($99, 2,500 credits) for headroom.

  2. Small IR firm: 5 engagements/mo × 200 IOCs + AI narrative
     (5 × 200 × 3) + (5 × 10) + (5 × 20) = 3,000 + 50 + 100 = 3,150 credits/month
     Exceeds Professional (2,500) — Professional + a 1,000-credit top-up, or move to Enterprise for unlimited usage.

  3. DFIR practice: 15 engagements/mo × 300 IOCs
     (15 × 300 × 3) + (15 × 10) + (15 × 20) = 13,500 + 150 + 300 = 13,950 credits/month
     Enterprise tier (custom pricing, unlimited credits) is the only sensible fit at this volume.
05 · GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo): full API access, dashboard, and your own credits. Includes everything the free tier offers.

Try /ioc-check (no signup): paste a single IP, domain, URL, or hash in the browser. Same enrichment engine as the API, rate-limited per IP — useful for a quick-look during the first minutes of an engagement before the API key is provisioned.

API reference: full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.
06 · FAQ

Frequently asked

Q / 01
What is the maximum batch size for /v1/enrichment/lookup?
Practical batches run into the hundreds of indicators per request. For a 500-IOC dump, most engagements split the batch into 2–5 calls to keep latency under 30 seconds per request; the endpoint itself does not hard-cap at a small number.
Q / 02
Which sources actually run per IOC type?
IPs fan out to up to 11 sources (VirusTotal, AbuseIPDB, GreyNoise, Shodan, Censys, OTX, urlscan, Pulsedive, ThreatFox, IPVoid, Hybrid Analysis). Domains and URLs run 8 sources. Hashes run 6 sources. The exact source count per response depends on which providers returned data in time; the response includes a sources_consulted field you can inspect.
Q / 03
How does the normalized verdict work?
Each source returns its raw response, but the platform also computes an aggregated verdict (clean / suspicious / malicious) and a confidence score based on source agreement and historical accuracy. You get both — the normalized top-level verdict for fast triage and the raw per-source JSON for forensic defensibility.
Q / 04
Can I feed this into TheHive / DFIR-IRIS / Splunk?
Yes. The response JSON is stable and designed to map cleanly to case-management schemas. There is a separate use case on Splunk integration, and the TheHive analyzer pattern is documented — both use the same /v1/enrichment/lookup endpoint under the hood.
Q / 05
What is the retention policy for the IOCs I submit?
Submitted indicators are stored under your org for audit and re-query. If a client contract requires no retention, that is configurable per API key on Professional and Enterprise plans — get in touch to set it up.
Q / 06
Does this replace a dedicated TI platform like ThreatConnect or Anomali?
No — those are curation and collaboration platforms. DFIR Platform is the enrichment layer, not the intel-management layer. Most IR consultants use it for fast per-engagement enrichment and keep their case records in the tool of their choice.