Security teams are not suffering from a lack of data to investigate, or from a lack of tools to investigate with. The challenge is adding enough context to make fast, accurate decisions without forcing an analyst to pivot from console to console. Determining whether an IOC is worth investigating or should be deprioritized is an ongoing struggle for security teams, and inefficient SOC triage is a common problem that leaves organizations exposed to risk.
This blog will cover the importance of alert context and how to strike the right balance of contextual information without information overload in your SOC.
Context Is Key
Keeping an organization safe requires a mix of proactive defense and reactive response. An alert that bubbles up to the SOC via a SIEM or SOAR will often contain an external IP address or URL. A SOC analyst (carbon or silicon) needs external context to answer questions that will impact how the alert is handled.
- Is it still online? If not, how did it appear at the time of the incident?
- Where is it and who owns the network it’s running on?
- Are there certificates or DNS entries that provide clues to the entities behind it?
- What services, software, and hardware is it running?
- Are there indicators of suspicious or malicious services?
- If the incident happened in the past, how did it look at that moment?
- Are there similar assets on the Internet that aren’t on my radar but should be?
Enrichment actions and automated playbooks can attach all of this context to an incident in real time, speeding up triage and conserving human or AI resources.
Get the Right Context With the Right Tools
Threat intelligence platforms (TIPs) like Dataminr’s ThreatConnect, Securonix’s ThreatQ, Vertex Synapse, Maltego, Cyware, ServiceNow TISC and Filigran OpenCTI take raw intelligence, correlate it, and make it actionable. They add layers of context — but they require good inputs to make that context valuable, trustworthy, and actionable.
The Internet changes quickly as cloud IPs change hands and attackers rotate infrastructure to stay ahead of detection. Analysts need context that answers critical questions like:
- How many of the IOCs are still active?
- How many look like they have changed hands?
- Has anything about these incidents changed since we started looking at them?
- Have other similar systems appeared that should be added to the IOC list?
There are several tools that help fill in these blanks to provide analysts with a clear, complete picture of an alert, including what it means, how much of a risk it poses, and how best to address it.
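The two question lists above describe the same enrichment step from two angles: attaching how an asset looked at incident time to an alert, and re-checking an IOC list for indicators that have gone offline, changed hands, or drifted since the investigation began. The following Python is an added example that implements both over a constructed observation history; the record shape, the IPs and the dates are all made up for illustration and are not Censys's actual API schema or data.

```python
"""IOC freshness review over a constructed scan history (added example).

Assumption: a data source gives us time-stamped observations per IP with
network owner, services, labels and certificate fingerprint. The record
layout below is a simplification invented for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Observation:
    ip: str
    seen_at: datetime          # when the scanner observed the host
    asn: int                   # network the IP was announced from
    org: str                   # network owner
    services: frozenset        # e.g. {"443/HTTPS", "22/SSH"}
    labels: frozenset          # e.g. {"LOGIN_PAGE"}
    cert_sha256: Optional[str] # leaf certificate fingerprint, if any
    online: bool = True        # False when the last scan got no response


def _t(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed history: three IOCs from a report, one of which (.40) was never observed.
HISTORY = {
    "203.0.113.10": [  # same owner, gained an SSH service later
        Observation("203.0.113.10", _t("2025-07-01"), 64500, "ExampleHost",
                    frozenset({"443/HTTPS"}), frozenset({"LOGIN_PAGE"}), "cert-a"),
        Observation("203.0.113.10", _t("2025-07-20"), 64500, "ExampleHost",
                    frozenset({"443/HTTPS", "22/SSH"}), frozenset({"LOGIN_PAGE"}), "cert-a"),
    ],
    "203.0.113.20": [  # cloud IP re-assigned to a different network
        Observation("203.0.113.20", _t("2025-07-02"), 64500, "ExampleHost",
                    frozenset({"80/HTTP"}), frozenset(), None),
        Observation("203.0.113.20", _t("2025-07-25"), 64501, "OtherCloud",
                    frozenset({"80/HTTP"}), frozenset(), None),
    ],
    "203.0.113.30": [  # went dark after the report
        Observation("203.0.113.30", _t("2025-07-03"), 64502, "BulletproofNet",
                    frozenset({"8080/HTTP"}), frozenset({"HONEYPOT"}), None),
        Observation("203.0.113.30", _t("2025-07-22"), 64502, "BulletproofNet",
                    frozenset(), frozenset(), None, online=False),
    ],
}
IOCS = ["203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"]
INVESTIGATION_STARTED = _t("2025-07-10")


def snapshot_at(history, ip, when):
    """How the host looked at `when`: the latest observation at or before it."""
    earlier = [o for o in history.get(ip, []) if o.seen_at <= when]
    return max(earlier, key=lambda o: o.seen_at) if earlier else None


def latest(history, ip):
    obs = history.get(ip, [])
    return max(obs, key=lambda o: o.seen_at) if obs else None


def review_iocs(iocs, history, investigation_started):
    """Per-IOC freshness flags. 'changed_hands' is decided on ASN: an IP that
    moved to a new network is no longer the infrastructure the report meant.
    'changed' covers service or certificate drift under the same owner and
    is only evaluated for hosts that are still online."""
    report = {}
    for ip in iocs:
        then = snapshot_at(history, ip, investigation_started)
        now = latest(history, ip)
        if now is None:
            report[ip] = {"status": "no_observations"}
            continue
        same_owner = then is not None and then.asn == now.asn
        report[ip] = {
            "active": now.online,
            "changed_hands": then is not None and then.asn != now.asn,
            "changed": same_owner and now.online and
                       (then.services != now.services or then.cert_sha256 != now.cert_sha256),
            "owner": now.org,
            "labels": sorted(now.labels),
        }
    return report


def summarize(report):
    """Counts an analyst wants at the top of the ticket."""
    known = [r for r in report.values() if "active" in r]
    return {
        "total": len(report),
        "still_active": sum(r["active"] for r in known),
        "changed_hands": sum(r["changed_hands"] for r in known),
        "changed": sum(r["changed"] for r in known),
        "unknown": len(report) - len(known),
    }


if __name__ == "__main__":
    rep = review_iocs(IOCS, HISTORY, INVESTIGATION_STARTED)
    for ip, flags in rep.items():
        print(ip, flags)
    print(summarize(rep))
```

Because the snapshot lookup takes a timestamp, the same function answers "how did it look at the time of the incident" by passing the incident time instead of the investigation start.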
Contextualizing With Censys
With Censys Internet intelligence, your SOC can determine how external assets look right now and how they appeared at any point in the past, including the time an incident occurred. That context can be used directly inside SIEM, SOAR, TIP, and investigative platforms to accelerate triage, enrich investigations, and identify related infrastructure that may otherwise go unnoticed.
For example, an intel report might contain a set of IOCs that have been seen to act maliciously. Pulling in Internet intelligence from Censys can keep these indicators fresh during an investigation. Check out three common examples of contextualized SOC alerts with Censys →
Censys also keeps track of malicious infrastructure, and can provide a near real-time view of the infrastructure an organization needs to look out for. ThreatQ can even query Censys to ingest information about vulnerabilities and exposures present in your environment or interesting third parties. This context can be used to accelerate triage, allowing an analyst to make accurate decisions about the need for proactive defense.
Contextualizing with Maltego
Maltego can find relationships that help an analyst pivot from an asset of interest to a larger set of related assets. The more information a tool like this has about an asset, the better chance it has to find interesting relationships. Censys often has thousands of separate attributes stored for each asset which Maltego and similar investigative tools can ingest to enhance an investigation. These include:
- Network ownership
- Geolocation
- HTTP headers and banners
- DNS and domain relationships
- Certificate issuers and subjects
- Open ports and protocols
- JARM and JA4 signatures
- Censys-defined labels such as IOT, LOGIN_PAGE, DATABASE, or HONEYPOT
- Censys-defined threats
This information stays current because of continuous scanning: ports and services across the Internet are probed, and each identified protocol is scanned for its protocol-specific attributes. Combinations of these attributes allow an analyst using Maltego to pivot into clusters of related assets.
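The pivot works because some attribute combinations are rare, while others (a CDN's JARM, a default web server banner) are shared by so many hosts that matching on them returns noise rather than a cluster. The Python below is an added example, not Maltego's or Censys's code: it weights each shared attribute by how uncommon its value is across a constructed corpus, so a self-signed certificate subject shared by three hosts counts far more than a JARM shared by twenty. The attribute names follow the list above; the records, IPs and fingerprint values are made up.

```python
"""Pivot from one asset to related assets by rarity-weighted shared attributes.

Added example over constructed records. The field names mirror the attribute
list in the post; the data model is an assumption, not a real tool's schema.
"""
from collections import Counter
from math import log

PIVOT_FIELDS = ("asn", "cert_issuer", "cert_subject", "jarm", "ja4", "http_server")

# Constructed corpus: the seed host (198.51.100.1) shares a self-signed cert
# and a JA4 with .2, only the cert with .3, and a common JARM/banner with twenty
# unrelated hosts behind the same hosting setup.
CORPUS = [
    {"ip": "198.51.100.1", "asn": 64500, "cert_issuer": "CN=self", "cert_subject": "CN=update-srv",
     "jarm": "jarm-A", "ja4": "ja4-X", "http_server": "nginx"},
    {"ip": "198.51.100.2", "asn": 64500, "cert_issuer": "CN=self", "cert_subject": "CN=update-srv",
     "jarm": "jarm-A", "ja4": "ja4-X", "http_server": "nginx"},
    {"ip": "198.51.100.3", "asn": 64501, "cert_issuer": "CN=self", "cert_subject": "CN=update-srv",
     "jarm": "jarm-B", "ja4": "ja4-Y", "http_server": "apache"},
] + [
    {"ip": f"192.0.2.{i}", "asn": 64510, "cert_issuer": "CN=PublicCA", "cert_subject": f"CN=site{i}.example",
     "jarm": "jarm-A", "ja4": "ja4-Z", "http_server": "nginx"}
    for i in range(1, 21)
]


def attribute_weights(corpus):
    """Weight each (field, value) pair by log(N / hosts carrying it): values seen
    on almost every host get a weight near zero, rare values get a large one."""
    counts = Counter((f, rec[f]) for rec in corpus for f in PIVOT_FIELDS if rec.get(f) is not None)
    n = len(corpus)
    return {pair: log(n / c) for pair, c in counts.items()}


def naive_pivot(seed, corpus, min_shared=2):
    """Baseline: any host sharing at least `min_shared` raw attributes.
    Kept to show how common values flood the result."""
    out = []
    for rec in corpus:
        if rec["ip"] == seed["ip"]:
            continue
        shared = [f for f in PIVOT_FIELDS if rec.get(f) is not None and rec.get(f) == seed.get(f)]
        if len(shared) >= min_shared:
            out.append(rec["ip"])
    return out


def pivot(seed, corpus, weights, min_score=1.0):
    """Hosts whose rarity-weighted overlap with `seed` reaches `min_score`,
    strongest first, with the attributes that linked them."""
    results = []
    for rec in corpus:
        if rec["ip"] == seed["ip"]:
            continue
        shared = [f for f in PIVOT_FIELDS if rec.get(f) is not None and rec.get(f) == seed.get(f)]
        score = sum(weights[(f, rec[f])] for f in shared)
        if score >= min_score:
            results.append({"ip": rec["ip"], "score": round(score, 3), "shared": shared})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    seed = CORPUS[0]
    w = attribute_weights(CORPUS)
    print("naive matches:", len(naive_pivot(seed, CORPUS)))
    for r in pivot(seed, CORPUS, w):
        print(r)
```

With these records the naive match returns all 22 other hosts, because every one of them shares the JARM and the nginx banner with the seed; the weighted pivot returns only the two hosts that share the self-signed certificate, which is the cluster an analyst would actually want to expand.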
Contextualizing with Vertex Synapse
A central intelligence system like Vertex Synapse can store these scanning observations, correlate them across investigations, and identify patterns that may not be visible when looking at a single incident in isolation. This current and historical enrichment data helps analysts track the evolution of malicious or otherwise interesting infrastructure.
[Figure] Querying Censys for activity associated with 185.158.248.141 between July 1, 2025 and the current date.
Build Censys Internet Intelligence Into Your Workflows
Censys provides continuously updated visibility into Internet-exposed assets and maintains historical observations to track how the infrastructure changes over time. When it is integrated into security workflows, this added context helps analysts validate and expand on threat intelligence, uncover related infrastructure, prioritize investigations, and make faster, more informed decisions during an incident.
Explore Integrations
Censys and its partners now offer 55+ integrations across 45+ technology alliance partners. Explore our integration library to see how you can build Censys Internet intelligence into your workflows.