50% off the first month with code OSINT50Ends in --:--:--

Back to the blog
OSINTIP

How to geolocate and analyse an IP address with OSINT (2026)

Learn to investigate an IP address: geolocation, ASN, open ports, CVEs, reputation and threat intelligence. A practical OSINT guide to analyse any IP.

afsh4ck June 12, 2026 2 min read

An IP address can reveal far more than an approximate location: provider, autonomous system (ASN), open ports, known vulnerabilities and reputation against threat sources. Learn to analyse any IP with OSINT professionally.

What does an IP address reveal?

An IP is a network identifier, but combined with public sources it provides a full profile:

  • Geolocation: country, region and approximate city.
  • ASN and organisation: the provider or company owning the range.
  • Open ports and services exposed to the internet.
  • CVEs: known vulnerabilities in those services.
  • Reputation: whether the IP is linked to spam, botnets or attacks.

Keep in mind that IP geolocation is approximate: it indicates the location of the provider or network node, not the user's exact physical address.

Step 1: Geolocation and ASN

The first step is to place the IP: which country and provider it belongs to and within which autonomous system (ASN). This lets you distinguish, for example, a residential IP from a datacenter or VPN one.

IP Analyzer in OSINT UI

With IP Analyzer you get geolocation, ASN, open ports, CVEs and threat intelligence for any IP in a single query, aggregating several sources.

IP AnalyzerGeolocate an IP and get its ASN, open ports, CVEs and threat intelligence from several sources at once.Open

Step 2: Open ports and services

Open ports reveal what services run on an IP: web servers, databases, admin panels or misconfigured services. Passive sources like Shodan or InternetDB let you discover them without directly scanning the target, which is more discreet and legal during reconnaissance.

Port ScannerDiscover open ports, running services and vulnerabilities of an IP or domain via Shodan and InternetDB.Open

Step 3: Reputation and threat intelligence

Checking an IP's reputation against Threat Intelligence sources (AbuseIPDB, VirusTotal, GreyNoise, AlienVault OTX) shows whether it's involved in spam, mass scanning, malware distribution or botnet activity. It's an essential step when analysing logs, suspicious connections or email headers.

Reputation CheckerCheck the reputation of an IP or domain against multiple threat-intelligence sources and blocklists.Open

Best practices and legality

IP analysis with OSINT relies on public information. Remember:

  • Don't run intrusive scans without authorisation.
  • Don't try to access protected services.
  • Comply with GDPR and local regulations.
  • Use these techniques for legitimate purposes: defence, incident response and Threat Intelligence.

Conclusion

Analysing an IP address with OSINT lets you obtain geolocation, ASN, open ports, vulnerabilities and reputation, all from open sources. It's a fundamental technique in incident response, log analysis and threat hunting.

Try IP Analyzer for free and get the full profile of any IP address in seconds.

Tools for your investigation

Username Analyzer

Find a username's profiles across hundreds of social networks and platforms, verifying that each one exists.

Open
Email Analyzer

Verify an email's existence and reputation, its associated profiles and its presence in known data breaches.

Open
Leak Check

Search for leaks of an email, domain, IP or phone across pastes, leaks, forums and the darknet with Intelligence X.

Open
OSINT UI PRO

Take your investigations to the next level

Upgrade to OSINT UI PRO and unlock advanced searches, bulk analysis and every professional tool in the OSINT ecosystem.

Advanced searches Bulk analysis All tools
Go PRO