Scry

Returns Scry's corpus knowledge for a single IPv4 address: when it was first/last observed, observation count, protocols and ports targeted, ASN, country, category (actor/scanner/not_observed), and confidence_bucket (low/medium/high). Use when an agent needs IP triage, hostility assessment, or risk signaling. Do NOT use for raw payloads (never exposed) or IPv6 (corpus is v4-only at v0.1).

Look up many IPv4 addresses in one request. Up to 100 IPs per call. Same per-IP shape as scry_check, keyed by IP.

Top-N source dimensions over a time window. Useful for situational awareness — 'where is the noise coming from right now?'

Bucketed observation counts over time. Detect bursts, plot trends, sanity-check whether attacker activity is rising or falling.

Roll-up of corpus activity for a single ASN — observation count, distinct source IPs, actor count, scanner count, high-confidence actor count, and per-protocol breakdown.

Roll-up of corpus activity by ISO country code. Same shape as scry_asn.

List detected attack tools — (protocol, payload, path) tuples sent by 3+ distinct source IPs. Aggregate metadata only; never lists member actors.

Single tool detail by 16-char hex id from scry_tools.

Active threat campaigns — coordinated attacker activity that exceeds the noise floor. ≥5 distinct actors, ≥3 ASNs, ≤5 destination ports, ≥1h history.

Single campaign detail by id (format: c[0-9a-f]{15}).

Recent observations feed — aggregated by source IP within a time window. Cursor-paginated via since_ms.