External IP Reputation

Assets in your OT environment continuously communicate with external assets. These external assets are identified by their IP addresses and are listed as external IPs associated with each asset. You can view the reputation score of these IPs to identify risky or malicious IPs.

IP Reputation Score

The IP Reputation score is a numerical value assigned to an external IP address or domain that may pose a threat to your OT environment. This score measures the trustworthiness of the external IPs to help you evaluate potential threat exposure.

The score is calculated based on the following factors:

  • History of malware, phishing, spam, or botnet activity
  • Age and stability of the IP or domain
  • Traffic patterns and geographic location
  • Association with known malicious networks

The score ranges from 1 to 100, where a lower score indicates a higher risk and a higher score indicates a lower risk. Refer to the following table for the Reputation index:

Reputation Score   Reputation Rating   Description
1-20               High Risk           These IPs are malicious and are strongly associated with activities such as malware, phishing, spam, or botnets.
21-40              Suspicious          These IPs are potentially malicious or have a partial association with suspicious activities.
41-60              Moderate Risk       These IPs have some risk indicators but no strong evidence of malicious intent.
61-80              Low Risk            These IPs are generally safe with minimal or no known malicious activity.
81-100             Trustworthy         These IPs are highly trusted and have no known history of malicious activity.
-                  Unclassified        These IPs do not fall under any other risk level.

VMDR OT can only display reputation scores for known malicious/high-risk IPs. In upcoming releases, VMDR OT may support additional IP reputation ratings such as Suspicious, Moderate Risk, Low Risk, and Trustworthy.

View IP Reputation Score

On the Network > List View tab, external assets are marked as External. Hover over the info icon for an external asset to view the total number of IPs according to their risk level. This quick view helps you understand the overall risk distribution of external IPs.

Below the External label, a reputation bar is displayed that provides a quick visual summary of the risk associated with external IPs. Each segment in the bar is color-coded to indicate the count of IPs at the corresponding risk level.

The Total count displayed below the bar indicates the number of unique external IPs associated with that asset.

Refer to the following screenshot for an example:

You can also view the reputation score for an asset in Asset Details > NETWORK > Network Map.

View External IPs Details

The External IPs Details page provides details of all external IPs communicating with the selected asset.

At the top of the page, you can view the total number of IPs categorized by risk level in count cards. This gives you an instant overview of the risk distribution. You can click the cards to filter the list.

For each IP, the following information is displayed:

IP Address

This column lists the external IP addresses communicating with the asset. If an IP is identified as malicious, a malicious indicator icon is displayed next to the IP address.

Click an IP address to view its basic details and geolocation information.

Click Virus Total to open a third-party threat intelligence platform that provides additional insights, helping you analyze potential threats, validate findings, and identify false positives.

For any private IP, basic and geolocation information is not displayed.

Last Seen

The Last Seen column displays the most recent date and time when the asset communicated with the external IP.

Count

The Count column indicates the total number of times the asset has communicated with the external IP.

Reputation Rating

This column displays a visual indicator of the IP's risk level. Hover over the indicator to view the exact reputation score of that IP. For more information on the score, refer to IP Reputation Score.

Threat Category

This column displays the type of threat associated with the IP. The threats are classified into the following categories:

Threat Category     Description
Spam Sources        IPs known for sending large volumes of spam or unwanted messages.
Windows Exploits    IPs associated with attacks targeting Windows system vulnerabilities.
Web Attacks         IPs involved in attacking web applications.
Botnets             IPs that are part of compromised networks.
Scanners            IPs that scan networks to find open ports or vulnerabilities.
Denial of Service   IPs involved in flooding systems to disrupt availability.
Reputation          IPs flagged based on overall suspicious or malicious behavior history.
Phishing            IPs used to host or distribute phishing content to steal sensitive data.
Proxy               IPs acting as intermediaries to hide the true source of traffic.
Mobile Threats      IPs linked to malicious activities targeting mobile devices or apps.
Tor Proxy           IPs associated with the Tor network, used to mask identity.

Except for the Phishing and Proxy threat categories, IPs that fall into all other categories can be marked as malicious.
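The following script is an added example, not VMDR OT code or an API of the product: it applies the reputation index from the IP Reputation Score section and the malicious-marking rule above to a constructed set of communication records, producing the per-IP rows (Last Seen, Count, rating, malicious flag) and the risk distribution shown on the asset's count cards. The intel lookup, the IP values and the timestamps are constructed sample data; missing scores fall into Unclassified, and private IPs are flagged because no basic or geolocation details are available for them.

```python
from collections import Counter
from ipaddress import ip_address

# Reputation index as documented above: inclusive score ranges per rating.
REPUTATION_INDEX = [(1, 20, "High Risk"), (21, 40, "Suspicious"),
                    (41, 60, "Moderate Risk"), (61, 80, "Low Risk"),
                    (81, 100, "Trustworthy")]
# Categories that do not by themselves make an IP eligible to be marked malicious.
EXEMPT_CATEGORIES = {"Phishing", "Proxy"}

# Constructed threat-intel lookup (hypothetical values, not real indicators):
# ip -> (reputation score, or None when no score is available, threat categories)
INTEL = {"203.0.113.10": (12, ["Botnets", "Scanners"]),
         "198.51.100.7": (35, ["Phishing"]),
         "192.0.2.44": (None, [])}

# Constructed communication records for one asset: (external IP, last seen)
FLOWS = [("203.0.113.10", "2024-05-01T10:00:00"),
         ("203.0.113.10", "2024-05-02T08:30:00"),
         ("198.51.100.7", "2024-05-01T12:15:00"),
         ("192.0.2.44", "2024-04-30T23:59:00"),
         ("10.0.0.5", "2024-05-02T07:00:00")]

def reputation_rating(score):
    """Map a score to its rating; missing or out-of-range scores are Unclassified."""
    if score is not None:
        for low, high, rating in REPUTATION_INDEX:
            if low <= score <= high:
                return rating
    return "Unclassified"

def eligible_malicious(categories):
    """Only a non-exempt threat category makes an IP eligible for the malicious flag."""
    return any(c not in EXEMPT_CATEGORIES for c in categories)

def summarize_external_ips(flows, intel):
    """Build the per-IP rows (Last Seen, Count, rating, flag) and the risk distribution."""
    rows = {}
    for ip, seen in flows:
        score, cats = intel.get(ip, (None, []))
        row = rows.setdefault(ip, {"last_seen": seen, "count": 0,
                                   "rating": reputation_rating(score),
                                   "malicious": eligible_malicious(cats),
                                   # no basic/geolocation details for private IPs; note that
                                   # ipaddress also treats the RFC 5737 test ranges as private
                                   "private": ip_address(ip).is_private})
        row["count"] += 1
        row["last_seen"] = max(row["last_seen"], seen)  # ISO-8601 strings sort chronologically
    distribution = Counter(r["rating"] for r in rows.values())
    return rows, distribution, len(rows)  # total = unique external IPs
```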