🌐 W3 Intel
Real-time AI threat intelligence from the open web — sighting cards, attacker fingerprints, MITRE ATT&CK mapping
What Is W3 Intel?

W3 Intel is Agent Chain's real-time threat intelligence product for the open (surface) web. Every interaction with Agent Chain's honeypot infrastructure generates a W3 Intel Sighting Card — a structured threat intelligence record that captures attacker identity, behavior, geolocation, flags, and MITRE ATT&CK techniques.

It's the VirusTotal for AI agents — except instead of files, you're scanning agent behaviors.

💎 W3 Intel subscription — $4.99/month. No free tier. All sighting cards, search, trending, bulk export, and real-time feed included. Public access: /api/v1/trending and /api/v1/stats only.
Sighting Card — What It Records

Each sighting card is a complete intelligence record. Here's what a CRITICAL-severity card looks like:

did:agent:ac:unknown:0xf291a...c8b3
CRITICAL
Wallet Drainer · LangChain · GPT-4o · Prompt Injection
Encounters: 14
Risk Score: 97
Source: 🍯 Honeypot
Fingerprint: fp:sha256:a3f9c2..e84b1
🌍 United States (AS14061) · Last seen: 2026-03-11
Sighting Card Schema
| Field | Type | Description |
|---|---|---|
| id | string | Unique sighting card ID (AC-W3Intel #N) |
| agent_fingerprint | string | SHA-256 behavioral fingerprint |
| agent_did | string | DID if known, unknown otherwise |
| threat_level | enum | critical / high / medium / low / unknown |
| risk_score | integer | 0–100 risk score |
| encounter_count | integer | Total times this agent has been seen |
| source | string | Detection origin: Passive Honeypot, Active Client Honeypot, Dark Web Crawl |
| classification_tags | string[] | Attack categories (e.g., Wallet Drainer, Prompt Injection) |
| mitre_techniques | string[] | MITRE ATT&CK technique IDs |
| framework | string | Detected LLM framework (LangChain, AutoGen, CrewAI, etc.) |
| model | string | LLM model if detectable (GPT-4o, Claude, Gemini, etc.) |
| geo_country | string | ISO country code of origin IP |
| geo_asn | string | ASN of origin (e.g., AS14061 DigitalOcean) |
| flags | object | Boolean flags: walletDrain, promptInjection, dataExfil, jailbreak, c2, impersonation |
| first_seen | ISO 8601 | When this agent was first encountered |
| last_seen | ISO 8601 | Most recent encounter |
| merkle_hash | string | Hash of this card's data, included in daily L1 Merkle anchor |
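
A consumer of the feed should treat each card as untrusted input and check it against the schema above before it drives a blocklist or alert. The validator below is an added example, not Agent Chain code; the function name, the rule that unknown flag keys are rejected, the non-negative `encounter_count` bound, and the sample values are assumptions.

```python
from datetime import datetime

THREAT_LEVELS = {"critical", "high", "medium", "low", "unknown"}
FLAG_NAMES = {"walletDrain", "promptInjection", "dataExfil",
              "jailbreak", "c2", "impersonation"}
STRING_FIELDS = ("id", "agent_fingerprint", "agent_did", "source", "framework",
                 "model", "geo_country", "geo_asn", "merkle_hash")

def validate_card(card: dict) -> list:
    """Return schema violations for one card; an empty list means well-formed."""
    errors = [f"{f}: expected string" for f in STRING_FIELDS
              if not isinstance(card.get(f), str)]
    level = card.get("threat_level")
    if not isinstance(level, str) or level not in THREAT_LEVELS:
        errors.append("threat_level: not a known enum value")
    for f, top in (("risk_score", 100), ("encounter_count", float("inf"))):
        v = card.get(f)
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= top:
            errors.append(f"{f}: expected integer in range")
    for f in ("classification_tags", "mitre_techniques"):
        v = card.get(f)
        if not isinstance(v, list) or not all(isinstance(x, str) for x in v):
            errors.append(f"{f}: expected list of strings")
    flags = card.get("flags")
    if (not isinstance(flags, dict) or set(flags) - FLAG_NAMES
            or not all(isinstance(x, bool) for x in flags.values())):
        errors.append("flags: expected object of known boolean flags")
    seen = {}
    for f in ("first_seen", "last_seen"):
        try:  # compared at date granularity to avoid naive/aware mismatches
            seen[f] = datetime.fromisoformat(card[f]).date()
        except (KeyError, TypeError, ValueError):
            errors.append(f"{f}: expected ISO 8601 timestamp")
    if len(seen) == 2 and seen["first_seen"] > seen["last_seen"]:
        errors.append("first_seen: later than last_seen")
    return errors

# Constructed sample card; values are illustrative placeholders.
GOOD = {
    "id": "AC-W3Intel #1", "agent_fingerprint": "fp:sha256:PLACEHOLDER",
    "agent_did": "unknown", "threat_level": "critical", "risk_score": 97,
    "encounter_count": 14, "source": "Passive Honeypot", "framework": "LangChain",
    "model": "GPT-4o", "geo_country": "US", "geo_asn": "AS14061",
    "classification_tags": ["Wallet Drainer"], "mitre_techniques": ["T1059"],
    "flags": {"walletDrain": True, "promptInjection": True},
    "first_seen": "2026-02-01", "last_seen": "2026-03-11", "merkle_hash": "PLACEHOLDER",
}
BAD = dict(GOOD, risk_score=250, threat_level="severe",
           flags={"c2": "yes"}, last_seen="2025-01-01")
```

`validate_card(GOOD)` returns an empty list, while `BAD` is reported for its threat level, risk score, flags and timestamp order.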
Merkle Anchoring — Tamper-Proof Intelligence

Every 24 hours, a Merkle root of all sighting cards is hashed and written to the Agent Chain L1 blockchain. This provides cryptographic, tamper-evident proof that the intelligence data hasn't been altered since publication.

Any subscriber can verify any individual sighting card against the daily anchor:

```
GET /api/v1/anchor/verify/{merkle_hash}

// Response:
{
  "valid": true,
  "anchor_block": 14721,
  "anchor_date": "2026-03-11",
  "card_id": "AC-W3Intel #1",
  "root": "0x7f2a9b3c..."
}
```
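
The following added example (not Agent Chain code) shows how a client can check a card against an anchored root without trusting the server's `valid` field, and why an edited card no longer verifies. The page does not specify the tree construction, so SHA-256, canonical-JSON leaves, the 0x00/0x01 prefixes, duplication of the last node on odd levels, the proof format and the sample cards are all assumptions.

```python
import hashlib
import json

def leaf_hash(card: dict) -> bytes:
    # Assumption: a card is hashed as canonical JSON with a 0x00 leaf prefix.
    blob = json.dumps(card, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + blob).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # The 0x01 prefix keeps an interior node from being replayed as a leaf.
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves: list) -> list:
    """All tree levels, leaves first; the last level holds only the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:  # assumption: odd levels duplicate their last node
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels: list, index: int) -> list:
    """Sibling path for one leaf as (sibling_hash, sibling_is_left) pairs."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_card(card: dict, proof: list, root: bytes) -> bool:
    """Recompute the path from the card up to the root and compare."""
    node = leaf_hash(card)
    for sibling, sibling_is_left in proof:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return node == root

# Constructed sample: five minimal cards standing in for one day's sightings.
CARDS = [{"id": f"AC-W3Intel #{n}", "threat_level": lvl, "risk_score": score}
         for n, (lvl, score) in enumerate(
             [("critical", 97), ("high", 80), ("medium", 55), ("low", 10), ("unknown", 0)], 1)]
LEVELS = build_levels([leaf_hash(c) for c in CARDS])
ROOT = LEVELS[-1][0]  # the value a daily anchor would commit to
```

Changing any field of a card after the root is published changes its leaf hash, so the recomputed path no longer ends at the anchored root.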
API Endpoints
Free (No Auth Required)
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/w3intel/trending | Top 10 trending threats (public) |
| GET | /v1/w3intel/stats | Platform-wide threat stats |
| GET | /v1/w3intel/anchors | Daily Merkle anchor history |
Subscriber (W3 Intel $4.99/mo)
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/w3intel/sightings | All sighting cards (paginated, filterable) |
| GET | /v1/w3intel/sightings/:id | Get a specific sighting card |
| GET | /v1/w3intel/agents/:fingerprint | Get all sightings for an agent fingerprint |
| GET | /v1/w3intel/search | Search by framework, model, country, tag, MITRE technique |
| GET | /v1/w3intel/export | Bulk export in JSON or CSV |
| GET | /v1/w3intel/feed | Real-time sighting feed (streaming) |
| GET | /v1/w3intel/mitre | MITRE ATT&CK technique frequency map |
| GET | /v1/w3intel/geo | GeoIP breakdown of attacker origins |
Quick Start
```bash
# Fetch trending threats (free, no auth)
curl https://api.agent-chain.io/v1/w3intel/trending

# Fetch all CRITICAL sighting cards (requires W3 Intel subscription)
curl "https://api.agent-chain.io/v1/w3intel/sightings?threat_level=critical&limit=20" \
  -H "Authorization: Bearer ac_live_xxx"
```

```javascript
// Search by MITRE technique
// (`ac` is an initialized Agent Chain SDK client; its setup is not shown on this page)
const results = await ac.w3intel.search({
  mitre: 'T1059', // Command and Scripting Interpreter
  threat_level: 'high'
});
```

🃏 Sighting Card Design Reference

All 6 threat level variants — exactly as they appear in your W3 Intel feed. Cards are sorted by severity: Critical → High → Medium → Low → Dark Web → Unknown.

Critical Threat BLOCK
185.220.101.34
Entity: IPv4 · Classification: Botnet C2
Critical
botnet c2-server mirai-variant CVE-2024-3400
Encounters: 2,847
Honeypots Hit: 14/15
Confidence: 98%
🇷🇺 Russia · Moscow · AS12389 Rostelecom
🤖 Bot 🚫 Block 🔀 Spoofable 🧅 Tor 🔒 VPN ☁️ Cloud
JA3 Fingerprint: e35d3e47e23af04ab28b4c8a0d7b7603
Ports Scanned: 22, 23, 80, 443, 445, 3389, 5900, 8080, 8443
First seen: 2024-11-03 · Last seen: 2 hours ago

High Threat SUSPICIOUS
ua:python-requests/2.31.0
Entity: User-Agent · Classification: Credential Stuffer
High
credential-stuffing brute-force python-bot
Encounters: 891
Honeypots Hit: 6/15
Confidence: 85%
🇳🇱 Netherlands · Amsterdam · AS60068 Datacamp Ltd
🤖 Bot 🚫 Block 🔀 Spoofable 🧅 Tor 🔒 VPN ☁️ Cloud
HASSH Fingerprint: b12d2871a1571f3866f2407ea1d2e47d
Protocols: HTTP/1.1, SSH
First seen: 2025-01-18 · Last seen: 18 min ago

Medium Threat MONITOR
ja3:a0e9f5d64349fb13191bc781f81f42e1
Entity: JA3 Hash · Classification: Vulnerability Scanner
Medium
vuln-scanner nuclei automated
Encounters: 342
Honeypots Hit: 9/15
Confidence: 72%
🇺🇸 United States · Ashburn, VA · AS14618 Amazon AWS
🤖 Bot 🚫 Block 🔀 Spoofable 🧅 Tor 🔒 VPN ☁️ Cloud
HTTP Hash: mmh3:-1049174963
CVEs Probed: CVE-2023-44487 (HTTP/2 Rapid Reset), CVE-2024-3400 (PAN-OS)
First seen: 2025-03-02 · Last seen: 6 hours ago

Low Threat BENIGN
66.249.66.1
Entity: IPv4 · Classification: Search Crawler
Low
crawler googlebot verified
Encounters: 12,403
Honeypots Hit: 15/15
Confidence: 99%
🇺🇸 United States · Mountain View, CA · AS15169 Google LLC
🤖 Bot 🚫 Block 🔀 Spoofable 🧅 Tor 🔒 VPN ☁️ Cloud
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
First seen: 2024-06-14 · Last seen: 4 min ago

Dark Web Sighting TOR
exit:5a3abf...c9e2
Entity: Tor Exit Node · Classification: Ransomware Delivery
Critical
tor-exit ransomware lockbit-variant CVE-2024-1709
Encounters: 67
Honeypots Hit: 3/15
Confidence: 91%
🧅 Tor Network · Exit Node · AS Unknown
🤖 Bot 🚫 Block 🔀 Spoofable 🧅 Tor 🔒 VPN ☁️ Cloud
Malware Family: LockBit 3.0 / Black (STIX: malware--lockbit-3)
Ports Scanned: 445 (SMB), 3389 (RDP), 5985 (WinRM)
First seen: 2025-03-07 · Last seen: 42 min ago

Unknown Entity UNCLASSIFIED
asn:AS208091
Entity: ASN · Classification: Unknown
Unknown
unclassified first-contact
Encounters: 1
Honeypots Hit: 1/15
Confidence
🇩🇪 Germany · Frankfurt · AS208091
🤖 Bot 🚫 Block 🔀 Spoofable 🧅 Tor 🔒 VPN ☁️ Cloud
First seen: 2025-03-08 · Last seen: Just now