Threat Feed 3.0 Changelog
dwi@threat-feed:~/release

$ diff --semantic feed@2.0 feed@3.0 --out changelog

Threat Feed 3.0

A large, additive release. The front-end roughly tripled with no removed user-facing features, and the realtime backend never moved.

v2.0 → v3.0 · public release notes

§01 Investigation

Interactive Investigation Toolbox (new)

2.0 only had automatic inline enrichment that decorated threat cards. 3.0 keeps that and adds a set of on-demand investigation tools - none of the underlying tool renderers existed in 2.0. Confirmed tools and their stated purpose:

  • Domain Lookup - RDAP / WHOIS + live threat reputation
  • DNS Lookup - A / AAAA / MX / NS / TXT records via DNS-over-HTTPS
  • IP Lookup - RDAP allocation + live threat reputation
  • Reverse IP Lookup - other hosts on the same address
  • ASN Lookup - network / BGP allocation
  • Subdomain enumeration - discover hostnames under a target domain
  • Certificate Transparency - issued-certificate history from CT logs
  • CVE Lookup - full CVE detail with CWE references; includes a CVE gauge / ring visual
  • Hash Lookup - file-hash reputation against malware-sample and sandbox sources
  • IOC Lookup - generic indicator triage
  • Email Auth - SPF / DKIM / DMARC / MX checks
  • Reputation Check - threat-exchange pulses + IP abuse reputation + malware / phishing scan
  • Breach Intel - public breach-notification datasets
  • Credential Leak Search - email / username against public leak datasets
  • Infostealer Check - stealer-log & combolist captures by email, username, or domain
  • Brand Protect Lookup - lookalike-domain / typosquat detection
  • Security News, Threat Intelligence Report, Backup, and Quick Filters & Views

Supporting infrastructure: tabbed tool panels, inline IOC rows with copy actions, gauges / rings / sparklines, and result caching.

§02 Enrichment

Expanded enrichment & new data sources

Enrichment that already shipped in 2.0 (registration / WHOIS, malicious-URL scanning, IOC feeds, stealer-log lookups, screenshots, and TTP tactics) was significantly expanded, and several new categories of external source were wired in. The additions break down by capability:

  • Certificate transparency - issued-certificate history for a host or domain.
  • Network & routing - ASN / BGP allocation and reverse-IP neighbours.
  • Internet exposure - open-port and service-exposure search.
  • Malware intelligence - file-hash reputation across sample repositories and a sandbox source.
  • Reputation & abuse - threat-exchange pulses and IP abuse scoring.
  • Breach & leak - account breach notification and credential-leak datasets.
  • Vulnerability data - CVE / CWE detail from public vulnerability databases.

Use of the existing sources also grew heavily, and a handful of capabilities are new from zero: malicious-URL feeds, internet-exposure search, breach / leak lookups, IP and domain reputation, and subdomain discovery.

§03 Workflow

Triage & verdict workflow (new)

A full per-threat triage system, persisted in dwi_triage_v1 and absent in 2.0:

  • Mark threats as Investigating, Dismissed, or Accepted with verdict pills (good / bad / neutral).
  • Live counters for investigating and dismissed items, with toggles to show or hide them.
  • Mute categories, with a persistent muted bar and one-click clear.
  • Verdict and evidence indicators (high / medium / low confidence).

§04 Organisation

Tagging, saved views & pivots (new)

  • Tagging - apply custom tags to threats, stored in dwi_threat_tags_v1.
  • Saved views - save and restore filter / search configurations (dwi-saved-views-v1).
  • Feed pivots & panel filters - pivot the feed by actor, category, or country and apply multi-facet panel filters.

§05 Export

Export overhaul

  • New export filter panel with facet combo-boxes for building precise export queries.
  • Live export count + quota shown before exporting, with reset-time formatting.
  • HTML threat report generation produces a standalone, shareable report, alongside the existing JSON / CSV / XML exports.
  • State backup & restore - export and re-import local bookmarks, tags, triage, and views.

§06 Cards

Source branding & card redesign

  • Per-source logos with monogram fallbacks and a brand-icon cache.
  • New inline card actions: bookmark, copy-URL, dismiss, and mute on each card.
  • Entry animations for newly arriving alerts.

§07 Correlation

Related threats, reposts & actor claims (new)

  • Related-threats and threat-summary sections inside the detail modal.
  • Repost detection flags near-duplicate / cross-posted alerts.
  • Actor-claim UI surfaces which actor is claiming an incident.
  • Watch terms matching for tracked keywords.

§08 Monitoring

Forum & source monitoring upgrades

  • Status-board monitoring (new) - polls an external uptime board, detects up / down state, pushes notification subscriptions, and drives a badge.
  • Forum-status redesign - a ring / donut status visualization, a new Evaluating status alongside up / onboarding / maintenance / degraded / down / paused / unmonitored, and a collapsible forum-status section (dwi:fs-collapsed).

§09 Charts

New & enhanced charts

  • Category Trend chart.
  • Month-over-month delta card.
  • CVE gauge / ring and abuse gauge visuals.
  • Trend signals with sparklines.
  • TTP / tactic display refreshed with new legend and bar styling; the underlying tactic data existed in 2.0.

§10 Interface

UI / UX additions

  • Custom timezone picker - a searchable dropdown replacing the native select, with a full bundled timezone list.
  • "New since last visit" banner with snooze (dwi_last_visit_v1, dwi_new_since_snooze_until).
  • Sidebar / rail - a collapsible left rail is injected; the bookmarks button moves into the rail and quick-stats merge into the header. Collapse state persists (dwi_sb_collapsed, dwi-sb-pinned).
  • Bookmarks now persist under dwi_bookmarks_v1; notification history under dwi_notification_history_v1 with prefs bumped to v2.
  • Defang / refang - IOCs are defanged when copied or exported (e.g. hxxp://, [.]) for safer sharing, with a copy-defanged action.
  • Screenshot capture + OCR findings expanded.
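
The defang / refang behaviour listed above, as an added example (not the product's own code): the function names are hypothetical, and accepting `(.)` and `[dot]` on refang is an assumption beyond the `hxxp://` and `[.]` forms the changelog names. It also shows a pre-export check that no live indicator remains.

```javascript
// Added example: hypothetical helper names, not the product's own code.

// Constructed sample indicators (documentation domains and address ranges only).
const SAMPLE_IOCS = [
  "https://login.example.com/reset.php?id=1",
  "198.51.100.7",
  "admin@mail.example.net",
];

// Bracket every dot that is not already inside "[.]", so defanging twice is a no-op.
function defangDots(s) {
  return s.replace(/(?<!\[)\.(?!\])/g, "[.]");
}

// Defang one indicator (URL, domain, IP or e-mail address).
// Only the scheme and the host part are rewritten; path and query stay readable.
function defang(ioc) {
  const value = ioc.trim();
  const m = value.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/?#]*)(.*)$/i);
  if (!m) return defangDots(value); // multi-line or unparseable input: bracket all dots
  const [, scheme, authority, rest] = m;
  const prefix = scheme
    ? scheme.toLowerCase().replace(/^http(s?)$/, "hxxp$1") + "://"
    : "";
  return prefix + defangDots(authority) + rest;
}

// Reverse the transformation for analysis tooling that needs the live value.
// Accepts common variants: hXXp, (.), [dot] (assumed conventions, see lead-in).
function refang(ioc) {
  return ioc
    .trim()
    .replace(/^hxxp(s?)(?=:\/\/)/i, (_, s) => "http" + s.toLowerCase())
    .replace(/\[\.\]|\(\.\)|\[dot\]/gi, ".");
}

// Pre-export check: an indicator is safe to share if defanging it changes nothing.
function isDefanged(ioc) {
  return defang(ioc) === ioc.trim();
}

// Defang a whole export batch and report anything that was still live on input.
function defangBatch(iocs) {
  const live = iocs.filter((i) => !isDefanged(i));
  return { exported: iocs.map(defang), liveOnInput: live.length };
}
```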

§11 Privacy

Privacy & consent (new)

A consent banner with Accept / Decline, persisted in dwi_consent_v1 and posted to a consent API. It gates external behavior - confirm exactly which third-party lookups are blocked until consent is given. This matters for the public launch.

// end of changelog - feed@3.0

Dark Web Informer · Live Threat Intelligence
