diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d7311fe..edad005 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,11 +30,11 @@ jobs:
         continue-on-error: ${{ env.ADVISORY == 'true' }}
 
       - name: Lint (ruff check)
-        run: uv run ruff check src/ apps/ mcp/ tests/ *.py
+        run: uv run ruff check src/ apps/ mcp_servers/ tests/ *.py
         continue-on-error: ${{ env.ADVISORY == 'true' }}
 
       - name: Format check (ruff format) — advisory
-        run: uv run ruff format --check src/ apps/ mcp/ tests/ *.py
+        run: uv run ruff format --check src/ apps/ mcp_servers/ tests/ *.py
         continue-on-error: true
 
       - name: Dependency audit (pip-audit) — advisory
@@ -42,7 +42,7 @@ jobs:
         continue-on-error: true
 
       - name: SAST (bandit) — advisory
-        run: uv run bandit -r src/ apps/ mcp/ -c pyproject.toml
+        run: uv run bandit -r src/ apps/ mcp_servers/ -c pyproject.toml
         continue-on-error: true
 
       - name: Lint HTML (djlint check)
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..6241107
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,128 @@
+# Changelog
+
+All notable changes to this project are documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.1.0] — 2026-06-14
+
+### Added
+
+- **Incident correlator** — new Phase 1 orchestrator (`src/correlator/`) that assembles
+  incident context from OpenSearch, Mantis tickets, and enrichment in one call.
+  Exposed via the MCP `investigate` tool and `/investigate` web pages in
+  opensearch_web.
+- **Public IP profiler** — `profile_device` now supports public IPs, with sensor
+  presence and reverse DNS surfaced in web device cards.
+- **Mantis Explorer** — new Flask app for browsing student activity, registered in
+  `run_all.py` and the Hub landing page.
+- **Hub redesign** — list layout, live data-freshness indicators, settings page with
+  theme dropdown, version + git update status in the footer.
+- **Theme system** — 8 community themes (Gruvbox, Tokyo Night, Catppuccin variants),
+  CSS-variable-driven ECharts colors so charts render correctly on every theme.
+- **Shared static blueprint** — `apps/shared/` serves tokens, base CSS, and logos
+  across all four web apps; per-app duplicate assets removed.
+- **Dashboard** — alert trend chart, triage workqueues, per-sensor log time-series,
+  Tickets tab, sensor filter modal, date-range controls wired into the toolbar.
+- **MCP OpenSearch tools** — `investigate`, `histogram`, `aggregate`,
+  `bulk_enrich_ips`, `count`, `list_filter_categories`, `list_fp_filters`,
+  `delete_fp_filter`, `get_notice_summary`, `build_share_urls`,
+  `compare_to_baseline`, `enrich_top_talkers`.
+- **MCP querier** — port/proto filters, multi-value IP/sensor parameters, absolute
+  timestamps, `truncated` flag surfaced on all search results.
+- **Wildcard filters** — `notice_note` and `weird_name` accept ES wildcard syntax,
+  dispatched to `wildcard` queries with exact-match fallback.
+- **Filter loader** — validates category/subcategory pairs against
+  `filters/categories.yaml`.
+- **FP manager** — `delete_ip_from_filter` extracted into reusable module.
+- **Investigate UX** — escalation indicators on ticket cards, Investigate entry-points
+  on IP pivot and notice/Suricata records, public device cards, profile buttons.
+- **Web UX** — sidebar nav with per-tab persisted filters, sticky-column rendering,
+  src/dest/both IP role toggle on ip_pivot, error banners for OpenSearch/Mantis,
+  destination IP filter in search bar.
+- **Enricher** — `prewarm_enrichment_cache` background warmer, parallel execution
+  and result caching on the web enrich path.
+
+### Changed
+
+- **Querier refactor** — `src/querier/zeek_modules/base.py` split into focused
+  modules; silent `None` returns replaced with typed exceptions.
+- **Web concurrency** — overview route switched from `ThreadPoolExecutor` fan-out
+  to `asyncio.gather`; single-flight dedup, shared thread pool, and ETag support
+  added; `bool.must` switched to `bool.filter` context for cacheability.
+- **MCP package rename** — `mcp/` → `mcp_servers/` to resolve a namespace collision
+  with the upstream `mcp` package. **Breaking** for anyone importing the old path.
+- **App rename** — `mantis_web` → `threat_model`. **Breaking** for any external
+  bookmarks or imports referencing the old name.
+- **Pivot/profile/investigate** and `aggregate` MCP tools consolidated.
+- **Mantis Explorer** — escalation detection rewritten; `is_escalated` surfaced on
+  tickets; warning modal added about escalated-count accuracy.
+- **Enricher clients** — persistent HTTP sessions, retry adapter, shared console,
+  `atexit` cleanup across all enricher modules.
+- **Dashboard / OpenSearch panels** — low-signal Malcolm panels pruned; protocol
+  bar replaced with time-series area charts; unified to horizontal bars.
+- **Hub branding** — heading renamed to "PISCES Toolkit" with toolbox icon; brand
+  link navigates to hub; redundant home button removed.
+- **OpenSearch web** — search bar redesigned as two-row pill layout; sensor
+  selector reworked as single clickable button; Investigate button moved to the
+  global search bar; auth history section replaced with search-all-logs.
+
+### Fixed
+
+- **OpenSearch mapping drift** — `terms` aggregations now use a `_source` Painless
+  script via `source_terms_script()`, surviving indices whose mapping for the
+  same field disagrees (keyword vs text + `.keyword` subfield on rolled-over
+  write index).
+- **Zeek notice/weird** — exact and wildcard filters now target the `.keyword`
+  subfield.
+- **Dashboard XSS** — date query parameters sanitised; CodeQL taint chain broken
+  by returning parsed ISO-format date.
+- **MCP dest_ip** — pushed into the ES query instead of being post-filtered.
+- **Web exceptions** — bare `except` handlers that silently swallowed tracebacks
+  now log the exception.
+- **Cross-protocol query handler** — logs protocol name and error on failure.
+- **Querier** — `FilesModule` IP filter flag corrected; `SuricataAlert` summary
+  type fix; `build_extra_must` tuple correctly unpacked before
+  `build_base_query`.
+- **Correlator** — parallel profile fetches, timeline key override, ticket
+  deduplication.
+- **OpenSearch web** — doubled `script_name` prefix removed from investigate
+  HTMX paths; em-dash placeholder IPs skipped in overview table.
+- **Threat model / Mantis Explorer** — one-time-per-session notice modal.
+- **Surface hierarchy** — Catppuccin and Gruvbox themes corrected.
+
+### Performance
+
+- **HTTP timeout** — sync and async OpenSearch clients bumped from 30s → 60s to
+  accommodate slower script aggregations.
+- **OpenSearch client cache** — session reused across queries; query construction
+  optimised.
+- **Filter loader** — mtime-based cache avoids re-parsing YAML on every query.
+- **Mantis** — index pagination parallelised; HTTP sessions reused; linear scan
+  and per-request sorts replaced with dict lookups in `data.py`.
+- **Filter loading / remapping / post-filtering** — redundant work removed.
+
+### Removed
+
+- Root-level standalone app launcher shims.
+- `cryptography` dependency dropped; `geoip2` moved to the `offline-enrichment`
+  extra.
+- `pytest` moved out of main dependencies into dev dependencies.
+- Theme toggle buttons removed from per-app navbars (now centralised in Hub
+  settings).
+
+### CI
+
+- `djlint` HTML linting added to pre-commit and the CI pipeline.
+
+## [1.0.0] — 2026-XX-XX
+
+Initial tagged release. Dashboard redesign, theming, threat model rename, and
+Mantis Explorer (PR #40).
+
+[Unreleased]: https://github.com/liamadale/pisces-scripts/compare/v1.1.0...HEAD
+[1.1.0]: https://github.com/liamadale/pisces-scripts/compare/v1.0.0...v1.1.0
+[1.0.0]: https://github.com/liamadale/pisces-scripts/releases/tag/v1.0.0
diff --git a/README.md b/README.md
index 644cc9a..c73958f 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,8 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for development guidelines and how to ope
 
 To report a vulnerability, follow the process in [SECURITY.md](SECURITY.md).
 
+Release notes for each version are recorded in [CHANGELOG.md](CHANGELOG.md).
+
 ---
 
 ## Development Transparency — Use of AI Tooling
diff --git a/apps/dashboard_web/opensearch/__init__.py b/apps/dashboard_web/opensearch/__init__.py
index bf7fd35..ff6abdf 100644
--- a/apps/dashboard_web/opensearch/__init__.py
+++ b/apps/dashboard_web/opensearch/__init__.py
@@ -3,6 +3,7 @@
 from apps.dashboard_web import cache as dcache
 from apps.dashboard_web.opensearch.aggregations import (
     agg_conn_volume_over_time,
+    agg_logs_by_sensor_over_time,
     agg_notice_over_time,
     agg_opensearch_sensors,
     agg_opensearch_top_ips,
@@ -30,6 +31,7 @@ def section():
             "conn_over_time": agg_conn_volume_over_time(time_range, sensors),
             "sensors": agg_opensearch_sensors(time_range),
             "top_ips": agg_opensearch_top_ips(time_range, sensors),
+            "sensor_trend": agg_logs_by_sensor_over_time(time_range, sensors),
         }
     except Exception as exc:
         data = {"error": str(exc)}
diff --git a/apps/dashboard_web/opensearch/aggregations.py b/apps/dashboard_web/opensearch/aggregations.py
index 00e336e..f34cbbf 100644
--- a/apps/dashboard_web/opensearch/aggregations.py
+++ b/apps/dashboard_web/opensearch/aggregations.py
@@ -2,12 +2,22 @@
 
 from src.querier.zeek_modules.base import (
     FILTERS_DIR,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
     build_base_query,
     load_with_remap,
     query_opensearch,
 )
 
 
+def _safe_query(body: dict, params: dict) -> dict | None:
+    """query_opensearch wrapper that returns None on connectivity/auth errors."""
+    try:
+        return query_opensearch(body, params)
+    except (OpenSearchConnectionError, OpenSearchAuthError):
+        return None
+
+
 def parse_sensors(raw: str) -> list | None:
     """Parse a comma-separated sensor string into a list, or None for 'all'."""
     if not raw or raw.strip().lower() == "all":
@@ -53,7 +63,7 @@ def agg_opensearch_sensors(time_range: str) -> dict:
             }
         }
     }
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     buckets = raw.get("aggregations", {}).get("sensors", {}).get("buckets", []) if raw else []
     return {
         "labels": [b["key"] for b in buckets],
@@ -81,7 +91,7 @@ def agg_opensearch_notice_count(time_range: str, sensors: list | None = None) ->
     body["size"] = 0
     body.pop("sort", None)
     body.pop("_source", None)
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     if not raw:
         return 0
     return raw.get("hits", {}).get("total", {}).get("value", 0)
@@ -127,7 +137,7 @@ def agg_suricata_alert_count(time_range: str, sensors: list | None = None) -> in
     body["size"] = 0
     body.pop("sort", None)
     body.pop("_source", None)
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     if not raw:
         return 0
     return raw.get("hits", {}).get("total", {}).get("value", 0)
@@ -160,7 +170,7 @@ def agg_suricata_over_time(time_range: str, sensors: list | None = None) -> dict
             }
         }
     }
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     buckets = raw.get("aggregations", {}).get("over_time", {}).get("buckets", []) if raw else []
     return {
         "timestamps": [b["key_as_string"] for b in buckets],
@@ -199,7 +209,7 @@ def agg_notice_over_time(time_range: str, sensors: list | None = None) -> dict:
             }
         }
     }
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     buckets = raw.get("aggregations", {}).get("over_time", {}).get("buckets", []) if raw else []
     return {
         "timestamps": [b["key_as_string"] for b in buckets],
@@ -235,7 +245,7 @@ def agg_conn_volume_over_time(time_range: str, sensors: list | None = None) -> d
             }
         }
     }
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     buckets = raw.get("aggregations", {}).get("over_time", {}).get("buckets", []) if raw else []
     return {
         "timestamps": [b["key_as_string"] for b in buckets],
@@ -244,6 +254,68 @@ def agg_conn_volume_over_time(time_range: str, sensors: list | None = None) -> d
     }
 
 
+def agg_logs_by_sensor_over_time(time_range: str, sensors: list | None = None) -> dict:
+    """Total log count per sensor as aligned time series (terms → date_histogram)."""
+    interval = _interval_for_range(time_range)
+    body, params = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=[],
+        limit=0,
+        time_range=time_range,
+        sensors=sensors,
+        datasets=["all"],
+        public_only=False,
+        src_ip_filter=None,
+        direction=None,
+    )
+    body["size"] = 0
+    body.pop("sort", None)
+    body.pop("_source", None)
+    body["aggs"] = {
+        "by_sensor": {
+            "terms": {"field": "host.name", "size": 50, "order": {"_count": "desc"}},
+            "aggs": {
+                "over_time": {
+                    "date_histogram": {
+                        "field": "@timestamp",
+                        "fixed_interval": interval,
+                        "min_doc_count": 0,
+                    }
+                }
+            },
+        }
+    }
+    raw = _safe_query(body, params)
+    sensor_buckets = (
+        raw.get("aggregations", {}).get("by_sensor", {}).get("buckets", []) if raw else []
+    )
+
+    # Collect all unique timestamps in order across all sensors
+    all_ts: dict[str, None] = {}
+    for sb in sensor_buckets:
+        for tb in sb.get("over_time", {}).get("buckets", []):
+            all_ts[tb["key_as_string"]] = None
+    timestamps = list(all_ts.keys())
+
+    # Build per-sensor series aligned to the shared timestamp list
+    series = []
+    for sb in sensor_buckets:
+        ts_map = {
+            tb["key_as_string"]: tb["doc_count"]
+            for tb in sb.get("over_time", {}).get("buckets", [])
+        }
+        series.append(
+            {
+                "sensor": sb["key"],
+                "counts": [ts_map.get(t, 0) for t in timestamps],
+                "total": sb["doc_count"],
+            }
+        )
+
+    return {"timestamps": timestamps, "series": series, "interval": interval}
+
+
 def agg_new_ips_delta(time_range: str, sensors: list | None = None) -> dict:
     """Compare unique source IPs in the current window vs the previous window.
 
@@ -270,7 +342,7 @@ def _unique_count(tr: str) -> int:
         body["aggs"] = {
             "uniq": {"cardinality": {"field": "source.ip", "precision_threshold": 3000}}
         }
-        raw = query_opensearch(body, params)
+        raw = _safe_query(body, params)
         if not raw:
             return 0
         return raw.get("aggregations", {}).get("uniq", {}).get("value", 0)
diff --git a/apps/dashboard_web/opensearch/malcolm.py b/apps/dashboard_web/opensearch/malcolm.py
index d6a279d..f960cdb 100644
--- a/apps/dashboard_web/opensearch/malcolm.py
+++ b/apps/dashboard_web/opensearch/malcolm.py
@@ -6,7 +6,20 @@
 
 import concurrent.futures
 
-from src.querier.zeek_modules.base import build_base_query, query_opensearch
+from src.querier.zeek_modules.base import (
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+    build_base_query,
+    query_opensearch,
+)
+
+
+def _safe_query(body: dict, params: dict) -> dict | None:
+    """query_opensearch wrapper that returns None on connectivity/auth errors."""
+    try:
+        return query_opensearch(body, params)
+    except (OpenSearchConnectionError, OpenSearchAuthError):
+        return None
 
 
 def _terms(field: str, time_range: str, datasets: list, size: int = 20) -> dict:
@@ -27,7 +40,7 @@ def _terms(field: str, time_range: str, datasets: list, size: int = 20) -> dict:
     body.pop("sort", None)
     body.pop("_source", None)
     body["aggs"] = {"r": {"terms": {"field": field, "size": size, "order": {"_count": "desc"}}}}
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     buckets = raw.get("aggregations", {}).get("r", {}).get("buckets", []) if raw else []
     return {
         "labels": [b["key"] for b in buckets],
@@ -60,7 +73,7 @@ def _sum_terms(
             "aggs": {"total": {"sum": {"field": sum_field}}},
         }
     }
-    raw = query_opensearch(body, params)
+    raw = _safe_query(body, params)
     buckets = raw.get("aggregations", {}).get("r", {}).get("buckets", []) if raw else []
     buckets = sorted(buckets, key=lambda b: -b.get("total", {}).get("value", 0))
     return {
diff --git a/apps/dashboard_web/opensearch/templates/opensearch/section.html b/apps/dashboard_web/opensearch/templates/opensearch/section.html
index c2bd447..c651f33 100644
--- a/apps/dashboard_web/opensearch/templates/opensearch/section.html
+++ b/apps/dashboard_web/opensearch/templates/opensearch/section.html
@@ -60,15 +60,25 @@
       {% endif %}
     </div>
 
+    <div class="chart-card" style="grid-column:1/-1;">
+      <div class="chart-title">Log Count by Sensor ({{ data.sensor_trend.interval }} intervals)</div>
+      {% if not data.sensor_trend.timestamps %}
+      <div class="chart-empty">No sensor data in this window</div>
+      {% else %}
+      <div id="chart-sensor-trend" style="height:340px;"></div>
+      {% endif %}
+    </div>
+
   </div>
 
   <script>
   (function() {
-    var NOTICE_TS = {{ data.notice_over_time | tojson }};
-    var SURICATA_TS = {{ data.suricata_over_time | tojson }};
-    var CONN_TS   = {{ data.conn_over_time   | tojson }};
-    var SENSORS   = {{ data.sensors   | tojson }};
-    var TOP_IPS   = {{ data.top_ips   | tojson }};
+    var NOTICE_TS    = {{ data.notice_over_time | tojson }};
+    var SURICATA_TS  = {{ data.suricata_over_time | tojson }};
+    var CONN_TS      = {{ data.conn_over_time   | tojson }};
+    var SENSORS      = {{ data.sensors   | tojson }};
+    var TOP_IPS      = {{ data.top_ips   | tojson }};
+    var SENSOR_TREND = {{ data.sensor_trend | tojson }};
 
     var S = getComputedStyle(document.documentElement);
     var C_TEXT     = S.getPropertyValue('--on-surface').trim();
@@ -133,6 +143,79 @@
       c3.setOption(hBarOption(TOP_IPS.ips, TOP_IPS.counts, '#bc8cff'));
       window.addEventListener('resize', function() { c3.resize(); });
     }
+
+    if (SENSOR_TREND.timestamps && SENSOR_TREND.timestamps.length && SENSOR_TREND.series.length) {
+      var PALETTE = [
+        '#4f8ef7','#f85149','#3fb950','#d29922','#bc8cff',
+        '#7ec8e3','#ff7c7c','#56d364','#ffa657','#79c0ff',
+        '#f778ba','#ffd700','#00ced1','#ff69b4','#98fb98',
+        '#dda0dd','#87ceeb','#f4a460','#20b2aa'
+      ];
+      var stEl = document.getElementById('chart-sensor-trend');
+      var stChart = echarts.init(stEl);
+      var stSeries = SENSOR_TREND.series.map(function(s, i) {
+        var col = PALETTE[i % PALETTE.length];
+        // Sensors beyond palette length (shouldn't happen with 19) get muted
+        var isMuted = i >= PALETTE.length;
+        return {
+          name: s.sensor,
+          type: 'line',
+          data: s.counts,
+          smooth: false,
+          symbol: 'none',
+          lineStyle: { color: isMuted ? C_TEXT_DIM : col, width: 1.5, opacity: isMuted ? 0.4 : 0.85 },
+          itemStyle: { color: isMuted ? C_TEXT_DIM : col },
+          emphasis: { focus: 'series', lineStyle: { width: 2.5, opacity: 1 } },
+          blur: { lineStyle: { opacity: 0.15 } },
+        };
+      });
+
+      // Sort legend entries by total desc so the busiest sensors appear first
+      var legendOrder = SENSOR_TREND.series.map(function(s) { return s.sensor; });
+
+      stChart.setOption({
+        backgroundColor: 'transparent',
+        tooltip: {
+          trigger: 'item',
+          backgroundColor: C_SURFACE,
+          borderColor: C_OUTLINE,
+          textStyle: { color: C_TEXT, fontSize: 12 },
+          formatter: function(p) {
+            return '<div style="font-size:11px;">' + tsLabel(p.name) + '<br>' +
+              '<span style="display:inline-block;width:8px;height:8px;border-radius:50%;background:' +
+              p.color + ';margin-right:4px;"></span>' +
+              p.seriesName + ': <b>' + p.value.toLocaleString() + '</b></div>';
+          }
+        },
+        legend: {
+          type: 'scroll',
+          orient: 'horizontal',
+          bottom: 0,
+          data: legendOrder,
+          textStyle: { color: C_TEXT, fontSize: 11 },
+          pageTextStyle: { color: C_TEXT_DIM },
+          pageIconColor: C_TEXT,
+          pageIconInactiveColor: C_TEXT_DIM,
+          itemWidth: 14,
+          itemHeight: 8,
+        },
+        grid: { left: 10, right: 20, top: 10, bottom: 60, containLabel: true },
+        xAxis: {
+          type: 'category',
+          data: SENSOR_TREND.timestamps,
+          axisLabel: { color: C_TEXT_DIM, fontSize: 11, rotate: 35, formatter: tsLabel },
+          axisLine: { lineStyle: { color: C_OUTLINE } },
+          boundaryGap: false,
+        },
+        yAxis: {
+          type: 'value',
+          axisLabel: AXIS_DIM,
+          splitLine: GRID_LINE,
+        },
+        series: stSeries,
+      });
+      window.addEventListener('resize', function() { stChart.resize(); });
+    }
   })();
   </script>
 </div>
diff --git a/apps/dashboard_web/run.py b/apps/dashboard_web/run.py
index e14cd6e..f2fbbb5 100644
--- a/apps/dashboard_web/run.py
+++ b/apps/dashboard_web/run.py
@@ -21,7 +21,9 @@
 
 app = create_app()
 
-if __name__ == "__main__":
+
+def main() -> None:
+    """Entry point for `pisces-dashboard` console script."""
     parser = argparse.ArgumentParser(description="PISCES Dashboard")
     parser.add_argument("--host", default="0.0.0.0", help="Bind address (default: 0.0.0.0)")
     parser.add_argument("--port", type=int, default=5004, help="Port (default: 5004)")
@@ -29,5 +31,8 @@
         "--debug", action="store_true", default=False, help="Enable Flask debug mode"
     )
     args = parser.parse_args()
-
     app.run(host=args.host, port=args.port, debug=args.debug, threaded=True)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/apps/hub/run.py b/apps/hub/run.py
index d366d09..8c5a10c 100644
--- a/apps/hub/run.py
+++ b/apps/hub/run.py
@@ -15,12 +15,16 @@
 
 from apps.hub.app import create_app
 
-if __name__ == "__main__":
+
+def main() -> None:
+    """Entry point for `pisces-hub` console script."""
     parser = argparse.ArgumentParser(description="PISCES Hub Portal")
     parser.add_argument("--host", default="0.0.0.0")
     parser.add_argument("--port", type=int, default=5000)
     parser.add_argument("--debug", action="store_true", default=False)
     args = parser.parse_args()
+    create_app().run(host=args.host, port=args.port, debug=args.debug, threaded=True)
 
-    app = create_app()
-    app.run(host=args.host, port=args.port, debug=args.debug, threaded=True)
+
+if __name__ == "__main__":
+    main()
diff --git a/apps/hub/templates/index.html b/apps/hub/templates/index.html
index baf2924..4ddf89c 100644
--- a/apps/hub/templates/index.html
+++ b/apps/hub/templates/index.html
@@ -180,7 +180,7 @@ <h1><i class="fa-solid fa-toolbox"></i> PISCES Toolkit</h1>
 </div>
 
 <footer style="text-align:center;padding:2.5rem 1rem 1.5rem;font-family:var(--sans);font-size:0.75rem;color:var(--on-surface-dim);">
-  PISCES Toolkit v{{ version }}
+  PISCES Toolkit <a href="https://github.com/liamadale/pisces-scripts/blob/main/CHANGELOG.md" style="color:inherit;text-decoration:underline;">v{{ version }}</a>
   {% if git.behind is not none %}
     <span style="margin-left:0.5rem;">·</span>
     {% if git.behind == 0 %}
diff --git a/apps/mantis_explorer/run.py b/apps/mantis_explorer/run.py
index 36ca070..97128f5 100644
--- a/apps/mantis_explorer/run.py
+++ b/apps/mantis_explorer/run.py
@@ -3,8 +3,15 @@
 from apps.mantis_explorer.app import create_app
 from apps.mantis_explorer.data import SLUG_TO_ORG, get_report
 
-if __name__ == "__main__":
+app = create_app()
+
+
+def main() -> None:
+    """Entry point for `pisces-mantis-explorer` console script."""
     report = get_report("", "")
     print(f"Mantis Explorer: {len(SLUG_TO_ORG)} institutions, {len(report)} students")
-    app = create_app()
     app.run(host="0.0.0.0", port=5005, debug=False, threaded=True)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/apps/opensearch_web/app.py b/apps/opensearch_web/app.py
index 4321fbe..65fd7b5 100644
--- a/apps/opensearch_web/app.py
+++ b/apps/opensearch_web/app.py
@@ -1,15 +1,17 @@
 """Flask application factory and route definitions for PISCES Web UI."""
 
 import os
+from concurrent.futures import as_completed
 from datetime import datetime, timedelta, timezone
 
-from flask import Flask, abort, render_template, request
+from flask import Flask, abort, make_response, render_template, request
 
 from apps.opensearch_web import cache as wcache
 from apps.opensearch_web.queries import (
+    POOL,
     build_search_params_from_request,
     cached_run_query,
-    run_cross_protocol_query,
+    run_cross_protocol_query_async,
 )
 from apps.shared.blueprints import (
     make_cache_blueprint,
@@ -18,13 +20,23 @@
     make_shared_static_blueprint,
 )
 from apps.shared.jinja_globals import register_shared_helpers
+from src.correlator.incident_context import (
+    IncidentContext,
+    build_timeline,
+    query_attack_chain,
+    query_auth_history,
+)
 from src.querier.zeek_modules import (
     CATEGORY_LABELS,
     CATEGORY_ORDER,
     MODULES,
     MODULES_BY_CATEGORY,
 )
-from src.querier.zeek_modules.base import TIME_RANGES
+from src.querier.zeek_modules.base import (
+    TIME_RANGES,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+)
 from src.utils.format import fmt_dur
 
 # ------------------------------------------------------------------
@@ -72,6 +84,7 @@ def _resolve_city(request):  # type: ignore[no-untyped-def]
 
 def create_app() -> Flask:
     app = Flask(__name__, static_folder="static", template_folder="templates")
+    app.send_file_max_age_default = 31_536_000  # 1 year for versioned static assets
 
     register_shared_helpers(app)
 
@@ -123,9 +136,21 @@ def inject_nav_data() -> dict:
     # GET /  — cross-protocol IP matrix
     # ------------------------------------------------------------------
     @app.route("/")
-    def overview():
+    async def overview():
+        from src.enricher.threat_intel import prewarm_enrichment_cache
+
         search_params = build_search_params_from_request(request)
-        rows = run_cross_protocol_query(search_params)
+        error = None
+        rows = []
+        try:
+            rows = await run_cross_protocol_query_async(search_params)
+        except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+            error = str(exc)
+
+        # Pre-warm the enrichment cache for all source IPs while the page renders.
+        if rows:
+            prewarm_enrichment_cache([r["src_ip"] for r in rows])
+
         # Build per-category module lists, excluding non-IP modules (pe, capture_loss)
         ip_modules_by_category = {
             cat: [lt for lt in lts if MODULES[lt].SUPPORTS_IP_FILTER]
@@ -134,6 +159,7 @@ def overview():
         return render_template(
             "overview.html",
             rows=rows,
+            error=error,
             search_params=search_params,
             ip_modules_by_category=ip_modules_by_category,
         )
@@ -143,20 +169,59 @@ def overview():
     # ------------------------------------------------------------------
     @app.route("/ip/<ip>")
     def ip_pivot(ip: str):
-        search_params = build_search_params_from_request(request)
-        search_params["src_ip"] = ip
+        from urllib.parse import urlencode
+
+        ip_role = request.args.get("ip_role", "both")
+        if ip_role not in ("src", "dest", "both"):
+            ip_role = "both"
 
+        search_params = build_search_params_from_request(request)
+        if ip_role == "dest":
+            search_params["dest_ip"] = ip
+            search_params["src_ip"] = None
+        elif ip_role == "src":
+            search_params["src_ip"] = ip
+            search_params["dest_ip"] = None
+        else:  # both
+            search_params["any_ip"] = ip
+            search_params["src_ip"] = None
+            search_params["dest_ip"] = None
+
+        # Build toggle URLs preserving all other query params
+        base_args = {k: v for k, v in request.args.items() if k != "ip_role"}
+        script_name = request.environ.get("SCRIPT_NAME", "")
+        src_url = f"{script_name}/ip/{ip}?ip_role=src&{urlencode(base_args)}"
+        dest_url = f"{script_name}/ip/{ip}?ip_role=dest&{urlencode(base_args)}"
+        both_url = f"{script_name}/ip/{ip}?ip_role=both&{urlencode(base_args)}"
+
+        ip_modules = [lt for lt, mod in MODULES.items() if mod.SUPPORTS_IP_FILTER]
         results: dict = {}
-        for lt, mod in MODULES.items():
-            if not mod.SUPPORTS_IP_FILTER:
-                continue  # pe, capture_loss have no src_ip to pivot on
-            sp = dict(search_params)
-            results[lt] = cached_run_query(lt, sp)
+        error = None
+        first_error: Exception | None = None
+        futures = {POOL.submit(cached_run_query, lt, dict(search_params)): lt for lt in ip_modules}
+        for f in as_completed(futures):
+            lt = futures[f]
+            try:
+                results[lt] = f.result()
+            except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+                if first_error is None:
+                    first_error = exc
+                results[lt] = []
+            except Exception:
+                app.logger.exception("ip_pivot query failed for %s", lt)
+                results[lt] = []
+        if first_error is not None:
+            error = str(first_error)
 
         return render_template(
             "ip_pivot.html",
             ip=ip,
+            ip_role=ip_role,
+            src_url=src_url,
+            dest_url=dest_url,
+            both_url=both_url,
             results=results,
+            error=error,
             search_params=search_params,
         )
 
@@ -175,12 +240,19 @@ def log_view(log_type: str):
         # unless the user has drilled into a specific value.
         has_drill_filter = bool(mod.SUMMARY_PARAM and search_params.get(mod.SUMMARY_PARAM))
         summary_mode = bool(mod.SUMMARY_FIELD) and not has_drill_filter
-        records = [] if summary_mode else cached_run_query(log_type, search_params)
+        error = None
+        records = []
+        if not summary_mode:
+            try:
+                records = cached_run_query(log_type, search_params)
+            except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+                error = str(exc)
 
         return render_template(
             "log_view.html",
             log_type=log_type,
             records=records,
+            error=error,
             search_params=search_params,
             extra_keys=extra_keys,
             detail_fields=mod.DETAIL_FIELDS,
@@ -200,14 +272,37 @@ def api_search(log_type: str):
         mod = MODULES[log_type]
         extra_keys = mod.EXTRA_PARAMS
         search_params = build_search_params_from_request(request, extra_keys)
-        records = cached_run_query(log_type, search_params)
-        return render_template(
-            "partials/log_rows.html",
-            log_type=log_type,
-            records=records,
-            detail_fields=mod.DETAIL_FIELDS,
-            web_columns=mod.WEB_COLUMNS,
+
+        etag = f'"{wcache.raw_key(log_type, search_params)}"'
+        if (
+            request.headers.get("If-None-Match") == etag
+            and wcache.get(log_type, search_params) is not None
+        ):
+            return "", 304
+
+        try:
+            records = cached_run_query(log_type, search_params)
+        except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+            return render_template(
+                "partials/log_rows.html",
+                log_type=log_type,
+                records=[],
+                error=str(exc),
+                detail_fields=mod.DETAIL_FIELDS,
+                web_columns=mod.WEB_COLUMNS,
+            )
+        resp = make_response(
+            render_template(
+                "partials/log_rows.html",
+                log_type=log_type,
+                records=records,
+                error=None,
+                detail_fields=mod.DETAIL_FIELDS,
+                web_columns=mod.WEB_COLUMNS,
+            )
         )
+        resp.headers["ETag"] = etag
+        return resp
 
     # ------------------------------------------------------------------
     # GET /api/detail/<log_type>/<int:i>  — HTMX: expanded record detail
@@ -397,6 +492,7 @@ def api_summary(log_type: str):
             build_base_query,
             load_with_remap,
             query_opensearch,
+            source_terms_script,
         )
 
         if log_type not in MODULES:
@@ -428,29 +524,24 @@ def api_summary(log_type: str):
             direction=search_params.get("direction"),
             time_from=search_params.get("time_from"),
             time_to=search_params.get("time_to"),
+            sort=False,
         )
         body["size"] = 0
-        body.pop("sort", None)
         body.pop("_source", None)
 
+        # Read the summary field from _source so this works across indices
+        # whose mappings disagree (older indices have the field as keyword;
+        # the rolled-over write index has it as text + .keyword and a native
+        # terms agg over the wildcard pattern fails on that shard).
+        terms_script = source_terms_script(mod.SUMMARY_FIELD)
+
         if mod.SUMMARY_TYPE == "grouped":
-            # Prefix-grouped aggregation: extract prefix from rule.name,
-            # with nested severity breakdown and top rules per group.
+            # Aggregate on the full rule.name field; Python groups into prefixes.
             body["aggs"] = {
-                "prefixes": {
+                "rules": {
                     "terms": {
-                        "script": {
-                            "source": (
-                                "def n = doc['rule.name'].value;"
-                                "int i = n.indexOf(' ');"
-                                "if (i < 0) return n;"
-                                "int j = n.indexOf(' ', i + 1);"
-                                "if (j < 0) return n.substring(0, i);"
-                                "return n.substring(0, j);"
-                            ),
-                            "lang": "painless",
-                        },
-                        "size": 50,
+                        "script": terms_script,
+                        "size": 500,
                         "order": {"_count": "desc"},
                     },
                     "aggs": {
@@ -460,13 +551,6 @@ def api_summary(log_type: str):
                                 "size": 5,
                             }
                         },
-                        "top_rules": {
-                            "terms": {
-                                "field": "rule.name",
-                                "size": 10,
-                                "order": {"_count": "desc"},
-                            }
-                        },
                     },
                 }
             }
@@ -474,7 +558,7 @@ def api_summary(log_type: str):
             body["aggs"] = {
                 "items": {
                     "terms": {
-                        "field": mod.SUMMARY_FIELD,
+                        "script": terms_script,
                         "size": 500,
                         "order": {"_count": "asc"},
                     }
@@ -483,34 +567,45 @@ def api_summary(log_type: str):
 
         raw = query_opensearch(body, params)
 
-        is_inline = request.args.get("inline") == "1"
-
         if mod.SUMMARY_TYPE == "grouped":
-            groups = []
+            # Group the flat rule.name buckets into two-word prefixes in Python.
+            groups_by_prefix: dict[str, dict] = {}
             if raw:
-                for b in raw.get("aggregations", {}).get("prefixes", {}).get("buckets", []):
+                for b in raw.get("aggregations", {}).get("rules", {}).get("buckets", []):
+                    rule_name: str = b["key"]
+                    count: int = b["doc_count"]
                     sev_map = {
                         s["key"]: s["doc_count"]
                         for s in b.get("by_severity", {}).get("buckets", [])
                     }
-                    min_sev = min(sev_map.keys()) if sev_map else 3
-                    groups.append(
-                        {
-                            "prefix": b["key"],
-                            "count": b["doc_count"],
-                            "min_severity": min_sev,
-                            "sev": sev_map,
-                            "top_rules": [
-                                {"name": r["key"], "count": r["doc_count"]}
-                                for r in b.get("top_rules", {}).get("buckets", [])
-                            ],
+                    # Mirror the painless prefix logic: up to the second space
+                    i = rule_name.find(" ")
+                    if i < 0:
+                        prefix = rule_name
+                    else:
+                        j = rule_name.find(" ", i + 1)
+                        prefix = rule_name[:i] if j < 0 else rule_name[:j]
+
+                    if prefix not in groups_by_prefix:
+                        groups_by_prefix[prefix] = {
+                            "prefix": prefix,
+                            "count": 0,
+                            "sev": {},
+                            "top_rules": [],
                         }
-                    )
-            template = (
-                "partials/summary_grouped.html" if is_inline else "partials/summary_grouped.html"
-            )
+                    g = groups_by_prefix[prefix]
+                    g["count"] += count
+                    for sev, cnt in sev_map.items():
+                        g["sev"][sev] = g["sev"].get(sev, 0) + cnt
+                    g["top_rules"].append({"name": rule_name, "count": count})
+
+            groups = sorted(groups_by_prefix.values(), key=lambda g: -g["count"])[:50]
+            for g in groups:
+                g["top_rules"] = sorted(g["top_rules"], key=lambda r: -r["count"])[:10]
+                g["min_severity"] = min(g["sev"].keys()) if g["sev"] else 3
+
             return render_template(
-                template,
+                "partials/summary_grouped.html",
                 groups=groups,
                 summary_param=mod.SUMMARY_PARAM,
             )
@@ -555,9 +650,9 @@ def api_sensor_summary():
             direction=None,
             time_from=search_params.get("time_from"),
             time_to=search_params.get("time_to"),
+            sort=False,
         )
         body["size"] = 0
-        body.pop("sort", None)
         body.pop("_source", None)
         body["aggs"] = {
             "sensors": {
@@ -593,16 +688,379 @@ def api_sensor_summary():
     def api_profile(ip: str):
         from src.querier.zeek_modules.base import is_private
 
-        if not is_private(ip):
-            return '<p class="empty-note">Device profiling is for private IPs only.</p>'
+        sensor = request.args.get("sensor", "all")
+        time_range = request.args.get("time_range", "now-7d")
+        compact = request.args.get("compact") == "1"
+
+        try:
+            if is_private(ip):
+                from src.profiler.device_profiler import profile_device
+
+                profile = profile_device(ip, time_range=time_range, sensor=sensor)
+                return render_template(
+                    "partials/device_card.html", profile=profile, compact=compact
+                )
+            else:
+                from src.profiler.public_ip_profiler import profile_public_ip
+
+                profile = profile_public_ip(ip, time_range=time_range)
+                return render_template(
+                    "partials/public_device_card.html", profile=profile, compact=compact
+                )
+        except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+            app.logger.warning("device profile failed for %s: %s", ip, exc)
+            return (
+                '<p class="investigate-error">'
+                '<i class="fa-solid fa-triangle-exclamation"></i> '
+                "Unable to load device profile.</p>"
+            )
+
+    # ------------------------------------------------------------------
+    # GET /investigate/<src_ip>/<dest_ip>  — one-click incident context page
+    # ------------------------------------------------------------------
+    @app.route("/investigate/<src_ip>/<dest_ip>")
+    def investigate_view(src_ip: str, dest_ip: str):
+        search_params = build_search_params_from_request(request)
+        return render_template(
+            "investigate.html",
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            search_params=search_params,
+        )
 
+    # ------------------------------------------------------------------
+    # GET /api/investigate/profiles  — HTMX: device profiles for src + dest
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/profiles")
+    def api_investigate_profiles():
+        from src.enricher.threat_intel import enrich_ip
         from src.profiler.device_profiler import profile_device
+        from src.profiler.public_ip_profiler import profile_public_ip
+        from src.querier.zeek_modules.base import is_private
 
+        src_ip = request.args.get("src_ip", "")
+        dest_ip = request.args.get("dest_ip", "")
         sensor = request.args.get("sensor", "all")
-        time_range = request.args.get("time_range", "now-7d")
-        compact = request.args.get("compact") == "1"
+        time_range = request.args.get("time_range", "now-24h")
+
+        src_profile = None
+        dest_profile = None
+        src_enrichment = None
+        dest_enrichment = None
+        src_error = None
+        dest_error = None
+
+        def _do_src():
+            nonlocal src_profile, src_enrichment, src_error
+            try:
+                if is_private(src_ip):
+                    src_profile = profile_device(src_ip, time_range=time_range, sensor=sensor)
+                else:
+                    src_profile = profile_public_ip(src_ip, time_range=time_range)
+                    src_enrichment = enrich_ip(src_ip, offer_fp=False)
+            except Exception as exc:
+                app.logger.exception("api_investigate_profiles src failed")
+                src_error = str(exc)
+
+        def _do_dest():
+            nonlocal dest_profile, dest_enrichment, dest_error
+            try:
+                if is_private(dest_ip):
+                    dest_profile = profile_device(dest_ip, time_range=time_range, sensor=sensor)
+                else:
+                    dest_profile = profile_public_ip(dest_ip, time_range=time_range)
+                    dest_enrichment = enrich_ip(dest_ip, offer_fp=False)
+            except Exception as exc:
+                app.logger.exception("api_investigate_profiles dest failed")
+                dest_error = str(exc)
+
+        f_src = POOL.submit(_do_src)
+        f_dest = POOL.submit(_do_dest)
+        f_src.result()
+        f_dest.result()
+
+        def _enrich_urls(ip: str) -> dict:
+            from src.enricher import abuseipdb, greynoise, shodan, virustotal
+
+            return {
+                "greynoise": greynoise.URL.format(ip=ip),
+                "abuseipdb": abuseipdb.URL.format(ip=ip),
+                "shodan": shodan.URL.format(ip=ip),
+                "virustotal": virustotal.URL.format(ip=ip),
+            }
 
-        profile = profile_device(ip, time_range=time_range, sensor=sensor)
-        return render_template("partials/device_card.html", profile=profile, compact=compact)
+        return render_template(
+            "partials/investigate_profiles.html",
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            src_profile=src_profile,
+            dest_profile=dest_profile,
+            src_enrichment=src_enrichment,
+            dest_enrichment=dest_enrichment,
+            src_urls=_enrich_urls(src_ip) if src_enrichment else None,
+            dest_urls=_enrich_urls(dest_ip) if dest_enrichment else None,
+            src_error=src_error,
+            dest_error=dest_error,
+        )
+
+    # ------------------------------------------------------------------
+    # GET /api/investigate/auth  — HTMX: Kerberos + NTLM auth history
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/auth")
+    def api_investigate_auth():
+        src_ip = request.args.get("src_ip", "")
+        dest_ip = request.args.get("dest_ip", "")
+        sensor = request.args.get("sensor", "all")
+        time_range = request.args.get("time_range", "now-24h")
+
+        try:
+            kerberos, ntlm = query_auth_history(src_ip, dest_ip, sensor, time_range)
+            error = None
+        except Exception as exc:
+            app.logger.exception("api_investigate_auth failed")
+            kerberos, ntlm, error = [], [], str(exc)
+
+        return render_template(
+            "partials/investigate_auth.html",
+            kerberos_history=kerberos,
+            ntlm_history=ntlm,
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            error=error,
+        )
+
+    # ------------------------------------------------------------------
+    # GET /api/investigate/chain  — HTMX: ATTACK::* notice chain for src_ip
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/chain")
+    def api_investigate_chain():
+        src_ip = request.args.get("src_ip", "")
+        sensor = request.args.get("sensor", "all")
+        time_range = request.args.get("time_range", "now-24h")
+
+        try:
+            chain = query_attack_chain(src_ip, sensor, time_range)
+            error = None
+        except Exception as exc:
+            app.logger.exception("api_investigate_chain failed")
+            chain, error = [], str(exc)
+
+        return render_template(
+            "partials/investigate_chain.html",
+            attack_chain=chain,
+            src_ip=src_ip,
+            error=error,
+        )
+
+    # ------------------------------------------------------------------
+    # GET /api/investigate/notices  — HTMX: Zeek notices for IP pair
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/notices")
+    def api_investigate_notices():
+        src_ip = request.args.get("src_ip", "")
+        dest_ip = request.args.get("dest_ip", "")
+        sensor = request.args.get("sensor", "all")
+        time_range = request.args.get("time_range", "now-24h")
+
+        try:
+            from src.querier.zeek_modules.base import run_query
+
+            base = {
+                "sensor": sensor,
+                "time_range": time_range,
+                "limit": 200,
+                "no_filters": False,
+                "public_only": False,
+                "raise_on_error": False,
+            }
+            fwd = run_query(MODULES["notice"], {**base, "src_ip": src_ip})
+            fwd = [r for r in fwd if r.get("dest_ip") == dest_ip]
+            rev = run_query(MODULES["notice"], {**base, "src_ip": dest_ip})
+            rev = [r for r in rev if r.get("dest_ip") == src_ip]
+            records = fwd + rev
+            records.sort(key=lambda r: r.get("timestamp", ""))
+            error = None
+        except Exception as exc:
+            app.logger.exception("api_investigate_notices failed")
+            records, error = [], str(exc)
+
+        return render_template(
+            "partials/investigate_notices.html",
+            notices=records,
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            error=error,
+        )
+
+    # ------------------------------------------------------------------
+    # GET /api/investigate/suricata  — HTMX: Suricata alerts for IP pair
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/suricata")
+    def api_investigate_suricata():
+        src_ip = request.args.get("src_ip", "")
+        dest_ip = request.args.get("dest_ip", "")
+        sensor = request.args.get("sensor", "all")
+        time_range = request.args.get("time_range", "now-24h")
+
+        try:
+            from src.querier.zeek_modules.base import run_query
+
+            base = {
+                "sensor": sensor,
+                "time_range": time_range,
+                "limit": 200,
+                "no_filters": False,
+                "public_only": False,
+                "raise_on_error": False,
+                "exclude_stream": True,
+            }
+            # src→dest direction
+            fwd = run_query(MODULES["suricata_alert"], {**base, "src_ip": src_ip})
+            fwd = [r for r in fwd if r.get("dest_ip") == dest_ip]
+            # dest→src direction
+            rev = run_query(MODULES["suricata_alert"], {**base, "src_ip": dest_ip})
+            rev = [r for r in rev if r.get("dest_ip") == src_ip]
+            records = fwd + rev
+            records.sort(key=lambda r: r.get("timestamp", ""))
+            error = None
+        except Exception as exc:
+            app.logger.exception("api_investigate_suricata failed")
+            records, error = [], str(exc)
+
+        return render_template(
+            "partials/investigate_suricata.html",
+            alerts=records,
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            error=error,
+        )
+
+    # ------------------------------------------------------------------
+    # GET /api/investigate/tickets  — HTMX: Mantis tickets for src + dest
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/tickets")
+    def api_investigate_tickets():
+        from src.mantis.mantis_search import search as search_tickets
+
+        src_ip = request.args.get("src_ip", "")
+        dest_ip = request.args.get("dest_ip", "")
+
+        try:
+            src_tickets = search_tickets(src_ip) if src_ip else []
+            dest_tickets = search_tickets(dest_ip) if dest_ip else []
+            # Deduplicate: drop dest tickets already shown under src
+            src_ids = {t.get("id") for t in src_tickets}
+            dest_tickets = [t for t in dest_tickets if t.get("id") not in src_ids]
+            error = None
+        except Exception as exc:
+            app.logger.exception("api_investigate_tickets failed")
+            src_tickets, dest_tickets, error = [], [], str(exc)
+
+        return render_template(
+            "partials/investigate_tickets.html",
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            src_tickets=src_tickets,
+            dest_tickets=dest_tickets,
+            error=error,
+        )
+
+    # ------------------------------------------------------------------
+    # GET /api/investigate/timeline  — HTMX: merged chronological event list
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/timeline")
+    def api_investigate_timeline():
+        src_ip = request.args.get("src_ip", "")
+        dest_ip = request.args.get("dest_ip", "")
+        sensor = request.args.get("sensor", "all")
+        time_range = request.args.get("time_range", "now-24h")
+
+        kerberos: list[dict] = []
+        ntlm: list[dict] = []
+        chain: list[dict] = []
+        errors: dict[str, str] = {}
+
+        def _auth() -> tuple[list[dict], list[dict]]:
+            return query_auth_history(src_ip, dest_ip, sensor, time_range)
+
+        def _chain() -> list[dict]:
+            return query_attack_chain(src_ip, sensor, time_range)
+
+        f_auth = POOL.submit(_auth)
+        f_chain = POOL.submit(_chain)
+        for fut in as_completed([f_auth, f_chain]):
+            if fut is f_auth:
+                try:
+                    kerberos, ntlm = fut.result()
+                except Exception as exc:
+                    app.logger.exception("api_investigate_timeline auth failed")
+                    errors["auth"] = str(exc)
+            else:
+                try:
+                    chain = fut.result()
+                except Exception as exc:
+                    app.logger.exception("api_investigate_timeline chain failed")
+                    errors["chain"] = str(exc)
+
+        ctx = IncidentContext(
+            trigger_type="ip_pair",
+            trigger={},
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            sensor=sensor,
+            time_range=time_range,
+            kerberos_history=kerberos,
+            ntlm_history=ntlm,
+            attack_chain=chain,
+            errors=errors,
+        )
+        timeline = build_timeline(ctx)
+
+        return render_template(
+            "partials/investigate_timeline.html",
+            timeline=timeline,
+            errors=errors,
+        )
+
+    # ------------------------------------------------------------------
+    # GET /api/investigate/log_counts  — HTMX: per-module record counts for src_ip
+    # ------------------------------------------------------------------
+    @app.route("/api/investigate/log_counts")
+    def api_investigate_log_counts():
+        src_ip = request.args.get("src_ip", "")
+        sensor = request.args.get("sensor", "all")
+        time_range = request.args.get("time_range", "now-24h")
+
+        search_params: dict = {
+            "time_range": time_range,
+            "time_from": None,
+            "time_to": None,
+            "sensor": sensor,
+            "limit": 500,
+            "public_only": False,
+            "src_ip": src_ip or None,
+            "dest_ip": None,
+            "direction": None,
+            "no_filters": False,
+            "use_cache": False,
+        }
+
+        counts: dict[str, int] = {}
+        futures = {POOL.submit(cached_run_query, lt, dict(search_params)): lt for lt in MODULES}
+        for fut in as_completed(futures):
+            lt = futures[fut]
+            try:
+                counts[lt] = len(fut.result())
+            except Exception:
+                app.logger.exception("log count query failed for %s", lt)
+                counts[lt] = 0
+
+        return render_template(
+            "partials/investigate_log_counts.html",
+            counts=counts,
+            src_ip=src_ip,
+            sensor=sensor,
+            time_range=time_range,
+        )
 
     return app
diff --git a/apps/opensearch_web/cache.py b/apps/opensearch_web/cache.py
index d99ebe6..6066366 100644
--- a/apps/opensearch_web/cache.py
+++ b/apps/opensearch_web/cache.py
@@ -10,6 +10,7 @@
 import hashlib
 import json
 import os
+import threading
 import time
 from threading import Lock
 
@@ -18,12 +19,47 @@
 _store: dict[str, tuple[float, list]] = {}
 _lock = Lock()
 
+# Single-flight: prevents duplicate in-flight queries for the same key.
+_inflight: dict[str, threading.Event] = {}
+_inflight_lock = Lock()
+
 
 def _key(log_type: str, search_params: dict) -> str:
     payload = json.dumps({"log_type": log_type, **search_params}, sort_keys=True)
     return hashlib.md5(payload.encode()).hexdigest()
 
 
+def raw_key(log_type: str, search_params: dict) -> str:
+    """Return the cache key string (used for ETags and single-flight coordination)."""
+    return _key(log_type, search_params)
+
+
+def claim(key: str) -> threading.Event | None:
+    """Try to become the leader for a cache miss. Returns an Event if leader, None if follower."""
+    with _inflight_lock:
+        if key in _inflight:
+            return None
+        event = threading.Event()
+        _inflight[key] = event
+        return event
+
+
+def wait_inflight(key: str) -> None:
+    """Block until the leader for this key finishes."""
+    with _inflight_lock:
+        event = _inflight.get(key)
+    if event:
+        event.wait()
+
+
+def release(key: str) -> None:
+    """Mark a key as done and wake any threads waiting on it."""
+    with _inflight_lock:
+        event = _inflight.pop(key, None)
+    if event:
+        event.set()
+
+
 def get(log_type: str, search_params: dict) -> list | None:
     """Return cached records if still within TTL, else None."""
     k = _key(log_type, search_params)
diff --git a/apps/opensearch_web/queries.py b/apps/opensearch_web/queries.py
index ef3baf1..96d2238 100644
--- a/apps/opensearch_web/queries.py
+++ b/apps/opensearch_web/queries.py
@@ -1,11 +1,24 @@
 """Web-layer query helpers — bridge between HTTP request params and run_query()."""
 
+import asyncio
+import os
 from collections import defaultdict
 from concurrent.futures import ThreadPoolExecutor, as_completed
 
 from apps.opensearch_web import cache as wcache
+from src.querier.runner import run_query_async
 from src.querier.zeek_modules import MODULES
-from src.querier.zeek_modules.base import console, run_query
+from src.querier.zeek_modules.base import (
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+    console,
+    run_query,
+)
+
+# Shared long-lived pool for all OpenSearch fan-out operations.  One pool
+# bounds total thread count across all concurrent requests instead of letting
+# each route spawn its own unlimited pool.
+POOL = ThreadPoolExecutor(max_workers=min(32, (os.cpu_count() or 4) * 4))
 
 
 def build_search_params_from_request(request, extra_keys=None) -> dict:
@@ -29,13 +42,29 @@ def build_search_params_from_request(request, extra_keys=None) -> dict:
 
 
 def cached_run_query(log_type: str, search_params: dict) -> list:
-    """run_query with in-memory TTL caching. Falls through to OpenSearch on miss."""
+    """run_query with in-memory TTL caching and single-flight dedup.
+
+    If two concurrent requests arrive with the same params and both miss the
+    cache, only one queries OpenSearch; the other waits and returns the same
+    result.
+    """
     cached = wcache.get(log_type, search_params)
     if cached is not None:
         return cached
-    records = run_query(MODULES[log_type], search_params)
-    wcache.put(log_type, search_params, records)
-    return records
+
+    k = wcache.raw_key(log_type, search_params)
+    event = wcache.claim(k)
+
+    if event is None:
+        wcache.wait_inflight(k)
+        return wcache.get(log_type, search_params) or []
+
+    try:
+        records = run_query(MODULES[log_type], search_params)
+        wcache.put(log_type, search_params, records)
+        return records
+    finally:
+        wcache.release(k)
 
 
 def run_cross_protocol_query(search_params: dict) -> list:
@@ -46,15 +75,89 @@ def run_cross_protocol_query(search_params: dict) -> list:
     """
     ip_modules = {lt: mod for lt, mod in MODULES.items() if mod.SUPPORTS_IP_FILTER}
     results_by_type: dict = {}
-    with ThreadPoolExecutor(max_workers=len(ip_modules)) as ex:
-        futures = {ex.submit(cached_run_query, lt, search_params): lt for lt in ip_modules}
-        for f in as_completed(futures):
-            lt = futures[f]
-            try:
-                results_by_type[lt] = f.result()
-            except Exception as exc:
-                results_by_type[lt] = []
-                console.print(f"[yellow]Cross-protocol query failed for {lt}: {exc}[/yellow]")
+    first_conn_error: Exception | None = None
+    futures = {POOL.submit(cached_run_query, lt, search_params): lt for lt in ip_modules}
+    for f in as_completed(futures):
+        lt = futures[f]
+        try:
+            results_by_type[lt] = f.result()
+        except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+            if first_conn_error is None:
+                first_conn_error = exc
+            results_by_type[lt] = []
+        except Exception as exc:
+            results_by_type[lt] = []
+            console.print(f"[yellow]Cross-protocol query failed for {lt}: {exc}[/yellow]")
+
+    if first_conn_error is not None:
+        raise first_conn_error
+
+    ip_data: dict = defaultdict(lambda: {"per_protocol": {lt: 0 for lt in ip_modules}, "total": 0})
+    for lt, records in results_by_type.items():
+        for rec in records:
+            ip = rec.get("src_ip", "")
+            if not ip or ip == "—":
+                continue
+            freq = rec.get("freq", 1)
+            ip_data[ip]["per_protocol"][lt] += freq
+            ip_data[ip]["total"] += freq
+
+    return sorted(
+        [{"src_ip": ip, **data} for ip, data in ip_data.items()],
+        key=lambda x: -x["total"],
+    )
+
+
+async def cached_run_query_async(log_type: str, search_params: dict) -> list:
+    """Async variant of cached_run_query — uses httpx.AsyncClient for web fan-out."""
+    cached = wcache.get(log_type, search_params)
+    if cached is not None:
+        return cached
+
+    k = wcache.raw_key(log_type, search_params)
+    event = wcache.claim(k)
+
+    if event is None:
+        # Another coroutine is already fetching this — yield control until it's done.
+        loop = asyncio.get_event_loop()
+        await loop.run_in_executor(None, wcache.wait_inflight, k)
+        return wcache.get(log_type, search_params) or []
+
+    try:
+        records = await run_query_async(MODULES[log_type], search_params)
+        wcache.put(log_type, search_params, records)
+        return records
+    finally:
+        wcache.release(k)
+
+
+async def run_cross_protocol_query_async(search_params: dict) -> list:
+    """Async fan-out across all IP-capable log types using httpx.AsyncClient.
+
+    Replaces the ThreadPoolExecutor-based run_cross_protocol_query with
+    asyncio.gather, which avoids thread creation overhead and shares a single
+    persistent HTTP/2-capable connection pool via httpx.AsyncClient.
+    """
+    ip_modules = {lt: mod for lt, mod in MODULES.items() if mod.SUPPORTS_IP_FILTER}
+    first_conn_error: Exception | None = None
+
+    tasks = {lt: cached_run_query_async(lt, search_params) for lt in ip_modules}
+    task_results = await asyncio.gather(*tasks.values(), return_exceptions=True)
+
+    results_by_type: dict = {}
+    for lt, result in zip(tasks.keys(), task_results):
+        if isinstance(result, (OpenSearchConnectionError, OpenSearchAuthError)):
+            if first_conn_error is None:
+                first_conn_error = result
+            results_by_type[lt] = []
+        elif isinstance(result, Exception):
+            results_by_type[lt] = []
+            console.print(f"[yellow]Cross-protocol query failed for {lt}: {result}[/yellow]")
+        else:
+            results_by_type[lt] = result
+
+    if first_conn_error is not None:
+        raise first_conn_error
 
     ip_data: dict = defaultdict(lambda: {"per_protocol": {lt: 0 for lt in ip_modules}, "total": 0})
     for lt, records in results_by_type.items():
diff --git a/apps/opensearch_web/run.py b/apps/opensearch_web/run.py
index 5f96dd0..28aa2c6 100755
--- a/apps/opensearch_web/run.py
+++ b/apps/opensearch_web/run.py
@@ -21,7 +21,9 @@
 
 app = create_app()
 
-if __name__ == "__main__":
+
+def main() -> None:
+    """Entry point for `pisces-opensearch` console script."""
     parser = argparse.ArgumentParser(description="PISCES Web UI")
     parser.add_argument("--host", default="0.0.0.0", help="Bind address (default: 0.0.0.0)")
     parser.add_argument("--port", type=int, default=5001, help="Port (default: 5001)")
@@ -29,5 +31,8 @@
         "--debug", action="store_true", default=False, help="Enable Flask debug mode"
     )
     args = parser.parse_args()
-
     app.run(host=args.host, port=args.port, debug=args.debug, threaded=True)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/apps/opensearch_web/static/pisces.css b/apps/opensearch_web/static/pisces.css
index a9d33d2..aa09212 100644
--- a/apps/opensearch_web/static/pisces.css
+++ b/apps/opensearch_web/static/pisces.css
@@ -804,6 +804,20 @@ tr.detail-row td {
   align-items: center;
   gap: 6px;
 }
+.enrich-col-header.enrich-col-src,
+.enrich-col-header.enrich-col-dst {
+  padding: 4px 10px;
+  border-radius: 6px;
+  border: 1px solid var(--outline);
+}
+.enrich-col-header.enrich-col-src {
+  border-color: color-mix(in srgb, var(--red) 25%, var(--outline));
+  background: color-mix(in srgb, var(--red) 4%, var(--surface-container));
+}
+.enrich-col-header.enrich-col-dst {
+  border-color: color-mix(in srgb, var(--primary) 25%, var(--outline));
+  background: color-mix(in srgb, var(--primary) 4%, var(--surface-container));
+}
 
 /* Legacy enrich triggers */
 .enrich-triggers { display: flex; flex-wrap: wrap; gap: 0.4rem; margin-top: 0.6rem; }
@@ -911,6 +925,10 @@ tr.detail-row td {
   border: 1px solid var(--outline);
   background: var(--surface-container-highest);
 }
+.mantis-ticket-card.mantis-ticket-escalated {
+  border-color: var(--red);
+  border-width: 2px;
+}
 .mantis-ticket-header {
   display: flex;
   align-items: center;
@@ -1328,6 +1346,29 @@ tr.detail-row td {
 
 .empty-note { color: var(--on-surface-dim); font-size: 0.82rem; font-style: italic; }
 
+.role-toggle {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  margin-bottom: 1rem;
+}
+
+.role-toggle-label {
+  font-size: 0.8rem;
+  color: var(--on-surface-dim);
+}
+
+.btn-active {
+  background: var(--primary);
+  color: var(--on-primary);
+  border-color: var(--primary);
+}
+
+.btn-active:hover {
+  background: var(--primary);
+  opacity: 0.9;
+}
+
 
 /* ── 13. Utilities ────────────────────────────────────── */
 
@@ -1427,18 +1468,25 @@ tr.detail-row td {
 /* ---------------------------------------------------------------------------
    Device profile card
    --------------------------------------------------------------------------- */
-.device-card { border: 1px solid var(--border); border-radius: 8px; margin: 1rem 0; }
+.device-card { border: 1px solid var(--border); border-radius: 8px; margin: 1rem 0; min-width: 0; overflow: hidden; }
 .device-card-header { padding: .75rem 1rem; border-bottom: 1px solid var(--border); display: flex; justify-content: space-between; align-items: center; flex-wrap: wrap; gap: .5rem; }
 .device-card-identity { font-size: 1.1rem; }
 .device-card-domain { color: var(--on-surface-dim); }
 .device-card-meta { display: flex; gap: .5rem; align-items: center; }
 .device-card-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1px; background: var(--border); }
-.device-card-section { padding: .75rem 1rem; background: var(--surface); }
+.device-card-section { padding: .75rem 1rem; background: var(--surface); overflow: hidden; }
 .device-card-section h4,
 .device-card-section summary { margin: 0 0 .5rem; font-size: .8rem; color: var(--on-surface-dim); text-transform: uppercase; letter-spacing: .05em; cursor: pointer; }
 .device-card-section h4 { cursor: default; }
 .device-card-footer { padding: .5rem 1rem; font-size: .75rem; color: var(--on-surface-dim); border-top: 1px solid var(--border); }
+.device-card-footer .btn-link { background: none; border: none; color: var(--primary); cursor: pointer; font-size: .75rem; padding: 0; margin-right: .5rem; text-decoration: underline; }
 .device-card-users { padding: 0 1rem .5rem; font-size: .8rem; color: var(--on-surface-dim); border-bottom: 1px solid var(--border); }
+.device-card-traffic { padding: .4rem 1rem; font-size: .8rem; border-bottom: 1px solid var(--border); display: flex; flex-wrap: wrap; gap: .25rem .5rem; align-items: center; }
+.dct-up   { color: var(--green); font-weight: 600; font-family: var(--mono); }
+.dct-down { color: var(--on-surface); font-weight: 600; font-family: var(--mono); }
+.dct-sep  { color: var(--on-surface-dim); }
+.dct-dests { color: var(--on-surface-dim); }
+.dct-status { color: var(--on-surface-dim); font-style: italic; }
 .role-badge { padding: 2px 8px; border-radius: 4px; font-size: .8rem; font-weight: 600; }
 .role-domain_controller { background: color-mix(in srgb, var(--blue) 15%, transparent); color: var(--blue); }
 .role-file_server { background: color-mix(in srgb, var(--yellow) 15%, transparent); color: var(--yellow); }
@@ -1449,9 +1497,9 @@ tr.detail-row td {
 .role-unknown { background: var(--surface-dim); color: var(--on-surface-dim); }
 .os-badge { padding: 2px 8px; border-radius: 4px; font-size: .75rem; background: var(--surface-dim); }
 .confidence { font-weight: 400; opacity: .7; margin-left: .25rem; }
-.mini-table { width: 100%; font-size: .8rem; border-collapse: collapse; }
+.mini-table { width: 100%; font-size: .8rem; border-collapse: collapse; table-layout: fixed; }
 .mini-table th { text-align: left; font-weight: 600; color: var(--on-surface-dim); border-bottom: 1px solid var(--border); padding: 2px 4px; }
-.mini-table td { padding: 2px 4px; }
+.mini-table td { padding: 2px 4px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
 .mini-label { font-size: .75rem; color: var(--on-surface-dim); margin: .25rem 0 .125rem; }
 .tag-list { list-style: none; padding: 0; margin: 0; display: flex; flex-wrap: wrap; gap: .25rem; }
 .tag { padding: 2px 6px; border-radius: 3px; font-size: .75rem; background: var(--surface-dim); }
@@ -1460,3 +1508,218 @@ tr.detail-row td {
 .device-card-compact .device-card-grid { grid-template-columns: 1fr; }
 .device-card-compact .device-card-header { flex-direction: column; align-items: flex-start; }
 .device-card-compact .device-card-identity { font-size: .95rem; }
+
+/* ── Investigate page ─────────────────────────────────────────────── */
+.investigate-arrow { color: var(--on-surface-dim); margin: 0 .25rem; }
+
+.investigate-section {
+  margin-bottom: 2rem;
+}
+
+.investigate-section-header {
+  display: flex;
+  align-items: baseline;
+  gap: .75rem;
+  margin-bottom: .75rem;
+}
+
+.investigate-section-header h2 {
+  font-size: 1rem;
+  font-weight: 600;
+  margin: 0;
+  color: var(--on-surface);
+}
+
+.investigate-section-sub {
+  font-size: .8rem;
+  color: var(--on-surface-dim);
+}
+
+/* Side-by-side device profile columns */
+.investigate-profiles-grid {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  gap: 1rem;
+}
+
+.investigate-profile-col {
+  min-width: 0;
+}
+
+.investigate-profile-label {
+  font-size: .8rem;
+  font-weight: 600;
+  color: var(--on-surface-dim);
+  margin-bottom: .5rem;
+  display: flex;
+  align-items: center;
+  gap: .4rem;
+}
+
+/* Auth history protocol sub-headers */
+.investigate-auth-protocol {
+  margin-bottom: 1.25rem;
+}
+
+.investigate-auth-proto-label {
+  font-size: .875rem;
+  font-weight: 600;
+  margin: 0 0 .5rem;
+  color: var(--on-surface);
+  display: flex;
+  align-items: center;
+  gap: .5rem;
+}
+
+/* Two-column ticket grid */
+.investigate-tickets-grid {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  gap: 1rem;
+  align-items: start;
+}
+
+.investigate-ticket-col {
+  min-width: 0;
+}
+
+/* Attack chain notice badge */
+.attack-note-badge {
+  font-size: .75rem;
+  font-family: var(--font-mono, monospace);
+  background: color-mix(in srgb, var(--red) 12%, transparent);
+  color: var(--red);
+  padding: 2px 6px;
+  border-radius: 3px;
+  white-space: nowrap;
+}
+
+/* Error state */
+.investigate-error {
+  color: var(--red);
+  font-size: .85rem;
+  display: flex;
+  align-items: center;
+  gap: .4rem;
+}
+
+.investigate-error-list {
+  display: flex;
+  flex-direction: column;
+  gap: .25rem;
+  margin-bottom: .75rem;
+}
+
+/* Skeleton loaders */
+.investigate-skeleton { opacity: .5; }
+
+.skeleton-card {
+  height: 140px;
+  background: var(--surface-dim);
+  border-radius: 6px;
+  animation: skeleton-pulse 1.4s ease-in-out infinite;
+}
+
+.skeleton-table {
+  height: 80px;
+  background: var(--surface-dim);
+  border-radius: 4px;
+  animation: skeleton-pulse 1.4s ease-in-out infinite;
+}
+
+.skeleton-list {
+  height: 60px;
+  background: var(--surface-dim);
+  border-radius: 4px;
+  animation: skeleton-pulse 1.4s ease-in-out infinite;
+}
+
+.investigate-profiles-skeleton {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  gap: 1rem;
+}
+
+@keyframes skeleton-pulse {
+  0%, 100% { opacity: .5; }
+  50%       { opacity: .25; }
+}
+
+@media (max-width: 900px) {
+  .investigate-profiles-grid,
+  .investigate-tickets-grid { grid-template-columns: 1fr; }
+  .investigate-profiles-skeleton { grid-template-columns: 1fr; }
+}
+
+/* ── Investigate: log search buttons ─────────────────────────────── */
+.log-count-group { margin-bottom: 1.2rem; }
+.log-count-group:last-child { margin-bottom: 0; }
+.log-count-group-label {
+  font-size: 0.7rem;
+  text-transform: uppercase;
+  letter-spacing: 0.08em;
+  color: var(--on-surface-dim);
+  margin-bottom: 0.4rem;
+  display: flex;
+  align-items: center;
+  gap: 0.35rem;
+}
+.log-count-btns { display: flex; flex-wrap: wrap; gap: 0.4rem; }
+.log-count-btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.4rem;
+  padding: 0.3rem 0.7rem;
+  border-radius: var(--radius-pill);
+  background: var(--surface-container-high);
+  color: var(--on-surface);
+  text-decoration: none;
+  font-size: 0.8rem;
+  border: 1px solid var(--outline);
+  transition: background 0.15s, border-color 0.15s;
+}
+.log-count-btn:hover {
+  background: var(--surface-container-highest);
+  border-color: var(--primary);
+  color: var(--on-surface);
+}
+.log-count-btn--empty { opacity: 0.38; }
+.log-count-badge {
+  background: var(--primary);
+  color: #fff;
+  border-radius: var(--radius-pill);
+  padding: 0 0.45rem;
+  font-size: 0.7rem;
+  font-weight: 600;
+  min-width: 1.35rem;
+  text-align: center;
+  line-height: 1.5;
+}
+.log-count-btn--empty .log-count-badge { background: var(--on-surface-dim); }
+
+/* ── Query error banner ───────────────────────────────── */
+.query-error-banner {
+  display: flex;
+  align-items: flex-start;
+  gap: .6rem;
+  padding: .85rem 1.1rem;
+  margin: 1rem 0;
+  background: color-mix(in srgb, var(--red) 12%, var(--surface));
+  border: 1px solid color-mix(in srgb, var(--red) 40%, transparent);
+  border-radius: var(--radius-card);
+  color: var(--on-surface);
+  font-size: .875rem;
+  line-height: 1.5;
+}
+.query-error-banner i {
+  color: var(--red);
+  margin-top: .15rem;
+  flex-shrink: 0;
+}
+.query-error-cell {
+  text-align: left;
+  color: var(--red);
+  padding: .75rem 1rem;
+  font-size: .85rem;
+}
+.query-error-cell i { margin-right: .4rem; }
diff --git a/apps/opensearch_web/templates/base.html b/apps/opensearch_web/templates/base.html
index d0b44ac..b8f3e79 100644
--- a/apps/opensearch_web/templates/base.html
+++ b/apps/opensearch_web/templates/base.html
@@ -147,6 +147,10 @@
           <i class="fa-solid fa-magnifying-glass"></i> Search
         </button>
 
+        <button type="button" class="btn search-btn" onclick="launchInvestigate()">
+          <i class="fa-solid fa-magnifying-glass-chart"></i> Investigate
+        </button>
+
         <div class="search-pill share-pill share-wrapper"
              onclick="toggleShareDropdown()" title="Share this view"
              style="cursor:pointer">
@@ -334,6 +338,28 @@
     });
   };
 
+  window.toggleDetailsAll = function(btn) {
+    var card = btn.closest(".device-card");
+    var details = card.querySelectorAll("details");
+    var allOpen = Array.from(details).every(function(d) { return d.open; });
+    details.forEach(function(d) { d.open = !allOpen; });
+    btn.textContent = allOpen ? "Expand all" : "Collapse all";
+  };
+
+  window.launchInvestigate = function() {
+    var form = document.getElementById("global-search");
+    var src = (form.querySelector('input[name="src_ip"]').value || "").trim();
+    var dst = (form.querySelector('input[name="dest_ip"]').value || "").trim();
+    if (!src || !dst) {
+      var missing = !src && !dst ? "Src IP and Dst IP" : !src ? "Src IP" : "Dst IP";
+      alert("Investigate requires both IPs. Please fill in " + missing + " in the search bar.");
+      return;
+    }
+    var qs = new URLSearchParams(new FormData(form)).toString();
+    window.location.href = window.SCRIPT_NAME + "/investigate/" +
+      encodeURIComponent(src) + "/" + encodeURIComponent(dst) + "?" + qs;
+  };
+
   window.handleDetailToggle = function(el) {
     var row = el.tagName === "TR" ? el : el.closest("tr");
     var isSelected = row.classList.contains("row-selected");
diff --git a/apps/opensearch_web/templates/investigate.html b/apps/opensearch_web/templates/investigate.html
new file mode 100644
index 0000000..5bc44d0
--- /dev/null
+++ b/apps/opensearch_web/templates/investigate.html
@@ -0,0 +1,133 @@
+{% extends "base.html" %}
+{% block title %}PISCES · Investigate — {{ src_ip }} → {{ dest_ip }}{% endblock title %}
+
+{% block content %}
+<div class="page-header">
+  <h1>
+    <i class="fa-solid fa-magnifying-glass-chart"></i>
+    {{ src_ip }}
+    <span class="investigate-arrow">→</span>
+    {{ dest_ip }}
+  </h1>
+  <span class="time-window">
+    <i class="fa-regular fa-clock"></i>
+    {{ fmt_time_window(search_params.get('time_range', 'now-24h')) }}
+  </span>
+  <a class="btn btn-sm"
+     href="{{ script_name }}/ip/{{ src_ip }}?{{ request.query_string.decode() }}">
+    <i class="fa-solid fa-arrow-right-from-bracket"></i> Src Pivot
+  </a>
+  <a class="btn btn-sm"
+     href="{{ script_name }}/ip/{{ dest_ip }}?{{ request.query_string.decode() }}">
+    <i class="fa-solid fa-arrow-right-to-bracket"></i> Dst Pivot
+  </a>
+</div>
+
+{# Lazy-load query string shared across all sections #}
+{% set qs = "src_ip=" ~ src_ip ~ "&dest_ip=" ~ dest_ip ~ "&sensor=" ~ search_params.get('sensor', 'all') ~ "&time_range=" ~ search_params.get('time_range', 'now-24h') %}
+
+{# ── Device Profiles ──────────────────────────────────────────────── #}
+<section class="investigate-section">
+  <div class="investigate-section-header">
+    <h2><i class="fa-solid fa-fingerprint"></i> Device Profiles</h2>
+  </div>
+  <div hx-get="/api/investigate/profiles?{{ qs }}"
+       hx-trigger="load"
+       hx-swap="innerHTML">
+    <div class="investigate-skeleton investigate-profiles-skeleton">
+      <div class="skeleton-card"></div>
+      <div class="skeleton-card"></div>
+    </div>
+  </div>
+</section>
+
+{# ── Attack Chain ─────────────────────────────────────────────────── #}
+<section class="investigate-section">
+  <div class="investigate-section-header">
+    <h2><i class="fa-solid fa-link"></i> Attack Chain</h2>
+    <span class="investigate-section-sub">ATTACK::* notices from {{ src_ip }}</span>
+  </div>
+  <div hx-get="/api/investigate/chain?src_ip={{ src_ip }}&sensor={{ search_params.get('sensor', 'all') }}&time_range={{ search_params.get('time_range', 'now-24h') }}"
+       hx-trigger="load"
+       hx-swap="innerHTML">
+    <div class="investigate-skeleton">
+      <div class="skeleton-table"></div>
+    </div>
+  </div>
+</section>
+
+{# ── Suricata Alerts ──────────────────────────────────────────────── #}
+<section class="investigate-section">
+  <div class="investigate-section-header">
+    <h2><i class="fa-solid fa-fire"></i> Suricata Alerts</h2>
+    <span class="investigate-section-sub">IDS alerts between {{ src_ip }} ↔ {{ dest_ip }}</span>
+  </div>
+  <div hx-get="/api/investigate/suricata?{{ qs }}"
+       hx-trigger="load"
+       hx-swap="innerHTML">
+    <div class="investigate-skeleton">
+      <div class="skeleton-table"></div>
+    </div>
+  </div>
+</section>
+
+{# ── Zeek Notices ─────────────────────────────────────────────────── #}
+<section class="investigate-section">
+  <div class="investigate-section-header">
+    <h2><i class="fa-solid fa-bell"></i> Zeek Notices</h2>
+    <span class="investigate-section-sub">All notice types between {{ src_ip }} ↔ {{ dest_ip }}</span>
+  </div>
+  <div hx-get="/api/investigate/notices?{{ qs }}"
+       hx-trigger="load"
+       hx-swap="innerHTML">
+    <div class="investigate-skeleton">
+      <div class="skeleton-table"></div>
+    </div>
+  </div>
+</section>
+
+{# ── Related Tickets ──────────────────────────────────────────────── #}
+<section class="investigate-section">
+  <div class="investigate-section-header">
+    <h2><i class="fa-solid fa-ticket"></i> Related Tickets</h2>
+    <span class="investigate-section-sub">Mantis tickets mentioning either IP</span>
+  </div>
+  <div hx-get="/api/investigate/tickets?src_ip={{ src_ip }}&dest_ip={{ dest_ip }}"
+       hx-trigger="load"
+       hx-swap="innerHTML">
+    <div class="investigate-skeleton">
+      <div class="skeleton-list"></div>
+    </div>
+  </div>
+</section>
+
+{# ── Timeline ─────────────────────────────────────────────────────── #}
+<section class="investigate-section">
+  <div class="investigate-section-header">
+    <h2><i class="fa-solid fa-clock-rotate-left"></i> Timeline</h2>
+    <span class="investigate-section-sub">Merged chronological events</span>
+  </div>
+  <div hx-get="/api/investigate/timeline?{{ qs }}"
+       hx-trigger="load"
+       hx-swap="innerHTML">
+    <div class="investigate-skeleton">
+      <div class="skeleton-table"></div>
+    </div>
+  </div>
+</section>
+
+{# ── Search All Logs ──────────────────────────────────────────────── #}
+<section class="investigate-section">
+  <div class="investigate-section-header">
+    <h2><i class="fa-solid fa-magnifying-glass"></i> Search All Logs</h2>
+    <span class="investigate-section-sub">Browse log types filtered by {{ src_ip }}</span>
+  </div>
+  <div hx-get="/api/investigate/log_counts?src_ip={{ src_ip }}&sensor={{ search_params.get('sensor', 'all') }}&time_range={{ search_params.get('time_range', 'now-24h') }}"
+       hx-trigger="load"
+       hx-swap="innerHTML">
+    <div class="investigate-skeleton">
+      <div class="skeleton-table"></div>
+    </div>
+  </div>
+</section>
+{% endblock content %}
diff --git a/apps/opensearch_web/templates/ip_pivot.html b/apps/opensearch_web/templates/ip_pivot.html
index 75be338..6302470 100644
--- a/apps/opensearch_web/templates/ip_pivot.html
+++ b/apps/opensearch_web/templates/ip_pivot.html
@@ -8,26 +8,48 @@ <h1>IP Pivot: {{ ip }}</h1>
     <i class="fa-regular fa-clock"></i>
     {{ fmt_time_window(search_params.get('time_range', 'now-24h')) }}
   </span>
-  {% if is_private(ip) %}
   <button class="btn"
           hx-post="/api/profile/{{ ip }}?{{ request.query_string.decode() }}"
-          hx-target="#enrich-panel"
+          hx-target="#profile-slot"
           hx-swap="innerHTML"
           hx-indicator="#profile-spinner">
-    <i class="fa-solid fa-fingerprint"></i> Profile Device
+    <i class="fa-solid fa-fingerprint"></i> {{ 'Profile Device' if is_private(ip) else 'Profile' }}
     <span id="profile-spinner" class="htmx-indicator"><i class="fa-solid fa-spinner fa-spin"></i></span>
   </button>
-  {% else %}
+  {% if not is_private(ip) %}
   <button class="btn"
           hx-post="/api/enrich/{{ ip }}"
-          hx-target="#enrich-panel"
+          hx-target="#enrich-slot"
           hx-swap="innerHTML">
     <i class="fa-solid fa-shield-halved"></i> Enrich
   </button>
   {% endif %}
 </div>
 
-<div id="enrich-panel"></div>
+<div class="role-toggle">
+  <span class="role-toggle-label">IP role:</span>
+  <a class="btn btn-sm{% if ip_role == 'both' %} btn-active{% endif %}" href="{{ both_url }}">
+    <i class="fa-solid fa-arrows-left-right"></i> Both
+  </a>
+  <a class="btn btn-sm{% if ip_role == 'src' %} btn-active{% endif %}" href="{{ src_url }}">
+    <i class="fa-solid fa-arrow-right-from-bracket"></i> As Source
+  </a>
+  <a class="btn btn-sm{% if ip_role == 'dest' %} btn-active{% endif %}" href="{{ dest_url }}">
+    <i class="fa-solid fa-arrow-right-to-bracket"></i> As Destination
+  </a>
+</div>
+
+<div id="enrich-panel">
+  <div id="profile-slot"></div>
+  <div id="enrich-slot"></div>
+</div>
+
+{% if error %}
+<div class="query-error-banner">
+  <i class="fa-solid fa-triangle-exclamation"></i>
+  <strong>OpenSearch unavailable</strong> — {{ error }}
+</div>
+{% endif %}
 
 {% for lt, records in results.items() %}
 {% set mod = MODULES[lt] %}
@@ -36,7 +58,14 @@ <h1>IP Pivot: {{ ip }}</h1>
   <div class="pivot-section-header">
     <span class="proto-tag">{{ lt }}</span>
     <span class="count-note">{{ records|length }} record(s)</span>
-    <a class="btn btn-sm" href="{{ script_name }}/log/{{ lt }}?src_ip={{ ip }}&{{ request.query_string.decode() }}">
+    {% if ip_role == 'dest' %}
+      {% set ip_qs = 'dest_ip=' ~ ip %}
+    {% elif ip_role == 'both' %}
+      {% set ip_qs = 'src_ip=' ~ ip ~ '&dest_ip=' ~ ip %}
+    {% else %}
+      {% set ip_qs = 'src_ip=' ~ ip %}
+    {% endif %}
+    <a class="btn btn-sm" href="{{ script_name }}/log/{{ lt }}?{{ ip_qs }}&{{ request.query_string.decode() }}">
       <i class="fa-solid fa-arrow-up-right-from-square"></i> Full view
     </a>
   </div>
@@ -55,8 +84,13 @@ <h1>IP Pivot: {{ ip }}</h1>
           <th class="num">#</th>
           <th class="sortable">Time</th>
           <th class="sortable">Sensor</th>
+          {% if ip_role == 'dest' %}
+          <th class="sortable">Src IP</th>
+          <th class="sortable num">Src Port</th>
+          {% else %}
           <th class="sortable">Dst IP</th>
           <th class="sortable num">Dst Port</th>
+          {% endif %}
           {% for header, _ in web_columns %}
           <th class="sortable">{{ header }}</th>
           {% endfor %}
@@ -67,7 +101,7 @@ <h1>IP Pivot: {{ ip }}</h1>
         {% for rec in records %}
         {% set idx = loop.index %}
         <tr id="{{ lt }}-row-{{ idx }}"
-            hx-get="/api/detail/{{ lt }}/{{ idx }}?src_ip={{ ip }}&{{ request.query_string.decode() }}"
+            hx-get="/api/detail/{{ lt }}/{{ idx }}?{%- if ip_role == 'dest' -%}dest_ip={{ ip }}{%- else -%}src_ip={{ ip }}{%- endif -%}&{{ request.query_string.decode() }}"
             hx-target="#detail-panel-content"
             hx-swap="innerHTML"
             hx-trigger="click[this.classList.contains('row-selected') && !event.target.closest('a')]"
@@ -80,8 +114,13 @@ <h1>IP Pivot: {{ ip }}</h1>
             {% set sensors = rec.get('sensors') %}
             {% if sensors %}{{ sensors | join(', ') }}{% else %}{{ rec.get('sensor', '—') }}{% endif %}
           </td>
+          {% if ip_role == 'dest' %}
+          <td title="{{ rec.get('src_ip','') }}">{{ rec.get('src_ip', '—') }}</td>
+          <td class="num">{{ rec.get('src_port', '—') }}</td>
+          {% else %}
           <td title="{{ rec.get('dest_ip','') }}">{{ rec.get('dest_ip', '—') }}</td>
           <td class="num">{{ rec.get('dest_port', '—') }}</td>
+          {% endif %}
           {% for _, fn in web_columns %}
           <td>{{ fn(rec) }}</td>
           {% endfor %}
@@ -92,7 +131,7 @@ <h1>IP Pivot: {{ ip }}</h1>
     </table>
   </div>
   {% else %}
-  <p class="empty-note">No {{ lt }} records for this IP in the selected window.</p>
+  <p class="empty-note">No {{ lt }} records for this IP as {{ ip_role }}.</p>
   {% endif %}
 </div>
 {% endfor %}
diff --git a/apps/opensearch_web/templates/log_view.html b/apps/opensearch_web/templates/log_view.html
index 39ba006..ffbbb98 100644
--- a/apps/opensearch_web/templates/log_view.html
+++ b/apps/opensearch_web/templates/log_view.html
@@ -18,6 +18,13 @@ <h1>{{ log_type }}</h1>
   </span>
 </div>
 
+{% if error %}
+<div class="query-error-banner">
+  <i class="fa-solid fa-triangle-exclamation"></i>
+  <strong>OpenSearch unavailable</strong> — {{ error }}
+</div>
+{% endif %}
+
 {# Protocol-specific filter form (only shown if the module has extra params) #}
 {% if extra_keys %}
 <form class="filter-form" id="notice-filter-form"
diff --git a/apps/opensearch_web/templates/overview.html b/apps/opensearch_web/templates/overview.html
index 246e0bf..83258dd 100644
--- a/apps/opensearch_web/templates/overview.html
+++ b/apps/opensearch_web/templates/overview.html
@@ -16,7 +16,12 @@ <h1>Cross-Protocol IP Activity</h1>
   Click a cell count to drill into that protocol. Click an IP to pivot.
 </p>
 
-{% if rows %}
+{% if error %}
+<div class="query-error-banner">
+  <i class="fa-solid fa-triangle-exclamation"></i>
+  <strong>OpenSearch unavailable</strong> — {{ error }}
+</div>
+{% elif rows %}
 <div class="table-wrap">
   <table id="overview-table" class="no-resize">
     <thead>
diff --git a/apps/opensearch_web/templates/partials/device_card.html b/apps/opensearch_web/templates/partials/device_card.html
index 13ea137..58de743 100644
--- a/apps/opensearch_web/templates/partials/device_card.html
+++ b/apps/opensearch_web/templates/partials/device_card.html
@@ -30,6 +30,19 @@
     {% endif %}
   </div>
 
+  {# Traffic summary #}
+  <div class="device-card-traffic">
+    <span class="dct-up">↑ {{ profile.bytes_sent | fmt_bytes }}</span>
+    <span class="dct-sep">·</span>
+    <span class="dct-down">↓ {{ profile.bytes_received | fmt_bytes }}</span>
+    <span class="dct-sep">·</span>
+    <span class="dct-dests">{{ profile.unique_dest_count }} dest{{ 's' if profile.unique_dest_count != 1 else '' }}</span>
+    {% if profile.conn_status %}
+    <span class="dct-sep">·</span>
+    <span class="dct-status">{{ profile.conn_status }}</span>
+    {% endif %}
+  </div>
+
   {# Signal grid #}
   <div class="device-card-grid">
 
@@ -149,6 +162,7 @@ <h4><i class="fa-solid fa-cube"></i> Software</h4>
 
   {# Footer #}
   <div class="device-card-footer">
+    <button class="btn-link expand-all-btn" onclick="toggleDetailsAll(this)">Expand all</button>
     {% if profile.first_seen %}
     First: {{ profile.first_seen[:16] }} · Last: {{ profile.last_seen[:16] }}
     {% endif %}
diff --git a/apps/opensearch_web/templates/partials/investigate_auth.html b/apps/opensearch_web/templates/partials/investigate_auth.html
new file mode 100644
index 0000000..3059aba
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_auth.html
@@ -0,0 +1,106 @@
+{# Investigate — authentication history partial.
+   Receives: kerberos_history, ntlm_history, src_ip, dest_ip, error #}
+
+{% if error %}
+<p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> {{ error }}</p>
+{% else %}
+
+{# Kerberos #}
+<div class="investigate-auth-protocol">
+  <h3 class="investigate-auth-proto-label">
+    <i class="fa-solid fa-shield-halved"></i> Kerberos
+    <span class="count-note">{{ kerberos_history | length }} record(s)</span>
+  </h3>
+  {% if kerberos_history %}
+  <div class="table-wrap">
+    <table class="no-resize">
+      <thead>
+        <tr>
+          <th class="sortable">Time</th>
+          <th class="sortable">Sensor</th>
+          <th class="sortable">Client</th>
+          <th class="sortable">Service</th>
+          <th class="sortable">Type</th>
+          <th class="sortable">Auth</th>
+          <th class="sortable">Error</th>
+        </tr>
+      </thead>
+      <tbody>
+        {% for rec in kerberos_history %}
+        <tr>
+          <td class="ts-cell" data-iso="{{ rec.get('timestamp', '') }}" onclick="copyTimestamp(this)" title="Click to copy">
+            {{ rec.get('timestamp') | fmt_ts(full=True) }}
+          </td>
+          <td>{{ rec.get('sensor', '—') }}</td>
+          <td>{{ rec.get('client', '—') or '—' }}</td>
+          <td>{{ rec.get('service', '—') or '—' }}</td>
+          <td>{{ rec.get('request_type', '—') or '—' }}</td>
+          <td>
+            {% if rec.get('success') == True %}
+            <span class="badge badge-green">✓ OK</span>
+            {% elif rec.get('success') == False %}
+            <span class="badge badge-red">✗ Fail</span>
+            {% else %}
+            <span class="badge badge-gray">—</span>
+            {% endif %}
+          </td>
+          <td class="mono" style="font-size:0.75rem">{{ rec.get('error_msg', '—') or '—' }}</td>
+        </tr>
+        {% endfor %}
+      </tbody>
+    </table>
+  </div>
+  {% else %}
+  <p class="empty-note">No Kerberos records between {{ src_ip }} ↔ {{ dest_ip }} in this window.</p>
+  {% endif %}
+</div>
+
+{# NTLM #}
+<div class="investigate-auth-protocol">
+  <h3 class="investigate-auth-proto-label">
+    <i class="fa-solid fa-lock"></i> NTLM
+    <span class="count-note">{{ ntlm_history | length }} record(s)</span>
+  </h3>
+  {% if ntlm_history %}
+  <div class="table-wrap">
+    <table class="no-resize">
+      <thead>
+        <tr>
+          <th class="sortable">Time</th>
+          <th class="sortable">Sensor</th>
+          <th class="sortable">Username</th>
+          <th class="sortable">Client Host</th>
+          <th class="sortable">Domain</th>
+          <th class="sortable">Auth</th>
+        </tr>
+      </thead>
+      <tbody>
+        {% for rec in ntlm_history %}
+        <tr>
+          <td class="ts-cell" data-iso="{{ rec.get('timestamp', '') }}" onclick="copyTimestamp(this)" title="Click to copy">
+            {{ rec.get('timestamp') | fmt_ts(full=True) }}
+          </td>
+          <td>{{ rec.get('sensor', '—') }}</td>
+          <td>{{ rec.get('username', '—') or '—' }}</td>
+          <td>{{ rec.get('client_hostname', '—') or '—' }}</td>
+          <td>{{ rec.get('domain', '—') or '—' }}</td>
+          <td>
+            {% if rec.get('success') == True %}
+            <span class="badge badge-green">✓ OK</span>
+            {% elif rec.get('success') == False %}
+            <span class="badge badge-red">✗ Fail</span>
+            {% else %}
+            <span class="badge badge-gray">—</span>
+            {% endif %}
+          </td>
+        </tr>
+        {% endfor %}
+      </tbody>
+    </table>
+  </div>
+  {% else %}
+  <p class="empty-note">No NTLM records between {{ src_ip }} ↔ {{ dest_ip }} in this window.</p>
+  {% endif %}
+</div>
+
+{% endif %}
diff --git a/apps/opensearch_web/templates/partials/investigate_chain.html b/apps/opensearch_web/templates/partials/investigate_chain.html
new file mode 100644
index 0000000..97cef27
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_chain.html
@@ -0,0 +1,50 @@
+{# Investigate — attack chain partial.
+   Receives: attack_chain (list[dict]), src_ip, error #}
+
+{% if error %}
+<p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> {{ error }}</p>
+{% elif not attack_chain %}
+<p class="empty-note">No ATTACK::* notices detected for {{ src_ip }} in this window.</p>
+{% else %}
+<div class="table-wrap">
+  <table class="no-resize">
+    <thead>
+      <tr>
+        <th class="num">#</th>
+        <th class="sortable">Time</th>
+        <th class="sortable">Sensor</th>
+        <th class="sortable">Dst IP</th>
+        <th class="sortable">Notice</th>
+        <th class="sortable">Message</th>
+      </tr>
+    </thead>
+    <tbody>
+      {% for rec in attack_chain %}
+      <tr>
+        <td class="num">{{ loop.index }}</td>
+        <td class="ts-cell" data-iso="{{ rec.get('timestamp', '') }}" onclick="copyTimestamp(this)" title="Click to copy">
+          {{ rec.get('timestamp') | fmt_ts(full=True) }}
+        </td>
+        <td>{{ rec.get('sensor', '—') }}</td>
+        <td>
+          {% if rec.get('dest_ip') %}
+          <a class="ip-link" href="{{ script_name }}/ip/{{ rec.dest_ip }}?{{ request.query_string.decode() }}">
+            {{ rec.dest_ip }}
+          </a>
+          {% else %}—{% endif %}
+        </td>
+        <td>
+          <span class="attack-note-badge">{{ rec.get('notice_note', '—') }}</span>
+        </td>
+        <td style="font-size:0.8rem; color:var(--on-surface-dim)">
+          {{ (rec.get('notice_msg', '') or '')[:100] or '—' }}
+        </td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
+<p style="font-size:0.75rem; color:var(--on-surface-dim); margin-top:6px;">
+  {{ attack_chain | length }} notice{{ 's' if attack_chain | length != 1 else '' }}
+</p>
+{% endif %}
diff --git a/apps/opensearch_web/templates/partials/investigate_log_counts.html b/apps/opensearch_web/templates/partials/investigate_log_counts.html
new file mode 100644
index 0000000..6b51bd6
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_log_counts.html
@@ -0,0 +1,22 @@
+{% for cat in category_order %}
+  {% set lts = modules_by_category.get(cat, []) %}
+  {% if lts %}
+  <div class="log-count-group">
+    <div class="log-count-group-label">
+      <i class="fa-solid {{ category_icons[cat] }}"></i>
+      {{ category_labels[cat] }}
+    </div>
+    <div class="log-count-btns">
+      {% for lt in lts %}
+        {% set cnt = counts.get(lt, 0) %}
+        <a href="{{ script_name }}/log/{{ lt }}?src_ip={{ src_ip }}&sensor={{ sensor }}&time_range={{ time_range }}"
+           class="log-count-btn{% if cnt == 0 %} log-count-btn--empty{% endif %}">
+          <i class="fa-solid {{ proto_icons[lt] }}"></i>
+          {{ lt.replace('_', ' ').title() }}
+          <span class="log-count-badge">{{ cnt }}</span>
+        </a>
+      {% endfor %}
+    </div>
+  </div>
+  {% endif %}
+{% endfor %}
diff --git a/apps/opensearch_web/templates/partials/investigate_notices.html b/apps/opensearch_web/templates/partials/investigate_notices.html
new file mode 100644
index 0000000..63d2534
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_notices.html
@@ -0,0 +1,42 @@
+{# Investigate — Zeek notices partial.
+   Receives: notices (list[dict]), src_ip, dest_ip, error #}
+
+{% if error %}
+<p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> {{ error }}</p>
+{% elif not notices %}
+<p class="empty-note">No Zeek notices between {{ src_ip }} and {{ dest_ip }} in this window.</p>
+{% else %}
+<div class="table-wrap">
+  <table class="no-resize">
+    <thead>
+      <tr>
+        <th class="num">#</th>
+        <th class="sortable">Time</th>
+        <th class="sortable">Sensor</th>
+        <th class="sortable">Src IP</th>
+        <th class="sortable">Dst IP</th>
+        <th class="sortable">Notice</th>
+        <th class="sortable">Message</th>
+      </tr>
+    </thead>
+    <tbody>
+      {% for rec in notices %}
+      <tr>
+        <td class="num">{{ loop.index }}</td>
+        <td class="ts-cell" data-iso="{{ rec.get('timestamp', '') }}" onclick="copyTimestamp(this)" title="Click to copy">
+          {{ rec.get('timestamp') | fmt_ts(full=True) }}
+        </td>
+        <td>{{ rec.get('sensor', '—') }}</td>
+        <td>{{ rec.get('src_ip', '—') }}</td>
+        <td>{{ rec.get('dest_ip', '—') }}</td>
+        <td><span class="attack-note-badge">{{ rec.get('notice_note', '—') }}</span></td>
+        <td style="font-size:0.8rem; color:var(--on-surface-dim)">{{ (rec.get('notice_msg', '') or '')[:100] or '—' }}</td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
+<p style="font-size:0.75rem; color:var(--on-surface-dim); margin-top:6px;">
+  {{ notices | length }} notice{{ 's' if notices | length != 1 else '' }}
+</p>
+{% endif %}
diff --git a/apps/opensearch_web/templates/partials/investigate_profiles.html b/apps/opensearch_web/templates/partials/investigate_profiles.html
new file mode 100644
index 0000000..07feb5c
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_profiles.html
@@ -0,0 +1,66 @@
+{# Investigate — device profiles partial.
+   Receives: src_ip, dest_ip, src_profile, dest_profile,
+             src_enrichment, dest_enrichment, src_error, dest_error #}
+<div class="investigate-profiles-grid">
+
+  {# Source IP #}
+  <div class="investigate-profile-col">
+    <div class="investigate-profile-label">
+      <i class="fa-solid fa-arrow-right-from-bracket"></i> Source
+      <a class="ip-link" href="{{ script_name }}/ip/{{ src_ip }}?{{ request.query_string.decode() }}">{{ src_ip }}</a>
+    </div>
+    {% if src_error %}
+    <p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> {{ src_error }}</p>
+    {% elif src_profile %}
+      {% if is_private(src_ip) %}
+        {% with profile=src_profile, compact=False %}
+        {% include "partials/device_card.html" %}
+        {% endwith %}
+      {% else %}
+        {% with profile=src_profile, compact=False %}
+        {% include "partials/public_device_card.html" %}
+        {% endwith %}
+      {% endif %}
+    {% else %}
+    <p class="empty-note">No profile data available.</p>
+    {% endif %}
+    {% if src_enrichment %}
+    <div class="investigate-enrichment-inline">
+      {% with result=src_enrichment, urls=src_urls, ip=src_ip %}
+      {% include "partials/enrich_card.html" ignore missing %}
+      {% endwith %}
+    </div>
+    {% endif %}
+  </div>
+
+  {# Destination IP #}
+  <div class="investigate-profile-col">
+    <div class="investigate-profile-label">
+      <i class="fa-solid fa-arrow-right-to-bracket"></i> Destination
+      <a class="ip-link" href="{{ script_name }}/ip/{{ dest_ip }}?{{ request.query_string.decode() }}">{{ dest_ip }}</a>
+    </div>
+    {% if dest_error %}
+    <p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> {{ dest_error }}</p>
+    {% elif dest_profile %}
+      {% if is_private(dest_ip) %}
+        {% with profile=dest_profile, compact=False %}
+        {% include "partials/device_card.html" %}
+        {% endwith %}
+      {% else %}
+        {% with profile=dest_profile, compact=False %}
+        {% include "partials/public_device_card.html" %}
+        {% endwith %}
+      {% endif %}
+    {% else %}
+    <p class="empty-note">No profile data available.</p>
+    {% endif %}
+    {% if dest_enrichment %}
+    <div class="investigate-enrichment-inline">
+      {% with result=dest_enrichment, urls=dest_urls, ip=dest_ip %}
+      {% include "partials/enrich_card.html" ignore missing %}
+      {% endwith %}
+    </div>
+    {% endif %}
+  </div>
+
+</div>
diff --git a/apps/opensearch_web/templates/partials/investigate_suricata.html b/apps/opensearch_web/templates/partials/investigate_suricata.html
new file mode 100644
index 0000000..66541dc
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_suricata.html
@@ -0,0 +1,44 @@
+{# Investigate — Suricata alerts partial.
+   Receives: alerts (list[dict]), src_ip, dest_ip, error #}
+
+{% if error %}
+<p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> {{ error }}</p>
+{% elif not alerts %}
+<p class="empty-note">No Suricata alerts between {{ src_ip }} and {{ dest_ip }} in this window.</p>
+{% else %}
+<div class="table-wrap">
+  <table class="no-resize">
+    <thead>
+      <tr>
+        <th class="num">#</th>
+        <th class="sortable">Time</th>
+        <th class="sortable">Sensor</th>
+        <th class="sortable">Src IP</th>
+        <th class="sortable">Dst IP</th>
+        <th class="sortable num">Sev</th>
+        <th class="sortable">Rule</th>
+        <th class="sortable">Category</th>
+      </tr>
+    </thead>
+    <tbody>
+      {% for rec in alerts %}
+      <tr>
+        <td class="num">{{ loop.index }}</td>
+        <td class="ts-cell" data-iso="{{ rec.get('timestamp', '') }}" onclick="copyTimestamp(this)" title="Click to copy">
+          {{ rec.get('timestamp') | fmt_ts(full=True) }}
+        </td>
+        <td>{{ rec.get('sensor', '—') }}</td>
+        <td>{{ rec.get('src_ip', '—') }}</td>
+        <td>{{ rec.get('dest_ip', '—') }}</td>
+        <td class="num">{{ rec.get('severity', '—') }}</td>
+        <td style="font-size:0.8rem">{{ (rec.get('rule_name', '') or '')[:80] or '—' }}</td>
+        <td style="font-size:0.8rem; color:var(--on-surface-dim)">{{ rec.get('rule_category', '—') }}</td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
+<p style="font-size:0.75rem; color:var(--on-surface-dim); margin-top:6px;">
+  {{ alerts | length }} alert{{ 's' if alerts | length != 1 else '' }}
+</p>
+{% endif %}
diff --git a/apps/opensearch_web/templates/partials/investigate_tickets.html b/apps/opensearch_web/templates/partials/investigate_tickets.html
new file mode 100644
index 0000000..449c0e0
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_tickets.html
@@ -0,0 +1,76 @@
+{# Investigate — related Mantis tickets partial.
+   Receives: src_ip, dest_ip, src_tickets, dest_tickets, error #}
+
+{% if error %}
+<p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> Mantis unavailable: {{ error }}</p>
+{% else %}
+<div class="investigate-tickets-grid">
+
+  {# Source IP tickets #}
+  <div class="investigate-ticket-col">
+    <h3 class="investigate-auth-proto-label">
+      <i class="fa-solid fa-arrow-right-from-bracket"></i> {{ src_ip }}
+      <span class="count-note">{{ src_tickets | length }} ticket(s)</span>
+    </h3>
+    {% if src_tickets %}
+    <div class="mantis-ticket-list">
+      {% for t in src_tickets %}
+      <div class="mantis-ticket-card {{ 'mantis-ticket-escalated' if t.is_escalated else '' }}">
+        <div class="mantis-ticket-header">
+          <a class="mantis-ticket-id" href="{{ t.url }}" target="_blank" rel="noopener">#{{ t.id }}</a>
+          <span class="mantis-ticket-summary" title="{{ t.summary }}">{{ t.summary }}</span>
+          {% if t.is_escalated %}<span class="badge badge-red"><i class="fa-solid fa-arrow-up"></i> Escalated{% if t.escalated_by %} by {{ t.escalated_by }}{% endif %}</span>{% endif %}
+          <span class="badge {{ mantis_status_badge(t.status) }}">{{ t.status or '—' }}</span>
+          {% if t.severity %}<span class="badge {{ mantis_sev_badge(t.severity) }}">{{ t.severity }}</span>{% endif %}
+        </div>
+        <div class="mantis-ticket-meta">
+          {% if t.handler %}<span><i class="fa-solid fa-shield-halved"></i> {{ t.handler.name }}</span>{% endif %}
+          {% if t.project %}<span>{{ t.project }}</span>{% endif %}
+          <span><i class="fa-regular fa-clock"></i> {{ t.last_updated or t.updated_at or '—' }}</span>
+        </div>
+        {% for n in t.notes %}{% if n.is_admin_note %}
+        <div class="mantis-admin-note"><strong>★ {{ n.reporter.name }}:</strong> {{ n.text[:200] }}{% if n.text|length > 200 %}…{% endif %}</div>
+        {% endif %}{% endfor %}
+      </div>
+      {% endfor %}
+    </div>
+    {% else %}
+    <p class="empty-note">No tickets found for {{ src_ip }}.</p>
+    {% endif %}
+  </div>
+
+  {# Destination IP tickets #}
+  <div class="investigate-ticket-col">
+    <h3 class="investigate-auth-proto-label">
+      <i class="fa-solid fa-arrow-right-to-bracket"></i> {{ dest_ip }}
+      <span class="count-note">{{ dest_tickets | length }} ticket(s)</span>
+    </h3>
+    {% if dest_tickets %}
+    <div class="mantis-ticket-list">
+      {% for t in dest_tickets %}
+      <div class="mantis-ticket-card {{ 'mantis-ticket-escalated' if t.is_escalated else '' }}">
+        <div class="mantis-ticket-header">
+          <a class="mantis-ticket-id" href="{{ t.url }}" target="_blank" rel="noopener">#{{ t.id }}</a>
+          <span class="mantis-ticket-summary" title="{{ t.summary }}">{{ t.summary }}</span>
+          {% if t.is_escalated %}<span class="badge badge-red"><i class="fa-solid fa-arrow-up"></i> Escalated{% if t.escalated_by %} by {{ t.escalated_by }}{% endif %}</span>{% endif %}
+          <span class="badge {{ mantis_status_badge(t.status) }}">{{ t.status or '—' }}</span>
+          {% if t.severity %}<span class="badge {{ mantis_sev_badge(t.severity) }}">{{ t.severity }}</span>{% endif %}
+        </div>
+        <div class="mantis-ticket-meta">
+          {% if t.handler %}<span><i class="fa-solid fa-shield-halved"></i> {{ t.handler.name }}</span>{% endif %}
+          {% if t.project %}<span>{{ t.project }}</span>{% endif %}
+          <span><i class="fa-regular fa-clock"></i> {{ t.last_updated or t.updated_at or '—' }}</span>
+        </div>
+        {% for n in t.notes %}{% if n.is_admin_note %}
+        <div class="mantis-admin-note"><strong>★ {{ n.reporter.name }}:</strong> {{ n.text[:200] }}{% if n.text|length > 200 %}…{% endif %}</div>
+        {% endif %}{% endfor %}
+      </div>
+      {% endfor %}
+    </div>
+    {% else %}
+    <p class="empty-note">No tickets found for {{ dest_ip }}.</p>
+    {% endif %}
+  </div>
+
+</div>
+{% endif %}
diff --git a/apps/opensearch_web/templates/partials/investigate_timeline.html b/apps/opensearch_web/templates/partials/investigate_timeline.html
new file mode 100644
index 0000000..038dc8b
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/investigate_timeline.html
@@ -0,0 +1,72 @@
+{# Investigate — merged chronological timeline partial.
+   Receives: timeline (list[dict]), errors (dict) #}
+
+{% if errors %}
+<div class="investigate-error-list">
+  {% for track, msg in errors.items() %}
+  <p class="investigate-error"><i class="fa-solid fa-triangle-exclamation"></i> {{ track }}: {{ msg }}</p>
+  {% endfor %}
+</div>
+{% endif %}
+
+{% if not timeline %}
+<p class="empty-note">No timeline events found in this window.</p>
+{% else %}
+<div class="table-wrap">
+  <table class="no-resize">
+    <thead>
+      <tr>
+        <th class="num">#</th>
+        <th class="sortable">Time</th>
+        <th class="sortable">Type</th>
+        <th class="sortable">Sensor</th>
+        <th class="sortable">Src IP</th>
+        <th class="sortable">Dst IP</th>
+        <th class="sortable">Detail</th>
+      </tr>
+    </thead>
+    <tbody>
+      {% for evt in timeline %}
+      <tr>
+        <td class="num">{{ loop.index }}</td>
+        <td class="ts-cell" data-iso="{{ evt.get('timestamp', '') }}" onclick="copyTimestamp(this)" title="Click to copy">
+          {{ evt.get('timestamp') | fmt_ts(full=True) }}
+        </td>
+        <td>
+          {% set etype = evt.get('type', '') %}
+          {% if etype == 'kerberos' %}
+          <span class="badge badge-blue"><i class="fa-solid fa-shield-halved"></i> Kerberos</span>
+          {% elif etype == 'ntlm' %}
+          <span class="badge badge-yellow"><i class="fa-solid fa-lock"></i> NTLM</span>
+          {% elif etype == 'notice' %}
+          <span class="badge badge-red"><i class="fa-solid fa-bell"></i> Notice</span>
+          {% else %}
+          <span class="badge badge-gray">{{ etype or '—' }}</span>
+          {% endif %}
+        </td>
+        <td>{{ evt.get('sensor', '—') }}</td>
+        <td>{{ evt.get('src_ip', '—') }}</td>
+        <td>{{ evt.get('dest_ip', '—') }}</td>
+        <td style="font-size:0.8rem; color:var(--on-surface-dim)">
+          {% set etype = evt.get('type', '') %}
+          {% if etype == 'kerberos' %}
+            {{ evt.get('client', '') or '' }}{% if evt.get('client') and evt.get('request_type') %} · {% endif %}{{ evt.get('request_type', '') or '' }}
+            {% if evt.get('success') == True %}<span class="badge badge-green" style="margin-left:4px">✓</span>{% elif evt.get('success') == False %}<span class="badge badge-red" style="margin-left:4px">✗</span>{% endif %}
+          {% elif etype == 'ntlm' %}
+            {{ evt.get('domain', '') or '' }}{% if evt.get('domain') and evt.get('username') %}\{% endif %}{{ evt.get('username', '') or '' }}
+            {% if evt.get('success') == True %}<span class="badge badge-green" style="margin-left:4px">✓</span>{% elif evt.get('success') == False %}<span class="badge badge-red" style="margin-left:4px">✗</span>{% endif %}
+          {% elif etype == 'notice' %}
+            {{ evt.get('notice_note', '') or '' }}
+          {% else %}
+            —
+          {% endif %}
+        </td>
+      </tr>
+      {% endfor %}
+    </tbody>
+  </table>
+</div>
+<p style="font-size:0.75rem; color:var(--on-surface-dim); margin-top:6px;">
+  {{ timeline | length }} event{{ 's' if timeline | length != 1 else '' }}
+</p>
+{% endif %}
diff --git a/apps/opensearch_web/templates/partials/log_rows.html b/apps/opensearch_web/templates/partials/log_rows.html
index a68a4fe..d91e2e7 100644
--- a/apps/opensearch_web/templates/partials/log_rows.html
+++ b/apps/opensearch_web/templates/partials/log_rows.html
@@ -1,3 +1,9 @@
+{% if error %}
+<tr><td colspan="20" class="query-error-cell">
+  <i class="fa-solid fa-triangle-exclamation"></i>
+  OpenSearch unavailable — {{ error }}
+</td></tr>
+{% else %}
 {% for rec in records %}
 {% set idx = loop.index %}
 <tr id="row-{{ idx }}"
@@ -48,3 +54,4 @@
 {% else %}
 <tr><td colspan="20" style="text-align:center; color: var(--text-dim); padding: 16px;">No records.</td></tr>
 {% endfor %}
+{% endif %}
diff --git a/apps/opensearch_web/templates/partials/public_device_card.html b/apps/opensearch_web/templates/partials/public_device_card.html
new file mode 100644
index 0000000..7b7c0d8
--- /dev/null
+++ b/apps/opensearch_web/templates/partials/public_device_card.html
@@ -0,0 +1,169 @@
+{# Public IP profile card — network-perspective view of an external host.
+   Receives: profile (PublicIPProfile), compact (bool, optional) #}
+{% set compact = compact|default(false) %}
+<div class="device-card device-card-public {{ 'device-card-compact' if compact else '' }}">
+
+  {# Header #}
+  <div class="device-card-header">
+    <div class="device-card-identity">
+      <i class="fa-solid fa-{{ public_role_icon(profile.role) }}"></i>
+      <strong>{{ profile.ip }}</strong>
+      {% if profile.org %}
+        <span class="device-card-domain">· {{ profile.org.get('name', '') }}
+          {% if profile.org.get('category') %}({{ profile.org.get('category') }}){% endif %}
+        </span>
+      {% endif %}
+    </div>
+    <div class="device-card-meta">
+      <span class="role-badge role-{{ profile.role }}">
+        {{ profile.role | replace('_', ' ') | title }}
+        <span class="confidence">{{ (profile.confidence * 100) | int }}%</span>
+      </span>
+    </div>
+  </div>
+
+  {# Signal grid #}
+  <div class="device-card-grid">
+
+    {# Sensor presence #}
+    <div class="device-card-section">
+      <h4><i class="fa-solid fa-satellite-dish"></i> Seen by {{ profile.sensors | length }} sensor{{ 's' if profile.sensors | length != 1 else '' }}</h4>
+      {% if profile.sensors %}
+      <table class="mini-table">
+        <thead><tr><th>Sensor</th><th>#</th></tr></thead>
+        <tbody>
+          {% for s in profile.sensors %}
+          <tr><td>{{ s.sensor }}</td><td>{{ "{:,}".format(s.count) }}</td></tr>
+          {% endfor %}
+        </tbody>
+      </table>
+      {% endif %}
+    </div>
+
+    {# Reverse DNS #}
+    {% if profile.reverse_dns %}
+    <div class="device-card-section">
+      <h4><i class="fa-solid fa-globe"></i> Reverse DNS</h4>
+      <table class="mini-table">
+        <thead><tr><th>Domain</th><th>#</th></tr></thead>
+        <tbody>
+          {% for d in profile.reverse_dns %}
+          <tr><td>{{ d.domain }}</td><td>{{ "{:,}".format(d.count) }}</td></tr>
+          {% endfor %}
+        </tbody>
+      </table>
+    </div>
+    {% endif %}
+
+    {# Services exposed #}
+    <div class="device-card-section">
+      <h4><i class="fa-solid fa-server"></i> Services (our traffic TO this IP)</h4>
+      {% if profile.services %}
+      <table class="mini-table">
+        <thead><tr><th>Port</th><th>Proto</th><th>#</th></tr></thead>
+        <tbody>
+          {% for svc in profile.services %}
+          <tr><td>{{ svc.port }}</td><td>{{ svc.app_proto or '—' }}</td><td>{{ "{:,}".format(svc.count) }}</td></tr>
+          {% endfor %}
+        </tbody>
+      </table>
+      <div class="device-card-traffic">
+        <span class="dct-up">↑ {{ profile.bytes_to | fmt_bytes }}</span>
+        <span class="dct-sep">·</span>
+        <span class="dct-down">↓ {{ profile.bytes_from | fmt_bytes }}</span>
+        <span class="dct-sep">·</span>
+        <span class="dct-dests">{{ "{:,}".format(profile.internal_client_count) }} internal client{{ 's' if profile.internal_client_count != 1 else '' }}</span>
+        {% if profile.conn_status %}
+        <span class="dct-sep">·</span>
+        <span class="dct-status">{{ profile.conn_status }}</span>
+        {% endif %}
+      </div>
+      {% else %}
+      <p class="empty-note">No outbound connections to this IP</p>
+      {% endif %}
+    </div>
+
+    {% set open_attr = '' if compact else 'open' %}
+
+    {# TLS #}
+    {% if profile.tls_versions or profile.ssl_issuers %}
+    <details class="device-card-section" {{ open_attr }}>
+      <summary><i class="fa-solid fa-lock"></i> TLS</summary>
+      {% if profile.tls_versions %}
+      <p class="empty-note">
+        {% for v in profile.tls_versions %}{{ v.version }} ({{ v.count }}){{ ', ' if not loop.last else '' }}{% endfor %}
+      </p>
+      {% endif %}
+      {% if profile.ssl_issuers %}
+      <p class="mini-label">Issuer:</p>
+      <ul class="tag-list">{% for iss in profile.ssl_issuers %}<li class="tag mono">{{ iss }}</li>{% endfor %}</ul>
+      {% endif %}
+      {% if profile.ja4s_fingerprints %}
+      <table class="mini-table">
+        <thead><tr><th>JA4S</th><th>#</th></tr></thead>
+        <tbody>
+          {% for fp in profile.ja4s_fingerprints %}
+          <tr><td class="mono">{{ fp.hash[:24] }}…</td><td>{{ fp.count }}</td></tr>
+          {% endfor %}
+        </tbody>
+      </table>
+      {% endif %}
+    </details>
+    {% endif %}
+
+    {# HTTP #}
+    {% if profile.http_top_uris %}
+    <details class="device-card-section" {{ open_attr }}>
+      <summary><i class="fa-solid fa-cloud"></i> HTTP ({{ profile.http_top_uris | length }} URIs)</summary>
+      <table class="mini-table">
+        <thead><tr><th>URI</th><th>#</th></tr></thead>
+        <tbody>
+          {% for u in profile.http_top_uris %}
+          <tr><td class="mono">{{ u.uri }}</td><td>{{ u.count }}</td></tr>
+          {% endfor %}
+        </tbody>
+      </table>
+    </details>
+    {% endif %}
+
+    {# Inbound attack signals #}
+    {% if profile.inbound_ports_targeted or profile.ssh_inbound or profile.rdp_inbound %}
+    <details class="device-card-section" {{ open_attr }}>
+      <summary><i class="fa-solid fa-triangle-exclamation"></i> Inbound FROM this IP</summary>
+      {% if profile.inbound_ports_targeted %}
+      <table class="mini-table">
+        <thead><tr><th>Port targeted</th><th>#</th></tr></thead>
+        <tbody>
+          {% for p in profile.inbound_ports_targeted %}
+          <tr><td>{{ p.port }}</td><td>{{ "{:,}".format(p.count) }}</td></tr>
+          {% endfor %}
+        </tbody>
+      </table>
+      <p class="empty-note">{{ "{:,}".format(profile.internal_targets_count) }} internal host{{ 's' if profile.internal_targets_count != 1 else '' }} targeted</p>
+      {% endif %}
+      {% if profile.ssh_inbound %}
+      <p>SSH inbound{% if profile.ssh_server_versions %}: {{ profile.ssh_server_versions | join(', ') }}{% endif %}</p>
+      {% endif %}
+      {% if profile.rdp_inbound %}
+      <p>RDP inbound{% if profile.rdp_usernames %}: {{ profile.rdp_usernames | join(', ') }}{% endif %}</p>
+      {% endif %}
+    </details>
+    {% elif not compact %}
+    <div class="device-card-section">
+      <h4><i class="fa-solid fa-triangle-exclamation"></i> Inbound FROM this IP</h4>
+      <p class="empty-note">No inbound connections detected</p>
+    </div>
+    {% endif %}
+
+  </div>
+
+  {# Footer #}
+  <div class="device-card-footer">
+    <button class="btn-link expand-all-btn" onclick="toggleDetailsAll(this)">Expand all</button>
+    {% if profile.first_seen %}
+    First: {{ profile.first_seen[:16] }} · Last: {{ profile.last_seen[:16] }}
+    {% endif %}
+    · {{ "{:,}".format(profile.total_records) }} total records
+  </div>
+
+</div>
diff --git a/apps/opensearch_web/templates/partials/record_detail.html b/apps/opensearch_web/templates/partials/record_detail.html
index 09a0773..63c18f4 100644
--- a/apps/opensearch_web/templates/partials/record_detail.html
+++ b/apps/opensearch_web/templates/partials/record_detail.html
@@ -24,6 +24,16 @@
     </div>
     {% if supports_fp is not defined or supports_fp %}
     <div class="filter-action-row">
+      {% if record.get('src_ip') and record.get('dest_ip') %}
+      <a class="btn btn-sm"
+         href="{{ script_name }}/investigate/{{ record.get('src_ip') }}/{{ record.get('dest_ip') }}?{{ request.query_string.decode() }}">
+        <i class="fa-solid fa-magnifying-glass-chart"></i> Investigate
+      </a>
+      {% else %}
+      <button class="btn btn-sm" disabled title="Requires both source and destination IP">
+        <i class="fa-solid fa-magnifying-glass-chart"></i> Investigate
+      </button>
+      {% endif %}
       <button class="btn btn-sm"
               hx-get="/api/filter/form?src_ip={{ record.get('src_ip','') }}&dest_ip={{ record.get('dest_ip','') }}&notice_note={{ record.get('notice_note','') | urlencode }}&log_type={{ log_type }}&idx={{ idx }}"
               hx-target="#filter-zone-{{ idx }}"
@@ -80,12 +90,13 @@
   <div class="enrich-cols">
     <div class="enrich-col">
       {% if src_ip %}
-      <div class="enrich-col-header">
+      <div class="enrich-col-header enrich-col-src">
         <i class="fa-solid fa-arrow-right-from-bracket"></i>
         Source —
         <a class="ip-link" href="{{ script_name }}/ip/{{ src_ip }}?{{ request.query_string.decode() }}">{{ src_ip }}</a>
       </div>
       {% if is_private(src_ip) %}
+      <div class="mantis-lookup-btns">
       <button class="btn btn-sm"
               hx-post="/api/profile/{{ src_ip }}?{{ request.query_string.decode() }}&compact=1"
               hx-target="#enrich-src-{{ idx }}"
@@ -96,24 +107,39 @@
           <i class="fa-solid fa-spinner fa-spin"></i>
         </span>
       </button>
+      </div>
       {% else %}
+      <div class="mantis-lookup-btns">
+      <button class="btn btn-sm"
+              hx-post="/api/profile/{{ src_ip }}?{{ request.query_string.decode() }}&compact=1"
+              hx-target="#profile-src-{{ idx }}"
+              hx-swap="innerHTML"
+              hx-indicator="#profile-src-spinner-{{ idx }}">
+        <i class="fa-solid fa-fingerprint"></i> Profile
+        <span id="profile-src-spinner-{{ idx }}" class="htmx-indicator">
+          <i class="fa-solid fa-spinner fa-spin"></i>
+        </span>
+      </button>
       <button class="btn btn-sm"
               hx-post="/api/enrich/{{ src_ip }}"
               hx-target="#enrich-src-{{ idx }}" hx-swap="innerHTML">
         <i class="fa-solid fa-shield-halved"></i> Enrich
       </button>
+      </div>
       {% endif %}
+      <div id="profile-src-{{ idx }}"></div>
       <div id="enrich-src-{{ idx }}"></div>
       {% endif %}
     </div>
     <div class="enrich-col">
       {% if dest_ip %}
-      <div class="enrich-col-header">
+      <div class="enrich-col-header enrich-col-dst">
         <i class="fa-solid fa-arrow-right-to-bracket"></i>
         Destination —
         <a class="ip-link" href="{{ script_name }}/ip/{{ dest_ip }}?{{ request.query_string.decode() }}">{{ dest_ip }}</a>
       </div>
       {% if is_private(dest_ip) %}
+      <div class="mantis-lookup-btns">
       <button class="btn btn-sm"
               hx-post="/api/profile/{{ dest_ip }}?{{ request.query_string.decode() }}&compact=1"
               hx-target="#enrich-dst-{{ idx }}"
@@ -124,13 +150,27 @@
           <i class="fa-solid fa-spinner fa-spin"></i>
         </span>
       </button>
+      </div>
       {% else %}
+      <div class="mantis-lookup-btns">
+      <button class="btn btn-sm"
+              hx-post="/api/profile/{{ dest_ip }}?{{ request.query_string.decode() }}&compact=1"
+              hx-target="#profile-dst-{{ idx }}"
+              hx-swap="innerHTML"
+              hx-indicator="#profile-dst-spinner-{{ idx }}">
+        <i class="fa-solid fa-fingerprint"></i> Profile
+        <span id="profile-dst-spinner-{{ idx }}" class="htmx-indicator">
+          <i class="fa-solid fa-spinner fa-spin"></i>
+        </span>
+      </button>
       <button class="btn btn-sm"
               hx-post="/api/enrich/{{ dest_ip }}"
               hx-target="#enrich-dst-{{ idx }}" hx-swap="innerHTML">
         <i class="fa-solid fa-shield-halved"></i> Enrich
       </button>
+      </div>
       {% endif %}
+      <div id="profile-dst-{{ idx }}"></div>
       <div id="enrich-dst-{{ idx }}"></div>
       {% endif %}
     </div>
diff --git a/apps/shared/blueprints.py b/apps/shared/blueprints.py
index 15bc367..f9eb5de 100644
--- a/apps/shared/blueprints.py
+++ b/apps/shared/blueprints.py
@@ -71,9 +71,15 @@ def api_mantis_search() -> Any:
         query = request.args.get("query", "").strip()
         idx = request.args.get("idx", "0")
         city = resolve_city(request)
-        tickets = search(query, city=city) if query else []
+        error = None
+        tickets: list = []
+        if query:
+            try:
+                tickets = search(query, city=city)
+            except Exception as exc:
+                error = str(exc)
         return render_template(
-            "partials/mantis_results.html", tickets=tickets, query=query, idx=idx
+            "partials/mantis_results.html", tickets=tickets, query=query, idx=idx, error=error
         )
 
     return bp
diff --git a/apps/shared/jinja_globals.py b/apps/shared/jinja_globals.py
index 26f3ba6..5a47553 100644
--- a/apps/shared/jinja_globals.py
+++ b/apps/shared/jinja_globals.py
@@ -23,6 +23,18 @@ def register_shared_helpers(app: Flask) -> None:
         "unknown": "circle-question",
     }.get(role, "circle-question")
 
+    app.jinja_env.globals["public_role_icon"] = lambda role: {
+        "web_server": "globe",
+        "scanner": "radar",
+        "cdn_node": "cloud",
+        "mail_server": "envelope",
+        "dns_server": "server",
+        "ssh_server": "terminal",
+        "vpn_endpoint": "shield-halved",
+        "c2_suspect": "skull-crossbones",
+        "unknown": "circle-question",
+    }.get(role, "circle-question")
+
     from src.profiler.ja4_decoder import decode_ja4
 
     app.jinja_env.globals["decode_ja4"] = decode_ja4
diff --git a/apps/shared/templates/partials/mantis_results.html b/apps/shared/templates/partials/mantis_results.html
index 375c255..5a55e5c 100644
--- a/apps/shared/templates/partials/mantis_results.html
+++ b/apps/shared/templates/partials/mantis_results.html
@@ -1,4 +1,9 @@
-{% if not tickets %}
+{% if error %}
+<p class="investigate-error">
+  <i class="fa-solid fa-triangle-exclamation"></i>
+  Mantis unavailable: {{ error }}
+</p>
+{% elif not tickets %}
 <p class="empty-note">
   <i class="fa-solid fa-ticket"></i>
   {% if query %}No tickets found for <strong>{{ query }}</strong>.{% else %}Enter a query above.{% endif %}
diff --git a/apps/threat_model/app.py b/apps/threat_model/app.py
index 99a25e3..66a24ce 100644
--- a/apps/threat_model/app.py
+++ b/apps/threat_model/app.py
@@ -9,12 +9,14 @@
     ALL_BLOCKLISTS,
     ALL_FP_CATEGORIES,
     ALL_INFRA_CATEGORIES,
+    DATA_AVAILABLE,
     DNS_RESOLVER_ROWS,
     FP_BY_IP,
     FP_ROWS,
     INFRA_ROWS,
     MALICIOUS_BY_IP,
     MALICIOUS_ROWS,
+    PROFILES_BY_IP,
     TICKETS_BY_ID,
     UNDETERMINED_ROWS,
     _fp_row,
@@ -187,6 +189,7 @@ def index():
             infra_total=len(INFRA_ROWS),
             dns_resolver_total=len(DNS_RESOLVER_ROWS),
             undetermined_total=len(UNDETERMINED_ROWS),
+            data_available=DATA_AVAILABLE,
         )
 
     # ------------------------------------------------------------------
@@ -203,12 +206,14 @@ def api_search():
         ticket_slice = tickets[:TICKETS_PER_CARD_PAGE]
         raw_mal = MALICIOUS_BY_IP.get(ip)
         raw_fp = FP_BY_IP.get(ip)
+        verdict = classify_ip(ip)
         return render_template(
             "partials/threat_card.html",
             ip=ip,
-            verdict=classify_ip(ip),
+            verdict=verdict,
             malicious=_malicious_row(raw_mal) if raw_mal else None,
             fp=_fp_row(raw_fp) if raw_fp else None,
+            device_profile=PROFILES_BY_IP.get(ip) if verdict == "infra" else None,
             tickets=ticket_slice,
             ticket_page=1,
             ticket_pages=ticket_pages,
@@ -237,12 +242,45 @@ def api_ip_card(ip: str):
             verdict=verdict,
             malicious=_malicious_row(raw_mal) if raw_mal and verdict != "fp" else None,
             fp=_fp_row(raw_fp) if raw_fp else None,
+            device_profile=PROFILES_BY_IP.get(ip) if verdict == "infra" else None,
             tickets=ticket_slice,
             ticket_page=1,
             ticket_pages=ticket_pages,
             ticket_total=len(tickets),
         )
 
+    # ------------------------------------------------------------------
+    # GET /api/ip/<ip>/profile  — HTMX: live device profile for private IPs
+    # ------------------------------------------------------------------
+    @app.route("/api/ip/<ip>/profile")
+    def api_ip_profile(ip: str):
+        from dataclasses import asdict
+
+        from src.profiler.device_profiler import profile_device
+        from src.querier.zeek_modules.base import is_private
+
+        if not is_private(ip):
+            return (
+                "<p style='color:var(--on-surface-dim);font-size:0.82rem'>Not a private IP.</p>"
+            ), 400
+
+        time_range = request.args.get("time_range", "now-7d")
+        sensor = request.args.get("sensor", "all")
+
+        try:
+            profile = profile_device(ip, time_range=time_range, sensor=sensor)
+            dp = asdict(profile)
+            dp["dest_port_distribution"] = {
+                str(k): v for k, v in dp["dest_port_distribution"].items()
+            }
+        except Exception as exc:
+            app.logger.warning("device profile failed for %s: %s", ip, exc)
+            return (
+                "<p style='color:var(--on-surface-dim);font-size:0.82rem'>Profile unavailable.</p>"
+            ), 200
+
+        return render_template("partials/device_profile_card.html", device_profile=dp)
+
     # ------------------------------------------------------------------
     # GET /api/ip/<ip>/tickets?page=N  — HTMX: paginate ticket list
     # ------------------------------------------------------------------
diff --git a/apps/threat_model/data.py b/apps/threat_model/data.py
index 6c414b2..404b16c 100644
--- a/apps/threat_model/data.py
+++ b/apps/threat_model/data.py
@@ -57,6 +57,10 @@ def _load_optional(name: str) -> list:
 _raw_infra = _load_optional("enriched/known_infra_ips.json")
 _raw_dns_resolvers = _load_optional("enriched/dns_resolver_ips.json")
 _raw_undetermined = _load_optional("enriched/undetermined_ips.json")
+_raw_profiles = _load_optional("enriched/private_ip_profiles.json")
+
+# True when the pipeline has been run and data files exist.
+DATA_AVAILABLE: bool = bool(_raw_tickets or _raw_malicious or _raw_fp)
 
 # ---------------------------------------------------------------------------
 # Indices
@@ -72,6 +76,7 @@ def _load_optional(name: str) -> list:
 FP_BY_IP: dict[str, dict] = {r["ip"]: r for r in _raw_fp}
 INFRA_BY_IP: dict[str, dict] = {r["ip"]: r for r in _raw_infra}
 UNDETERMINED_BY_IP: dict[str, dict] = {r["ip"]: r for r in _raw_undetermined}
+PROFILES_BY_IP: dict[str, dict] = {r["ip"]: r for r in _raw_profiles}
 
 # Build DNS resolver index from enriched file; fall back to known-list entries
 # for any resolver not yet in the enriched file.
@@ -199,6 +204,7 @@ def _fp_row(r: dict) -> dict:
 def _infra_row(r: dict) -> dict:
     _org = r.get("org") or {}
     org = _org if isinstance(_org, dict) else {}
+    profile = PROFILES_BY_IP.get(r["ip"])
     return {
         "ip": r["ip"],
         "org_name": org.get("name") or "—",
@@ -210,6 +216,10 @@ def _infra_row(r: dict) -> dict:
         "ticket_count": len(r.get("ticket_ids") or []),
         "protocols_str": ", ".join(r.get("protocols_seen") or []),
         "attacks_count": len(r.get("attacks_against") or []),
+        "has_profile": profile is not None,
+        "profile_hostname": profile.get("hostname") if profile else None,
+        "profile_role": profile.get("role") if profile else None,
+        "profile_os": profile.get("os_family") if profile else None,
     }
 
 
diff --git a/apps/threat_model/run.py b/apps/threat_model/run.py
index bf20c93..64bbdd8 100755
--- a/apps/threat_model/run.py
+++ b/apps/threat_model/run.py
@@ -14,7 +14,9 @@
 
 app = create_app()
 
-if __name__ == "__main__":
+
+def main() -> None:
+    """Entry point for `pisces-threat-model` console script."""
     print(
         f"Loaded: {len(TICKETS_BY_ID):,} tickets  |  "
         f"{len(MALICIOUS_ROWS):,} malicious IPs  |  "
@@ -22,3 +24,7 @@
     )
     print("Threat Modeling → http://0.0.0.0:5003/")
     app.run(host="0.0.0.0", port=5003, debug=False, threaded=True)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/apps/threat_model/static/tm.css b/apps/threat_model/static/tm.css
index 3839631..af6bd77 100644
--- a/apps/threat_model/static/tm.css
+++ b/apps/threat_model/static/tm.css
@@ -1189,3 +1189,29 @@ tr.ticket-row-active {
 .org-icon.org-scanner  { color: var(--yellow); }
 .org-icon.org-research { color: var(--purple); }
 .org-icon.org-private  { color: var(--on-surface-dim); }
+
+/* ── No-data banner ────────────────────────────────────── */
+.tm-no-data-banner {
+  display: flex;
+  align-items: flex-start;
+  gap: .7rem;
+  padding: .9rem 1.2rem;
+  margin: 0 0 1rem;
+  background: color-mix(in srgb, var(--yellow) 10%, var(--surface));
+  border: 1px solid color-mix(in srgb, var(--yellow) 35%, transparent);
+  border-radius: var(--radius-card);
+  font-size: .875rem;
+  line-height: 1.55;
+}
+.tm-no-data-banner i {
+  color: var(--yellow);
+  margin-top: .2rem;
+  flex-shrink: 0;
+}
+.tm-no-data-banner code {
+  font-family: var(--font-mono, monospace);
+  font-size: .8rem;
+  background: color-mix(in srgb, var(--on-surface) 10%, transparent);
+  padding: .1rem .35rem;
+  border-radius: 3px;
+}
diff --git a/apps/threat_model/templates/index.html b/apps/threat_model/templates/index.html
index 7e2487c..ca7cabb 100644
--- a/apps/threat_model/templates/index.html
+++ b/apps/threat_model/templates/index.html
@@ -4,6 +4,17 @@
 
 {% block content %}
 
+{% if not data_available %}
+<div class="tm-no-data-banner">
+  <i class="fa-solid fa-circle-info"></i>
+  <div>
+    <strong>No threat model data found.</strong>
+    The enrichment pipeline hasn't been run yet, or the data files are missing from
+    <code>data/tickets/</code>. Run the indexing and enrichment scripts to populate this view.
+  </div>
+</div>
+{% endif %}
+
 {# ── Search bar ────────────────────────────────────────────── #}
 <div class="tm-search-bar">
   <i class="fa-solid fa-magnifying-glass" style="color:var(--on-surface-dim)"></i>
diff --git a/apps/threat_model/templates/partials/device_profile_card.html b/apps/threat_model/templates/partials/device_profile_card.html
new file mode 100644
index 0000000..f42934f
--- /dev/null
+++ b/apps/threat_model/templates/partials/device_profile_card.html
@@ -0,0 +1,120 @@
+{% set dp = device_profile %}
+<div style="display:grid;grid-template-columns:1fr 1fr;gap:0 2rem">
+
+  {# ── Left column ── #}
+  <div>
+
+    {# Identity #}
+    {% if dp.hostname or dp.dhcp_hostname or dp.mac or dp.users %}
+    <div class="threat-kv">
+      <span class="k">Hostname</span>
+      <span class="v">{{ dp.hostname or dp.dhcp_hostname or '—' }}{% if dp.ad_domain %}<span style="color:var(--on-surface-dim)">.{{ dp.ad_domain }}</span>{% endif %}</span>
+    </div>
+    {% if dp.mac %}
+    <div class="threat-kv">
+      <span class="k">MAC</span>
+      <span class="v" style="font-family:monospace">{{ dp.mac }}</span>
+    </div>
+    {% endif %}
+    {% if dp.users %}
+    <div class="threat-kv">
+      <span class="k">Users</span>
+      <span class="v">{{ dp.users | join(', ') }}</span>
+    </div>
+    {% endif %}
+    {% endif %}
+
+    {# Classification #}
+    <div class="threat-kv">
+      <span class="k">Role</span>
+      <span class="v">
+        {% if dp.role and dp.role != 'unknown' %}
+          <span class="badge-cat">{{ dp.role | replace('_', ' ') | title }}</span>
+          <span style="color:var(--on-surface-dim);font-size:0.78rem"> {{ (dp.confidence * 100) | int }}%</span>
+        {% else %}
+          —
+        {% endif %}
+      </span>
+    </div>
+    <div class="threat-kv">
+      <span class="k">OS</span>
+      <span class="v">{{ dp.os_family or '—' }}</span>
+    </div>
+    {% if dp.software %}
+    <div class="threat-kv">
+      <span class="k">Software</span>
+      <span class="v" style="font-size:0.8rem">{{ dp.software | join(', ') }}</span>
+    </div>
+    {% endif %}
+
+    {# Network summary #}
+    <div class="threat-kv" style="margin-top:0.4rem">
+      <span class="k">Bytes Out</span>
+      <span class="v">{{ dp.bytes_sent | filesizeformat if dp.bytes_sent else '—' }}</span>
+    </div>
+    <div class="threat-kv">
+      <span class="k">Bytes In</span>
+      <span class="v">{{ dp.bytes_received | filesizeformat if dp.bytes_received else '—' }}</span>
+    </div>
+    <div class="threat-kv">
+      <span class="k">Unique Dests</span>
+      <span class="v">{{ dp.unique_dest_count or '—' }}</span>
+    </div>
+
+  </div>
+
+  {# ── Right column ── #}
+  <div>
+
+    {# Inbound services #}
+    {% if dp.inbound_services %}
+    <div style="margin-bottom:0.5rem">
+      <span class="k" style="display:block;margin-bottom:2px">Inbound Services</span>
+      <table style="width:100%;font-size:0.78rem;border-collapse:collapse">
+        {% for svc in dp.inbound_services[:6] %}
+        <tr>
+          <td style="color:var(--on-surface-dim);padding:1px 6px 1px 0">{{ svc.port }}/{{ svc.app_proto or 'tcp' }}</td>
+          <td style="color:var(--on-surface-dim);padding:1px 0">{{ svc.count }} conns</td>
+        </tr>
+        {% endfor %}
+      </table>
+    </div>
+    {% endif %}
+
+    {# Risk signals #}
+    {% set risk = [] %}
+    {% if dp.rdp_inbound %}{% set _ = risk.append('RDP inbound' + (' (' + dp.rdp_usernames[:3]|join(', ') + ')' if dp.rdp_usernames else '')) %}{% endif %}
+    {% if dp.ssh_inbound %}{% set _ = risk.append('SSH inbound') %}{% endif %}
+    {% if dp.admin_targets %}{% set _ = risk.append('RDP admin → ' + dp.admin_targets[:3]|join(', ')) %}{% endif %}
+    {% if dp.ssh_admin_targets %}{% set _ = risk.append('SSH admin → ' + dp.ssh_admin_targets[:3]|join(', ')) %}{% endif %}
+    {% if risk %}
+    <div class="threat-kv" style="margin-bottom:0.4rem">
+      <span class="k">Risk Signals</span>
+      <span class="v" style="font-size:0.8rem;color:var(--warning,#e8a44b)">
+        {% for r in risk %}<span style="display:block">{{ r }}</span>{% endfor %}
+      </span>
+    </div>
+    {% endif %}
+
+    {# Top DNS domains #}
+    {% if dp.dns_top_domains %}
+    <div>
+      <span class="k" style="display:block;margin-bottom:2px">Top DNS Domains</span>
+      <ul style="list-style:none;padding:0;margin:0;font-size:0.78rem;color:var(--on-surface-dim)">
+        {% for d in dp.dns_top_domains[:5] %}
+        <li>{{ d.domain }} <span style="color:var(--on-surface-dimmer,#666)">×{{ d.count }}</span></li>
+        {% endfor %}
+      </ul>
+    </div>
+    {% endif %}
+
+  </div>
+
+</div>
+
+{# Footer: profiled-at metadata #}
+<div style="margin-top:0.6rem;font-size:0.72rem;color:var(--on-surface-dim)">
+  Profiled {{ dp.profiled_at[:10] if dp.profiled_at else '?' }}
+  &nbsp;·&nbsp; sensor={{ dp.sensor }}
+  &nbsp;·&nbsp; range={{ dp.time_range }}
+</div>
diff --git a/apps/threat_model/templates/partials/infra_rows.html b/apps/threat_model/templates/partials/infra_rows.html
index 4caca81..5af3103 100644
--- a/apps/threat_model/templates/partials/infra_rows.html
+++ b/apps/threat_model/templates/partials/infra_rows.html
@@ -1,6 +1,10 @@
 {% for r in rows %}
 <tr data-ip="{{ r.ip }}" onclick="handleInfraRowClick(this)" style="cursor:pointer">
-  <td><span style="font-weight:600">{{ r.ip }}</span></td>
+  <td>
+    <span style="font-weight:600">{{ r.ip }}</span>
+    {% if r.profile_hostname %}<span style="font-size:0.75rem;color:var(--on-surface-dim)"> · {{ r.profile_hostname }}</span>{% endif %}
+    {% if r.profile_role and r.profile_role != 'unknown' %}<span class="badge-cat" style="margin-left:4px">{{ r.profile_role | replace('_',' ') | title }}</span>{% endif %}
+  </td>
   <td style="font-size:0.82rem">{% if r.org_icon %}<i class="{{ r.org_icon }} org-icon org-{{ r.org_category }}" title="{{ r.org_name }}"></i>{% endif %}{{ r.org_name }}</td>
   <td><span class="badge-cat">{{ r.org_category|replace('_',' ')|title }}</span></td>
   <td>{{ r.actor|replace('_',' ')|title if r.actor else '—' }}</td>
diff --git a/apps/threat_model/templates/partials/threat_card.html b/apps/threat_model/templates/partials/threat_card.html
index 3f4d3b7..f0e517a 100644
--- a/apps/threat_model/templates/partials/threat_card.html
+++ b/apps/threat_model/templates/partials/threat_card.html
@@ -8,6 +8,8 @@
         <i class="fa-solid fa-circle-check"></i> FALSE POSITIVE
       {% elif verdict == 'observed' %}
         <i class="fa-solid fa-eye"></i> OBSERVED
+      {% elif verdict == 'infra' %}
+        <i class="fa-solid fa-server"></i> INTERNAL
       {% else %}
         <i class="fa-solid fa-circle-question"></i> UNKNOWN
       {% endif %}
@@ -26,6 +28,8 @@
       <span style="color:var(--on-surface-dim);font-size:0.78rem">score: {{ fp.score }}</span>
     {% elif verdict == 'observed' %}
       <span class="badge badge-yellow">{{ ticket_total }} ticket{{ 's' if ticket_total != 1 else '' }}</span>
+    {% elif verdict == 'infra' %}
+      {% if ticket_total > 0 %}<span class="badge badge-blue">{{ ticket_total }} ticket{{ 's' if ticket_total != 1 else '' }}</span>{% endif %}
     {% else %}
       <span class="badge badge-gray">not in database</span>
     {% endif %}
@@ -97,6 +101,20 @@
       </div>
     </div>
   </div>
+  {% elif verdict == 'infra' %}
+  <div class="threat-card-body">
+    {% if device_profile %}
+      {% include "partials/device_profile_card.html" %}
+    {% else %}
+      <div hx-get="{{ script_name }}/api/ip/{{ ip }}/profile"
+           hx-trigger="load"
+           hx-swap="outerHTML">
+        <p style="color:var(--on-surface-dim);font-size:0.82rem">
+          <i class="fa-solid fa-spinner fa-spin"></i> Loading device profile&hellip;
+        </p>
+      </div>
+    {% endif %}
+  </div>
   {% endif %}
 
   {# Ticket section #}
diff --git a/mcp/enrichment/requirements.txt b/mcp_servers/enrichment/requirements.txt
similarity index 100%
rename from mcp/enrichment/requirements.txt
rename to mcp_servers/enrichment/requirements.txt
diff --git a/mcp/enrichment/server.py b/mcp_servers/enrichment/server.py
similarity index 100%
rename from mcp/enrichment/server.py
rename to mcp_servers/enrichment/server.py
diff --git a/mcp/mantis/requirements.txt b/mcp_servers/mantis/requirements.txt
similarity index 100%
rename from mcp/mantis/requirements.txt
rename to mcp_servers/mantis/requirements.txt
diff --git a/mcp/mantis/server.py b/mcp_servers/mantis/server.py
similarity index 100%
rename from mcp/mantis/server.py
rename to mcp_servers/mantis/server.py
diff --git a/mcp/opensearch/requirements.txt b/mcp_servers/opensearch/requirements.txt
similarity index 100%
rename from mcp/opensearch/requirements.txt
rename to mcp_servers/opensearch/requirements.txt
diff --git a/mcp/opensearch/server.py b/mcp_servers/opensearch/server.py
similarity index 54%
rename from mcp/opensearch/server.py
rename to mcp_servers/opensearch/server.py
index 46055bf..97e42a6 100644
--- a/mcp/opensearch/server.py
+++ b/mcp_servers/opensearch/server.py
@@ -36,13 +36,25 @@
 from mcp.server.fastmcp import FastMCP
 
 from src.enricher.threat_intel import enrich_ip
+from src.querier.histogram import query_histogram
 from src.querier.fp_manager import (
     append_clauses_to_file,
+    delete_ip_from_filter,
     ensure_subcategory,
     filter_file_path,
+    load_categories,
+    load_filter_file,
 )
+from src.querier.runner import FILTERS_DIR, load_with_remap
 from src.querier.zeek_modules import MODULES
-from src.querier.zeek_modules.base import INDEX, is_private, query_opensearch, run_query
+from src.querier.zeek_modules.base import (
+    INDEX,
+    build_base_query,
+    is_private,
+    query_opensearch,
+    run_query,
+    source_terms_script,
+)
 from src.utils.ip_org import lookup_org
 
 mcp = FastMCP("pisces")
@@ -63,6 +75,15 @@ def _serialise_records(records: list) -> list:
     return out
 
 
+def _search_result(records: list, limit: int) -> dict:
+    """Build a standard search response dict with a truncation hint."""
+    return {
+        "count": len(records),
+        "truncated": len(records) >= limit,
+        "records": _serialise_records(records),
+    }
+
+
 def _ok(data) -> str:
     return json.dumps({"status": "ok", "data": data}, default=str)
 
@@ -73,12 +94,15 @@ def _err(msg: str) -> str:
 
 def _base_params(
     time_range: str,
-    sensor: str,
+    sensor: str | list[str],
     limit: int,
     public_only: bool,
-    src_ip: Optional[str],
+    src_ip: str | list[str] | None,
     direction: Optional[str],
     no_filters: bool,
+    dest_ip: str | list[str] | None = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> dict:
     params: dict = {
         "time_range": time_range,
@@ -90,18 +114,17 @@ def _base_params(
     }
     if src_ip:
         params["src_ip"] = src_ip
+    if dest_ip:
+        params["dest_ip"] = dest_ip
     if direction:
         params["direction"] = direction
+    if time_from:
+        params["time_from"] = time_from
+    if time_to:
+        params["time_to"] = time_to
     return params
 
 
-def _apply_dest_ip_filter(records: list, dest_ip: Optional[str]) -> list:
-    """Post-filter records by destination IP (base.py only natively filters src_ip)."""
-    if not dest_ip:
-        return records
-    return [r for r in records if r.get("dest_ip") == dest_ip]
-
-
 # ---------------------------------------------------------------------------
 # 10 Zeek protocol tools
 # ---------------------------------------------------------------------------
@@ -110,24 +133,52 @@ def _apply_dest_ip_filter(records: list, dest_ip: Optional[str]) -> list:
 @mcp.tool()
 def search_conn(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
+    dest_port: Optional[int] = None,
+    src_port: Optional[int] = None,
+    proto: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek conn (connection) logs from Malcolm/OpenSearch.
 
     Returns deduplicated connection records sorted by frequency.
     Common fields: src_ip, dest_ip, dest_port, proto, bytes, duration, sensor.
+
+    Args:
+        dest_port: Destination port to filter by, e.g. 443.
+        src_port: Source port to filter by.
+        proto: Transport protocol to filter by, e.g. "tcp", "udp", "icmp".
+        time_from: Absolute start timestamp (ISO 8601), e.g. "2026-04-19T00:00:00Z".
+        time_to: Absolute end timestamp (ISO 8601). Overrides time_range when both are set.
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
+        if dest_port is not None:
+            params["dest_port"] = dest_port
+        if src_port is not None:
+            params["src_port"] = src_port
+        if proto:
+            params["proto"] = proto
         records = run_query(MODULES["conn"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -135,16 +186,18 @@ def search_conn(
 @mcp.tool()
 def search_dns(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     dns_query: Optional[str] = None,
     dns_rcode: Optional[str] = None,
     dns_qtype: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek DNS logs from Malcolm/OpenSearch.
 
@@ -152,9 +205,22 @@ def search_dns(
         dns_query: Domain name to filter by (substring match).
         dns_rcode: Response code to filter by, e.g. "NXDOMAIN".
         dns_qtype: Query type to filter by, e.g. "A", "MX", "TXT".
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if dns_query:
             params["dns_query"] = dns_query
         if dns_rcode:
@@ -162,8 +228,7 @@ def search_dns(
         if dns_qtype:
             params["qtype"] = dns_qtype
         records = run_query(MODULES["dns"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -171,17 +236,20 @@ def search_dns(
 @mcp.tool()
 def search_http(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     http_method: Optional[str] = None,
     http_host: Optional[str] = None,
     http_uri: Optional[str] = None,
     status_code: Optional[int] = None,
+    dest_port: Optional[int] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek HTTP logs from Malcolm/OpenSearch.
 
@@ -190,9 +258,23 @@ def search_http(
         http_host: Virtual host header to filter by.
         http_uri: URI path substring to filter by.
         status_code: HTTP response status code to filter by.
+        dest_port: Destination port to filter by (default 80/8080, but not enforced).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if http_method:
             params["http_method"] = http_method
         if http_host:
@@ -201,9 +283,10 @@ def search_http(
             params["http_uri"] = http_uri
         if status_code is not None:
             params["status_code"] = status_code
+        if dest_port is not None:
+            params["dest_port"] = dest_port
         records = run_query(MODULES["http"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -211,31 +294,49 @@ def search_http(
 @mcp.tool()
 def search_ssl(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     ssl_sni: Optional[str] = None,
     ssl_invalid_only: bool = False,
+    dest_port: Optional[int] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek SSL/TLS logs from Malcolm/OpenSearch.
 
     Args:
         ssl_sni: Server Name Indication hostname to filter by.
         ssl_invalid_only: If True, return only connections with invalid/self-signed certs.
+        dest_port: Destination port to filter by (commonly 443, 8443).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if ssl_sni:
             params["ssl_sni"] = ssl_sni
         if ssl_invalid_only:
             params["ssl_invalid_only"] = True
+        if dest_port is not None:
+            params["dest_port"] = dest_port
         records = run_query(MODULES["ssl"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -243,16 +344,18 @@ def search_ssl(
 @mcp.tool()
 def search_smtp(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     smtp_mail_from: Optional[str] = None,
     smtp_rcpt_to: Optional[str] = None,
     smtp_subject: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek SMTP logs from Malcolm/OpenSearch.
 
@@ -260,9 +363,22 @@ def search_smtp(
         smtp_mail_from: Sender address to filter by.
         smtp_rcpt_to: Recipient address to filter by.
         smtp_subject: Subject line substring to filter by.
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if smtp_mail_from:
             params["smtp_mail_from"] = smtp_mail_from
         if smtp_rcpt_to:
@@ -270,8 +386,7 @@ def search_smtp(
         if smtp_subject:
             params["smtp_subject"] = smtp_subject
         records = run_query(MODULES["smtp"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -279,31 +394,49 @@ def search_smtp(
 @mcp.tool()
 def search_rdp(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     rdp_result: Optional[str] = None,
     rdp_cookie: Optional[str] = None,
+    dest_port: Optional[int] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek RDP logs from Malcolm/OpenSearch.
 
     Args:
         rdp_result: RDP result string to filter by, e.g. "encrypted".
         rdp_cookie: RDP cookie/username string to filter by.
+        dest_port: Destination port to filter by (commonly 3389).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if rdp_result:
             params["rdp_result"] = rdp_result
         if rdp_cookie:
             params["rdp_cookie"] = rdp_cookie
+        if dest_port is not None:
+            params["dest_port"] = dest_port
         records = run_query(MODULES["rdp"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -311,31 +444,49 @@ def search_rdp(
 @mcp.tool()
 def search_smb(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     smb_share: Optional[str] = None,
     smb_action: Optional[str] = None,
+    dest_port: Optional[int] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek SMB logs from Malcolm/OpenSearch.
 
     Args:
         smb_share: SMB share name to filter by.
         smb_action: SMB action verb to filter by, e.g. "SMB::FILE_OPEN".
+        dest_port: Destination port to filter by (commonly 445).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if smb_share:
             params["smb_share"] = smb_share
         if smb_action:
             params["smb_action"] = smb_action
+        if dest_port is not None:
+            params["dest_port"] = dest_port
         records = run_query(MODULES["smb"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -343,31 +494,49 @@ def search_smb(
 @mcp.tool()
 def search_ssh(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     ssh_failed_only: bool = False,
     ssh_auth_result: Optional[str] = None,
+    dest_port: Optional[int] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek SSH logs from Malcolm/OpenSearch.
 
     Args:
         ssh_failed_only: If True, return only failed authentication attempts.
         ssh_auth_result: Auth result string to filter by, e.g. "failure", "success".
+        dest_port: Destination port to filter by (commonly 22).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if ssh_failed_only:
             params["ssh_failed_only"] = True
         if ssh_auth_result is not None:
             params["ssh_auth_result"] = ssh_auth_result
+        if dest_port is not None:
+            params["dest_port"] = dest_port
         records = run_query(MODULES["ssh"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -375,14 +544,16 @@ def search_ssh(
 @mcp.tool()
 def search_notice(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     notice_note: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek Notice logs from Malcolm/OpenSearch.
 
@@ -390,15 +561,28 @@ def search_notice(
     SSH brute-force detected, etc.).
 
     Args:
-        notice_note: Notice type to filter by, e.g. "Scan::Port_Scan".
+        notice_note: Notice type to filter by, e.g. "Scan::Port_Scan". Use a trailing
+            wildcard to match a namespace, e.g. "Scan::*" or "SSH::*".
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if notice_note:
             params["notice_note"] = notice_note
         records = run_query(MODULES["notice"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -406,14 +590,16 @@ def search_notice(
 @mcp.tool()
 def search_weird(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     weird_name: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek Weird logs from Malcolm/OpenSearch.
 
@@ -421,15 +607,28 @@ def search_weird(
     couldn't classify normally.
 
     Args:
-        weird_name: Weird event name to filter by, e.g. "bad_HTTP_reply".
+        weird_name: Weird event name to filter by, e.g. "bad_HTTP_reply". Supports
+            wildcards, e.g. "bad_*".
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if weird_name:
             params["weird_name"] = weird_name
         records = run_query(MODULES["weird"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -437,11 +636,11 @@ def search_weird(
 @mcp.tool()
 def search_suricata_alert(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     direction: Optional[str] = None,
     no_filters: bool = False,
     rule_name: Optional[str] = None,
@@ -450,6 +649,8 @@ def search_suricata_alert(
     sid: Optional[int] = None,
     exclude_stream: bool = False,
     tag: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Suricata IDS alert records from Malcolm/OpenSearch.
 
@@ -464,9 +665,22 @@ def search_suricata_alert(
         sid: Suricata rule ID (SID) to filter by.
         exclude_stream: Exclude noisy SURICATA STREAM/QUIC protocol anomaly rules.
         tag: Filter by tag, e.g. "CISA_KEV", "Exploit", "RAT".
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, direction, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            direction,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if rule_name:
             params["rule_name"] = rule_name
         if rule_category:
@@ -480,8 +694,7 @@ def search_suricata_alert(
         if tag:
             params["tag"] = tag
         records = run_query(MODULES["suricata_alert"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -494,15 +707,17 @@ def search_suricata_alert(
 @mcp.tool()
 def search_radius(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     no_filters: bool = False,
     username: Optional[str] = None,
     mac: Optional[str] = None,
     failed_only: bool = False,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek RADIUS authentication logs — VPN/802.1X auth records.
 
@@ -510,9 +725,22 @@ def search_radius(
         username: Filter by username (substring match).
         mac: Filter by MAC address (exact match).
         failed_only: Show only failed authentication attempts.
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, None, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            None,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if username:
             params["username"] = username
         if mac:
@@ -520,8 +748,7 @@ def search_radius(
         if failed_only:
             params["failed_only"] = failed_only
         records = run_query(MODULES["radius"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -529,15 +756,17 @@ def search_radius(
 @mcp.tool()
 def search_sip(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     no_filters: bool = False,
     method: Optional[str] = None,
     status_code: Optional[str] = None,
     user_agent: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek SIP/VoIP session logs.
 
@@ -545,9 +774,22 @@ def search_sip(
         method: Filter by SIP method (INVITE, REGISTER, OPTIONS, etc.).
         status_code: Filter by SIP status code (exact match).
         user_agent: Filter by User-Agent (substring match).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, None, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            None,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if method:
             params["method"] = method
         if status_code:
@@ -555,8 +797,7 @@ def search_sip(
         if user_agent:
             params["user_agent"] = user_agent
         records = run_query(MODULES["sip"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -564,26 +805,40 @@ def search_sip(
 @mcp.tool()
 def search_tunnel(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     no_filters: bool = False,
     tunnel_type: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek tunnel logs — protocol encapsulation / covert channel detection.
 
     Args:
         tunnel_type: Filter by tunnel type (Tunnel::IP, Tunnel::GRE, etc.).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, None, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            None,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if tunnel_type:
             params["tunnel_type"] = tunnel_type
         records = run_query(MODULES["tunnel"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -591,30 +846,44 @@ def search_tunnel(
 @mcp.tool()
 def search_ntp(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     no_filters: bool = False,
     mode: Optional[int] = None,
     version: Optional[int] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek NTP logs — time synchronisation and amplification detection.
 
     Args:
         mode: Filter by NTP mode (3=client, 4=server, 6=control, 7=private).
         version: Filter by NTP version (exact match, integer).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, None, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            None,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if mode is not None:
             params["mode"] = mode
         if version is not None:
             params["version"] = version
         records = run_query(MODULES["ntp"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -622,30 +891,44 @@ def search_ntp(
 @mcp.tool()
 def search_modbus(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     no_filters: bool = False,
     function: Optional[str] = None,
     exceptions_only: bool = False,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek Modbus/TCP logs — OT/SCADA protocol for PLCs and RTUs.
 
     Args:
         function: Filter by Modbus function (e.g. "Read Coils", "Write Single Register").
         exceptions_only: Show only records with exception codes.
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, None, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            None,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if function:
             params["function"] = function
         if exceptions_only:
             params["exceptions_only"] = True
         records = run_query(MODULES["modbus"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
@@ -653,100 +936,171 @@ def search_modbus(
 @mcp.tool()
 def search_dnp3(
     time_range: str = "now-24h",
-    sensor: str = "all",
+    sensor: str | list[str] = "all",
     limit: int = 500,
     public_only: bool = False,
-    src_ip: Optional[str] = None,
-    dest_ip: Optional[str] = None,
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
     no_filters: bool = False,
     function: Optional[str] = None,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
 ) -> str:
     """Search Zeek DNP3 logs — SCADA protocol for utilities (electric, water, gas).
 
     Args:
         function: Filter by DNP3 function request (substring match).
+        time_from: Absolute start timestamp (ISO 8601). Overrides time_range when both are set.
+        time_to: Absolute end timestamp (ISO 8601).
     """
     try:
-        params = _base_params(time_range, sensor, limit, public_only, src_ip, None, no_filters)
+        params = _base_params(
+            time_range,
+            sensor,
+            limit,
+            public_only,
+            src_ip,
+            None,
+            no_filters,
+            dest_ip,
+            time_from,
+            time_to,
+        )
         if function:
             params["function"] = function
         records = run_query(MODULES["dnp3"], params)
-        records = _apply_dest_ip_filter(records, dest_ip)
-        return _ok({"count": len(records), "records": _serialise_records(records)})
+        return _ok(_search_result(records, limit))
     except Exception as exc:
         return _err(str(exc))
 
 
 # ---------------------------------------------------------------------------
-# Pivot tools
+# Pivot tool (§2.1)
 # ---------------------------------------------------------------------------
 
 
 @mcp.tool()
-def pivot_ip(
+def pivot(
     ip: str,
-    time_range: str = "now-24h",
+    mode: str = "records",
+    dest_ip: Optional[str] = None,
     sensor: str = "all",
+    time_range: str = "now-24h",
     limit: int = 500,
     public_only: bool = False,
     no_filters: bool = False,
 ) -> str:
-    """Run all 10 Zeek protocol queries in parallel for a single IP address.
+    """IP-centric investigation tool with three operating modes.
+
+    Choose ``mode`` based on the question you are trying to answer:
+
+    * **records** — Cross-protocol raw records for *ip* (as src or dest).
+      Returns per-protocol counts plus full deduplicated records.  Also runs
+      ``lookup_org`` to surface cloud/CDN/scanner ownership.  Use when you
+      want to see what an IP was actually doing.
+
+    * **profile** — Aggregated device card for *ip*.  For private IPs: role,
+      OS, software, inbound services, hostnames, fingerprints.  For public
+      IPs: sensor presence, reverse DNS, exposed services, TLS/cert info,
+      inbound attack signals.  Use when you want to understand what a device
+      is, not just what it did.
 
-    Returns per-protocol record counts plus full records for every protocol where
-    the IP appeared (as either source or destination).  Also runs lookup_org to
-    identify cloud/CDN/scanner ownership.
+    * **incident** — Full incident bundle for a src/dest pair.  Requires
+      ``dest_ip``.  Runs device profiling, auth history, attack chain, Mantis
+      ticket search, and threat-intel enrichment in parallel.  Use for
+      alert triage or incident response.
 
-    This is the primary pivot tool for IP-centric investigations.
+    Args:
+        ip: IP address to pivot on (actor / attacker for ``mode="incident"``).
+        mode: One of "records", "profile", or "incident".
+        dest_ip: Destination IP — required when ``mode="incident"``.
+        sensor: Sensor hostname.  Required for private-IP profiling; "all" for
+                ``mode="records"``.
+        time_range: ES date-math range, e.g. "now-24h" or "now-7d".
+        limit: Max records per protocol (``mode="records"`` only).
+        public_only: Exclude RFC-1918 addresses (``mode="records"`` only).
+        no_filters: Bypass FP filter files (``mode="records"`` only).
     """
     try:
-        base = _base_params(time_range, sensor, limit, public_only, ip, None, no_filters)
-
-        org = lookup_org(ip)
-
-        def _run(log_type: str) -> tuple[str, list]:
-            try:
-                params = dict(base)
-                records = run_query(MODULES[log_type], params)
-                # Also include records where IP is destination
-                dest_hits = []
-                if ip:
-                    dest_params = _base_params(
-                        time_range, sensor, limit, public_only, None, None, no_filters
-                    )
-                    dest_records = run_query(MODULES[log_type], dest_params)
-                    dest_hits = [r for r in dest_records if r.get("dest_ip") == ip]
-                # Merge, deduplicate by identity
-                seen_keys: set = set()
-                merged = []
-                for r in records + dest_hits:
-                    k = MODULES[log_type].dedup_key(r)
-                    if k not in seen_keys:
-                        seen_keys.add(k)
-                        merged.append(r)
-                return log_type, merged
-            except Exception:
-                return log_type, []
-
-        results: dict = {}
-        with ThreadPoolExecutor(max_workers=10) as pool:
-            futures = {pool.submit(_run, lt): lt for lt in MODULES}
-            for future in as_completed(futures):
-                log_type, records = future.result()
-                results[log_type] = {
-                    "count": len(records),
-                    "records": _serialise_records(records),
-                }
+        if mode == "records":
+            base = _base_params(time_range, sensor, limit, public_only, ip, None, no_filters)
+
+            org = lookup_org(ip)
+
+            def _run(log_type: str) -> tuple[str, list]:
+                try:
+                    params = dict(base)
+                    records = run_query(MODULES[log_type], params)
+                    dest_hits: list = []
+                    if ip:
+                        dest_params = _base_params(
+                            time_range, sensor, limit, public_only, None, None, no_filters
+                        )
+                        dest_records = run_query(MODULES[log_type], dest_params)
+                        dest_hits = [r for r in dest_records if r.get("dest_ip") == ip]
+                    seen_keys: set = set()
+                    merged = []
+                    for r in records + dest_hits:
+                        k = MODULES[log_type].dedup_key(r)
+                        if k not in seen_keys:
+                            seen_keys.add(k)
+                            merged.append(r)
+                    return log_type, merged
+                except Exception:
+                    return log_type, []
+
+            results: dict = {}
+            with ThreadPoolExecutor(max_workers=10) as pool:
+                futures = {pool.submit(_run, lt): lt for lt in MODULES}
+                for future in as_completed(futures):
+                    lt, recs = future.result()
+                    results[lt] = {
+                        "count": len(recs),
+                        "records": _serialise_records(recs),
+                    }
 
-        summary = {lt: r["count"] for lt, r in results.items()}
-        return _ok(
-            {
-                "ip": ip,
-                "org": org,
-                "summary": summary,
-                "protocols": results,
-            }
-        )
+            summary = {lt: r["count"] for lt, r in results.items()}
+            return _ok({"ip": ip, "org": org, "summary": summary, "protocols": results})
+
+        elif mode == "profile":
+            from dataclasses import asdict
+
+            if is_private(ip):
+                from src.profiler.device_profiler import profile_device as _profile_device
+
+                profile = _profile_device(ip, time_range=time_range, sensor=sensor)
+            else:
+                from src.profiler.public_ip_profiler import profile_public_ip
+
+                profile = profile_public_ip(ip, time_range=time_range)
+            return _ok(asdict(profile))
+
+        elif mode == "incident":
+            if not dest_ip:
+                return _err("dest_ip is required when mode='incident'")
+            from dataclasses import asdict
+
+            from src.correlator.incident_context import investigate as _investigate
+
+            ctx = _investigate(ip, dest_ip, sensor, time_range)
+            data = asdict(ctx)
+            for key in ("src_profile", "dest_profile"):
+                p = data.get(key)
+                if p is not None:
+                    data[key] = {
+                        "ip": p["ip"],
+                        "hostname": p.get("hostname"),
+                        "role": p["role"],
+                        "confidence": p["confidence"],
+                        "os_family": p.get("os_family"),
+                        "software": p.get("software", []),
+                        "users": p.get("users", []),
+                        "inbound_services": p.get("inbound_services", []),
+                    }
+            return _ok(data)
+
+        else:
+            return _err(f"Unknown mode '{mode}'. Must be 'records', 'profile', or 'incident'.")
     except Exception as exc:
         return _err(str(exc))
 
@@ -821,7 +1175,7 @@ def get_notice_summary(
             "aggs": {
                 "notice_types": {
                     "terms": {
-                        "field": "zeek.notice.note",
+                        "script": source_terms_script("zeek.notice.note"),
                         "size": limit,
                         "order": {"_count": "desc"},
                     }
@@ -878,36 +1232,49 @@ def raw_opensearch_search(
 
 
 @mcp.tool()
-def aggregate_by_source_ip(
-    notice_type: str,
+def aggregate(
+    field: str,
+    log_type: Optional[str] = None,
+    notice_type: Optional[str] = None,
     time_range: str = "now-24h",
     sensor: str = "all",
     limit: int = 25,
 ) -> str:
-    """Rank source IPs by how many times they triggered a specific Zeek notice type.
+    """Rank any ES field by frequency across Zeek logs.
 
-    Complements get_notice_summary (which ranks by notice type) — this ranks by
-    source IP *within* a single notice type.
+    Generic aggregation primitive.  Common uses:
+
+    * Top source IPs for a notice:
+      ``field="source.ip", log_type="notice", notice_type="Scan::Port_Scan"``
+    * Top destination IPs overall: ``field="destination.ip"``
+    * Top destination ports: ``field="destination.port", log_type="conn"``
+    * Top user agents: ``field="zeek.http.user_agent", log_type="http"``
 
     Args:
-        notice_type: Exact notice type to filter by, e.g. "Scan::Port_Scan".
-        limit: Maximum number of source IPs to return.
+        field: ES field name to aggregate on, e.g. "source.ip", "destination.port".
+        log_type: Scope to a single Zeek module's datasets, e.g. "conn", "notice",
+                  "http".  Omit to aggregate across all datasets.
+        notice_type: Filter by exact Zeek notice type (only meaningful with
+                     ``log_type="notice"``), e.g. "Scan::Port_Scan".
+        time_range: ES date-math range, e.g. "now-24h".
+        sensor: Sensor hostname or "all".
+        limit: Maximum number of buckets to return.
     """
     try:
-        must: list = [
-            {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
-            {"terms": {"event.dataset": MODULES["notice"].DATASETS}},
-            {"term": {"zeek.notice.note": notice_type}},
-        ]
+        must: list = [{"range": {"@timestamp": {"gte": time_range, "lte": "now"}}}]
+        if log_type and log_type in MODULES:
+            must.append({"terms": {"event.dataset": MODULES[log_type].DATASETS}})
+        if notice_type:
+            must.append({"term": {"zeek.notice.note": notice_type}})
         if sensor != "all":
             must.append({"terms": {"host.name": [s.strip() for s in sensor.split(",")]}})
         body = {
             "size": 0,
             "query": {"bool": {"must": must}},
             "aggs": {
-                "top_sources": {
+                "buckets": {
                     "terms": {
-                        "field": "source.ip",
+                        "script": source_terms_script(field),
                         "size": limit,
                         "order": {"_count": "desc"},
                     }
@@ -918,9 +1285,17 @@ def aggregate_by_source_ip(
         raw = query_opensearch(body, params)
         if raw is None:
             return _err("OpenSearch query failed — check credentials and OPENSEARCH_URL")
-        buckets = raw.get("aggregations", {}).get("top_sources", {}).get("buckets", [])
-        sources = [{"ip": b["key"], "count": b["doc_count"]} for b in buckets]
-        return _ok({"notice_type": notice_type, "time_range": time_range, "sources": sources})
+        buckets = raw.get("aggregations", {}).get("buckets", {}).get("buckets", [])
+        results = [{"value": b["key"], "count": b["doc_count"]} for b in buckets]
+        return _ok(
+            {
+                "field": field,
+                "log_type": log_type,
+                "notice_type": notice_type,
+                "time_range": time_range,
+                "results": results,
+            }
+        )
     except Exception as exc:
         return _err(str(exc))
 
@@ -1029,6 +1404,116 @@ def _enrich_one(item: tuple) -> dict:
         return _err(str(exc))
 
 
+@mcp.tool()
+def bulk_enrich_ips(ips: list[str]) -> str:
+    """Enrich a list of IP addresses through the full threat-intelligence pipeline.
+
+    Runs GreyNoise → AbuseIPDB → Shodan → VirusTotal concurrently for each public IP.
+    Private/RFC-1918 IPs are skipped — no enrichment data is available for them.
+    Results are returned in the same order as the input list.
+
+    Args:
+        ips: List of IP addresses to enrich.
+    """
+    try:
+        ip_order = {ip: i for i, ip in enumerate(ips)}
+        public = [ip for ip in ips if not is_private(ip)]
+        private_count = len(ips) - len(public)
+
+        def _enrich_one(ip: str) -> dict:
+            return {"ip": ip, "enrichment": enrich_ip(ip, offer_fp=False)}
+
+        results: list = []
+        if public:
+            with ThreadPoolExecutor(max_workers=min(len(public), 5)) as pool:
+                futures = {pool.submit(_enrich_one, ip): ip for ip in public}
+                for future in as_completed(futures):
+                    results.append(future.result())
+            results.sort(key=lambda x: ip_order.get(x["ip"], len(ips)))
+
+        return _ok(
+            {
+                "total_requested": len(ips),
+                "enriched_count": len(results),
+                "skipped_private": private_count,
+                "results": results,
+            }
+        )
+    except Exception as exc:
+        return _err(str(exc))
+
+
+@mcp.tool()
+def count(
+    log_type: str,
+    time_range: str = "now-24h",
+    sensor: str | list[str] = "all",
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
+    no_filters: bool = False,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
+) -> str:
+    """Count matching events without fetching records — cheaper than search for pure counts.
+
+    Hits the ``_count`` endpoint so no documents are shipped.  Use this when you
+    only need a number, e.g. to check whether an IP is active before pivoting, or
+    to compare volume across time windows.
+
+    Args:
+        log_type: Zeek log type, e.g. "conn", "notice", "dns". Use "all" for all datasets.
+        time_range: ES date-math range, ignored when time_from/time_to are set.
+        sensor: Sensor hostname or "all".
+        src_ip: Source IP or list of source IPs to filter by.
+        dest_ip: Destination IP or list of destination IPs to filter by.
+        no_filters: Skip FP filters.
+        time_from: Absolute start timestamp (ISO 8601).
+        time_to: Absolute end timestamp (ISO 8601).
+    """
+    try:
+        if no_filters:
+            must_not: list = []
+        else:
+            must_not, _fc, _errs = load_with_remap(FILTERS_DIR)
+
+        sensors: list | None = None
+        if isinstance(sensor, list):
+            sensors = [s.strip() for s in sensor]
+        elif str(sensor).lower() != "all":
+            sensors = [s.strip() for s in str(sensor).split(",")]
+
+        datasets = MODULES[log_type].DATASETS if log_type in MODULES and log_type != "all" else []
+
+        body, _params = build_base_query(
+            must_not=must_not,
+            extra_must=[],
+            source_fields=[],
+            limit=0,
+            time_range=time_range,
+            sensors=sensors,
+            datasets=datasets,
+            src_ip_filter=src_ip,
+            dest_ip_filter=dest_ip,
+            time_from=time_from,
+            time_to=time_to,
+            sort=False,
+        )
+        count_body = {"query": body["query"]}
+        params = {"path": f"{INDEX}/_count", "method": "POST"}
+        raw = query_opensearch(count_body, params)
+        if raw is None:
+            return _err("OpenSearch query failed — check credentials and OPENSEARCH_URL")
+        return _ok(
+            {
+                "log_type": log_type,
+                "time_range": time_range,
+                "count": raw.get("count", 0),
+            }
+        )
+    except Exception as exc:
+        return _err(str(exc))
+
+
 @mcp.tool()
 def compare_to_baseline(
     notice_type: str,
@@ -1206,38 +1691,117 @@ def create_fp_filter(
         return _err(str(exc))
 
 
-# ---------------------------------------------------------------------------
-# Device profiler
-# ---------------------------------------------------------------------------
+@mcp.tool()
+def list_filter_categories() -> str:
+    """List all valid filter category / subcategory pairs from categories.yaml.
+
+    Returns a mapping of category → list[subcategory].  Use this before calling
+    create_fp_filter so you can supply a valid category and subcategory.
+    """
+    try:
+        data = load_categories()
+        cats = data.get("categories", {})
+        return _ok(cats)
+    except Exception as exc:
+        return _err(str(exc))
 
 
 @mcp.tool()
-def profile_device(
-    ip: str,
-    sensor: str,
-    time_range: str = "now-7d",
+def list_fp_filters(
+    category: Optional[str] = None,
+    subcategory: Optional[str] = None,
 ) -> str:
-    """Profile a private IP by aggregating cross-protocol Zeek signals into a device card.
-
-    Runs 9 parallel aggregation queries (conn, DNS, SSL, HTTP, SMB, RDP, SSH)
-    to identify the device's role, OS, installed software, inbound services,
-    hostnames, fingerprints, and behavioral patterns — all from network
-    telemetry without endpoint agents.
+    """Read existing false-positive filter clauses.
 
-    The sensor parameter is required because private IPs overlap across sensors.
+    When called with no arguments returns a summary of all filter files.
+    When called with only category returns all files in that category.
+    When called with both category and subcategory returns the full clause list
+    for that file so you can inspect what is already suppressed.
 
     Args:
-        ip: Private IP address to profile (e.g. 10.0.0.50).
-        sensor: Sensor hostname — required, not optional.
-        time_range: ES date-math range (default: now-7d).
+        category: Filter category directory, e.g. "ips" or "notices".
+        subcategory: Filter subcategory (filename without .yaml), e.g. "false_positives".
     """
     try:
-        from dataclasses import asdict
+        import os
 
-        from src.profiler.device_profiler import profile_device as _profile_device
+        if category and subcategory:
+            path = filter_file_path(category, subcategory)
+            if not os.path.exists(path):
+                return _err(f"Filter file not found: filters/{category}/{subcategory}.yaml")
+            data = load_filter_file(path)
+            return _ok(
+                {
+                    "category": category,
+                    "subcategory": subcategory,
+                    "enabled": data.get("enabled", True),
+                    "description": data.get("description", ""),
+                    "clause_count": len(data.get("must_not", [])),
+                    "clauses": data.get("must_not", []),
+                }
+            )
+
+        results = []
+        cats = load_categories().get("categories", {})
+
+        for cat, cat_data in sorted(cats.items()):
+            if category and cat != category:
+                continue
+            for sub in sorted(cat_data.get("subcategories", [])):
+                path = filter_file_path(cat, sub)
+                if os.path.exists(path):
+                    fdata = load_filter_file(path)
+                    results.append(
+                        {
+                            "category": cat,
+                            "subcategory": sub,
+                            "enabled": fdata.get("enabled", True),
+                            "clause_count": len(fdata.get("must_not", [])),
+                        }
+                    )
+                else:
+                    results.append(
+                        {"category": cat, "subcategory": sub, "enabled": None, "clause_count": 0}
+                    )
 
-        profile = _profile_device(ip, time_range=time_range, sensor=sensor)
-        return _ok(asdict(profile))
+        return _ok(results)
+    except Exception as exc:
+        return _err(str(exc))
+
+
+@mcp.tool()
+def delete_fp_filter(
+    category: str,
+    subcategory: str,
+    ip: str,
+) -> str:
+    """Remove false-positive filter clauses that match an IP address.
+
+    Removes every must_not clause in filters/{category}/{subcategory}.yaml
+    where the given IP appears as a src_ip or dest_ip value (handles both
+    single-value ``term`` and multi-value ``terms`` clauses).  For ``terms``
+    clauses with multiple IPs, only the matching IP is removed; the clause is
+    kept with the remaining IPs.
+
+    Args:
+        category: Filter category directory, e.g. "ips".
+        subcategory: Filter subcategory (filename without .yaml), e.g. "false_positives".
+        ip: IP address to remove from the filter file.
+    """
+    try:
+        path = filter_file_path(category, subcategory)
+        removed = delete_ip_from_filter(path, ip)
+        data = load_filter_file(path)
+        return _ok(
+            {
+                "deleted": removed,
+                "remaining_clauses": len(data.get("must_not", [])),
+                "file": path,
+                "ip": ip,
+            }
+        )
+    except (FileNotFoundError, ValueError) as exc:
+        return _err(str(exc))
     except Exception as exc:
         return _err(str(exc))
 
@@ -1340,6 +1904,65 @@ def build_share_urls(
         return _err(str(exc))
 
 
+# ---------------------------------------------------------------------------
+# §4.9 Date-histogram primitive
+# ---------------------------------------------------------------------------
+
+
+@mcp.tool()
+def histogram(
+    log_type: str,
+    interval: str = "1h",
+    time_range: str = "now-24h",
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
+    sensor: str | list[str] = "all",
+    no_filters: bool = False,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
+) -> str:
+    """Return a date histogram of event volume over time for a Zeek log type.
+
+    Buckets are sorted chronologically. Use this to spot traffic spikes, quiet
+    periods, or to establish a baseline before diving into per-record searches.
+
+    Args:
+        log_type: Zeek log type (e.g. "conn", "notice", "dns") or "all" for all datasets.
+        interval: Bucket width in ES fixed_interval notation, e.g. "15m", "1h", "6h", "1d".
+        time_range: ES date-math range (default: now-24h). Ignored when time_from/time_to are set.
+        src_ip: Filter to a source IP or list of source IPs.
+        dest_ip: Filter to a destination IP or list of destination IPs.
+        sensor: Sensor hostname or list of hostnames; "all" returns all sensors.
+        no_filters: Skip false-positive YAML filters (useful for debugging).
+        time_from: Absolute start timestamp (ISO 8601), e.g. "2026-04-19T00:00:00Z".
+        time_to: Absolute end timestamp (ISO 8601).
+    """
+    try:
+        buckets = query_histogram(
+            log_type=log_type,
+            interval=interval,
+            time_range=time_range,
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            sensor=sensor,
+            no_filters=no_filters,
+            time_from=time_from,
+            time_to=time_to,
+        )
+        total = sum(b["doc_count"] for b in buckets)
+        return _ok(
+            {
+                "log_type": log_type,
+                "interval": interval,
+                "bucket_count": len(buckets),
+                "total_events": total,
+                "buckets": buckets,
+            }
+        )
+    except Exception as exc:
+        return _err(str(exc))
+
+
 # ---------------------------------------------------------------------------
 # Entrypoint
 # ---------------------------------------------------------------------------
diff --git a/mcp/requirements.txt b/mcp_servers/requirements.txt
similarity index 100%
rename from mcp/requirements.txt
rename to mcp_servers/requirements.txt
diff --git a/pyproject.toml b/pyproject.toml
index 26991a2..950c487 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "pisces-scripts"
-version = "1.0.0"
+version = "1.1.0"
 requires-python = ">=3.12"
 dependencies = [
     "requests>=2.31.0",
@@ -8,16 +8,33 @@ dependencies = [
     "pyyaml>=6.0.3",
     "rich>=15.0.0",
     "beautifulsoup4>=4.14.3",
-    "flask>=3.0",
-    "geoip2>=5.2.0",
+    "flask[async]>=3.0",
     "orjson>=3.11.8",
     "plotext>=5.3.2",
-    "cryptography>=46.0.7",
     "pygments>=2.20.0",
-    "pytest>=9.0.3",
     "python-multipart>=0.0.26",
+    "httpx>=0.28.1",
 ]
 
+[project.scripts]
+# CLI tools
+pisces-query         = "src.querier.opensearch_querier:main"
+pisces-enrich        = "src.enricher.threat_intel:main"
+pisces-mantis        = "src.mantis.mantis_search:main"
+pisces-mantis-index  = "src.mantis.mantis_index:main"
+pisces-mantis-report = "src.mantis.activity_report:main"
+pisces-threat-model  = "src.mantis.mantis_threat_model:main"
+pisces-fleet-scan    = "src.profiler.fleet_scanner:main"
+pisces-profile       = "src.profiler.device_profiler:main"
+pisces-histogram     = "src.querier.histogram_cli:main"
+# Web servers (standalone)
+pisces-all              = "run_all:main"
+pisces-opensearch       = "apps.opensearch_web.run:main"
+pisces-dashboard        = "apps.dashboard_web.run:main"
+pisces-hub              = "apps.hub.run:main"
+pisces-threat-model-web = "apps.threat_model.run:main"
+pisces-mantis-explorer  = "apps.mantis_explorer.run:main"
+
 [project.optional-dependencies]
 # AI assistant integration via MCP servers (Claude Code, Claude Desktop, kiro-cli)
 mcp = ["mcp[cli]>=1.0.0"]
@@ -27,10 +44,12 @@ nlp = [
     "spacy>=3.7",
 ]
 
-# Offline ASN/BGP reputation lookup (requires a BGP dump at data/asn_table.dat)
-# Download a dump via: python -m pyasn.scripts.pyasn_util_download
+# Offline ASN/BGP reputation lookup and GeoIP (requires data files)
+#   ASN: python -m pyasn.scripts.pyasn_util_download → data/asn_table.dat
+#   GeoIP: download GeoLite2-City.mmdb from MaxMind → data/
 offline-enrichment = [
     "pyasn>=1.6.2",
+    "geoip2>=5.2.0",
 ]
 
 # Everything
@@ -38,6 +57,7 @@ all = [
     "mcp[cli]>=1.0.0",
     "spacy>=3.7",
     "pyasn>=1.6.2",
+    "geoip2>=5.2.0",
 ]
 
 [dependency-groups]
@@ -69,7 +89,7 @@ select = ["E", "F", "W", "I"]
 "*_web_run.py" = ["E402"]
 "tests/*" = ["E402"]
 "apps/*/run.py" = ["E402"]
-"mcp/*/server.py" = ["E402", "I001"]
+"mcp_servers/*/server.py" = ["E402", "I001"]
 "src/utils/banner.py" = ["E501"]
 
 [tool.bandit]
diff --git a/run_all.py b/run_all.py
index 9becd38..f859687 100755
--- a/run_all.py
+++ b/run_all.py
@@ -36,7 +36,9 @@
     },
 )
 
-if __name__ == "__main__":
+
+def main() -> None:
+    """Entry point for `pisces-all` console script."""
     parser = argparse.ArgumentParser(description="PISCES Combined Web UI")
     parser.add_argument("--host", default="0.0.0.0")
     parser.add_argument("--port", type=int, default=5000)
@@ -50,3 +52,7 @@
         use_debugger=args.debug,
         threaded=True,
     )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/src/correlator/__init__.py b/src/correlator/__init__.py
new file mode 100644
index 0000000..555157a
--- /dev/null
+++ b/src/correlator/__init__.py
@@ -0,0 +1 @@
+"""Correlation engine — incident context builder."""
diff --git a/src/correlator/incident_context.py b/src/correlator/incident_context.py
new file mode 100644
index 0000000..a138afe
--- /dev/null
+++ b/src/correlator/incident_context.py
@@ -0,0 +1,203 @@
+"""Incident context builder — correlates device profiles, auth history, attack chains,
+related tickets, and threat intel enrichment into a unified investigation view.
+"""
+
+from __future__ import annotations
+
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from dataclasses import dataclass, field
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from src.profiler.device_profiler import DeviceProfile
+    from src.profiler.public_ip_profiler import PublicIPProfile
+
+
+@dataclass
+class IncidentContext:
+    """All context gathered for an incident investigation."""
+
+    # Trigger
+    trigger_type: str  # "notice", "ip_pair", "ticket"
+    trigger: dict
+    src_ip: str
+    dest_ip: str
+    sensor: str
+    time_range: str
+
+    # Device profiles (None if profiling failed)
+    src_profile: DeviceProfile | PublicIPProfile | None = None
+    dest_profile: DeviceProfile | PublicIPProfile | None = None
+
+    # Auth history between src ↔ dest
+    kerberos_history: list[dict] = field(default_factory=list)
+    ntlm_history: list[dict] = field(default_factory=list)
+
+    # Attack chain (ATTACK::* notices for src_ip)
+    attack_chain: list[dict] = field(default_factory=list)
+
+    # Related Mantis tickets
+    src_tickets: list[dict] = field(default_factory=list)
+    dest_tickets: list[dict] = field(default_factory=list)
+
+    # Threat intel enrichment (None if IP is private)
+    src_enrichment: dict | None = None
+    dest_enrichment: dict | None = None
+
+    # Merged chronological timeline
+    timeline: list[dict] = field(default_factory=list)
+
+    # Errors from individual tracks (track_name → error message)
+    errors: dict[str, str] = field(default_factory=dict)
+
+
+# ---------------------------------------------------------------------------
+# Module-level imports — placed here so unit tests can patch them cleanly
+# ---------------------------------------------------------------------------
+
+from src.enricher.threat_intel import enrich_ip  # noqa: E402
+from src.mantis.mantis_search import search as search_tickets  # noqa: E402
+from src.profiler.device_profiler import profile_device  # noqa: E402
+from src.profiler.public_ip_profiler import profile_public_ip  # noqa: E402
+from src.querier.zeek_modules import MODULES  # noqa: E402
+from src.querier.zeek_modules.base import (  # noqa: E402
+    INDEX,
+    is_private,
+    query_opensearch,
+    run_query,
+)
+
+
+def query_auth_history(
+    src_ip: str,
+    dest_ip: str,
+    sensor: str,
+    time_range: str,
+) -> tuple[list[dict], list[dict]]:
+    """Fetch Kerberos + NTLM records between src and dest IPs."""
+    sp = {
+        "src_ip": src_ip,
+        "dest_ip": dest_ip,
+        "sensor": sensor,
+        "time_range": time_range,
+        "limit": 200,
+        "no_filters": False,
+        "public_only": False,
+        "raise_on_error": False,
+    }
+    krb = run_query(MODULES["kerberos"], dict(sp))
+    ntlm = run_query(MODULES["ntlm"], dict(sp))
+    return krb, ntlm
+
+
+def query_attack_chain(src_ip: str, sensor: str, time_range: str) -> list[dict]:
+    """Fetch ATTACK::* notices originating from src_ip in the time window."""
+    notice_mod = MODULES["notice"]
+    must: list = [
+        {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+        {"terms": {"event.dataset": notice_mod.DATASETS}},
+        {"term": {"source.ip": src_ip}},
+        {"prefix": {"zeek.notice.note": "ATTACK::"}},
+    ]
+    if sensor != "all":
+        must.append({"terms": {"host.name": [s.strip() for s in sensor.split(",")]}})
+    body = {
+        "size": 500,
+        "query": {"bool": {"must": must}},
+        "sort": [{"@timestamp": {"order": "asc"}}],
+        "_source": notice_mod.SOURCE_FIELDS,
+    }
+    raw = query_opensearch(body, {"path": f"{INDEX}/_search", "method": "POST"})
+    if not raw:
+        return []
+    hits = raw.get("hits", {}).get("hits", [])
+    return [notice_mod.parse_hit(h["_source"]) for h in hits]
+
+
+def build_timeline(ctx: IncidentContext) -> list[dict]:
+    """Merge kerberos, ntlm, and attack chain events into chronological order."""
+    events: list[dict] = []
+
+    for rec in ctx.kerberos_history:
+        events.append({**rec, "type": "kerberos", "timestamp": rec.get("timestamp", "")})
+    for rec in ctx.ntlm_history:
+        events.append({**rec, "type": "ntlm", "timestamp": rec.get("timestamp", "")})
+    for rec in ctx.attack_chain:
+        events.append({**rec, "type": "notice", "timestamp": rec.get("timestamp", "")})
+
+    events.sort(key=lambda e: e.get("timestamp", ""))
+    return events
+
+
+def investigate(
+    src_ip: str,
+    dest_ip: str,
+    sensor: str,
+    time_range: str = "now-24h",
+    *,
+    trigger_type: str = "ip_pair",
+    trigger: dict | None = None,
+) -> IncidentContext:
+    """Build full incident context for an IP pair.
+
+    Runs 5 parallel tracks: src profile, dest profile, auth history,
+    attack chain, and context gather (tickets + enrichment).
+    Each track failure is caught and stored in ctx.errors — the context is
+    always returned even with partial data.
+    """
+    ctx = IncidentContext(
+        trigger_type=trigger_type,
+        trigger=trigger or {"src_ip": src_ip, "dest_ip": dest_ip},
+        src_ip=src_ip,
+        dest_ip=dest_ip,
+        sensor=sensor,
+        time_range=time_range,
+    )
+
+    def _profile_src() -> None:
+        if is_private(src_ip):
+            ctx.src_profile = profile_device(src_ip, time_range=time_range, sensor=sensor)
+        else:
+            ctx.src_profile = profile_public_ip(src_ip, time_range=time_range)
+
+    def _profile_dest() -> None:
+        if is_private(dest_ip):
+            ctx.dest_profile = profile_device(dest_ip, time_range=time_range, sensor=sensor)
+        else:
+            ctx.dest_profile = profile_public_ip(dest_ip, time_range=time_range)
+
+    def _auth_history() -> None:
+        ctx.kerberos_history, ctx.ntlm_history = query_auth_history(
+            src_ip, dest_ip, sensor, time_range
+        )
+
+    def _attack_chain() -> None:
+        ctx.attack_chain = query_attack_chain(src_ip, sensor, time_range)
+
+    def _context_gather() -> None:
+        ctx.src_tickets = search_tickets(src_ip)
+        ctx.dest_tickets = search_tickets(dest_ip)
+        if not is_private(src_ip):
+            ctx.src_enrichment = enrich_ip(src_ip, offer_fp=False)
+        if not is_private(dest_ip):
+            ctx.dest_enrichment = enrich_ip(dest_ip, offer_fp=False)
+
+    tracks = {
+        "src_profile": _profile_src,
+        "dest_profile": _profile_dest,
+        "auth_history": _auth_history,
+        "attack_chain": _attack_chain,
+        "context_gather": _context_gather,
+    }
+
+    with ThreadPoolExecutor(max_workers=5) as pool:
+        futures = {pool.submit(fn): name for name, fn in tracks.items()}
+        for future in as_completed(futures):
+            name = futures[future]
+            try:
+                future.result()
+            except Exception as exc:
+                ctx.errors[name] = str(exc)
+
+    ctx.timeline = build_timeline(ctx)
+    return ctx
diff --git a/src/enricher/abuseipdb.py b/src/enricher/abuseipdb.py
index 6f0dab1..7d28140 100644
--- a/src/enricher/abuseipdb.py
+++ b/src/enricher/abuseipdb.py
@@ -4,18 +4,26 @@
 Returns raw API data for analyst interpretation — no threshold logic applied.
 """
 
+import atexit
 import os
-import sys
 
 import requests
+import urllib3
 from rich import box
-from rich.console import Console
 from rich.table import Table
 
+from src.utils.terminal import console
+
 _BASE_URL = "https://api.abuseipdb.com/api/v2/check"
 URL = "https://www.abuseipdb.com/check/{ip}"
 
-console = Console(file=sys.stderr)
+_retry = urllib3.util.Retry(total=2, backoff_factor=0.5, status_forcelist=(429, 502, 503, 504))
+_session = requests.Session()
+_session.mount(
+    "https://",
+    requests.adapters.HTTPAdapter(max_retries=_retry, pool_connections=4, pool_maxsize=8),
+)
+atexit.register(_session.close)
 
 
 def check_ip(ip: str, max_age_days: int = 90) -> dict:
@@ -43,7 +51,7 @@ def check_ip(ip: str, max_age_days: int = 90) -> dict:
     params = {"ipAddress": ip, "maxAgeInDays": max_age_days, "verbose": True}
 
     try:
-        resp = requests.get(_BASE_URL, headers=headers, params=params, timeout=10)
+        resp = _session.get(_BASE_URL, headers=headers, params=params, timeout=10)
     except requests.RequestException as exc:
         return _error_result(f"Request failed: {exc}")
 
diff --git a/src/enricher/greynoise.py b/src/enricher/greynoise.py
index 02e33c1..5040fc4 100644
--- a/src/enricher/greynoise.py
+++ b/src/enricher/greynoise.py
@@ -4,18 +4,26 @@
 Returns classification: benign | malicious | not_found
 """
 
+import atexit
 import os
-import sys
 
 import requests
+import urllib3
 from rich import box
-from rich.console import Console
 from rich.table import Table
 
+from src.utils.terminal import console
+
 _BASE_URL = "https://api.greynoise.io/v3/community"
 URL = "https://viz.greynoise.io/ip/{ip}"
 
-console = Console(file=sys.stderr)
+_retry = urllib3.util.Retry(total=2, backoff_factor=0.5, status_forcelist=(429, 502, 503, 504))
+_session = requests.Session()
+_session.mount(
+    "https://",
+    requests.adapters.HTTPAdapter(max_retries=_retry, pool_connections=4, pool_maxsize=8),
+)
+atexit.register(_session.close)
 
 
 def check_ip(ip: str) -> dict:
@@ -33,7 +41,7 @@ def check_ip(ip: str) -> dict:
     headers = {"key": api_key} if api_key else {}
 
     try:
-        resp = requests.get(f"{_BASE_URL}/{ip}", headers=headers, timeout=10)
+        resp = _session.get(f"{_BASE_URL}/{ip}", headers=headers, timeout=10)
     except requests.RequestException as exc:
         return {
             "classification": "not_found",
diff --git a/src/enricher/shodan.py b/src/enricher/shodan.py
index d55d0a8..da45d71 100644
--- a/src/enricher/shodan.py
+++ b/src/enricher/shodan.py
@@ -4,18 +4,26 @@
 Returns open ports, org, country, ISP, OS, hostnames, and known vulns.
 """
 
+import atexit
 import os
-import sys
 
 import requests
+import urllib3
 from rich import box
-from rich.console import Console
 from rich.table import Table
 
+from src.utils.terminal import console
+
 _BASE_URL = "https://api.shodan.io/shodan/host"
 URL = "https://www.shodan.io/search?query={ip}"
 
-console = Console(file=sys.stderr)
+_retry = urllib3.util.Retry(total=2, backoff_factor=0.5, status_forcelist=(429, 502, 503, 504))
+_session = requests.Session()
+_session.mount(
+    "https://",
+    requests.adapters.HTTPAdapter(max_retries=_retry, pool_connections=4, pool_maxsize=8),
+)
+atexit.register(_session.close)
 
 
 def check_ip(ip: str) -> dict:
@@ -39,7 +47,7 @@ def check_ip(ip: str) -> dict:
         return _error_result("SHODAN_API_KEY not set")
 
     try:
-        resp = requests.get(f"{_BASE_URL}/{ip}", params={"key": api_key}, timeout=10)
+        resp = _session.get(f"{_BASE_URL}/{ip}", params={"key": api_key}, timeout=10)
     except requests.RequestException as exc:
         return _error_result(f"Request failed: {exc}")
 
diff --git a/src/enricher/threat_intel.py b/src/enricher/threat_intel.py
index 215a96e..dc447df 100755
--- a/src/enricher/threat_intel.py
+++ b/src/enricher/threat_intel.py
@@ -17,7 +17,9 @@
 import argparse
 import os
 import sys
+import time
 from concurrent.futures import ThreadPoolExecutor, as_completed
+from threading import Lock
 
 from dotenv import load_dotenv
 from rich.console import Console
@@ -31,6 +33,47 @@
 
 console = Console(file=sys.stderr)
 
+_ENRICH_TTL = 6 * 3600  # seconds; web path only
+_enrich_cache: dict[str, tuple[float, dict]] = {}
+_enrich_lock = Lock()
+
+
+def _cache_get(ip: str) -> dict | None:
+    with _enrich_lock:
+        entry = _enrich_cache.get(ip)
+        if entry and time.time() - entry[0] < _ENRICH_TTL:
+            return entry[1]
+        return None
+
+
+def _cache_put(ip: str, result: dict) -> None:
+    with _enrich_lock:
+        _enrich_cache[ip] = (time.time(), result)
+
+
+def prewarm_enrichment_cache(ips: list[str], max_ips: int = 50) -> None:
+    """Submit background enrichment for IPs not already in the cache.
+
+    Runs as fire-and-forget in daemon threads so it never blocks the caller.
+    Limited to the first *max_ips* uncached IPs to avoid hammering rate-limited APIs.
+    """
+    from src.querier.builder import is_private
+
+    uncached = [ip for ip in ips if ip and not is_private(ip) and _cache_get(ip) is None][:max_ips]
+
+    if not uncached:
+        return
+
+    def _warm(ip: str) -> None:
+        try:
+            enrich_ip(ip, offer_fp=False)
+        except Exception:
+            pass  # best-effort; errors are silently skipped for pre-warming
+
+    with ThreadPoolExecutor(max_workers=4, thread_name_prefix="enrich-prewarm") as pool:
+        for ip in uncached:
+            pool.submit(_warm, ip)
+
 
 def enrich_ip(ip: str, offer_fp: bool = True, urls_only: bool = False) -> dict:
     """Run the full enrichment pipeline for a single IP.
@@ -49,6 +92,11 @@ def enrich_ip(ip: str, offer_fp: bool = True, urls_only: bool = False) -> dict:
             "virustotal": dict | None,
         }
     """
+    if not urls_only and not offer_fp:
+        cached = _cache_get(ip)
+        if cached is not None:
+            return cached
+
     result: dict = {
         "ip": ip,
         "greynoise": {},
@@ -61,29 +109,41 @@ def enrich_ip(ip: str, offer_fp: bool = True, urls_only: bool = False) -> dict:
         _display_urls(ip)
         return result
 
+    if not offer_fp:
+        # Web path: fire all four providers in parallel — no early-exit benefit here
+        # since there is no FP-filter prompt to show the analyst.
+        providers = {
+            "greynoise": greynoise.check_ip,
+            "abuseipdb": abuseipdb.check_ip,
+            "shodan": shodan.check_ip,
+            "virustotal": virustotal.check_ip,
+        }
+        with ThreadPoolExecutor(max_workers=4) as pool:
+            futures = {pool.submit(fn, ip): name for name, fn in providers.items()}
+            for future in as_completed(futures):
+                result[futures[future]] = future.result()
+        _cache_put(ip, result)
+        return result
+
+    # CLI path: GreyNoise first so we can offer an FP filter on benign IPs.
     console.print(f"\n[bold cyan]Enriching {ip}...[/bold cyan]")
 
-    # ---- Step 1: GreyNoise ----
     gn = greynoise.check_ip(ip)
     result["greynoise"] = gn
     classification = gn["classification"]
-
     greynoise.display(ip, gn)
 
     if classification == "benign":
-        if offer_fp:
-            add_fp = (
-                input("\nGreyNoise classifies this as benign. Add FP filter? [y/N]: ")
-                .strip()
-                .lower()
-            )
-            if add_fp == "y":
-                # Lazy import to avoid circular dependency when called from querier
-                from src.querier.fp_manager import create_filter_interactive
-
-                name = gn.get("name", "")
-                hint = f"{name} — GreyNoise benign" if name else ""
-                create_filter_interactive(alert={"src_ip": ip}, comment_hint=hint)
+        add_fp = (
+            input("\nGreyNoise classifies this as benign. Add FP filter? [y/N]: ").strip().lower()
+        )
+        if add_fp == "y":
+            # Lazy import to avoid circular dependency when called from querier
+            from src.querier.fp_manager import create_filter_interactive
+
+            name = gn.get("name", "")
+            hint = f"{name} — GreyNoise benign" if name else ""
+            create_filter_interactive(alert={"src_ip": ip}, comment_hint=hint)
         _display_urls(ip)
         return result
 
@@ -105,12 +165,9 @@ def enrich_ip(ip: str, offer_fp: bool = True, urls_only: bool = False) -> dict:
         for future in as_completed(futures):
             result[futures[future]] = future.result()
 
-    # Display in canonical order
     abuseipdb.display(ip, result["abuseipdb"])
     shodan.display(ip, result["shodan"])
     virustotal.display(ip, result["virustotal"])
-
-    # ---- Step 5: Reference URLs (always) ----
     _display_urls(ip)
 
     return result
diff --git a/src/enricher/virustotal.py b/src/enricher/virustotal.py
index 6629f08..43d3196 100644
--- a/src/enricher/virustotal.py
+++ b/src/enricher/virustotal.py
@@ -8,20 +8,28 @@
   display_hash()— Rich table for hash results
 """
 
+import atexit
 import os
-import sys
 
 import requests
+import urllib3
 from rich import box
-from rich.console import Console
 from rich.table import Table
 
+from src.utils.terminal import console
+
 _BASE_URL = "https://www.virustotal.com/api/v3/ip_addresses"
 _HASH_BASE_URL = "https://www.virustotal.com/api/v3/files"
 URL = "https://www.virustotal.com/gui/ip-address/{ip}"
 HASH_URL = "https://www.virustotal.com/gui/file/{hash}"
 
-console = Console(file=sys.stderr)
+_retry = urllib3.util.Retry(total=2, backoff_factor=0.5, status_forcelist=(429, 502, 503, 504))
+_session = requests.Session()
+_session.mount(
+    "https://",
+    requests.adapters.HTTPAdapter(max_retries=_retry, pool_connections=4, pool_maxsize=8),
+)
+atexit.register(_session.close)
 
 
 def check_ip(ip: str) -> dict:
@@ -47,7 +55,7 @@ def check_ip(ip: str) -> dict:
     headers = {"x-apikey": api_key}
 
     try:
-        resp = requests.get(f"{_BASE_URL}/{ip}", headers=headers, timeout=10)
+        resp = _session.get(f"{_BASE_URL}/{ip}", headers=headers, timeout=10)
     except requests.RequestException as exc:
         return _error_result(f"Request failed: {exc}")
 
@@ -125,7 +133,7 @@ def check_hash(hash_value: str) -> dict:
 
     headers = {"x-apikey": api_key}
     try:
-        resp = requests.get(f"{_HASH_BASE_URL}/{hash_value}", headers=headers, timeout=10)
+        resp = _session.get(f"{_HASH_BASE_URL}/{hash_value}", headers=headers, timeout=10)
     except requests.RequestException as exc:
         return _hash_error_result(f"Request failed: {exc}")
 
diff --git a/src/mantis/__init__.py b/src/mantis/__init__.py
index e69de29..edde1a9 100644
--- a/src/mantis/__init__.py
+++ b/src/mantis/__init__.py
@@ -0,0 +1,3 @@
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
diff --git a/src/mantis/activity_report.py b/src/mantis/activity_report.py
index 5de7891..1e19d3d 100644
--- a/src/mantis/activity_report.py
+++ b/src/mantis/activity_report.py
@@ -34,15 +34,12 @@
 
 sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
 
-import urllib3
 from dotenv import load_dotenv
 from rich import box
 from rich.console import Console
 from rich.rule import Rule
 from rich.table import Table
 
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
 _BASE = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 DEFAULT_INDEX = os.path.join(_BASE, "data", "tickets", "indexed", "tickets_index.json")
 
diff --git a/src/mantis/mantis_index.py b/src/mantis/mantis_index.py
index 349b3ea..0fcd9bf 100755
--- a/src/mantis/mantis_index.py
+++ b/src/mantis/mantis_index.py
@@ -17,7 +17,6 @@
 from concurrent.futures import ThreadPoolExecutor, as_completed
 
 import requests
-import urllib3
 from dotenv import load_dotenv
 from rich.console import Console
 from rich.progress import (
@@ -36,7 +35,6 @@
 from src.utils.dns import setup_dns
 
 console = Console()
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 _BASE = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 _FETCH_WORKERS = 8
diff --git a/src/mantis/mantis_search.py b/src/mantis/mantis_search.py
index 2871068..ea81030 100755
--- a/src/mantis/mantis_search.py
+++ b/src/mantis/mantis_search.py
@@ -19,7 +19,6 @@
 import sys
 
 import requests
-import urllib3
 from dotenv import load_dotenv
 from rich import box
 from rich.console import Console
@@ -31,7 +30,6 @@
 from src.utils.dns import setup_dns
 
 console = Console(file=sys.stderr)
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 
 def sensor_to_project(sensor_val: str) -> str | None:
diff --git a/src/mantis/mantis_threat_model.py b/src/mantis/mantis_threat_model.py
index 00b3021..1dbd70d 100644
--- a/src/mantis/mantis_threat_model.py
+++ b/src/mantis/mantis_threat_model.py
@@ -26,6 +26,7 @@
     generate_infra_registry,
     generate_threat_db,
     generate_undetermined_registry,
+    profile_private_ips,
 )
 from src.mantis.threat_model._shared import _PROGRESS_INTERVAL, console
 from src.mantis.ticket_enrichment import (
@@ -298,6 +299,49 @@ def main() -> None:
             "all registries are regenerated with the updated signals."
         ),
     )
+    parser.add_argument(
+        "--profile-private-ips",
+        action="store_true",
+        default=False,
+        dest="profile_private_ips",
+        help=(
+            "Batch-profile private IPs from the infra registry using device_profiler. "
+            "Results are written to --profile-output (default: private_ip_profiles.json). "
+            "Already-profiled IPs are skipped unless --profile-force is set."
+        ),
+    )
+    parser.add_argument(
+        "--profile-output",
+        default=os.path.join(_BASE, "data", "tickets", "enriched", "private_ip_profiles.json"),
+        dest="profile_output",
+        help="Output path for the device profile sidecar (JSON)",
+    )
+    parser.add_argument(
+        "--profile-time-range",
+        default="now-7d",
+        dest="profile_time_range",
+        help="Elasticsearch date-math range for profiling queries (default: now-7d)",
+    )
+    parser.add_argument(
+        "--profile-sensor",
+        default="all",
+        dest="profile_sensor",
+        help="Sensor hostname to profile against, or 'all' for cross-sensor aggregate (default: all)",  # noqa: E501
+    )
+    parser.add_argument(
+        "--profile-workers",
+        type=int,
+        default=5,
+        dest="profile_workers",
+        help="Number of concurrent IP profilers (each runs 11 parallel ES queries, default: 5)",
+    )
+    parser.add_argument(
+        "--profile-force",
+        action="store_true",
+        default=False,
+        dest="profile_force",
+        help="Re-profile IPs that already exist in the sidecar",
+    )
     args = parser.parse_args()
 
     if not os.path.exists(args.input):
@@ -333,6 +377,17 @@ def main() -> None:
     generate_dns_resolver_registry(tickets, args.dns_output)
     generate_undetermined_registry(tickets, args.undetermined_output, provider)
 
+    if args.profile_private_ips:
+        console.print("\n[bold cyan]Private IP profiling pass (--profile-private-ips)[/bold cyan]")
+        profile_private_ips(
+            infra_path=args.infra_output,
+            output_path=args.profile_output,
+            time_range=args.profile_time_range,
+            sensor=args.profile_sensor,
+            workers=args.profile_workers,
+            force=args.profile_force,
+        )
+
     if args.enrich:
         console.print("\n[bold cyan]API enrichment pass (--enrich)[/bold cyan]")
         enrich_undetermined_ips(args.undetermined_output, provider)
diff --git a/src/mantis/threat_model/__init__.py b/src/mantis/threat_model/__init__.py
index 7402292..2448527 100644
--- a/src/mantis/threat_model/__init__.py
+++ b/src/mantis/threat_model/__init__.py
@@ -12,6 +12,7 @@
 from src.mantis.threat_model.false_positives import generate_fp_candidates
 from src.mantis.threat_model.infrastructure import generate_infra_registry
 from src.mantis.threat_model.malicious import generate_threat_db
+from src.mantis.threat_model.private_ip_profiles import profile_private_ips
 from src.mantis.threat_model.undetermined import (
     enrich_undetermined_ips,
     generate_undetermined_registry,
@@ -24,4 +25,5 @@
     "generate_threat_db",
     "generate_undetermined_registry",
     "enrich_undetermined_ips",
+    "profile_private_ips",
 ]
diff --git a/src/mantis/threat_model/private_ip_profiles.py b/src/mantis/threat_model/private_ip_profiles.py
new file mode 100644
index 0000000..616cc60
--- /dev/null
+++ b/src/mantis/threat_model/private_ip_profiles.py
@@ -0,0 +1,139 @@
+"""Batch device profiling for private IPs in the infrastructure registry.
+
+Reads the infra registry (known_infra_ips.json), filters to RFC1918 addresses,
+and runs profile_device() for each using a thread pool.  Results are written to
+a sidecar file (private_ip_profiles.json) that the web app loads at startup.
+
+Supports incremental re-runs: IPs already in the sidecar are skipped unless
+force=True is passed.
+"""
+
+from __future__ import annotations
+
+import ipaddress
+import os
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from dataclasses import asdict
+from datetime import datetime
+
+from src.mantis.threat_model._shared import console
+from src.utils.cache import dump_json, load_json
+
+_PROGRESS_INTERVAL = 50
+
+
+def _is_rfc1918(ip: str) -> bool:
+    """Return True for RFC1918/link-local/loopback addresses that profile_device() accepts."""
+    try:
+        addr = ipaddress.ip_address(ip)
+        return addr.is_private and not addr.is_unspecified
+    except ValueError:
+        return False
+
+
+def _profile_one(
+    ip: str,
+    time_range: str,
+    sensor: str,
+) -> dict | None:
+    """Run profile_device() for one IP, returning a serialisable dict or None on error."""
+    try:
+        from src.profiler.device_profiler import profile_device
+
+        profile = profile_device(ip, time_range=time_range, sensor=sensor)
+        record = asdict(profile)
+        # orjson requires string dict keys — port distributions use int keys
+        record["dest_port_distribution"] = {
+            str(k): v for k, v in record["dest_port_distribution"].items()
+        }
+        record["profiled_at"] = datetime.now().isoformat(timespec="seconds")
+        return record
+    except Exception as exc:
+        console.print(f"[yellow]  profile skipped {ip}: {exc}[/yellow]")
+        return None
+
+
+def profile_private_ips(
+    infra_path: str,
+    output_path: str,
+    time_range: str = "now-7d",
+    sensor: str = "all",
+    workers: int = 5,
+    force: bool = False,
+) -> None:
+    """Batch-profile private IPs from the infra registry and write a sidecar file.
+
+    Args:
+        infra_path: Path to known_infra_ips.json.
+        output_path: Destination path for private_ip_profiles.json.
+        time_range: Elasticsearch date-math range string (default: now-7d).
+        sensor: Sensor hostname or "all" for cross-sensor aggregate.
+        workers: Number of concurrent IP profilers (each spawns 11 ES queries internally).
+        force: Re-profile IPs already present in the sidecar.
+    """
+    if not os.path.exists(infra_path):
+        console.print(f"[red]Infra registry not found: {infra_path}[/red]")
+        console.print("[dim]Run the threat model generator first.[/dim]")
+        return
+
+    infra: list[dict] = load_json(infra_path)  # type: ignore[assignment]
+    private_ips = [r["ip"] for r in infra if _is_rfc1918(r["ip"])]
+
+    console.print(
+        f"[dim]Found {len(private_ips):,} private IPs in infra registry "
+        f"(total infra records: {len(infra):,})[/dim]"
+    )
+
+    # Load existing sidecar for incremental skip.
+    existing: dict[str, dict] = {}
+    if os.path.exists(output_path):
+        loaded: list[dict] = load_json(output_path)  # type: ignore[assignment]
+        existing = {r["ip"]: r for r in loaded if "ip" in r}
+        console.print(f"[dim]Existing sidecar: {len(existing):,} profiles loaded[/dim]")
+
+    to_profile = [ip for ip in private_ips if force or ip not in existing]
+    skipped = len(private_ips) - len(to_profile)
+
+    if skipped:
+        console.print(
+            f"[dim]Skipping {skipped:,} already-profiled IPs (use --profile-force to re-run)[/dim]"
+        )
+
+    if not to_profile:
+        console.print("[green]All private IPs already profiled — nothing to do.[/green]")
+        return
+
+    console.print(
+        f"[bold]Profiling {len(to_profile):,} private IPs[/bold]"
+        f"  workers={workers}  sensor={sensor}  range={time_range}"
+    )
+
+    done = 0
+    errors = 0
+
+    with ThreadPoolExecutor(max_workers=workers) as pool:
+        futures = {pool.submit(_profile_one, ip, time_range, sensor): ip for ip in to_profile}
+        for future in as_completed(futures):
+            ip = futures[future]
+            result = future.result()
+            done += 1
+            if result is not None:
+                existing[ip] = result
+            else:
+                errors += 1
+
+            if done % _PROGRESS_INTERVAL == 0 or done == len(to_profile):
+                console.print(
+                    f"[dim]  profiled: {done:,}/{len(to_profile):,}  errors: {errors}[/dim]"
+                )
+
+    # Write sidecar atomically.
+    records = sorted(existing.values(), key=lambda r: r["ip"])
+    tmp = output_path + ".tmp"
+    dump_json(records, tmp)
+    os.rename(tmp, output_path)
+
+    console.print(
+        f"[green]Done — {len(records):,} profiles written to {output_path}[/green]"
+        f"  ({errors} errors skipped)"
+    )
diff --git a/src/profiler/device_profiler.py b/src/profiler/device_profiler.py
index 93315a2..3518f81 100644
--- a/src/profiler/device_profiler.py
+++ b/src/profiler/device_profiler.py
@@ -28,6 +28,26 @@
 
 _PARAMS = {"path": f"{INDEX}/_search", "method": "POST"}
 
+_CONN_BLOCKED = {"S0", "RSTOS0", "SH"}
+_CONN_REJECTED = {"REJ", "RSTR", "RSTRH"}
+_CONN_NORMAL = {"SF", "S2", "S3"}
+
+
+def _derive_conn_status(state_dist: dict[str, int]) -> str:
+    """Translate a conn_state frequency map into a plain-English firewall signal."""
+    if not state_dist:
+        return ""
+    dominant = max(state_dist, key=lambda k: state_dist[k])
+    if dominant in _CONN_BLOCKED:
+        return "No response — likely blocked"
+    if dominant in _CONN_REJECTED:
+        return "Actively rejected"
+    if dominant in _CONN_NORMAL:
+        return "Connections completed"
+    if dominant == "S1":
+        return "Active connections"
+    return f"Mostly {dominant}"
+
 
 # ---------------------------------------------------------------------------
 # DeviceProfile dataclass
@@ -57,6 +77,8 @@ class DeviceProfile:
     protocol_mix: dict[str, int] = field(default_factory=dict)
     unique_dest_count: int = 0
     bytes_sent: int = 0
+    conn_state_distribution: dict[str, int] = field(default_factory=dict)
+    conn_status: str = ""
     ja4t_fingerprints: list[dict] = field(default_factory=list)
 
     # Inbound conn (device as server)
@@ -125,6 +147,7 @@ def _conn_outbound_query(ip: str, time_range: str, sensor: str) -> dict:
             "app_protos": {"terms": {"field": "network.application", "size": 10}},
             "unique_dests": {"cardinality": {"field": "destination.ip"}},
             "total_bytes": {"sum": {"field": "source.bytes"}},
+            "conn_states": {"terms": {"field": "zeek.conn.conn_state", "size": 10}},
             "ja4t_fingerprints": {"terms": {"field": "zeek.conn.ja4t", "size": 5}},
             "time_range": {"stats": {"field": "@timestamp"}},
         },
@@ -393,12 +416,16 @@ def _parse_outbound(aggs: dict) -> dict:
         {"hash": b["key"], "count": b["doc_count"]}
         for b in aggs.get("ja4t_fingerprints", {}).get("buckets", [])
     ]
+    conn_state_dist = {
+        b["key"]: b["doc_count"] for b in aggs.get("conn_states", {}).get("buckets", [])
+    }
     ts = aggs.get("time_range", {})
     return {
         "dest_port_distribution": dest_ports,
         "protocol_mix": app_protos,
         "unique_dest_count": int(aggs.get("unique_dests", {}).get("value", 0)),
         "bytes_sent": int(aggs.get("total_bytes", {}).get("value", 0)),
+        "conn_state_distribution": conn_state_dist,
         "ja4t_fingerprints": ja4t,
         "first_seen": ts.get("min_as_string", ""),
         "last_seen": ts.get("max_as_string", ""),
@@ -611,6 +638,8 @@ def profile_device(
         protocol_mix=out["protocol_mix"],
         unique_dest_count=out["unique_dest_count"],
         bytes_sent=out["bytes_sent"],
+        conn_state_distribution=out["conn_state_distribution"],
+        conn_status=_derive_conn_status(out["conn_state_distribution"]),
         ja4t_fingerprints=out["ja4t_fingerprints"],
         inbound_services=inb["inbound_services"],
         inbound_client_count=inb["inbound_client_count"],
diff --git a/src/profiler/fleet_scanner.py b/src/profiler/fleet_scanner.py
index 08a96b6..89d2416 100644
--- a/src/profiler/fleet_scanner.py
+++ b/src/profiler/fleet_scanner.py
@@ -19,7 +19,13 @@
 
 sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
 
-from src.querier.zeek_modules.base import INDEX, is_private, query_opensearch
+from src.querier.zeek_modules.base import (
+    INDEX,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+    is_private,
+    query_opensearch,
+)
 
 _PARAMS = {"path": f"{INDEX}/_search", "method": "POST"}
 
@@ -128,7 +134,11 @@ def scan_fleet(
     Returns:
         List of DeviceClusters sorted by size descending.
     """
-    raw = query_opensearch(_fleet_ja4_query(sensor, time_range), _PARAMS)
+    try:
+        raw = query_opensearch(_fleet_ja4_query(sensor, time_range), _PARAMS)
+    except (OpenSearchConnectionError, OpenSearchAuthError):
+        return []
+
     if not raw:
         return []
 
diff --git a/src/profiler/public_ip_profiler.py b/src/profiler/public_ip_profiler.py
new file mode 100644
index 0000000..9ea2bd5
--- /dev/null
+++ b/src/profiler/public_ip_profiler.py
@@ -0,0 +1,473 @@
+"""Public IP profiler — network-perspective profiles for external hosts.
+
+Runs 8 parallel aggregation queries against OpenSearch to build a
+PublicIPProfile: sensor presence, reverse DNS, services exposed,
+TLS/cert info, HTTP server headers, and inbound attack signals.
+"""
+
+from __future__ import annotations
+
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from dataclasses import dataclass, field
+
+from src.querier.zeek_modules.base import INDEX, query_opensearch
+from src.utils.ip_org import lookup_org
+
+_PARAMS = {"path": f"{INDEX}/_search", "method": "POST"}
+
+_CONN_BLOCKED = {"S0", "RSTOS0", "SH"}
+_CONN_REJECTED = {"REJ", "RSTR", "RSTRH"}
+_CONN_NORMAL = {"SF", "S2", "S3"}
+
+
+def _derive_conn_status(state_dist: dict[str, int]) -> str:
+    """Translate a conn_state frequency map into a plain-English firewall signal."""
+    if not state_dist:
+        return ""
+    dominant = max(state_dist, key=lambda k: state_dist[k])
+    if dominant in _CONN_BLOCKED:
+        return "No response — likely blocked"
+    if dominant in _CONN_REJECTED:
+        return "Actively rejected"
+    if dominant in _CONN_NORMAL:
+        return "Connections completed"
+    if dominant == "S1":
+        return "Active connections"
+    return f"Mostly {dominant}"
+
+
+# ---------------------------------------------------------------------------
+# PublicIPProfile dataclass
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class PublicIPProfile:
+    """Network-perspective profile for a public IP address."""
+
+    ip: str
+    time_range: str
+
+    # Sensor presence
+    sensors: list[dict] = field(default_factory=list)
+    total_records: int = 0
+
+    # Identity
+    org: dict | None = None
+    reverse_dns: list[dict] = field(default_factory=list)
+
+    # Services exposed (our traffic TO this IP)
+    services: list[dict] = field(default_factory=list)
+    internal_client_count: int = 0
+    bytes_to: int = 0
+    bytes_from: int = 0
+    conn_state_distribution: dict[str, int] = field(default_factory=dict)
+    conn_status: str = ""
+
+    # TLS (server-side)
+    ja4s_fingerprints: list[dict] = field(default_factory=list)
+    tls_versions: list[dict] = field(default_factory=list)
+    ssl_subjects: list[str] = field(default_factory=list)
+    ssl_issuers: list[str] = field(default_factory=list)
+
+    # HTTP (server-side)
+    http_server_headers: list[str] = field(default_factory=list)
+    http_top_uris: list[dict] = field(default_factory=list)
+
+    # Inbound activity FROM this IP (scanner/attacker signals)
+    inbound_ports_targeted: list[dict] = field(default_factory=list)
+    internal_targets_count: int = 0
+    ssh_inbound: bool = False
+    ssh_server_versions: list[str] = field(default_factory=list)
+    rdp_inbound: bool = False
+    rdp_usernames: list[str] = field(default_factory=list)
+
+    # Classification
+    role: str = "unknown"
+    confidence: float = 0.0
+
+    # Timestamps
+    first_seen: str = ""
+    last_seen: str = ""
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def _buckets(aggs: dict, key: str) -> list[dict]:
+    """Extract buckets from an aggregation."""
+    return aggs.get(key, {}).get("buckets", [])
+
+
+def _ip_should(ip: str) -> list[dict]:
+    """Match IP as either source or destination."""
+    return [{"term": {"source.ip": ip}}, {"term": {"destination.ip": ip}}]
+
+
+# ---------------------------------------------------------------------------
+# Query builders (8 queries)
+# ---------------------------------------------------------------------------
+
+
+def _sensor_presence_query(ip: str, time_range: str) -> dict:
+    """Which sensors have seen this IP, and how many records each."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"bool": {"should": _ip_should(ip)}},
+                ]
+            }
+        },
+        "aggs": {
+            "sensors": {"terms": {"field": "host.name", "size": 50}},
+            "time_range": {"stats": {"field": "@timestamp"}},
+        },
+    }
+
+
+def _reverse_dns_query(ip: str, time_range: str) -> dict:
+    """Domains that resolved to this IP (from DNS answer logs)."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"term": {"event.dataset": "dns"}},
+                    {"term": {"zeek.dns.answers": ip}},
+                ]
+            }
+        },
+        "aggs": {"domains": {"terms": {"field": "zeek.dns.query", "size": 20}}},
+    }
+
+
+def _conn_to_query(ip: str, time_range: str) -> dict:
+    """Conn records where this IP is the destination (our traffic TO it)."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"term": {"event.dataset": "conn"}},
+                    {"term": {"destination.ip": ip}},
+                ]
+            }
+        },
+        "aggs": {
+            "dest_ports": {
+                "terms": {"field": "destination.port", "size": 20},
+                "aggs": {"app_proto": {"terms": {"field": "network.application", "size": 1}}},
+            },
+            "unique_clients": {"cardinality": {"field": "source.ip"}},
+            "bytes_to": {"sum": {"field": "destination.bytes"}},
+            "bytes_from": {"sum": {"field": "source.bytes"}},
+            "conn_states": {"terms": {"field": "zeek.conn.conn_state", "size": 10}},
+            "time_range": {"stats": {"field": "@timestamp"}},
+        },
+    }
+
+
+def _conn_from_query(ip: str, time_range: str) -> dict:
+    """Conn records where this IP is the source (inbound from it)."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"term": {"event.dataset": "conn"}},
+                    {"term": {"source.ip": ip}},
+                ]
+            }
+        },
+        "aggs": {
+            "inbound_ports": {
+                "terms": {"field": "destination.port", "size": 20},
+            },
+            "unique_targets": {"cardinality": {"field": "destination.ip"}},
+        },
+    }
+
+
+def _ssl_to_query(ip: str, time_range: str) -> dict:
+    """SSL/TLS records where this IP is the server (destination)."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"term": {"event.dataset": "ssl"}},
+                    {"term": {"destination.ip": ip}},
+                ]
+            }
+        },
+        "aggs": {
+            "ja4s": {"terms": {"field": "tls.ja4s", "size": 10}},
+            "tls_versions": {"terms": {"field": "network.protocol_version", "size": 5}},
+            "subjects": {"terms": {"field": "zeek.ssl.subject", "size": 10}},
+            "issuers": {"terms": {"field": "zeek.ssl.issuer", "size": 10}},
+        },
+    }
+
+
+def _http_to_query(ip: str, time_range: str) -> dict:
+    """HTTP records where this IP is the server (destination)."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"term": {"event.dataset": "http"}},
+                    {"term": {"destination.ip": ip}},
+                ]
+            }
+        },
+        "aggs": {
+            "server_headers": {"terms": {"field": "zeek.http.server_header_names", "size": 10}},
+            "top_uris": {"terms": {"field": "zeek.http.uri", "size": 10}},
+        },
+    }
+
+
+def _ssh_from_query(ip: str, time_range: str) -> dict:
+    """SSH records where this IP is the source (inbound SSH from it)."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"term": {"event.dataset": "ssh"}},
+                    {"term": {"source.ip": ip}},
+                ]
+            }
+        },
+        "aggs": {
+            "server_versions": {"terms": {"field": "zeek.ssh.server", "size": 5}},
+        },
+    }
+
+
+def _rdp_from_query(ip: str, time_range: str) -> dict:
+    """RDP records where this IP is the source (inbound RDP from it)."""
+    return {
+        "size": 0,
+        "query": {
+            "bool": {
+                "must": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"term": {"event.dataset": "rdp"}},
+                    {"term": {"source.ip": ip}},
+                ]
+            }
+        },
+        "aggs": {
+            "cookies": {"terms": {"field": "zeek.rdp.cookie", "size": 10}},
+        },
+    }
+
+
+# ---------------------------------------------------------------------------
+# Response parsers
+# ---------------------------------------------------------------------------
+
+
+def _parse_sensor_presence(aggs: dict) -> dict:
+    sensors = [{"sensor": b["key"], "count": b["doc_count"]} for b in _buckets(aggs, "sensors")]
+    total = sum(s["count"] for s in sensors)
+    ts = aggs.get("time_range", {})
+    return {
+        "sensors": sensors,
+        "total_records": total,
+        "first_seen": ts.get("min_as_string", ""),
+        "last_seen": ts.get("max_as_string", ""),
+    }
+
+
+def _parse_reverse_dns(aggs: dict) -> dict:
+    return {
+        "reverse_dns": [
+            {"domain": b["key"], "count": b["doc_count"]} for b in _buckets(aggs, "domains")
+        ]
+    }
+
+
+def _parse_conn_to(aggs: dict) -> dict:
+    services = []
+    for b in _buckets(aggs, "dest_ports"):
+        proto_buckets = b.get("app_proto", {}).get("buckets", [])
+        app_proto = proto_buckets[0]["key"] if proto_buckets else ""
+        services.append(
+            {
+                "port": int(b["key"]),
+                "app_proto": app_proto,
+                "count": b["doc_count"],
+            }
+        )
+    conn_state_dist = {b["key"]: b["doc_count"] for b in _buckets(aggs, "conn_states")}
+    ts = aggs.get("time_range", {})
+    return {
+        "services": services,
+        "internal_client_count": int(aggs.get("unique_clients", {}).get("value", 0)),
+        "bytes_to": int(aggs.get("bytes_to", {}).get("value", 0)),
+        "bytes_from": int(aggs.get("bytes_from", {}).get("value", 0)),
+        "conn_state_distribution": conn_state_dist,
+        "first_seen": ts.get("min_as_string", ""),
+        "last_seen": ts.get("max_as_string", ""),
+    }
+
+
+def _parse_conn_from(aggs: dict) -> dict:
+    return {
+        "inbound_ports_targeted": [
+            {"port": int(b["key"]), "count": b["doc_count"]}
+            for b in _buckets(aggs, "inbound_ports")
+        ],
+        "internal_targets_count": int(aggs.get("unique_targets", {}).get("value", 0)),
+    }
+
+
+def _parse_ssl_to(aggs: dict) -> dict:
+    return {
+        "ja4s_fingerprints": [
+            {"hash": b["key"], "count": b["doc_count"]} for b in _buckets(aggs, "ja4s")
+        ],
+        "tls_versions": [
+            {"version": b["key"], "count": b["doc_count"]} for b in _buckets(aggs, "tls_versions")
+        ],
+        "ssl_subjects": [b["key"] for b in _buckets(aggs, "subjects")],
+        "ssl_issuers": [b["key"] for b in _buckets(aggs, "issuers")],
+    }
+
+
+def _parse_http_to(aggs: dict) -> dict:
+    return {
+        "http_server_headers": [b["key"] for b in _buckets(aggs, "server_headers")],
+        "http_top_uris": [
+            {"uri": b["key"], "count": b["doc_count"]} for b in _buckets(aggs, "top_uris")
+        ],
+    }
+
+
+def _parse_ssh_from(aggs: dict) -> dict:
+    count = sum(b["doc_count"] for b in _buckets(aggs, "server_versions"))
+    # If no server_versions buckets, check if the query itself had hits
+    total = aggs.get("server_versions", {}).get("sum_other_doc_count", 0) + count
+    return {
+        "ssh_inbound": total > 0 or count > 0,
+        "ssh_server_versions": [b["key"] for b in _buckets(aggs, "server_versions")],
+    }
+
+
+def _parse_rdp_from(aggs: dict) -> dict:
+    cookies = _buckets(aggs, "cookies")
+    total = sum(b["doc_count"] for b in cookies)
+    return {
+        "rdp_inbound": total > 0,
+        "rdp_usernames": [b["key"] for b in cookies],
+    }
+
+
+# ---------------------------------------------------------------------------
+# Orchestrator
+# ---------------------------------------------------------------------------
+
+
+def profile_public_ip(
+    ip: str,
+    *,
+    time_range: str = "now-7d",
+) -> PublicIPProfile:
+    """Profile a public IP using 8 parallel Zeek log aggregations.
+
+    Args:
+        ip: Public IP address to profile.
+        time_range: Elasticsearch date-math range (default: now-7d).
+
+    Returns:
+        PublicIPProfile with all fields populated.
+    """
+    org = lookup_org(ip)
+
+    queries: dict[str, dict] = {
+        "sensor": _sensor_presence_query(ip, time_range),
+        "rdns": _reverse_dns_query(ip, time_range),
+        "conn_to": _conn_to_query(ip, time_range),
+        "conn_from": _conn_from_query(ip, time_range),
+        "ssl_to": _ssl_to_query(ip, time_range),
+        "http_to": _http_to_query(ip, time_range),
+        "ssh_from": _ssh_from_query(ip, time_range),
+        "rdp_from": _rdp_from_query(ip, time_range),
+    }
+
+    results: dict[str, dict] = {}
+    with ThreadPoolExecutor(max_workers=8) as ex:
+        futures = {
+            ex.submit(query_opensearch, body, _PARAMS): name for name, body in queries.items()
+        }
+        for f in as_completed(futures):
+            name = futures[f]
+            raw = f.result()
+            results[name] = raw.get("aggregations", {}) if raw else {}
+
+    sensor = _parse_sensor_presence(results.get("sensor", {}))
+    rdns = _parse_reverse_dns(results.get("rdns", {}))
+    conn_to = _parse_conn_to(results.get("conn_to", {}))
+    conn_from = _parse_conn_from(results.get("conn_from", {}))
+    ssl_to = _parse_ssl_to(results.get("ssl_to", {}))
+    http_to = _parse_http_to(results.get("http_to", {}))
+    ssh_from = _parse_ssh_from(results.get("ssh_from", {}))
+    rdp_from = _parse_rdp_from(results.get("rdp_from", {}))
+
+    first_seen = min(
+        (t for t in [sensor["first_seen"], conn_to["first_seen"]] if t),
+        default="",
+    )
+    last_seen = max(
+        (t for t in [sensor["last_seen"], conn_to["last_seen"]] if t),
+        default="",
+    )
+
+    profile = PublicIPProfile(
+        ip=ip,
+        time_range=time_range,
+        org=org,
+        sensors=sensor["sensors"],
+        total_records=sensor["total_records"],
+        reverse_dns=rdns["reverse_dns"],
+        services=conn_to["services"],
+        internal_client_count=conn_to["internal_client_count"],
+        bytes_to=conn_to["bytes_to"],
+        bytes_from=conn_to["bytes_from"],
+        conn_state_distribution=conn_to["conn_state_distribution"],
+        conn_status=_derive_conn_status(conn_to["conn_state_distribution"]),
+        ja4s_fingerprints=ssl_to["ja4s_fingerprints"],
+        tls_versions=ssl_to["tls_versions"],
+        ssl_subjects=ssl_to["ssl_subjects"],
+        ssl_issuers=ssl_to["ssl_issuers"],
+        http_server_headers=http_to["http_server_headers"],
+        http_top_uris=http_to["http_top_uris"],
+        inbound_ports_targeted=conn_from["inbound_ports_targeted"],
+        internal_targets_count=conn_from["internal_targets_count"],
+        ssh_inbound=ssh_from["ssh_inbound"],
+        ssh_server_versions=ssh_from["ssh_server_versions"],
+        rdp_inbound=rdp_from["rdp_inbound"],
+        rdp_usernames=rdp_from["rdp_usernames"],
+        first_seen=first_seen,
+        last_seen=last_seen,
+    )
+
+    from src.profiler.public_role_classifier import classify_public_role
+
+    profile.role, profile.confidence = classify_public_role(profile)
+
+    return profile
diff --git a/src/profiler/public_role_classifier.py b/src/profiler/public_role_classifier.py
new file mode 100644
index 0000000..978c922
--- /dev/null
+++ b/src/profiler/public_role_classifier.py
@@ -0,0 +1,178 @@
+"""Public IP role classification — weighted heuristics.
+
+Pure logic — operates on a populated PublicIPProfile, no I/O.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from src.profiler.public_ip_profiler import PublicIPProfile
+
+
+def _has_service(profile: PublicIPProfile, port: int) -> bool:
+    return any(s["port"] == port for s in profile.services)
+
+
+def _has_known_issuer(profile: PublicIPProfile) -> bool:
+    known = ("let's encrypt", "digicert", "comodo", "globalsign", "sectigo")
+    return any(any(k in iss.lower() for k in known) for iss in profile.ssl_issuers)
+
+
+def _low_bytes_ratio(profile: PublicIPProfile) -> bool:
+    if profile.internal_targets_count == 0:
+        return False
+    total = profile.bytes_to + profile.bytes_from
+    return (total / profile.internal_targets_count) < 1024
+
+
+_MAIL_PORTS = {25, 465, 587, 993, 143}
+
+
+PUBLIC_ROLE_HEURISTICS: dict[str, list[tuple[float, str, object]]] = {
+    "web_server": [
+        (0.30, "HTTPS service", lambda p: _has_service(p, 443)),
+        (0.20, "HTTP service", lambda p: _has_service(p, 80)),
+        (0.20, "Multiple clients", lambda p: p.internal_client_count > 5),
+        (0.15, "Valid TLS cert", lambda p: _has_known_issuer(p)),
+        (0.15, "Has reverse DNS", lambda p: len(p.reverse_dns) > 0),
+    ],
+    "scanner": [
+        (0.30, "High target count", lambda p: p.internal_targets_count > 20),
+        (
+            0.25,
+            "Many ports probed",
+            lambda p: len(p.inbound_ports_targeted) > 5,
+        ),
+        (
+            0.25,
+            "Inbound conn from IP",
+            lambda p: p.internal_targets_count > 0,
+        ),
+        (0.20, "Low bytes per target", lambda p: _low_bytes_ratio(p)),
+    ],
+    "cdn_node": [
+        (
+            0.35,
+            "Known CDN org",
+            lambda p: p.org and p.org.get("category") == "cdn",
+        ),
+        (0.25, "HTTPS primary", lambda p: _has_service(p, 443)),
+        (0.20, "High client count", lambda p: p.internal_client_count > 20),
+        (0.20, "Multiple domains", lambda p: len(p.reverse_dns) > 2),
+    ],
+    "mail_server": [
+        (
+            0.35,
+            "Mail port",
+            lambda p: any(_has_service(p, pt) for pt in _MAIL_PORTS),
+        ),
+        (
+            0.30,
+            "MX-related DNS",
+            lambda p: any(
+                "mx" in d["domain"].lower() or "mail" in d["domain"].lower() for d in p.reverse_dns
+            ),
+        ),
+        (0.20, "Has reverse DNS", lambda p: len(p.reverse_dns) > 0),
+        (0.15, "Valid TLS cert", lambda p: _has_known_issuer(p)),
+    ],
+    "dns_server": [
+        (0.40, "Port 53 service", lambda p: _has_service(p, 53)),
+        (0.30, "Many clients", lambda p: p.internal_client_count > 10),
+        (
+            0.30,
+            "No web ports",
+            lambda p: _has_service(p, 53) and not _has_service(p, 443),
+        ),
+    ],
+    "ssh_server": [
+        (0.40, "Port 22 service", lambda p: _has_service(p, 22)),
+        (
+            0.30,
+            "SSH server version",
+            lambda p: len(p.ssh_server_versions) > 0,
+        ),
+        (
+            0.30,
+            "Few clients",
+            lambda p: _has_service(p, 22) and p.internal_client_count <= 5,
+        ),
+    ],
+    "vpn_endpoint": [
+        (
+            0.30,
+            "VPN ports",
+            lambda p: any(_has_service(p, pt) for pt in (1194, 500, 4500, 51820)),
+        ),
+        (
+            0.30,
+            "High bytes bidirectional",
+            lambda p: (p.bytes_to + p.bytes_from) > 10_000_000,
+        ),
+        (0.20, "Few clients", lambda p: len(p.services) > 0 and p.internal_client_count <= 3),
+        (0.20, "HTTPS or VPN port", lambda p: _has_service(p, 443)),
+    ],
+    "c2_suspect": [
+        (
+            0.30,
+            "Self-signed cert",
+            lambda p: len(p.ssl_subjects) > 0 and not _has_known_issuer(p),
+        ),
+        (0.25, "Unusual ports", lambda p: _has_unusual_ports(p)),
+        (
+            0.25,
+            "Low client count",
+            lambda p: 0 < p.internal_client_count <= 2,
+        ),
+        (
+            0.20,
+            "No reverse DNS",
+            lambda p: len(p.services) > 0 and len(p.reverse_dns) == 0,
+        ),
+    ],
+}
+
+_COMMON_PORTS = {
+    22,
+    25,
+    53,
+    80,
+    143,
+    443,
+    465,
+    587,
+    993,
+    8080,
+    8443,
+    123,
+    500,
+    4500,
+}
+
+
+def _has_unusual_ports(profile: PublicIPProfile) -> bool:
+    return any(s["port"] not in _COMMON_PORTS for s in profile.services)
+
+
+def classify_public_role(
+    profile: PublicIPProfile,
+) -> tuple[str, float]:
+    """Classify public IP role using weighted heuristics.
+
+    Returns:
+        (role, confidence) where confidence is 0.0–1.0.
+    """
+    best_role = "unknown"
+    best_confidence = 0.0
+
+    for role, signals in PUBLIC_ROLE_HEURISTICS.items():
+        matched = sum(w for w, _, fn in signals if fn(profile))
+        total = sum(w for w, _, _ in signals)
+        confidence = matched / total if total > 0 else 0.0
+        if confidence > best_confidence:
+            best_confidence = confidence
+            best_role = role
+
+    return best_role, round(best_confidence, 2)
diff --git a/src/querier/builder.py b/src/querier/builder.py
new file mode 100644
index 0000000..943821d
--- /dev/null
+++ b/src/querier/builder.py
@@ -0,0 +1,254 @@
+#!/usr/bin/env python3
+"""OpenSearch DSL query construction: field remapping and query body building."""
+
+import ipaddress
+
+from src.querier.client import INDEX
+
+# Field name translation: Kibana convention → Malcolm/Zeek field
+FIELD_MAP = {
+    "src_ip": "source.ip",
+    "dest_ip": "destination.ip",
+    "src_port": "source.port",
+    "dest_port": "destination.port",
+    "app_proto": "network.protocol",
+    "clientID": "host.name",
+}
+
+TIME_RANGES = [
+    "now-15m",
+    "now-30m",
+    "now-1h",
+    "now-3h",
+    "now-6h",
+    "now-12h",
+    "now-24h",
+    "now-2d",
+    "now-3d",
+    "now-7d",
+    "now-14d",
+    "now-30d",
+]
+
+# Non-routable CIDRs excluded by --public-only.
+_PRIVATE_CIDRS = [
+    # IPv4
+    "10.0.0.0/8",
+    "172.16.0.0/12",
+    "192.168.0.0/16",
+    "127.0.0.0/8",
+    "169.254.0.0/16",  # link-local / APIPA
+    # IPv6
+    "::1/128",  # loopback
+    "fe80::/10",  # link-local
+    "fc00::/7",  # unique-local (fd00::/8 etc.)
+    "ff00::/8",  # multicast
+]
+
+# Precomputed once: a single must_not clause that matches any source IP in a
+# private range.  `term` does not evaluate CIDR notation on ip-typed fields —
+# range queries with explicit network/broadcast bounds are the correct DSL.
+_PRIVATE_CIDR_MUST_NOT: dict = {
+    "bool": {
+        "should": [
+            {
+                "range": {
+                    "source.ip": {
+                        "gte": str(ipaddress.ip_network(cidr, strict=False).network_address),
+                        "lte": str(ipaddress.ip_network(cidr, strict=False).broadcast_address),
+                    }
+                }
+            }
+            for cidr in _PRIVATE_CIDRS
+        ]
+    }
+}
+
+
+def source_terms_script(field: str) -> dict:
+    """Return a Painless `script` object that reads `field` from `_source`.
+
+    Drop into a ``terms`` aggregation in place of ``"field": ...`` to make the
+    agg work across indices whose mapping for the same dotted field disagrees
+    (e.g. ``keyword`` on old indices vs ``text`` + ``.keyword`` subfield on a
+    rolled-over write index — native terms aggs fail on the latter).
+
+    For list-valued fields, only the first element is bucketed; in practice the
+    fields we use this for (notice.note, rule.name, event.dataset) are scalar.
+    Slower than doc-value aggs — use only when mapping drift forces it.
+    """
+    parts = field.split(".")
+    src = ["def v = params._source;"]
+    for p in parts:
+        src.append(f"if (v == null) return null; v = v['{p}'];")
+    src.append(
+        "if (v == null) return null; "
+        "if (v instanceof List) v = v.isEmpty() ? null : v[0]; "
+        "return v == null ? null : v.toString();"
+    )
+    return {"source": " ".join(src)}
+
+
+def is_private(ip: str) -> bool:
+    """Return True if *ip* falls within any RFC-1918 / non-routable range."""
+    try:
+        addr = ipaddress.ip_address(ip)
+        return any(addr in ipaddress.ip_network(cidr) for cidr in _PRIVATE_CIDRS)
+    except ValueError:
+        return False
+
+
+def _remap_clause(clause: dict) -> dict:
+    """Recursively remap Kibana field names to Malcolm/Zeek field names.
+
+    Walks a DSL clause dict and renames any key found in FIELD_MAP.
+    Handles term, terms, range, match_phrase, bool (recurses into
+    must/must_not/should/filter). Pure function — returns a new dict.
+    """
+    if not isinstance(clause, dict):
+        return clause
+
+    result = {}
+    for key, value in clause.items():
+        if key in (
+            "term",
+            "terms",
+            "range",
+            "match_phrase",
+            "match",
+            "wildcard",
+            "prefix",
+            "regexp",
+        ):
+            remapped_inner = {}
+            for field, field_val in value.items():
+                new_field = FIELD_MAP.get(field, field)
+                remapped_inner[new_field] = field_val
+            result[key] = remapped_inner
+        elif key == "bool":
+            new_bool = {}
+            for bool_key, bool_val in value.items():
+                if bool_key in ("must", "must_not", "should", "filter"):
+                    if isinstance(bool_val, list):
+                        new_bool[bool_key] = [_remap_clause(c) for c in bool_val]
+                    else:
+                        new_bool[bool_key] = _remap_clause(bool_val)
+                else:
+                    new_bool[bool_key] = bool_val
+            result[key] = new_bool
+        else:
+            result[key] = value
+
+    return result
+
+
+def build_base_query(
+    must_not: list,
+    extra_must: list,
+    source_fields: list,
+    limit: int,
+    time_range: str,
+    sensors: list | None,
+    datasets: list,
+    public_only: bool = False,
+    src_ip_filter: str | list[str] | None = None,
+    dest_ip_filter: str | list[str] | None = None,
+    any_ip_filter: str | None = None,
+    direction: str | None = None,
+    time_from: str | None = None,
+    time_to: str | None = None,
+    sort: bool = True,
+    src_port_filter: int | list[int] | None = None,
+    dest_port_filter: int | list[int] | None = None,
+    proto_filter: str | list[str] | None = None,
+) -> tuple:
+    """Build the OpenSearch query body and request params.
+
+    datasets: list of event.dataset values, or ["all"] to omit the filter.
+    time_from/time_to: absolute ISO timestamps; when both are set they
+        override the relative *time_range* parameter.
+    """
+    if time_from and time_to:
+        ts_clause = {"range": {"@timestamp": {"gte": time_from, "lte": time_to}}}
+    else:
+        ts_clause = {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}}
+    must_clauses: list = [ts_clause]
+
+    if datasets and datasets != ["all"]:
+        must_clauses.append({"terms": {"event.dataset": datasets}})
+
+    if sensors:
+        must_clauses.append({"terms": {"host.name": sensors}})
+
+    if src_ip_filter:
+        if isinstance(src_ip_filter, list):
+            must_clauses.append({"terms": {"source.ip": src_ip_filter}})
+        else:
+            must_clauses.append({"term": {"source.ip": src_ip_filter}})
+
+    if dest_ip_filter:
+        if isinstance(dest_ip_filter, list):
+            must_clauses.append({"terms": {"destination.ip": dest_ip_filter}})
+        else:
+            must_clauses.append({"term": {"destination.ip": dest_ip_filter}})
+
+    if src_port_filter is not None:
+        if isinstance(src_port_filter, list):
+            must_clauses.append({"terms": {"source.port": src_port_filter}})
+        else:
+            must_clauses.append({"term": {"source.port": src_port_filter}})
+
+    if dest_port_filter is not None:
+        if isinstance(dest_port_filter, list):
+            must_clauses.append({"terms": {"destination.port": dest_port_filter}})
+        else:
+            must_clauses.append({"term": {"destination.port": dest_port_filter}})
+
+    if proto_filter:
+        if isinstance(proto_filter, list):
+            must_clauses.append({"terms": {"network.transport": proto_filter}})
+        else:
+            must_clauses.append({"term": {"network.transport": proto_filter}})
+
+    if any_ip_filter:
+        must_clauses.append(
+            {
+                "bool": {
+                    "should": [
+                        {"term": {"source.ip": any_ip_filter}},
+                        {"term": {"destination.ip": any_ip_filter}},
+                    ],
+                    "minimum_should_match": 1,
+                }
+            }
+        )
+
+    if direction:
+        must_clauses.append({"term": {"network.direction": direction}})
+
+    must_clauses.extend(extra_must)
+
+    effective_must_not = list(must_not)
+    if public_only:
+        effective_must_not.append(_PRIVATE_CIDR_MUST_NOT)
+
+    body: dict = {
+        "size": limit,
+        "track_total_hits": False,
+        "query": {
+            "bool": {
+                "filter": must_clauses,
+                "must_not": effective_must_not,
+            }
+        },
+        "_source": source_fields,
+    }
+    if sort:
+        body["sort"] = [{"@timestamp": {"order": "desc"}}]
+
+    params = {
+        "path": f"{INDEX}/_search?timeout=30s",
+        "method": "POST",
+    }
+
+    return body, params
diff --git a/src/querier/cli_loop.py b/src/querier/cli_loop.py
new file mode 100644
index 0000000..b209bdc
--- /dev/null
+++ b/src/querier/cli_loop.py
@@ -0,0 +1,492 @@
+#!/usr/bin/env python3
+"""Interactive CLI loop, profile display, and OpenSearch diagnostic helpers."""
+
+import json
+import readline  # noqa: F401 — enables arrow-key history in input()
+from collections import defaultdict
+
+import httpx
+from rich import box
+from rich.table import Table
+
+from src.querier.client import (
+    INDEX,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+    _opensearch_session,
+    console,
+    query_opensearch,
+)
+from src.querier.runner import run_query
+from src.utils.terminal import confirm_exit, prompt
+
+# ---------------------------------------------------------------------------
+# Profile display
+# ---------------------------------------------------------------------------
+
+
+def _walk_clauses(node: dict, acc: list) -> None:
+    """DFS walk of an ES profile query node, collecting (type, description, time_ms)."""
+    if not isinstance(node, dict):
+        return
+    time_ms = node.get("time_in_nanos", 0) / 1_000_000
+    acc.append((node.get("type", ""), node.get("description", ""), time_ms))
+    for child in node.get("children", []):
+        _walk_clauses(child, acc)
+
+
+def display_profile(raw: dict) -> None:
+    """Render OpenSearch profile data: per-shard timing and slowest query clauses."""
+    profile = raw.get("profile")
+    if not profile:
+        console.print("[yellow]No profile data in response.[/yellow]")
+        return
+
+    shards = profile.get("shards", [])
+    if not shards:
+        console.print("[yellow]Profile present but no shard data.[/yellow]")
+        return
+
+    # --- Shard summary table ---
+    shard_table = Table(title="Profile — per-shard timing", box=box.SIMPLE_HEAVY)
+    shard_table.add_column("Shard", style="cyan", no_wrap=True)
+    shard_table.add_column("Query (ms)", justify="right")
+    shard_table.add_column("Fetch (ms)", justify="right")
+
+    total_query_ms = 0.0
+    total_fetch_ms = 0.0
+    all_clauses: list = []
+
+    for shard in shards:
+        shard_id = shard.get("id", "?")
+        query_ms = 0.0
+        fetch_ms = 0.0
+
+        for search in shard.get("searches", []):
+            for q in search.get("query", []):
+                query_ms += q.get("time_in_nanos", 0) / 1_000_000
+                _walk_clauses(q, all_clauses)
+            for collector in search.get("collector", []):
+                fetch_ms += collector.get("time_in_nanos", 0) / 1_000_000
+
+        total_query_ms += query_ms
+        total_fetch_ms += fetch_ms
+        shard_table.add_row(shard_id, f"{query_ms:.2f}", f"{fetch_ms:.2f}")
+
+    shard_table.add_section()
+    shard_table.add_row(
+        "[bold]Total[/bold]",
+        f"[bold]{total_query_ms:.2f}[/bold]",
+        f"[bold]{total_fetch_ms:.2f}[/bold]",
+    )
+    console.print(shard_table)
+
+    # --- Slowest clauses table (top 15, aggregated across shards) ---
+    clause_totals: dict = defaultdict(float)
+    clause_types: dict = {}
+    for ctype, desc, ms in all_clauses:
+        key = desc or ctype
+        clause_totals[key] += ms
+        clause_types[key] = ctype
+
+    top = sorted(clause_totals.items(), key=lambda kv: -kv[1])[:15]
+    if top:
+        clause_table = Table(
+            title="Profile — slowest clauses (all shards combined)", box=box.SIMPLE_HEAVY
+        )
+        clause_table.add_column("Type", style="dim", no_wrap=True)
+        clause_table.add_column("Description", overflow="fold")
+        clause_table.add_column("Total (ms)", justify="right")
+        for desc, ms in top:
+            clause_table.add_row(clause_types.get(desc, ""), desc, f"{ms:.2f}")
+        console.print(clause_table)
+
+
+# ---------------------------------------------------------------------------
+# Search-again prompt
+# ---------------------------------------------------------------------------
+
+
+def _search_again_prompt(current: dict, module) -> dict:
+    """Prompt for new search parameters, shared + module-specific."""
+    from src.querier.builder import TIME_RANGES
+
+    console.print(
+        "\n[bold cyan]New Search Parameters[/bold cyan] [dim](Enter to keep current)[/dim]"
+    )
+    console.print("[dim]Time ranges: " + "  ".join(TIME_RANGES) + "[/dim]")
+
+    def _ask(label: str, current_val) -> str:
+        """Prompt for a value; returns user input or preserves current (empty string for None)."""
+        display = "" if current_val is None else str(current_val)
+        try:
+            val = prompt(f"  {label} [{display}]: ").strip()
+            return val if val else display
+        except KeyboardInterrupt:
+            console.print("")
+            return display
+
+    new = dict(current)
+    new["time_range"] = _ask("Time range", current.get("time_range", "now-24h"))
+    if module.SENSOR_PARAM is not None:
+        new[module.SENSOR_PARAM] = _ask(
+            "Sensor (comma-sep or 'all')", current.get(module.SENSOR_PARAM, "all")
+        )
+
+    if module.SUPPORTS_IP_FILTER:
+        pub_raw = _ask("Public only (y/n)", "y" if current.get("public_only") else "n")
+        new["public_only"] = pub_raw.lower() in ("y", "yes")
+
+        src_raw = _ask("Src IP filter (blank to clear)", current.get("src_ip"))
+        new["src_ip"] = src_raw if src_raw else None
+
+    dir_raw = _ask(
+        "Direction filter (inbound/outbound/internal/external/blank)",
+        current.get("direction"),
+    )
+    new["direction"] = dir_raw if dir_raw else None
+
+    limit_raw = _ask("Limit", current.get("limit", 500))
+    try:
+        new["limit"] = int(limit_raw)
+    except ValueError:
+        new["limit"] = current.get("limit", 500)
+
+    # Module-specific search params
+    module.add_search_params_prompt(new, _ask)
+
+    return new
+
+
+# ---------------------------------------------------------------------------
+# Interactive loop
+# ---------------------------------------------------------------------------
+
+
+def interactive_loop(records: list, search_params: dict, module, query_fn=None) -> None:
+    """Interactive post-display prompt — dispatch to module for protocol actions.
+
+    query_fn: callable with signature (module, search_params) -> list.
+              Defaults to run_query when None.
+    """
+    _query_fn = query_fn if query_fn is not None else run_query
+
+    from src.enricher.threat_intel import enrich_ip
+    from src.mantis.mantis_search import (
+        display_results as display_mantis,
+    )
+    from src.mantis.mantis_search import (
+        search as mantis_search,
+    )
+    from src.mantis.mantis_search import (
+        sensor_to_project,
+    )
+
+    last_record: dict | None = None
+
+    while True:
+        console.print("")
+        if last_record:
+            r = last_record["record"]
+            hint = module.describe_record(r)
+            console.print(f"[dim]↩  Last: #{last_record['idx']} {hint}[/dim]")
+        console.print(
+            "[bold cyan]Action[/bold cyan] — enter record #"
+            " / \\[r]e-search / \\[p]rint (CTRL+C to exit):"
+        )
+        try:
+            raw = prompt("  > ").strip().lower()
+        except KeyboardInterrupt:
+            if confirm_exit():
+                break
+            continue
+
+        if raw in ("r", "research", "search"):
+            search_params = _search_again_prompt(search_params, module)
+            new_records = _query_fn(module, search_params)
+            if new_records:
+                records = new_records
+                module.display(records)
+            continue
+
+        if raw in ("p", "print"):
+            module.display(records)
+            continue
+
+        if not raw:
+            continue
+
+        readline.add_history(raw)
+
+        try:
+            idx = int(raw) - 1
+            if idx < 0:
+                raise ValueError
+            record = records[idx]
+        except (ValueError, IndexError):
+            console.print("[red]Invalid selection.[/red]")
+            continue
+
+        src_ip = record.get("src_ip", "")
+        module.display_detail(record, idx + 1)
+
+        # Build action menu dynamically based on module capabilities.
+        action_parts = []
+        if module.SUPPORTS_ENRICHMENT:
+            action_parts.append("\\[e]nrich")
+        if module.SUPPORTS_FP:
+            action_parts.append("\\[f]alse positive")
+        action_parts += ["\\[m]antis search", "\\[s]kip"]
+        console.print("  " + "  ".join(action_parts))
+
+        try:
+            action = prompt("  Action: ").strip().lower()
+        except KeyboardInterrupt:
+            console.print("[dim]Cancelled.[/dim]")
+            continue
+
+        key = action[:1]
+        if key:
+            readline.add_history(action)
+
+        if key == "e" and module.SUPPORTS_ENRICHMENT:
+            hash_val = record.get("sha256") or record.get("md5") or record.get("file_hash")
+            if hash_val and not src_ip:
+                # Hash-only enrichment (e.g. pe module — no IP).
+                from src.enricher.virustotal import check_hash, display_hash
+
+                console.print(f"[dim]Querying VirusTotal for {hash_val[:16]}…[/dim]")
+                display_hash(hash_val, check_hash(hash_val))
+            elif hash_val:
+                # Both hash and IP available — ask which.
+                console.print("  \\[h]ash (VirusTotal file lookup)  \\[i]p enrichment")
+                try:
+                    sub = prompt("  Choice: ").strip().lower()
+                except KeyboardInterrupt:
+                    console.print("[dim]Cancelled.[/dim]")
+                    sub = ""
+                if sub.startswith("h"):
+                    from src.enricher.virustotal import check_hash, display_hash
+
+                    console.print(f"[dim]Querying VirusTotal for {hash_val[:16]}…[/dim]")
+                    display_hash(hash_val, check_hash(hash_val))
+                else:
+                    enrich_ip(src_ip)
+            else:
+                enrich_ip(src_ip)
+        elif key == "f" and module.SUPPORTS_FP:
+            module.fp_action(record)
+        elif key == "m":
+            dest_ip = record.get("dest_ip", "")
+            queries = dict.fromkeys(ip for ip in [src_ip, dest_ip] if ip)
+            city = sensor_to_project(record.get("sensor", "all"))
+            if city:
+                console.print(f"[dim]Filtering Mantis to project '{city}'[/dim]")
+            combined: list = []
+            seen_ids: set = set()
+            for q in queries:
+                console.print(f"[dim]Searching Mantis for '{q}'...[/dim]")
+                for r in mantis_search(q, city=city):
+                    if r["id"] not in seen_ids:
+                        combined.append(r)
+                        seen_ids.add(r["id"])
+            display_mantis(combined)
+        last_record = {"idx": idx + 1, "record": record}
+
+
+# ---------------------------------------------------------------------------
+# Diagnostic helpers
+# ---------------------------------------------------------------------------
+
+
+def list_sensors(time_range: str = "now-7d") -> None:
+    """Aggregate on host.name and print all known sensors."""
+    body = {
+        "size": 0,
+        "query": {
+            "bool": {
+                "filter": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"exists": {"field": "event.dataset"}},
+                ]
+            }
+        },
+        "aggs": {
+            "sensors": {
+                "terms": {
+                    "field": "host.name",
+                    "size": 500,
+                    "order": {"_count": "desc"},
+                }
+            }
+        },
+    }
+    params = {"path": f"{INDEX}/_search", "method": "POST"}
+
+    console.print(f"[dim]Querying host.name values ({time_range})...[/dim]")
+    try:
+        raw = query_opensearch(body, params)
+    except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+        console.print(f"[red]{exc}[/red]")
+        return
+
+    buckets = raw.get("aggregations", {}).get("sensors", {}).get("buckets", [])
+    if not buckets:
+        console.print("[yellow]No sensors found in the given time range.[/yellow]")
+        return
+
+    table = Table(
+        title=f"Malcolm sensors (past {time_range.replace('now-', '')})",
+        box=box.SIMPLE_HEAVY,
+    )
+    table.add_column("host.name", style="cyan")
+    table.add_column("Record count", justify="right")
+
+    for bucket in buckets:
+        table.add_row(bucket["key"], str(bucket["doc_count"]))
+
+    console.print(table)
+    console.print(
+        f"[dim]{len(buckets)} sensor(s) found. "
+        f"Pass one or more to --sensor as a comma-separated list.[/dim]"
+    )
+
+
+def list_log_types(time_range: str = "now-7d") -> None:
+    """Aggregate on event.dataset and print all Zeek log types present."""
+    body = {
+        "size": 0,
+        "query": {
+            "bool": {
+                "filter": [
+                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
+                    {"exists": {"field": "event.dataset"}},
+                ]
+            }
+        },
+        "aggs": {
+            "log_types": {
+                "terms": {
+                    "field": "event.dataset",
+                    "size": 200,
+                    "order": {"_count": "desc"},
+                }
+            }
+        },
+    }
+    params = {"path": f"{INDEX}/_search", "method": "POST"}
+
+    console.print(f"[dim]Querying event.dataset values ({time_range})...[/dim]")
+    try:
+        raw = query_opensearch(body, params)
+    except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+        console.print(f"[red]{exc}[/red]")
+        return
+
+    buckets = raw.get("aggregations", {}).get("log_types", {}).get("buckets", [])
+    if not buckets:
+        console.print("[yellow]No log types found in the given time range.[/yellow]")
+        return
+
+    table = Table(
+        title=f"Zeek log types in Malcolm (past {time_range.replace('now-', '')})",
+        box=box.SIMPLE_HEAVY,
+    )
+    table.add_column("event.dataset (log type)", style="cyan")
+    table.add_column("Record count", justify="right")
+
+    for bucket in buckets:
+        table.add_row(bucket["key"], str(bucket["doc_count"]))
+
+    console.print(table)
+    console.print(
+        f"[dim]{len(buckets)} log type(s) found. Pass one to --log-type (or 'all').[/dim]"
+    )
+
+
+def list_indices() -> None:
+    """List all indices in the cluster sorted by doc count."""
+    try:
+        base_url, session = _opensearch_session()
+    except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+        console.print(f"[red]{exc}[/red]")
+        return
+
+    try:
+        resp = session.post(
+            base_url + "/api/console/proxy",
+            params={
+                "path": (
+                    "_cat/indices?format=json&s=docs.count:desc"
+                    "&h=index,docs.count,store.size,health"
+                ),
+                "method": "GET",
+            },
+            timeout=30,
+        )
+    except httpx.RequestError as exc:
+        console.print(f"[red]Cannot reach OpenSearch at {base_url}: {exc}[/red]")
+        return
+
+    if not resp.is_success:
+        console.print(f"[red]OpenSearch error {resp.status_code}: {resp.text[:300]}[/red]")
+        return
+
+    indices = resp.json()
+    if not indices:
+        console.print("[yellow]No indices found.[/yellow]")
+        return
+
+    table = Table(title="OpenSearch indices (sorted by doc count)", box=box.SIMPLE_HEAVY)
+    table.add_column("Index", style="cyan")
+    table.add_column("Docs", justify="right")
+    table.add_column("Size", justify="right")
+    table.add_column("Health", justify="center")
+
+    for entry in indices:
+        health = entry.get("health", "")
+        health_color = {"green": "green", "yellow": "yellow", "red": "red"}.get(health, "white")
+        table.add_row(
+            entry.get("index", ""),
+            entry.get("docs.count", "—"),
+            entry.get("store.size", "—"),
+            f"[{health_color}]{health}[/{health_color}]",
+        )
+
+    console.print(table)
+    console.print(
+        f"[dim]Current INDEX pattern: '{INDEX}' — update the INDEX constant if needed.[/dim]"
+    )
+
+
+def match_all_sample(time_range: str = "now-24h", limit: int = 3) -> None:
+    """Fire a plain match_all to confirm data exists and show actual field names."""
+    body = {
+        "size": limit,
+        "sort": [{"@timestamp": {"order": "desc"}}],
+        "query": {"bool": {"must": [{"range": {"@timestamp": {"gte": time_range, "lte": "now"}}}]}},
+    }
+    params = {"path": f"{INDEX}/_search", "method": "POST"}
+
+    console.print(f"[dim]match_all against '{INDEX}' ({time_range}, limit {limit})...[/dim]")
+    try:
+        raw = query_opensearch(body, params)
+    except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+        console.print(f"[red]{exc}[/red]")
+        return
+
+    total = raw.get("hits", {}).get("total", {})
+    total_val = total.get("value", 0) if isinstance(total, dict) else total
+    console.print(f"[bold]Total hits:[/bold] {total_val}")
+
+    hits = raw.get("hits", {}).get("hits", [])
+    if not hits:
+        console.print(
+            "[yellow]No hits — index pattern may not match any indices,"
+            " or no data in this time range.[/yellow]"
+        )
+        return
+
+    for i, hit in enumerate(hits, 1):
+        console.print(f"\n[bold cyan]── Hit {i} ──[/bold cyan]")
+        console.print(json.dumps(hit.get("_source", {}), indent=2, default=str))
diff --git a/src/querier/client.py b/src/querier/client.py
new file mode 100644
index 0000000..985b679
--- /dev/null
+++ b/src/querier/client.py
@@ -0,0 +1,172 @@
+#!/usr/bin/env python3
+"""OpenSearch connection management: session lifecycle and raw query execution."""
+
+import atexit
+import os
+import sys
+
+import httpx
+from rich.console import Console
+
+console = Console(file=sys.stderr)
+
+OPENSEARCH_URL = os.environ.get("OPENSEARCH_URL", "https://pisces-opensearch.cyberrangepoulsbo.com")
+INDEX = "arkime_sessions3-*"
+
+_DEFAULT_HEADERS = {
+    "Content-Type": "application/json",
+    "osd-xsrf": "true",
+}
+
+
+class OpenSearchConnectionError(RuntimeError):
+    """Raised when OpenSearch is unreachable or the URL / credentials are not configured."""
+
+
+class OpenSearchAuthError(RuntimeError):
+    """Raised when OpenSearch rejects the supplied credentials (HTTP 401)."""
+
+
+# ---------------------------------------------------------------------------
+# Sync client (CLI + per-request web calls)
+# ---------------------------------------------------------------------------
+
+# Module-level client cache: (url, username, password, client).
+_client_cache: tuple[str, str, str, httpx.Client] | None = None
+
+
+def _opensearch_client() -> tuple[str, httpx.Client]:
+    """Return (base_url, authenticated httpx.Client).
+
+    The Client is cached at module level and reused as long as credentials
+    remain unchanged, so the connection pool stays warm across calls.
+    Raises OpenSearchConnectionError when credentials are not configured.
+    """
+    global _client_cache
+
+    opensearch_url = os.environ.get("OPENSEARCH_URL", OPENSEARCH_URL)
+    username = os.environ.get("PISCES_USERNAME", "")
+    password = os.environ.get("PISCES_PASSWORD", "")
+
+    if not username or not password:
+        raise OpenSearchConnectionError(
+            "PISCES_USERNAME and PISCES_PASSWORD must be set — check your .env file"
+        )
+
+    if _client_cache is not None:
+        cached_url, cached_user, cached_pass, cached_client = _client_cache
+        if (cached_url, cached_user, cached_pass) == (opensearch_url, username, password):
+            return opensearch_url, cached_client
+
+    client = httpx.Client(
+        auth=(username, password),
+        verify=False,
+        headers=_DEFAULT_HEADERS,
+        limits=httpx.Limits(max_connections=20, max_keepalive_connections=16),
+        timeout=60.0,
+    )
+    _client_cache = (opensearch_url, username, password, client)
+    atexit.register(client.close)
+    return opensearch_url, client
+
+
+# Keep backwards-compatible alias used by list_indices in cli_loop.py
+_opensearch_session = _opensearch_client
+
+
+def query_opensearch(body: dict, params: dict) -> dict:
+    """Submit a synchronous query to OpenSearch.
+
+    Raises OpenSearchConnectionError or OpenSearchAuthError on failure.
+    """
+    base_url, client = _opensearch_client()
+
+    try:
+        resp = client.post(
+            base_url + "/api/console/proxy",
+            params=params,
+            json=body,
+        )
+    except httpx.RequestError as exc:
+        raise OpenSearchConnectionError(
+            f"Cannot reach OpenSearch at {base_url} — are you on the VPN? ({exc})"
+        ) from exc
+
+    if resp.status_code == 401:
+        raise OpenSearchAuthError(
+            "OpenSearch rejected the credentials — check PISCES_USERNAME/PASSWORD"
+        )
+
+    if not resp.is_success:
+        raise OpenSearchConnectionError(
+            f"OpenSearch returned HTTP {resp.status_code}: {resp.text[:300]}"
+        )
+
+    return resp.json()
+
+
+# ---------------------------------------------------------------------------
+# Async client (cross-protocol fan-out on the web path)
+# ---------------------------------------------------------------------------
+
+_async_client_cache: tuple[str, str, str, httpx.AsyncClient] | None = None
+
+
+async def _get_async_client() -> tuple[str, httpx.AsyncClient]:
+    """Return (base_url, long-lived AsyncClient) — one per process per credential set."""
+    global _async_client_cache
+
+    opensearch_url = os.environ.get("OPENSEARCH_URL", OPENSEARCH_URL)
+    username = os.environ.get("PISCES_USERNAME", "")
+    password = os.environ.get("PISCES_PASSWORD", "")
+
+    if not username or not password:
+        raise OpenSearchConnectionError(
+            "PISCES_USERNAME and PISCES_PASSWORD must be set — check your .env file"
+        )
+
+    if _async_client_cache is not None:
+        cached_url, cached_user, cached_pass, cached_client = _async_client_cache
+        if (cached_url, cached_user, cached_pass) == (opensearch_url, username, password):
+            return opensearch_url, cached_client
+
+    async_client = httpx.AsyncClient(
+        auth=(username, password),
+        verify=False,
+        headers=_DEFAULT_HEADERS,
+        limits=httpx.Limits(max_connections=40, max_keepalive_connections=32),
+        timeout=60.0,
+    )
+    _async_client_cache = (opensearch_url, username, password, async_client)
+    return opensearch_url, async_client
+
+
+async def query_opensearch_async(body: dict, params: dict) -> dict:
+    """Async variant of query_opensearch — for use in the web fan-out path.
+
+    Raises OpenSearchConnectionError or OpenSearchAuthError on failure.
+    """
+    base_url, client = await _get_async_client()
+
+    try:
+        resp = await client.post(
+            base_url + "/api/console/proxy",
+            params=params,
+            json=body,
+        )
+    except httpx.RequestError as exc:
+        raise OpenSearchConnectionError(
+            f"Cannot reach OpenSearch at {base_url} — are you on the VPN? ({exc})"
+        ) from exc
+
+    if resp.status_code == 401:
+        raise OpenSearchAuthError(
+            "OpenSearch rejected the credentials — check PISCES_USERNAME/PASSWORD"
+        )
+
+    if not resp.is_success:
+        raise OpenSearchConnectionError(
+            f"OpenSearch returned HTTP {resp.status_code}: {resp.text[:300]}"
+        )
+
+    return resp.json()
diff --git a/src/querier/filter_loader.py b/src/querier/filter_loader.py
index 8ba3914..8b6cf5d 100755
--- a/src/querier/filter_loader.py
+++ b/src/querier/filter_loader.py
@@ -8,12 +8,15 @@
 
 import os
 import sys
+import time
 
 import yaml
 
-# Module-level cache: (filters_dir, municipality) → {"mtime": float, "result": dict}
+# Module-level cache: (filters_dir, municipality) → {mtime, result, checked}
 _filter_cache: dict[tuple, dict] = {}
 
+_MTIME_TTL = 5.0  # seconds — skip the directory walk when cache is this fresh
+
 
 def _max_mtime(filters_dir: str) -> float:
     """Return the highest mtime across all *.yaml files under filters_dir."""
@@ -30,6 +33,27 @@ def _max_mtime(filters_dir: str) -> float:
     return max_t
 
 
+def _load_categories(filters_dir: str) -> dict[str, set[str]]:
+    """Load categories.yaml and return {category: set(subcategories)}.
+
+    Returns an empty dict if the file is absent or unparseable (non-fatal).
+    """
+    cat_path = os.path.join(filters_dir, "categories.yaml")
+    try:
+        with open(cat_path) as fh:
+            raw = yaml.safe_load(fh)
+    except (OSError, yaml.YAMLError):
+        return {}
+
+    if not isinstance(raw, dict):
+        return {}
+    registry: dict[str, set[str]] = {}
+    for cat, meta in raw.get("categories", {}).items():
+        subs = meta.get("subcategories", []) if isinstance(meta, dict) else []
+        registry[cat] = set(subs)
+    return registry
+
+
 def load_filters(
     filters_dir: str,
     municipality: str | None = None,
@@ -49,9 +73,13 @@ def load_filters(
         }
     """
     cache_key = (filters_dir, municipality)
-    current_mtime = _max_mtime(filters_dir)
+    now = time.monotonic()
     cached = _filter_cache.get(cache_key)
+    if cached is not None and (now - cached["checked"]) < _MTIME_TTL:
+        return cached["result"]
+    current_mtime = _max_mtime(filters_dir)
     if cached is not None and cached["mtime"] == current_mtime:
+        cached["checked"] = now
         return cached["result"]
 
     must_not_clauses: list[dict] = []
@@ -65,6 +93,8 @@ def load_filters(
             "errors": [f"filters_dir not found: {filters_dir}"],
         }
 
+    categories = _load_categories(filters_dir)
+
     for root, _dirs, files in os.walk(filters_dir):
         for fname in sorted(files):
             if not fname.endswith(".yaml") and not fname.endswith(".yml"):
@@ -88,6 +118,22 @@ def load_filters(
                 errors.append(f"{fpath}: expected a YAML mapping at top level")
                 continue
 
+            # Validate category/subcategory against the registry when present.
+            if categories:
+                cat = data.get("category")
+                sub = data.get("subcategory")
+                if cat is not None and cat not in categories:
+                    errors.append(
+                        f"{fpath}: unknown category '{cat}' (valid: {sorted(categories)})"
+                    )
+                elif cat is not None and sub is not None:
+                    valid_subs = categories[cat]
+                    if valid_subs and sub not in valid_subs:
+                        errors.append(
+                            f"{fpath}: unknown subcategory '{sub}' for category '{cat}' "
+                            f"(valid: {sorted(valid_subs)})"
+                        )
+
             # Respect enabled flag (default True)
             if not data.get("enabled", True):
                 continue
@@ -117,7 +163,7 @@ def load_filters(
         "filter_count": filter_count,
         "errors": errors,
     }
-    _filter_cache[cache_key] = {"mtime": current_mtime, "result": result}
+    _filter_cache[cache_key] = {"mtime": current_mtime, "result": result, "checked": now}
     return result
 
 
diff --git a/src/querier/fp_manager.py b/src/querier/fp_manager.py
index 83aebe2..0cf9589 100755
--- a/src/querier/fp_manager.py
+++ b/src/querier/fp_manager.py
@@ -11,8 +11,10 @@
 import argparse
 import datetime
 import os
+import re
 import subprocess
 import sys
+from pathlib import Path
 
 import yaml
 from rich import box
@@ -70,25 +72,106 @@ def ensure_subcategory(category: str, subcategory: str) -> None:
 # ---------------------------------------------------------------------------
 
 
+_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
+
+
+def _safe_name(label: str, value: str) -> str:
+    """Reject path-traversal or shell-special characters in a filter name component."""
+    if not value or not _NAME_RE.match(value):
+        raise ValueError(f"Invalid {label} name: {value!r}")
+    return value
+
+
+def _assert_inside_filters_dir(path: str) -> str:
+    """Ensure *path* resolves under FILTERS_DIR; return the resolved path.
+
+    All file I/O in this module goes through here so the taint barrier is
+    local to every sink (helps CodeQL's interprocedural analysis).
+    """
+    base = Path(FILTERS_DIR).resolve()
+    real = Path(path).resolve()
+    if not real.is_relative_to(base):
+        raise ValueError(f"Path escapes filters dir: {path}")
+    return str(real)
+
+
 def filter_file_path(category: str, subcategory: str) -> str:
-    return os.path.join(FILTERS_DIR, category, f"{subcategory}.yaml")
+    cat = _safe_name("category", category)
+    sub = _safe_name("subcategory", subcategory)
+    return _assert_inside_filters_dir(os.path.join(FILTERS_DIR, cat, f"{sub}.yaml"))
 
 
 def load_filter_file(path: str) -> dict:
-    if not os.path.exists(path):
+    safe = _assert_inside_filters_dir(path)
+    if not os.path.exists(safe):
         return {}
-    with open(path) as fh:
+    with open(safe) as fh:
         return yaml.safe_load(fh) or {}
 
 
 def write_filter_file(path: str, data: dict) -> None:
-    os.makedirs(os.path.dirname(path), exist_ok=True)
-    with open(path, "w") as fh:
+    safe = _assert_inside_filters_dir(path)
+    os.makedirs(os.path.dirname(safe), exist_ok=True)
+    with open(safe, "w") as fh:
         yaml.dump(data, fh, default_flow_style=False, allow_unicode=True, sort_keys=False)
 
 
+def delete_ip_from_filter(path: str, ip: str) -> int:
+    """Remove must_not clauses that match *ip* as src_ip or dest_ip.
+
+    Handles single-value ``term`` and multi-value ``terms`` clauses.
+    For ``terms`` clauses with multiple IPs only the matching IP is removed;
+    the clause is kept with the remaining IPs.  If the clause had only that
+    one IP it is dropped entirely.
+
+    Returns the number of clause entries affected (removed or shrunken).
+    Raises ``FileNotFoundError`` if *path* does not exist.
+    Raises ``ValueError`` if no clauses matched the IP.
+    """
+    path = _assert_inside_filters_dir(path)
+    if not os.path.exists(path):
+        raise FileNotFoundError(path)
+
+    data = load_filter_file(path)
+    original_clauses: list = data.get("must_not", [])
+    kept: list = []
+    removed_count = 0
+
+    for clause in original_clauses:
+        term = clause.get("term", {})
+        if term.get("src_ip") == ip or term.get("dest_ip") == ip:
+            removed_count += 1
+            continue
+
+        terms = clause.get("terms", {})
+        matched_field: str | None = None
+        for field in ("src_ip", "dest_ip"):
+            if ip in terms.get(field, []):
+                matched_field = field
+                break
+
+        if matched_field:
+            remaining = [v for v in terms[matched_field] if v != ip]
+            if remaining:
+                new_clause = dict(clause)
+                new_clause["terms"] = {**terms, matched_field: remaining}
+                kept.append(new_clause)
+            removed_count += 1
+            continue
+
+        kept.append(clause)
+
+    if removed_count == 0:
+        raise ValueError(f"No clauses found matching IP {ip}")
+
+    data["must_not"] = kept
+    write_filter_file(path, data)
+    return removed_count
+
+
 def append_clauses_to_file(path: str, new_clauses: list[dict], author: str = "analyst") -> None:
     """Append must_not clauses to an existing filter file, or create it."""
+    path = _assert_inside_filters_dir(path)
     if os.path.exists(path):
         existing = load_filter_file(path)
         existing.setdefault("must_not", [])
diff --git a/src/querier/histogram.py b/src/querier/histogram.py
new file mode 100644
index 0000000..ba85504
--- /dev/null
+++ b/src/querier/histogram.py
@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+"""Date-histogram aggregation helper shared by the MCP tool and CLI renderer."""
+
+from typing import Optional
+
+from src.querier.builder import build_base_query
+from src.querier.client import query_opensearch
+from src.querier.runner import FILTERS_DIR, load_with_remap
+from src.querier.zeek_modules import MODULES
+
+
+def query_histogram(
+    log_type: str,
+    interval: str = "1h",
+    time_range: str = "now-24h",
+    src_ip: str | list[str] | None = None,
+    dest_ip: str | list[str] | None = None,
+    sensor: str | list[str] = "all",
+    no_filters: bool = False,
+    time_from: Optional[str] = None,
+    time_to: Optional[str] = None,
+) -> list[dict]:
+    """Run a date_histogram aggregation and return the time buckets.
+
+    Returns a list of {key: epoch_ms, key_as_string: ISO-8601, doc_count: int}.
+    An empty list is returned when OpenSearch is unreachable or returns no data.
+    """
+    if no_filters:
+        must_not: list = []
+    else:
+        must_not, _, _ = load_with_remap(FILTERS_DIR)
+
+    sensors: list | None = None
+    if sensor:
+        if isinstance(sensor, list):
+            sensors = [s.strip() for s in sensor]
+        elif str(sensor).lower() != "all":
+            sensors = [s.strip() for s in str(sensor).split(",")]
+
+    datasets: list[str]
+    if log_type == "all" or log_type not in MODULES:
+        datasets = ["all"]
+    else:
+        datasets = MODULES[log_type].DATASETS
+
+    body, params = build_base_query(
+        must_not=must_not,
+        extra_must=[],
+        source_fields=[],
+        limit=0,
+        time_range=time_range,
+        sensors=sensors,
+        datasets=datasets,
+        src_ip_filter=src_ip,
+        dest_ip_filter=dest_ip,
+        time_from=time_from,
+        time_to=time_to,
+        sort=False,
+    )
+    body["size"] = 0
+    body["track_total_hits"] = False
+    body["aggs"] = {
+        "over_time": {
+            "date_histogram": {
+                "field": "@timestamp",
+                "fixed_interval": interval,
+                "min_doc_count": 0,
+            }
+        }
+    }
+
+    raw = query_opensearch(body, params)
+    if raw is None:
+        return []
+
+    buckets = raw.get("aggregations", {}).get("over_time", {}).get("buckets", [])
+    return [
+        {
+            "key": b["key"],
+            "key_as_string": b["key_as_string"],
+            "doc_count": b["doc_count"],
+        }
+        for b in buckets
+    ]
diff --git a/src/querier/histogram_cli.py b/src/querier/histogram_cli.py
new file mode 100644
index 0000000..504cd52
--- /dev/null
+++ b/src/querier/histogram_cli.py
@@ -0,0 +1,153 @@
+#!/usr/bin/env python3
+"""pisces-histogram — terminal bar chart of Zeek event volume over time."""
+
+import argparse
+import os
+import shutil
+import sys
+
+from dotenv import load_dotenv
+
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
+
+from src.querier.client import OpenSearchAuthError, OpenSearchConnectionError
+from src.querier.histogram import query_histogram
+from src.querier.zeek_modules import MODULES
+from src.utils.dns import setup_dns
+
+_BLOCKS = " ▁▂▃▄▅▆▇█"
+_VALID_LOG_TYPES = sorted(MODULES.keys()) + ["all"]
+
+
+def _render(buckets: list[dict], width: int) -> str:
+    """Return a single-row Unicode bar chart string of `width` characters."""
+    if not buckets:
+        return "(no data)"
+
+    counts = [b["doc_count"] for b in buckets]
+    max_count = max(counts) if any(counts) else 1
+    n = len(buckets)
+
+    if n <= width:
+        bars = [_BLOCKS[round(c / max_count * 8)] for c in counts]
+    else:
+        # Compress: average counts into `width` columns
+        bars = []
+        for i in range(width):
+            lo = int(i * n / width)
+            hi = int((i + 1) * n / width)
+            chunk = counts[lo:hi] if lo < hi else counts[lo : lo + 1]
+            avg = sum(chunk) / len(chunk)
+            bars.append(_BLOCKS[round(avg / max_count * 8)])
+
+    return "".join(bars)
+
+
+def _time_axis(buckets: list[dict], bar_width: int) -> str:
+    """Return a sparse time-label row aligned to the bar chart."""
+    if not buckets:
+        return ""
+
+    def _short(ts: str) -> str:
+        # "2026-04-19T14:00:00.000Z" → "04-19 14:00" or just "HH:MM" if same day
+        try:
+            date_part, time_part = ts.split("T")
+            hhmm = time_part[:5]
+            return f"{date_part[5:]} {hhmm}"
+        except Exception:
+            return ts[:16]
+
+    n = len(buckets)
+    label_positions = [0, n // 4, n // 2, 3 * n // 4, n - 1]
+    row = [" "] * bar_width
+
+    for pos in label_positions:
+        # Map bucket index → bar column
+        col = round(pos * bar_width / max(n - 1, 1))
+        label = _short(buckets[pos]["key_as_string"])
+        start = max(0, min(col, bar_width - len(label)))
+        for i, ch in enumerate(label):
+            if start + i < bar_width:
+                row[start + i] = ch
+
+    return "".join(row)
+
+
+def main() -> None:
+    """Entry point for the pisces-histogram CLI tool."""
+    parser = argparse.ArgumentParser(
+        description="Show a terminal bar chart of Zeek event volume over time.",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+    parser.add_argument(
+        "log_type",
+        choices=_VALID_LOG_TYPES,
+        help="Zeek log type to histogram, or 'all' for every dataset.",
+    )
+    parser.add_argument(
+        "--interval", default="1h", help="Bucket width, e.g. 15m, 1h, 1d (default: 1h)"
+    )
+    parser.add_argument(
+        "--time-range", default="now-24h", help="ES date-math range (default: now-24h)"
+    )
+    parser.add_argument(
+        "--time-from", help="Absolute start timestamp (ISO 8601), overrides --time-range"
+    )
+    parser.add_argument("--time-to", help="Absolute end timestamp (ISO 8601)")
+    parser.add_argument("--src-ip", help="Filter to a source IP (or comma-separated list)")
+    parser.add_argument("--dest-ip", help="Filter to a destination IP (or comma-separated list)")
+    parser.add_argument("--sensor", default="all", help="Sensor hostname, or 'all' (default)")
+    parser.add_argument(
+        "--no-filters", action="store_true", help="Disable false-positive YAML filters"
+    )
+    args = parser.parse_args()
+
+    load_dotenv()
+    setup_dns()
+
+    src_ip: str | list[str] | None = args.src_ip
+    if args.src_ip and "," in args.src_ip:
+        src_ip = [s.strip() for s in args.src_ip.split(",")]
+    dest_ip: str | list[str] | None = args.dest_ip
+    if args.dest_ip and "," in args.dest_ip:
+        dest_ip = [s.strip() for s in args.dest_ip.split(",")]
+
+    try:
+        buckets = query_histogram(
+            log_type=args.log_type,
+            interval=args.interval,
+            time_range=args.time_range,
+            src_ip=src_ip,
+            dest_ip=dest_ip,
+            sensor=args.sensor,
+            no_filters=args.no_filters,
+            time_from=args.time_from,
+            time_to=args.time_to,
+        )
+    except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+        print(f"Error: {exc}", file=sys.stderr)
+        sys.exit(1)
+
+    if not buckets:
+        print("No data returned for the given parameters.")
+        return
+
+    total = sum(b["doc_count"] for b in buckets)
+    max_count = max(b["doc_count"] for b in buckets)
+    term_width = shutil.get_terminal_size((120, 24)).columns
+    bar_width = min(term_width - 2, len(buckets))
+
+    time_desc = (
+        f"{args.time_from}–{args.time_to}" if args.time_from and args.time_to else args.time_range
+    )
+    header = (
+        f"{args.log_type} — {time_desc}, interval={args.interval},"
+        f" total={total:,}, max={max_count:,}"
+    )
+    print(header)
+    print(_render(buckets, bar_width))
+    print(_time_axis(buckets, bar_width))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/src/querier/module.py b/src/querier/module.py
new file mode 100644
index 0000000..9e7ed2f
--- /dev/null
+++ b/src/querier/module.py
@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+"""ZeekModule abstract base class — protocol module interface."""
+
+from src.querier.client import console
+
+
+class ZeekModule:
+    """Protocol module interface. Subclass and override methods as needed."""
+
+    DATASETS: list = ["all"]
+    SOURCE_FIELDS: list = []
+    DETAIL_FIELDS: list = []  # List of (label: str, value_fn: Callable[[dict], str])
+    SENSOR_PARAM: str | None = "sensor"  # Set to None to skip the sensor prompt in re-search
+    SUPPORTS_IP_FILTER: bool = True  # Set False for metadata-only modules (pe, capture_loss)
+    SUPPORTS_ENRICHMENT: bool = True  # Set False for modules with no IPs or hashes to enrich
+    SUPPORTS_FP: bool = True  # Set False for diagnostic modules (capture_loss)
+    WEB_CATEGORY: str = "core"  # Category group for the web UI sidebar
+    WEB_ICON: str = "fa-question"  # Font Awesome icon class for the web UI sidebar
+    WEB_COLUMNS: list = []  # List of (header: str, value_fn: Callable[[dict], str]) for web table
+    EXTRA_PARAMS: list[str] = []  # Protocol-specific search_params keys forwarded from HTTP request
+    SUMMARY_FIELD: str | None = None  # OpenSearch field to aggregate on for the browse modal
+    SUMMARY_PARAM: str | None = None  # EXTRA_PARAMS key that filters on SUMMARY_FIELD
+    SUMMARY_TYPE: str = "flat"  # "flat" = single field agg, "grouped" = scripted prefix + severity
+
+    def build_extra_must(self, search_params: dict) -> tuple:
+        """Return (must_clauses, post_filters) built from search_params.
+
+        must_clauses: list of OpenSearch DSL clause dicts added to the query must.
+        post_filters: list of callables (record: dict) -> bool applied after parsing.
+                      When non-empty, run_query() uses 3× over-fetch automatically.
+        """
+        return [], []
+
+    def prepare_hits(self, hits: list) -> None:
+        """Pre-parse hook called on raw hits before parse_hit() loop.
+
+        Override for batch lookups (e.g. x509 community_id pivot, pe fuid→hash lookup).
+        Default is a no-op.
+        """
+
+    def parse_hit(self, src: dict) -> dict:
+        """Convert an OpenSearch _source dict to a normalised record dict.
+
+        Must include at minimum: timestamp, sensor, src_ip, dest_ip,
+        dest_port, src_port, _raw.
+        """
+        raise NotImplementedError
+
+    def dedup_key(self, record: dict) -> tuple:
+        """Return the grouping key tuple for deduplicate_zeek."""
+        raise NotImplementedError
+
+    def display(self, records: list) -> None:
+        """Render records as a Rich table."""
+        raise NotImplementedError
+
+    def display_detail(self, record: dict, idx: int) -> None:
+        """Render a Rich Panel with every DETAIL_FIELDS field for the selected record."""
+        from rich.panel import Panel
+        from rich.table import Table
+
+        grid = Table.grid(padding=(0, 2))
+        grid.add_column(style="dim", no_wrap=True, min_width=12)
+        grid.add_column(overflow="fold")
+        for label, fn in self.DETAIL_FIELDS:
+            grid.add_row(label, fn(record))
+        console.print(
+            Panel(
+                grid,
+                title=f"[bold]#{idx}[/bold]  {self.describe_record(record)}",
+                expand=False,
+            )
+        )
+
+    def add_args(self, parser) -> None:
+        """Add protocol-specific argparse arguments to the shared parser."""
+        pass
+
+    def describe_record(self, record: dict) -> str:
+        """One-line summary used in the interactive loop hint line."""
+        src = record.get("src_ip", "?")
+        dst = record.get("dest_ip", "?")
+        port = record.get("dest_port", "?")
+        return f"{src} → {dst}:{port}"
+
+    def fp_signature(self, record: dict) -> str:
+        """Signature string embedded in the FP alert dict."""
+        return "zeek/unknown"
+
+    def fp_action(self, record: dict) -> None:
+        """Handle the [f]alse positive action. Override for custom behaviour."""
+        from src.querier.fp_manager import create_filter_interactive
+
+        fp_alert = {
+            "src_ip": record.get("src_ip"),
+            "dest_ip": record.get("dest_ip"),
+            "dest_port": record.get("dest_port"),
+            "alert": {
+                "signature": self.fp_signature(record),
+                "severity": 3,
+            },
+            "clientID": (record.get("sensors") or [record.get("sensor", "")])[0],
+        }
+        create_filter_interactive(alert=fp_alert)
+
+    def add_search_params_prompt(self, new: dict, _ask) -> None:
+        """Prompt for protocol-specific re-search parameters.
+
+        Override to append module-specific fields to `new`.
+        `_ask(label, current_val)` returns the user-entered string or the
+        current value's string form if the user pressed Enter.
+        """
+        pass
diff --git a/src/querier/opensearch_querier.py b/src/querier/opensearch_querier.py
index fabd4ad..dd5b574 100755
--- a/src/querier/opensearch_querier.py
+++ b/src/querier/opensearch_querier.py
@@ -26,6 +26,8 @@
 from src.querier.zeek_modules.base import (
     FILTERS_DIR,
     TIME_RANGES,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
     build_base_query,
     console,
     interactive_loop,
@@ -207,7 +209,11 @@ def main() -> None:
         return
 
     # 7. Execute query
-    records = run_query(module, search_params)
+    try:
+        records = run_query(module, search_params)
+    except (OpenSearchConnectionError, OpenSearchAuthError) as exc:
+        console.print(f"[red]{exc}[/red]")
+        return
     if not records:
         console.print(
             "[yellow]No records returned. Filters may be too aggressive"
diff --git a/src/querier/runner.py b/src/querier/runner.py
new file mode 100644
index 0000000..63b5b8f
--- /dev/null
+++ b/src/querier/runner.py
@@ -0,0 +1,279 @@
+#!/usr/bin/env python3
+"""Core query execution: deduplication, post-filtering, and run_query entrypoint."""
+
+import hashlib
+import json
+import os
+from collections import defaultdict
+
+from src.querier.builder import _remap_clause, build_base_query
+from src.querier.client import console, query_opensearch, query_opensearch_async
+from src.utils.cache import cache_path as _cache_path_util
+from src.utils.cache import load_cache, save_cache
+from src.utils.format import fmt_bytes, fmt_dur
+
+# Backwards-compatible aliases — zeek modules import these names from .base
+_fmt_bytes = fmt_bytes
+_fmt_dur = fmt_dur
+
+# Project root — four dirname() calls up from src/querier/runner.py
+_BASE = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+FILTERS_DIR = os.path.join(_BASE, "filters")
+
+# Fetch this many times the requested limit when post-filters are active.
+_OVERFETCH_MULTIPLIER = 3
+
+
+def _first(val):
+    """Return val as-is if scalar, or the first element if it's a list."""
+    if isinstance(val, list):
+        return val[0] if val else None
+    return val
+
+
+def _sensor_str(rec: dict) -> str:
+    """Format the sensor(s) column for display."""
+    sensors = rec.get("sensors")
+    vals = sensors if sensors else ([rec["sensor"]] if rec.get("sensor") else [])
+    return ", ".join(v.removeprefix("hedgehog-") for v in vals)
+
+
+def _cache_path(args_hash: str) -> str:
+    return _cache_path_util(f"opensearch_{args_hash}.json")
+
+
+_save_cache = save_cache
+_load_cache = load_cache
+
+# Cache: (raw_must_not, remapped) — invalidates when load_filters returns a new list object.
+_remap_cache: tuple[list, list] | None = None
+
+
+def load_with_remap(filters_dir: str) -> tuple:
+    """Load filters and remap field names. Returns (must_not, fcount, errors)."""
+    global _remap_cache
+    from src.querier.filter_loader import load_filters
+
+    filter_result = load_filters(filters_dir)
+    raw = filter_result["must_not"]
+    if _remap_cache is None or _remap_cache[0] is not raw:
+        _remap_cache = (raw, [_remap_clause(c) for c in raw])
+    return _remap_cache[1], filter_result["filter_count"], filter_result["errors"]
+
+
+def deduplicate_zeek(records: list, key_fn) -> list:
+    """Deduplicate records by key_fn, keeping the most recent per group.
+
+    Sorts output by descending frequency so highest-volume flows appear first.
+    """
+    grouped: dict = defaultdict(list)
+    for rec in records:
+        key = key_fn(rec)
+        grouped[key].append(rec)
+
+    deduped = []
+    for _key, group in sorted(grouped.items(), key=lambda kv: -len(kv[1])):
+        rep = max(group, key=lambda r: r["timestamp"]).copy()
+        rep["freq"] = len(group)
+        if len(group) == 1:
+            rep["sensors"] = [rep["sensor"]] if rep.get("sensor") else []
+        else:
+            rep["sensors"] = sorted({r["sensor"] for r in group if r.get("sensor")})
+        deduped.append(rep)
+
+    return deduped
+
+
+def run_query(module, search_params: dict) -> list:
+    """Execute a full query cycle: load filters, build query, fetch, parse, dedup."""
+    if search_params.get("no_filters"):
+        must_not: list = []
+        console.print("[yellow]--no-filters: all false positive filters disabled[/yellow]")
+    else:
+        must_not, fcount, errors = load_with_remap(FILTERS_DIR)
+        console.print("[dim]Loading false positive filters...[/dim]")
+        console.print(
+            f"[dim]Loaded {fcount} filter file(s) → {len(must_not)} must_not clause(s)[/dim]"
+        )
+        for err in errors:
+            console.print(f"[yellow]Filter warning: {err}[/yellow]")
+
+    sensors: list | None = None
+    sensor_val = search_params.get("sensor", "all")
+    if sensor_val:
+        if isinstance(sensor_val, list):
+            sensors = [s.strip() for s in sensor_val]
+        elif str(sensor_val).lower() != "all":
+            sensors = [s.strip() for s in str(sensor_val).split(",")]
+
+    extra_must, post_filters = module.build_extra_must(search_params)
+
+    # Guard src/dest/any ip filters for modules that don't have the field in SOURCE_FIELDS —
+    # a term query on a missing field returns zero results.
+    has_src = "source.ip" in module.SOURCE_FIELDS
+    has_dest = "destination.ip" in module.SOURCE_FIELDS
+    src_ip_for_query = search_params.get("src_ip") if has_src else None
+    dest_ip_for_query = search_params.get("dest_ip") if has_dest else None
+    any_ip_for_query = search_params.get("any_ip") if (has_src or has_dest) else None
+
+    has_src_port = "source.port" in module.SOURCE_FIELDS
+    has_dest_port = "destination.port" in module.SOURCE_FIELDS
+    has_proto = "network.transport" in module.SOURCE_FIELDS
+    src_port_for_query = search_params.get("src_port") if has_src_port else None
+    dest_port_for_query = search_params.get("dest_port") if has_dest_port else None
+    proto_for_query = search_params.get("proto") if has_proto else None
+
+    # Over-fetch when post-filters are active so truncation still yields enough rows.
+    requested_limit = search_params.get("limit", 500)
+    query_limit = (
+        min(requested_limit * _OVERFETCH_MULTIPLIER, 5000) if post_filters else requested_limit
+    )
+
+    body, params = build_base_query(
+        must_not=must_not,
+        extra_must=extra_must,
+        source_fields=module.SOURCE_FIELDS,
+        limit=query_limit,
+        time_range=search_params.get("time_range", "now-24h"),
+        sensors=sensors,
+        datasets=module.DATASETS,
+        public_only=search_params.get("public_only", False),
+        src_ip_filter=src_ip_for_query,
+        dest_ip_filter=dest_ip_for_query,
+        any_ip_filter=any_ip_for_query,
+        direction=search_params.get("direction"),
+        time_from=search_params.get("time_from"),
+        time_to=search_params.get("time_to"),
+        src_port_filter=src_port_for_query,
+        dest_port_filter=dest_port_for_query,
+        proto_filter=proto_for_query,
+    )
+
+    if search_params.get("profile"):
+        body["profile"] = True
+
+    # Cache is meaningless for profile runs (timing data is request-specific).
+    use_cache = search_params.get("use_cache", False) and not search_params.get("profile")
+    raw = None
+    cache_key = hashlib.md5(json.dumps(body, sort_keys=True).encode()).hexdigest()[:10]
+    cpath = _cache_path(cache_key)
+
+    if use_cache:
+        raw = _load_cache(cpath)
+        if raw:
+            console.print(f"[dim]Using cached response: {cpath}[/dim]")
+
+    if raw is None:
+        console.print(
+            f"[dim]Querying OpenSearch / Malcolm"
+            f" ({search_params.get('time_range', 'now-24h')})...[/dim]"
+        )
+        raw = query_opensearch(body, params)
+        if use_cache:
+            _save_cache(raw, cpath)
+
+    if search_params.get("profile"):
+        from src.querier.cli_loop import display_profile
+
+        display_profile(raw)
+
+    hits = raw.get("hits", {}).get("hits", [])
+    if not hits:
+        console.print("[yellow]No records returned.[/yellow]")
+        return []
+
+    # Pre-parse hook — e.g. x509 community_id batch lookup, pe fuid→hash lookup.
+    module.prepare_hits(hits)
+
+    records = [module.parse_hit(hit.get("_source", {})) for hit in hits]
+    records = [r for r in records if r]
+
+    # Apply post-filters (over-fetch strategy: fetch 3× then truncate).
+    if post_filters:
+        keep = lambda r: all(pf(r) for pf in post_filters)  # noqa: E731
+        records = [r for r in records if keep(r)]
+        if len(records) < requested_limit:
+            console.print(
+                f"[dim]Showing {len(records)}/{requested_limit} after post-filtering — "
+                f"increase time range for more results.[/dim]"
+            )
+        records = records[:requested_limit]
+
+    return deduplicate_zeek(records, module.dedup_key)
+
+
+async def run_query_async(module, search_params: dict) -> list:
+    """Async variant of run_query — uses httpx.AsyncClient for the web fan-out path.
+
+    Skips profile support (web path only).  The cache check, filter loading,
+    query building, parsing, and deduplication are identical to the sync version.
+    """
+    if search_params.get("no_filters"):
+        must_not: list = []
+    else:
+        must_not, _fcount, _errors = load_with_remap(FILTERS_DIR)
+
+    sensors: list | None = None
+    sensor_val = search_params.get("sensor", "all")
+    if sensor_val:
+        if isinstance(sensor_val, list):
+            sensors = [s.strip() for s in sensor_val]
+        elif str(sensor_val).lower() != "all":
+            sensors = [s.strip() for s in str(sensor_val).split(",")]
+
+    extra_must, post_filters = module.build_extra_must(search_params)
+
+    has_src = "source.ip" in module.SOURCE_FIELDS
+    has_dest = "destination.ip" in module.SOURCE_FIELDS
+    src_ip_for_query = search_params.get("src_ip") if has_src else None
+    dest_ip_for_query = search_params.get("dest_ip") if has_dest else None
+    any_ip_for_query = search_params.get("any_ip") if (has_src or has_dest) else None
+
+    has_src_port = "source.port" in module.SOURCE_FIELDS
+    has_dest_port = "destination.port" in module.SOURCE_FIELDS
+    has_proto = "network.transport" in module.SOURCE_FIELDS
+    src_port_for_query = search_params.get("src_port") if has_src_port else None
+    dest_port_for_query = search_params.get("dest_port") if has_dest_port else None
+    proto_for_query = search_params.get("proto") if has_proto else None
+
+    requested_limit = search_params.get("limit", 500)
+    query_limit = (
+        min(requested_limit * _OVERFETCH_MULTIPLIER, 5000) if post_filters else requested_limit
+    )
+
+    body, params = build_base_query(
+        must_not=must_not,
+        extra_must=extra_must,
+        source_fields=module.SOURCE_FIELDS,
+        limit=query_limit,
+        time_range=search_params.get("time_range", "now-24h"),
+        sensors=sensors,
+        datasets=module.DATASETS,
+        public_only=search_params.get("public_only", False),
+        src_ip_filter=src_ip_for_query,
+        dest_ip_filter=dest_ip_for_query,
+        any_ip_filter=any_ip_for_query,
+        direction=search_params.get("direction"),
+        time_from=search_params.get("time_from"),
+        time_to=search_params.get("time_to"),
+        src_port_filter=src_port_for_query,
+        dest_port_filter=dest_port_for_query,
+        proto_filter=proto_for_query,
+    )
+
+    raw = await query_opensearch_async(body, params)
+
+    hits = raw.get("hits", {}).get("hits", [])
+    if not hits:
+        return []
+
+    module.prepare_hits(hits)
+    records = [module.parse_hit(hit.get("_source", {})) for hit in hits]
+    records = [r for r in records if r]
+
+    if post_filters:
+        keep = lambda r: all(pf(r) for pf in post_filters)  # noqa: E731
+        records = [r for r in records if keep(r)]
+        records = records[:requested_limit]
+
+    return deduplicate_zeek(records, module.dedup_key)
diff --git a/src/querier/zeek_modules/base.py b/src/querier/zeek_modules/base.py
index 295c95f..09c179f 100644
--- a/src/querier/zeek_modules/base.py
+++ b/src/querier/zeek_modules/base.py
@@ -1,1039 +1,103 @@
 #!/usr/bin/env python3
-"""Shared infrastructure for PISCES OpenSearch / Malcolm / Zeek querier modules.
+"""Backwards-compatibility shim — re-exports everything from the focused querier modules.
 
-All constants, utility functions, OpenSearch interaction, query building,
-deduplication, and interactive loop logic live here.  Protocol modules
-(conn, dns, http, …) import from this file and the ZeekModule base class.
-"""
-
-import hashlib
-import ipaddress
-import json
-import os
-import readline  # noqa: F401 — enables arrow-key history in input()
-import sys
-from collections import defaultdict
-
-import requests
-import urllib3
-from rich import box
-from rich.console import Console
-from rich.table import Table
-
-from src.utils.cache import cache_path as _cache_path_util
-from src.utils.cache import load_cache, save_cache
-from src.utils.format import fmt_bytes, fmt_dur
-from src.utils.terminal import confirm_exit, prompt
+Zeek protocol modules import from this file via relative imports (`from .base import …`).
+New code should import directly from the focused modules in src/querier/:
 
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-console = Console(file=sys.stderr)
-
-# Backwards-compatible aliases — zeek modules import these names from .base
-_fmt_bytes = fmt_bytes
-_fmt_dur = fmt_dur
+    from src.querier.client  import query_opensearch, console
+    from src.querier.builder import build_base_query, FIELD_MAP
+    from src.querier.runner  import run_query, deduplicate_zeek
+    from src.querier.cli_loop import interactive_loop
+    from src.querier.module  import ZeekModule
+"""
 
-# Project root — four dirname() calls up from src/querier/zeek_modules/base.py
-_BASE = os.path.dirname(
-    os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+from src.querier.builder import (
+    _PRIVATE_CIDR_MUST_NOT,
+    _PRIVATE_CIDRS,
+    FIELD_MAP,
+    TIME_RANGES,
+    _remap_clause,
+    build_base_query,
+    is_private,
+    source_terms_script,
+)
+from src.querier.cli_loop import (
+    _search_again_prompt,
+    _walk_clauses,
+    display_profile,
+    interactive_loop,
+    list_indices,
+    list_log_types,
+    list_sensors,
+    match_all_sample,
+)
+from src.querier.client import (
+    INDEX,
+    OPENSEARCH_URL,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+    _opensearch_session,
+    console,
+    query_opensearch,
+)
+from src.querier.module import ZeekModule
+from src.querier.runner import (
+    _OVERFETCH_MULTIPLIER,
+    FILTERS_DIR,
+    _cache_path,
+    _first,
+    _fmt_bytes,
+    _fmt_dur,
+    _load_cache,
+    _remap_cache,
+    _save_cache,
+    _sensor_str,
+    deduplicate_zeek,
+    load_with_remap,
+    run_query,
 )
-FILTERS_DIR = os.path.join(_BASE, "filters")
-
-# ---------------------------------------------------------------------------
-# Constants
-# ---------------------------------------------------------------------------
-
-# Fetch this many times the requested limit when post-filters are active so
-# truncation still yields enough rows after Python-side filtering discards hits.
-_OVERFETCH_MULTIPLIER = 3
-
-OPENSEARCH_URL = os.environ.get("OPENSEARCH_URL", "https://pisces-opensearch.cyberrangepoulsbo.com")
-INDEX = "arkime_sessions3-*"
-
-# Field name translation: existing YAML filter field → Malcolm/Zeek field
-FIELD_MAP = {
-    "src_ip": "source.ip",
-    "dest_ip": "destination.ip",
-    "src_port": "source.port",
-    "dest_port": "destination.port",
-    "app_proto": "network.protocol",
-    "clientID": "host.name",
-}
-
-TIME_RANGES = [
-    "now-15m",
-    "now-30m",
-    "now-1h",
-    "now-3h",
-    "now-6h",
-    "now-12h",
-    "now-24h",
-    "now-2d",
-    "now-3d",
-    "now-7d",
-    "now-14d",
-    "now-30d",
-]
 
-# Non-routable CIDRs excluded by --public-only.
-_PRIVATE_CIDRS = [
-    # IPv4
-    "10.0.0.0/8",
-    "172.16.0.0/12",
-    "192.168.0.0/16",
-    "127.0.0.0/8",
-    "169.254.0.0/16",  # link-local / APIPA
-    # IPv6
-    "::1/128",  # loopback
-    "fe80::/10",  # link-local
-    "fc00::/7",  # unique-local (fd00::/8 etc.)
-    "ff00::/8",  # multicast
+__all__ = [
+    # client
+    "INDEX",
+    "OPENSEARCH_URL",
+    "OpenSearchAuthError",
+    "OpenSearchConnectionError",
+    "_opensearch_session",
+    "console",
+    "query_opensearch",
+    # builder
+    "FIELD_MAP",
+    "TIME_RANGES",
+    "_PRIVATE_CIDRS",
+    "_PRIVATE_CIDR_MUST_NOT",
+    "_remap_clause",
+    "build_base_query",
+    "is_private",
+    "source_terms_script",
+    # runner
+    "FILTERS_DIR",
+    "_OVERFETCH_MULTIPLIER",
+    "_cache_path",
+    "_first",
+    "_fmt_bytes",
+    "_fmt_dur",
+    "_load_cache",
+    "_remap_cache",
+    "_save_cache",
+    "_sensor_str",
+    "deduplicate_zeek",
+    "load_with_remap",
+    "run_query",
+    # cli_loop
+    "_search_again_prompt",
+    "_walk_clauses",
+    "display_profile",
+    "interactive_loop",
+    "list_indices",
+    "list_log_types",
+    "list_sensors",
+    "match_all_sample",
+    # module
+    "ZeekModule",
 ]
-
-
-# ---------------------------------------------------------------------------
-# Utility helpers
-# ---------------------------------------------------------------------------
-
-
-def _first(val):
-    """Return val as-is if scalar, or the first element if it's a list."""
-    if isinstance(val, list):
-        return val[0] if val else None
-    return val
-
-
-def is_private(ip: str) -> bool:
-    try:
-        addr = ipaddress.ip_address(ip)
-        return any(addr in ipaddress.ip_network(cidr) for cidr in _PRIVATE_CIDRS)
-    except ValueError:
-        return False
-
-
-def _sensor_str(rec: dict) -> str:
-    """Format the sensor(s) column for display."""
-    sensors = rec.get("sensors")
-    vals = sensors if sensors else ([rec["sensor"]] if rec.get("sensor") else [])
-    return ", ".join(v.removeprefix("hedgehog-") for v in vals)
-
-
-# ---------------------------------------------------------------------------
-# Field remapping
-# ---------------------------------------------------------------------------
-
-
-def _remap_clause(clause: dict) -> dict:
-    """Recursively remap Kibana field names to Malcolm/Zeek field names.
-
-    Walks a DSL clause dict and renames any key found in FIELD_MAP.
-    Handles term, terms, range, match_phrase, bool (recurses into
-    must/must_not/should/filter). Pure function — returns a new dict.
-    """
-    if not isinstance(clause, dict):
-        return clause
-
-    result = {}
-    for key, value in clause.items():
-        if key in (
-            "term",
-            "terms",
-            "range",
-            "match_phrase",
-            "match",
-            "wildcard",
-            "prefix",
-            "regexp",
-        ):
-            remapped_inner = {}
-            for field, field_val in value.items():
-                new_field = FIELD_MAP.get(field, field)
-                remapped_inner[new_field] = field_val
-            result[key] = remapped_inner
-        elif key == "bool":
-            new_bool = {}
-            for bool_key, bool_val in value.items():
-                if bool_key in ("must", "must_not", "should", "filter"):
-                    if isinstance(bool_val, list):
-                        new_bool[bool_key] = [_remap_clause(c) for c in bool_val]
-                    else:
-                        new_bool[bool_key] = _remap_clause(bool_val)
-                else:
-                    new_bool[bool_key] = bool_val
-            result[key] = new_bool
-        else:
-            result[key] = value
-
-    return result
-
-
-# ---------------------------------------------------------------------------
-# Cache helpers
-# ---------------------------------------------------------------------------
-
-
-def _cache_path(args_hash: str) -> str:
-    return _cache_path_util(f"opensearch_{args_hash}.json")
-
-
-_save_cache = save_cache
-_load_cache = load_cache
-
-
-# ---------------------------------------------------------------------------
-# OpenSearch session + query
-# ---------------------------------------------------------------------------
-
-
-def _opensearch_session() -> tuple:
-    """Return (base_url, authenticated Session) or (None, None) on missing creds."""
-    opensearch_url = os.environ.get("OPENSEARCH_URL", OPENSEARCH_URL)
-    username = os.environ.get("PISCES_USERNAME", "")
-    password = os.environ.get("PISCES_PASSWORD", "")
-
-    if not username or not password:
-        console.print("[red]PISCES_USERNAME and PISCES_PASSWORD must be set in .env[/red]")
-        return None, None
-
-    session = requests.Session()
-    session.auth = (username, password)
-    session.verify = False
-    session.headers.update(
-        {
-            "Content-Type": "application/json",
-            "osd-xsrf": "true",
-        }
-    )
-    return opensearch_url, session
-
-
-def query_opensearch(body: dict, params: dict) -> dict | None:
-    base_url, session = _opensearch_session()
-    if session is None:
-        return None
-
-    try:
-        resp = session.post(
-            base_url + "/api/console/proxy",
-            params=params,
-            json=body,
-            timeout=30,
-        )
-    except requests.RequestException as exc:
-        console.print(f"[red]OpenSearch request failed: {exc}[/red]")
-        return None
-
-    if resp.status_code == 401:
-        console.print(
-            "[red]OpenSearch authentication failed — check PISCES_USERNAME/PASSWORD[/red]"
-        )
-        return None
-
-    if not resp.ok:
-        console.print(f"[red]OpenSearch error {resp.status_code}: {resp.text[:300]}[/red]")
-        return None
-
-    return resp.json()
-
-
-# ---------------------------------------------------------------------------
-# Profile display
-# ---------------------------------------------------------------------------
-
-
-def _walk_clauses(node: dict, acc: list) -> None:
-    """DFS walk of an ES profile query node, collecting (type, description, time_ms)."""
-    if not isinstance(node, dict):
-        return
-    time_ms = node.get("time_in_nanos", 0) / 1_000_000
-    acc.append((node.get("type", ""), node.get("description", ""), time_ms))
-    for child in node.get("children", []):
-        _walk_clauses(child, acc)
-
-
-def display_profile(raw: dict) -> None:
-    """Render OpenSearch profile data: per-shard timing and slowest query clauses."""
-    profile = raw.get("profile")
-    if not profile:
-        console.print("[yellow]No profile data in response.[/yellow]")
-        return
-
-    shards = profile.get("shards", [])
-    if not shards:
-        console.print("[yellow]Profile present but no shard data.[/yellow]")
-        return
-
-    # --- Shard summary table ---
-    shard_table = Table(title="Profile — per-shard timing", box=box.SIMPLE_HEAVY)
-    shard_table.add_column("Shard", style="cyan", no_wrap=True)
-    shard_table.add_column("Query (ms)", justify="right")
-    shard_table.add_column("Fetch (ms)", justify="right")
-
-    total_query_ms = 0.0
-    total_fetch_ms = 0.0
-    all_clauses: list = []
-
-    for shard in shards:
-        shard_id = shard.get("id", "?")
-        query_ms = 0.0
-        fetch_ms = 0.0
-
-        for search in shard.get("searches", []):
-            for q in search.get("query", []):
-                query_ms += q.get("time_in_nanos", 0) / 1_000_000
-                _walk_clauses(q, all_clauses)
-            for collector in search.get("collector", []):
-                fetch_ms += collector.get("time_in_nanos", 0) / 1_000_000
-
-        total_query_ms += query_ms
-        total_fetch_ms += fetch_ms
-        shard_table.add_row(shard_id, f"{query_ms:.2f}", f"{fetch_ms:.2f}")
-
-    shard_table.add_section()
-    shard_table.add_row(
-        "[bold]Total[/bold]",
-        f"[bold]{total_query_ms:.2f}[/bold]",
-        f"[bold]{total_fetch_ms:.2f}[/bold]",
-    )
-    console.print(shard_table)
-
-    # --- Slowest clauses table (top 15, aggregated across shards) ---
-    from collections import defaultdict
-
-    clause_totals: dict = defaultdict(float)
-    clause_types: dict = {}
-    for ctype, desc, ms in all_clauses:
-        key = desc or ctype
-        clause_totals[key] += ms
-        clause_types[key] = ctype
-
-    top = sorted(clause_totals.items(), key=lambda kv: -kv[1])[:15]
-    if top:
-        clause_table = Table(
-            title="Profile — slowest clauses (all shards combined)", box=box.SIMPLE_HEAVY
-        )
-        clause_table.add_column("Type", style="dim", no_wrap=True)
-        clause_table.add_column("Description", overflow="fold")
-        clause_table.add_column("Total (ms)", justify="right")
-        for desc, ms in top:
-            clause_table.add_row(clause_types.get(desc, ""), desc, f"{ms:.2f}")
-        console.print(clause_table)
-
-
-# ---------------------------------------------------------------------------
-# Filter loading
-# ---------------------------------------------------------------------------
-
-
-def load_with_remap(filters_dir: str) -> tuple:
-    """Load filters and remap field names. Returns (must_not, fcount, errors)."""
-    from src.querier.filter_loader import load_filters
-
-    filter_result = load_filters(filters_dir)
-    raw_must_not = filter_result["must_not"]
-    fcount = filter_result["filter_count"]
-    errors = filter_result["errors"]
-    must_not = [_remap_clause(c) for c in raw_must_not]
-    return must_not, fcount, errors
-
-
-# ---------------------------------------------------------------------------
-# Query building
-# ---------------------------------------------------------------------------
-
-
-def build_base_query(
-    must_not: list,
-    extra_must: list,
-    source_fields: list,
-    limit: int,
-    time_range: str,
-    sensors: list | None,
-    datasets: list,
-    public_only: bool = False,
-    src_ip_filter: str | None = None,
-    dest_ip_filter: str | None = None,
-    direction: str | None = None,
-    time_from: str | None = None,
-    time_to: str | None = None,
-) -> tuple:
-    """Build the OpenSearch query body and request params.
-
-    datasets: list of event.dataset values, or ["all"] to omit the filter.
-    time_from/time_to: absolute ISO timestamps; when both are set they
-        override the relative *time_range* parameter.
-    """
-    if time_from and time_to:
-        ts_clause = {"range": {"@timestamp": {"gte": time_from, "lte": time_to}}}
-    else:
-        ts_clause = {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}}
-    must_clauses: list = [ts_clause]
-
-    if datasets and datasets != ["all"]:
-        must_clauses.append({"terms": {"event.dataset": datasets}})
-
-    if sensors:
-        must_clauses.append({"terms": {"host.name": sensors}})
-
-    if src_ip_filter:
-        must_clauses.append({"term": {"source.ip": src_ip_filter}})
-
-    if dest_ip_filter:
-        must_clauses.append({"term": {"destination.ip": dest_ip_filter}})
-
-    if direction:
-        must_clauses.append({"term": {"network.direction": direction}})
-
-    must_clauses.extend(extra_must)
-
-    effective_must_not = list(must_not)
-    if public_only:
-        for cidr in _PRIVATE_CIDRS:
-            effective_must_not.append({"term": {"source.ip": cidr}})
-
-    body = {
-        "size": limit,
-        "sort": [{"@timestamp": {"order": "desc"}}],
-        "query": {
-            "bool": {
-                "filter": must_clauses,
-                "must_not": effective_must_not,
-            }
-        },
-        "_source": source_fields,
-    }
-
-    params = {
-        "path": f"{INDEX}/_search?timeout=30s",
-        "method": "POST",
-    }
-
-    return body, params
-
-
-# ---------------------------------------------------------------------------
-# Deduplication
-# ---------------------------------------------------------------------------
-
-
-def deduplicate_zeek(records: list, key_fn) -> list:
-    """Deduplicate records by key_fn, keeping the most recent per group.
-
-    Sorts output by descending frequency so highest-volume flows appear first.
-    """
-    grouped: dict = defaultdict(list)
-    for rec in records:
-        key = key_fn(rec)
-        grouped[key].append(rec)
-
-    deduped = []
-    for _key, group in sorted(grouped.items(), key=lambda kv: -len(kv[1])):
-        rep = sorted(group, key=lambda r: r["timestamp"], reverse=True)[0].copy()
-        rep["freq"] = len(group)
-        rep["sensors"] = sorted({r["sensor"] for r in group if r.get("sensor")})
-        deduped.append(rep)
-
-    return deduped
-
-
-# ---------------------------------------------------------------------------
-# run_query
-# ---------------------------------------------------------------------------
-
-
-def run_query(module, search_params: dict) -> list:
-    """Execute a full query cycle: load filters, build query, fetch, parse, dedup."""
-    if search_params.get("no_filters"):
-        must_not: list = []
-        console.print("[yellow]--no-filters: all false positive filters disabled[/yellow]")
-    else:
-        must_not, fcount, errors = load_with_remap(FILTERS_DIR)
-        console.print("[dim]Loading false positive filters...[/dim]")
-        console.print(
-            f"[dim]Loaded {fcount} filter file(s) → {len(must_not)} must_not clause(s)[/dim]"
-        )
-        for err in errors:
-            console.print(f"[yellow]Filter warning: {err}[/yellow]")
-
-    sensors: list | None = None
-    sensor_val = search_params.get("sensor", "all")
-    if sensor_val and str(sensor_val).lower() != "all":
-        sensors = [s.strip() for s in str(sensor_val).split(",")]
-
-    extra_must, post_filters = module.build_extra_must(search_params)
-
-    # Guard src/dest ip filters for modules that don't have the field in SOURCE_FIELDS —
-    # a term query on a missing field returns zero results.
-    src_ip_for_query = search_params.get("src_ip") if "source.ip" in module.SOURCE_FIELDS else None
-    dest_ip_for_query = (
-        search_params.get("dest_ip") if "destination.ip" in module.SOURCE_FIELDS else None
-    )
-
-    # Over-fetch when post-filters are active so truncation still yields enough rows.
-    requested_limit = search_params.get("limit", 500)
-    query_limit = (
-        min(requested_limit * _OVERFETCH_MULTIPLIER, 5000) if post_filters else requested_limit
-    )
-
-    body, params = build_base_query(
-        must_not=must_not,
-        extra_must=extra_must,
-        source_fields=module.SOURCE_FIELDS,
-        limit=query_limit,
-        time_range=search_params.get("time_range", "now-24h"),
-        sensors=sensors,
-        datasets=module.DATASETS,
-        public_only=search_params.get("public_only", False),
-        src_ip_filter=src_ip_for_query,
-        dest_ip_filter=dest_ip_for_query,
-        direction=search_params.get("direction"),
-        time_from=search_params.get("time_from"),
-        time_to=search_params.get("time_to"),
-    )
-
-    if search_params.get("profile"):
-        body["profile"] = True
-
-    # Cache is meaningless for profile runs (timing data is request-specific).
-    use_cache = search_params.get("use_cache", False) and not search_params.get("profile")
-    raw = None
-    cache_key = hashlib.md5(json.dumps(body, sort_keys=True).encode()).hexdigest()[:10]
-    cpath = _cache_path(cache_key)
-
-    if use_cache:
-        raw = _load_cache(cpath)
-        if raw:
-            console.print(f"[dim]Using cached response: {cpath}[/dim]")
-
-    if raw is None:
-        console.print(
-            f"[dim]Querying OpenSearch / Malcolm"
-            f" ({search_params.get('time_range', 'now-24h')})...[/dim]"
-        )
-        raw = query_opensearch(body, params)
-        if raw is None:
-            if search_params.get("raise_on_error"):
-                raise RuntimeError("OpenSearch query failed — check credentials and OPENSEARCH_URL")
-            return []
-        if not search_params.get("profile"):
-            _save_cache(raw, cpath)
-
-    if search_params.get("profile"):
-        display_profile(raw)
-
-    hits = raw.get("hits", {}).get("hits", [])
-    if not hits:
-        console.print("[yellow]No records returned.[/yellow]")
-        return []
-
-    # Pre-parse hook — e.g. x509 community_id batch lookup, pe fuid→hash lookup.
-    module.prepare_hits(hits)
-
-    records = [module.parse_hit(hit.get("_source", {})) for hit in hits]
-    records = [r for r in records if r]
-
-    # Apply post-filters (over-fetch strategy: fetch 3× then truncate).
-    if post_filters:
-        for pf in post_filters:
-            records = [r for r in records if pf(r)]
-        if len(records) < requested_limit:
-            console.print(
-                f"[dim]Showing {len(records)}/{requested_limit} after post-filtering — "
-                f"increase time range for more results.[/dim]"
-            )
-        records = records[:requested_limit]
-
-    return deduplicate_zeek(records, module.dedup_key)
-
-
-# ---------------------------------------------------------------------------
-# Interactive loop
-# ---------------------------------------------------------------------------
-
-
-def interactive_loop(records: list, search_params: dict, module, query_fn=None) -> None:
-    """Interactive post-display prompt — dispatch to module for protocol actions.
-
-    query_fn: callable with signature (module, search_params) -> list.
-              Defaults to run_query when None.
-    """
-    _query_fn = query_fn if query_fn is not None else run_query
-
-    from src.enricher.threat_intel import enrich_ip
-    from src.mantis.mantis_search import (
-        display_results as display_mantis,
-    )
-    from src.mantis.mantis_search import (
-        search as mantis_search,
-    )
-    from src.mantis.mantis_search import (
-        sensor_to_project,
-    )
-
-    last_record: dict | None = None
-
-    while True:
-        console.print("")
-        if last_record:
-            r = last_record["record"]
-            hint = module.describe_record(r)
-            console.print(f"[dim]↩  Last: #{last_record['idx']} {hint}[/dim]")
-        console.print(
-            "[bold cyan]Action[/bold cyan] — enter record #"
-            " / \\[r]e-search / \\[p]rint (CTRL+C to exit):"
-        )
-        try:
-            raw = prompt("  > ").strip().lower()
-        except KeyboardInterrupt:
-            if confirm_exit():
-                break
-            continue
-
-        if raw in ("r", "research", "search"):
-            search_params = _search_again_prompt(search_params, module)
-            new_records = _query_fn(module, search_params)
-            if new_records:
-                records = new_records
-                module.display(records)
-            continue
-
-        if raw in ("p", "print"):
-            module.display(records)
-            continue
-
-        if not raw:
-            continue
-
-        readline.add_history(raw)
-
-        try:
-            idx = int(raw) - 1
-            if idx < 0:
-                raise ValueError
-            record = records[idx]
-        except (ValueError, IndexError):
-            console.print("[red]Invalid selection.[/red]")
-            continue
-
-        src_ip = record.get("src_ip", "")
-        module.display_detail(record, idx + 1)
-
-        # Build action menu dynamically based on module capabilities.
-        action_parts = []
-        if module.SUPPORTS_ENRICHMENT:
-            action_parts.append("\\[e]nrich")
-        if module.SUPPORTS_FP:
-            action_parts.append("\\[f]alse positive")
-        action_parts += ["\\[m]antis search", "\\[s]kip"]
-        console.print("  " + "  ".join(action_parts))
-
-        try:
-            action = prompt("  Action: ").strip().lower()
-        except KeyboardInterrupt:
-            console.print("[dim]Cancelled.[/dim]")
-            continue
-
-        key = action[:1]
-        if key:
-            readline.add_history(action)
-
-        if key == "e" and module.SUPPORTS_ENRICHMENT:
-            hash_val = record.get("sha256") or record.get("md5") or record.get("file_hash")
-            if hash_val and not src_ip:
-                # Hash-only enrichment (e.g. pe module — no IP).
-                from src.enricher.virustotal import check_hash, display_hash
-
-                console.print(f"[dim]Querying VirusTotal for {hash_val[:16]}…[/dim]")
-                display_hash(hash_val, check_hash(hash_val))
-            elif hash_val:
-                # Both hash and IP available — ask which.
-                console.print("  \\[h]ash (VirusTotal file lookup)  \\[i]p enrichment")
-                try:
-                    sub = prompt("  Choice: ").strip().lower()
-                except KeyboardInterrupt:
-                    console.print("[dim]Cancelled.[/dim]")
-                    sub = ""
-                if sub.startswith("h"):
-                    from src.enricher.virustotal import check_hash, display_hash
-
-                    console.print(f"[dim]Querying VirusTotal for {hash_val[:16]}…[/dim]")
-                    display_hash(hash_val, check_hash(hash_val))
-                else:
-                    enrich_ip(src_ip)
-            else:
-                enrich_ip(src_ip)
-        elif key == "f" and module.SUPPORTS_FP:
-            module.fp_action(record)
-        elif key == "m":
-            dest_ip = record.get("dest_ip", "")
-            queries = dict.fromkeys(ip for ip in [src_ip, dest_ip] if ip)
-            city = sensor_to_project(record.get("sensor", "all"))
-            if city:
-                console.print(f"[dim]Filtering Mantis to project '{city}'[/dim]")
-            combined: list = []
-            seen_ids: set = set()
-            for q in queries:
-                console.print(f"[dim]Searching Mantis for '{q}'...[/dim]")
-                for r in mantis_search(q, city=city):
-                    if r["id"] not in seen_ids:
-                        combined.append(r)
-                        seen_ids.add(r["id"])
-            display_mantis(combined)
-        last_record = {"idx": idx + 1, "record": record}
-
-
-# ---------------------------------------------------------------------------
-# Search-again prompt
-# ---------------------------------------------------------------------------
-
-
-def _search_again_prompt(current: dict, module) -> dict:
-    """Prompt for new search parameters, shared + module-specific."""
-    console.print(
-        "\n[bold cyan]New Search Parameters[/bold cyan] [dim](Enter to keep current)[/dim]"
-    )
-    console.print("[dim]Time ranges: " + "  ".join(TIME_RANGES) + "[/dim]")
-
-    def _ask(label: str, current_val) -> str:
-        """Prompt for a value; returns user input or preserves current (empty string for None)."""
-        display = "" if current_val is None else str(current_val)
-        try:
-            val = prompt(f"  {label} [{display}]: ").strip()
-            return val if val else display
-        except KeyboardInterrupt:
-            console.print("")
-            return display
-
-    new = dict(current)
-    new["time_range"] = _ask("Time range", current.get("time_range", "now-24h"))
-    if module.SENSOR_PARAM is not None:
-        new[module.SENSOR_PARAM] = _ask(
-            "Sensor (comma-sep or 'all')", current.get(module.SENSOR_PARAM, "all")
-        )
-
-    if module.SUPPORTS_IP_FILTER:
-        pub_raw = _ask("Public only (y/n)", "y" if current.get("public_only") else "n")
-        new["public_only"] = pub_raw.lower() in ("y", "yes")
-
-        src_raw = _ask("Src IP filter (blank to clear)", current.get("src_ip"))
-        new["src_ip"] = src_raw if src_raw else None
-
-    dir_raw = _ask(
-        "Direction filter (inbound/outbound/internal/external/blank)",
-        current.get("direction"),
-    )
-    new["direction"] = dir_raw if dir_raw else None
-
-    limit_raw = _ask("Limit", current.get("limit", 500))
-    try:
-        new["limit"] = int(limit_raw)
-    except ValueError:
-        new["limit"] = current.get("limit", 500)
-
-    # Module-specific search params
-    module.add_search_params_prompt(new, _ask)
-
-    return new
-
-
-# ---------------------------------------------------------------------------
-# Diagnostic helpers
-# ---------------------------------------------------------------------------
-
-
-def list_sensors(time_range: str = "now-7d") -> None:
-    """Aggregate on host.name and print all known sensors."""
-    body = {
-        "size": 0,
-        "query": {
-            "bool": {
-                "filter": [
-                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
-                    {"exists": {"field": "event.dataset"}},
-                ]
-            }
-        },
-        "aggs": {
-            "sensors": {
-                "terms": {
-                    "field": "host.name",
-                    "size": 500,
-                    "order": {"_count": "desc"},
-                }
-            }
-        },
-    }
-    params = {"path": f"{INDEX}/_search", "method": "POST"}
-
-    console.print(f"[dim]Querying host.name values ({time_range})...[/dim]")
-    raw = query_opensearch(body, params)
-    if raw is None:
-        return
-
-    buckets = raw.get("aggregations", {}).get("sensors", {}).get("buckets", [])
-    if not buckets:
-        console.print("[yellow]No sensors found in the given time range.[/yellow]")
-        return
-
-    table = Table(
-        title=f"Malcolm sensors (past {time_range.replace('now-', '')})",
-        box=box.SIMPLE_HEAVY,
-    )
-    table.add_column("host.name", style="cyan")
-    table.add_column("Record count", justify="right")
-
-    for bucket in buckets:
-        table.add_row(bucket["key"], str(bucket["doc_count"]))
-
-    console.print(table)
-    console.print(
-        f"[dim]{len(buckets)} sensor(s) found. "
-        f"Pass one or more to --sensor as a comma-separated list.[/dim]"
-    )
-
-
-def list_log_types(time_range: str = "now-7d") -> None:
-    """Aggregate on event.dataset and print all Zeek log types present."""
-    body = {
-        "size": 0,
-        "query": {
-            "bool": {
-                "filter": [
-                    {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
-                    {"exists": {"field": "event.dataset"}},
-                ]
-            }
-        },
-        "aggs": {
-            "log_types": {
-                "terms": {
-                    "field": "event.dataset",
-                    "size": 200,
-                    "order": {"_count": "desc"},
-                }
-            }
-        },
-    }
-    params = {"path": f"{INDEX}/_search", "method": "POST"}
-
-    console.print(f"[dim]Querying event.dataset values ({time_range})...[/dim]")
-    raw = query_opensearch(body, params)
-    if raw is None:
-        return
-
-    buckets = raw.get("aggregations", {}).get("log_types", {}).get("buckets", [])
-    if not buckets:
-        console.print("[yellow]No log types found in the given time range.[/yellow]")
-        return
-
-    table = Table(
-        title=f"Zeek log types in Malcolm (past {time_range.replace('now-', '')})",
-        box=box.SIMPLE_HEAVY,
-    )
-    table.add_column("event.dataset (log type)", style="cyan")
-    table.add_column("Record count", justify="right")
-
-    for bucket in buckets:
-        table.add_row(bucket["key"], str(bucket["doc_count"]))
-
-    console.print(table)
-    console.print(
-        f"[dim]{len(buckets)} log type(s) found. Pass one to --log-type (or 'all').[/dim]"
-    )
-
-
-def list_indices() -> None:
-    """List all indices in the cluster sorted by doc count."""
-    base_url, session = _opensearch_session()
-    if session is None:
-        return
-
-    try:
-        resp = session.post(
-            base_url + "/api/console/proxy",
-            params={
-                "path": (
-                    "_cat/indices?format=json&s=docs.count:desc"
-                    "&h=index,docs.count,store.size,health"
-                ),
-                "method": "GET",
-            },
-            timeout=30,
-        )
-    except requests.RequestException as exc:
-        console.print(f"[red]OpenSearch request failed: {exc}[/red]")
-        return
-
-    if not resp.ok:
-        console.print(f"[red]OpenSearch error {resp.status_code}: {resp.text[:300]}[/red]")
-        return
-
-    indices = resp.json()
-    if not indices:
-        console.print("[yellow]No indices found.[/yellow]")
-        return
-
-    table = Table(title="OpenSearch indices (sorted by doc count)", box=box.SIMPLE_HEAVY)
-    table.add_column("Index", style="cyan")
-    table.add_column("Docs", justify="right")
-    table.add_column("Size", justify="right")
-    table.add_column("Health", justify="center")
-
-    for entry in indices:
-        health = entry.get("health", "")
-        health_color = {"green": "green", "yellow": "yellow", "red": "red"}.get(health, "white")
-        table.add_row(
-            entry.get("index", ""),
-            entry.get("docs.count", "—"),
-            entry.get("store.size", "—"),
-            f"[{health_color}]{health}[/{health_color}]",
-        )
-
-    console.print(table)
-    console.print(
-        f"[dim]Current INDEX pattern: '{INDEX}' — update the INDEX constant if needed.[/dim]"
-    )
-
-
-def match_all_sample(time_range: str = "now-24h", limit: int = 3) -> None:
-    """Fire a plain match_all to confirm data exists and show actual field names."""
-    body = {
-        "size": limit,
-        "sort": [{"@timestamp": {"order": "desc"}}],
-        "query": {"bool": {"must": [{"range": {"@timestamp": {"gte": time_range, "lte": "now"}}}]}},
-    }
-    params = {"path": f"{INDEX}/_search", "method": "POST"}
-
-    console.print(f"[dim]match_all against '{INDEX}' ({time_range}, limit {limit})...[/dim]")
-    raw = query_opensearch(body, params)
-    if raw is None:
-        return
-
-    total = raw.get("hits", {}).get("total", {})
-    total_val = total.get("value", 0) if isinstance(total, dict) else total
-    console.print(f"[bold]Total hits:[/bold] {total_val}")
-
-    hits = raw.get("hits", {}).get("hits", [])
-    if not hits:
-        console.print(
-            "[yellow]No hits — index pattern may not match any indices,"
-            " or no data in this time range.[/yellow]"
-        )
-        return
-
-    for i, hit in enumerate(hits, 1):
-        console.print(f"\n[bold cyan]── Hit {i} ──[/bold cyan]")
-        console.print(json.dumps(hit.get("_source", {}), indent=2, default=str))
-
-
-# ---------------------------------------------------------------------------
-# ZeekModule base class
-# ---------------------------------------------------------------------------
-
-
-class ZeekModule:
-    """Protocol module interface. Subclass and override methods as needed."""
-
-    DATASETS: list = ["all"]
-    SOURCE_FIELDS: list = []
-    DETAIL_FIELDS: list = []  # List of (label: str, value_fn: Callable[[dict], str])
-    SENSOR_PARAM: str | None = "sensor"  # Set to None to skip the sensor prompt in re-search
-    SUPPORTS_IP_FILTER: bool = True  # Set False for metadata-only modules (pe, capture_loss)
-    SUPPORTS_ENRICHMENT: bool = True  # Set False for modules with no IPs or hashes to enrich
-    SUPPORTS_FP: bool = True  # Set False for diagnostic modules (capture_loss)
-    WEB_CATEGORY: str = "core"  # Category group for the web UI sidebar
-    WEB_ICON: str = "fa-question"  # Font Awesome icon class for the web UI sidebar
-    WEB_COLUMNS: list = []  # List of (header: str, value_fn: Callable[[dict], str]) for web table
-    EXTRA_PARAMS: list[str] = []  # Protocol-specific search_params keys forwarded from HTTP request
-    SUMMARY_FIELD: str | None = None  # OpenSearch field to aggregate on for the browse modal
-    SUMMARY_PARAM: str | None = None  # EXTRA_PARAMS key that filters on SUMMARY_FIELD
-    SUMMARY_TYPE: str = "flat"  # "flat" = single field agg, "grouped" = scripted prefix + severity
-
-    def build_extra_must(self, search_params: dict) -> tuple:
-        """Return (must_clauses, post_filters) built from search_params.
-
-        must_clauses: list of OpenSearch DSL clause dicts added to the query must.
-        post_filters: list of callables (record: dict) -> bool applied after parsing.
-                      When non-empty, run_query() uses 3× over-fetch automatically.
-        """
-        return [], []
-
-    def prepare_hits(self, hits: list) -> None:
-        """Pre-parse hook called on raw hits before parse_hit() loop.
-
-        Override for batch lookups (e.g. x509 community_id pivot, pe fuid→hash lookup).
-        Default is a no-op.
-        """
-
-    def parse_hit(self, src: dict) -> dict:
-        """Convert an OpenSearch _source dict to a normalised record dict.
-
-        Must include at minimum: timestamp, sensor, src_ip, dest_ip,
-        dest_port, src_port, _raw.
-        """
-        raise NotImplementedError
-
-    def dedup_key(self, record: dict) -> tuple:
-        """Return the grouping key tuple for deduplicate_zeek."""
-        raise NotImplementedError
-
-    def display(self, records: list) -> None:
-        """Render records as a Rich table."""
-        raise NotImplementedError
-
-    def display_detail(self, record: dict, idx: int) -> None:
-        """Render a Rich Panel with every DETAIL_FIELDS field for the selected record."""
-        from rich.panel import Panel
-
-        grid = Table.grid(padding=(0, 2))
-        grid.add_column(style="dim", no_wrap=True, min_width=12)
-        grid.add_column(overflow="fold")
-        for label, fn in self.DETAIL_FIELDS:
-            grid.add_row(label, fn(record))
-        console.print(
-            Panel(
-                grid,
-                title=f"[bold]#{idx}[/bold]  {self.describe_record(record)}",
-                expand=False,
-            )
-        )
-
-    def add_args(self, parser) -> None:
-        """Add protocol-specific argparse arguments to the shared parser."""
-        pass
-
-    def describe_record(self, record: dict) -> str:
-        """One-line summary used in the interactive loop hint line."""
-        src = record.get("src_ip", "?")
-        dst = record.get("dest_ip", "?")
-        port = record.get("dest_port", "?")
-        return f"{src} → {dst}:{port}"
-
-    def fp_signature(self, record: dict) -> str:
-        """Signature string embedded in the FP alert dict."""
-        return "zeek/unknown"
-
-    def fp_action(self, record: dict) -> None:
-        """Handle the [f]alse positive action. Override for custom behaviour."""
-        from src.querier.fp_manager import create_filter_interactive
-
-        fp_alert = {
-            "src_ip": record.get("src_ip"),
-            "dest_ip": record.get("dest_ip"),
-            "dest_port": record.get("dest_port"),
-            "alert": {
-                "signature": self.fp_signature(record),
-                "severity": 3,
-            },
-            "clientID": (record.get("sensors") or [record.get("sensor", "")])[0],
-        }
-        create_filter_interactive(alert=fp_alert)
-
-    def add_search_params_prompt(self, new: dict, _ask) -> None:
-        """Prompt for protocol-specific re-search parameters.
-
-        Override to append module-specific fields to `new`.
-        `_ask(label, current_val)` returns the user-entered string or the
-        current value's string form if the user pressed Enter.
-        """
-        pass
diff --git a/src/querier/zeek_modules/files.py b/src/querier/zeek_modules/files.py
index 2a27251..315327b 100644
--- a/src/querier/zeek_modules/files.py
+++ b/src/querier/zeek_modules/files.py
@@ -32,9 +32,8 @@ class FilesModule(ZeekModule):
         "event.dataset",
     ]
 
-    # source.ip is NOT in SOURCE_FIELDS — IPs come from tx_hosts/rx_hosts arrays.
-    # run_query() guards src_ip_filter against modules without source.ip.
-    SUPPORTS_IP_FILTER = True  # post-filters handle it
+    # Malcolm does not index tx_hosts/rx_hosts, so IP filtering is impossible.
+    SUPPORTS_IP_FILTER = False
 
     WEB_CATEGORY = "files"
     WEB_ICON = "fa-file"
diff --git a/src/querier/zeek_modules/notice.py b/src/querier/zeek_modules/notice.py
index 7bbd8ea..4fa302c 100644
--- a/src/querier/zeek_modules/notice.py
+++ b/src/querier/zeek_modules/notice.py
@@ -42,8 +42,11 @@ class NoticeModule(ZeekModule):
 
     def build_extra_must(self, search_params: dict) -> tuple:
         clauses = []
-        if search_params.get("notice_note"):
-            clauses.append({"term": {"zeek.notice.note": search_params["notice_note"]}})
+        if val := search_params.get("notice_note"):
+            if "*" in val or "?" in val:
+                clauses.append({"wildcard": {"zeek.notice.note.keyword": val}})
+            else:
+                clauses.append({"term": {"zeek.notice.note.keyword": val}})
         return clauses, []
 
     def parse_hit(self, src: dict) -> dict:
diff --git a/src/querier/zeek_modules/pe.py b/src/querier/zeek_modules/pe.py
index af76e8b..c0602bc 100644
--- a/src/querier/zeek_modules/pe.py
+++ b/src/querier/zeek_modules/pe.py
@@ -6,7 +6,15 @@
 from rich import box
 from rich.table import Table
 
-from .base import INDEX, ZeekModule, _sensor_str, console, query_opensearch
+from .base import (
+    INDEX,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+    ZeekModule,
+    _sensor_str,
+    console,
+    query_opensearch,
+)
 
 _tl = threading.local()
 
@@ -146,8 +154,9 @@ def prepare_hits(self, hits: list) -> None:
                 "_source": ["zeek.files.fuid", "zeek.files.sha256", "zeek.files.md5"],
             }
             params = {"path": f"{INDEX}/_search", "method": "POST"}
-            raw = query_opensearch(body, params)
-            if raw is None:
+            try:
+                raw = query_opensearch(body, params)
+            except (OpenSearchConnectionError, OpenSearchAuthError):
                 continue
             for h in raw.get("hits", {}).get("hits", []):
                 s = h.get("_source", {}).get("zeek", {}).get("files", {})
diff --git a/src/querier/zeek_modules/suricata_alert.py b/src/querier/zeek_modules/suricata_alert.py
index 6d487ad..caccb24 100644
--- a/src/querier/zeek_modules/suricata_alert.py
+++ b/src/querier/zeek_modules/suricata_alert.py
@@ -20,6 +20,7 @@ class SuricataAlertModule(ZeekModule):
     EXTRA_PARAMS = ["rule_name", "rule_category", "severity", "sid", "exclude_stream", "tag"]
     SUMMARY_FIELD = "rule.name"
     SUMMARY_PARAM = "rule_name"
+    SUMMARY_TYPE = "grouped"
     DATASETS = ["alert"]
     SOURCE_FIELDS = [
         "@timestamp",
diff --git a/src/querier/zeek_modules/weird.py b/src/querier/zeek_modules/weird.py
index b53d35a..1e1d81a 100644
--- a/src/querier/zeek_modules/weird.py
+++ b/src/querier/zeek_modules/weird.py
@@ -41,8 +41,11 @@ class WeirdModule(ZeekModule):
 
     def build_extra_must(self, search_params: dict) -> tuple:
         clauses = []
-        if search_params.get("weird_name"):
-            clauses.append({"term": {"rule.name": search_params["weird_name"]}})
+        if val := search_params.get("weird_name"):
+            if "*" in val or "?" in val:
+                clauses.append({"wildcard": {"rule.name.keyword": val}})
+            else:
+                clauses.append({"term": {"rule.name.keyword": val}})
         return clauses, []
 
     def parse_hit(self, src: dict) -> dict:
diff --git a/src/querier/zeek_modules/x509.py b/src/querier/zeek_modules/x509.py
index 7f4ff2d..8088a72 100644
--- a/src/querier/zeek_modules/x509.py
+++ b/src/querier/zeek_modules/x509.py
@@ -7,7 +7,16 @@
 from rich import box
 from rich.table import Table
 
-from .base import INDEX, ZeekModule, _sensor_str, console, is_private, query_opensearch
+from .base import (
+    INDEX,
+    OpenSearchAuthError,
+    OpenSearchConnectionError,
+    ZeekModule,
+    _sensor_str,
+    console,
+    is_private,
+    query_opensearch,
+)
 
 _tl = threading.local()
 
@@ -108,8 +117,9 @@ def prepare_hits(self, hits: list) -> None:
                 "_source": ["network.community_id", "source.ip", "destination.ip"],
             }
             params = {"path": f"{INDEX}/_search", "method": "POST"}
-            raw = query_opensearch(body, params)
-            if raw is None:
+            try:
+                raw = query_opensearch(body, params)
+            except (OpenSearchConnectionError, OpenSearchAuthError):
                 continue
             for h in raw.get("hits", {}).get("hits", []):
                 s = h.get("_source", {})
diff --git a/tests/fixtures/correlator/kerberos_hit.json b/tests/fixtures/correlator/kerberos_hit.json
new file mode 100644
index 0000000..4f25f84
--- /dev/null
+++ b/tests/fixtures/correlator/kerberos_hit.json
@@ -0,0 +1,18 @@
+{
+  "_source": {
+    "@timestamp": "2024-06-01T10:00:00.000Z",
+    "source": {"ip": "10.200.50.15", "port": 49200},
+    "destination": {"ip": "10.100.50.15", "port": 88},
+    "zeek": {
+      "kerberos": {
+        "request_type": "TGS",
+        "service": "host/dc01.cyberrangepoulsbo.com",
+        "success": true,
+        "client": "ALICE$",
+        "cipher": "aes256-cts-hmac-sha1-96"
+      }
+    },
+    "host": {"name": "hedgehog-east-wenatchee"},
+    "event": {"dataset": "zeek.kerberos"}
+  }
+}
diff --git a/tests/fixtures/correlator/notice_attack_chain_hit.json b/tests/fixtures/correlator/notice_attack_chain_hit.json
new file mode 100644
index 0000000..3da219d
--- /dev/null
+++ b/tests/fixtures/correlator/notice_attack_chain_hit.json
@@ -0,0 +1,16 @@
+{
+  "_source": {
+    "@timestamp": "2024-06-01T11:00:00.000Z",
+    "source": {"ip": "10.200.50.15"},
+    "destination": {"ip": "10.100.50.15"},
+    "zeek": {
+      "notice": {
+        "note": "ATTACK::Credential_Access",
+        "msg": "DCSync detected from 10.200.50.15 to 10.100.50.15",
+        "actions": ["Notice::ACTION_LOG"]
+      }
+    },
+    "host": {"name": "hedgehog-east-wenatchee"},
+    "event": {"dataset": "zeek.notice"}
+  }
+}
diff --git a/tests/fixtures/correlator/ntlm_hit.json b/tests/fixtures/correlator/ntlm_hit.json
new file mode 100644
index 0000000..e32f9da
--- /dev/null
+++ b/tests/fixtures/correlator/ntlm_hit.json
@@ -0,0 +1,17 @@
+{
+  "_source": {
+    "@timestamp": "2024-06-01T09:00:00.000Z",
+    "source": {"ip": "10.200.50.15", "port": 49199},
+    "destination": {"ip": "10.100.50.15", "port": 445},
+    "zeek": {
+      "ntlm": {
+        "username": "ALICE",
+        "domainname": "CYBERRANGE",
+        "hostname": "WORKSTATION01",
+        "status": "SUCCESS"
+      }
+    },
+    "host": {"name": "hedgehog-east-wenatchee"},
+    "event": {"dataset": "zeek.ntlm"}
+  }
+}
diff --git a/tests/test_correlator.py b/tests/test_correlator.py
new file mode 100644
index 0000000..442a253
--- /dev/null
+++ b/tests/test_correlator.py
@@ -0,0 +1,675 @@
+"""Tests for the correlation engine — Phases 1 & 5: core orchestrator + integration."""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from src.correlator.incident_context import (
+    IncidentContext,
+    build_timeline,
+    investigate,
+    query_attack_chain,
+    query_auth_history,
+)
+
+# ---------------------------------------------------------------------------
+# Fixtures (file-based)
+# ---------------------------------------------------------------------------
+
+FIXTURE_DIR = Path(__file__).parent / "fixtures" / "correlator"
+
+
+def _load_fixture(name: str) -> dict:
+    return json.loads((FIXTURE_DIR / name).read_text())
+
+
+KRB_HIT = _load_fixture("kerberos_hit.json")
+NTLM_HIT = _load_fixture("ntlm_hit.json")
+NOTICE_HIT = _load_fixture("notice_attack_chain_hit.json")
+
+# ---------------------------------------------------------------------------
+# Test data
+# ---------------------------------------------------------------------------
+
+PRIVATE_SRC = "10.200.50.15"
+PRIVATE_DEST = "10.100.50.15"
+PUBLIC_SRC = "8.8.8.8"
+PUBLIC_DEST = "1.1.1.1"
+SENSOR = "hedgehog-east-wenatchee"
+TIME_RANGE = "now-24h"
+
+KRB_RECORD = {"timestamp": "2024-06-01T10:00:00.000Z", "src_ip": PRIVATE_SRC}
+NTLM_RECORD = {"timestamp": "2024-06-01T09:00:00.000Z", "src_ip": PRIVATE_SRC}
+NOTICE_RECORD = {
+    "timestamp": "2024-06-01T11:00:00.000Z",
+    "notice_note": "ATTACK::Credential_Access",
+}
+
+MOCK_PROFILE = MagicMock()
+MOCK_ENRICHMENT = {"ip": PUBLIC_SRC, "greynoise": {"classification": "malicious"}}
+
+MOD = "src.correlator.incident_context"
+
+
+def _base_patches(
+    *,
+    profile_side_effect=None,
+    profile_return=None,
+    krb: list | None = None,
+    ntlm: list | None = None,
+    chain_hits: list | None = None,
+    tickets: list | None = None,
+    enrichment: dict | None = None,
+) -> list:
+    """Return a stack of patch context managers covering all external calls."""
+    if profile_side_effect is not None:
+        profile_patch = patch(f"{MOD}.profile_device", side_effect=profile_side_effect)
+    elif profile_return is not None:
+        profile_patch = patch(f"{MOD}.profile_device", return_value=profile_return)
+    else:
+        profile_patch = patch(f"{MOD}.profile_device", return_value=MOCK_PROFILE)
+
+    return [
+        profile_patch,
+        patch(f"{MOD}.profile_public_ip", return_value=MOCK_PROFILE),
+        patch(f"{MOD}.query_auth_history", return_value=(krb or [], ntlm or [])),
+        patch(f"{MOD}.query_opensearch", return_value={"hits": {"hits": chain_hits or []}}),
+        patch(f"{MOD}.search_tickets", return_value=tickets or []),
+        patch(f"{MOD}.enrich_ip", return_value=enrichment or {}),
+    ]
+
+
+# ---------------------------------------------------------------------------
+# build_timeline
+# ---------------------------------------------------------------------------
+
+
+def test_timeline_chronological_ordering() -> None:
+    ctx = IncidentContext(
+        trigger_type="ip_pair",
+        trigger={},
+        src_ip=PRIVATE_SRC,
+        dest_ip=PRIVATE_DEST,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+        kerberos_history=[KRB_RECORD],
+        ntlm_history=[NTLM_RECORD],
+        attack_chain=[NOTICE_RECORD],
+    )
+    timeline = build_timeline(ctx)
+    timestamps = [e["timestamp"] for e in timeline]
+    assert timestamps == sorted(timestamps)
+
+
+def test_timeline_type_tags() -> None:
+    ctx = IncidentContext(
+        trigger_type="ip_pair",
+        trigger={},
+        src_ip=PRIVATE_SRC,
+        dest_ip=PRIVATE_DEST,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+        kerberos_history=[KRB_RECORD],
+        ntlm_history=[NTLM_RECORD],
+        attack_chain=[NOTICE_RECORD],
+    )
+    timeline = build_timeline(ctx)
+    assert {e["type"] for e in timeline} == {"kerberos", "ntlm", "notice"}
+
+
+def test_timeline_empty() -> None:
+    ctx = IncidentContext(
+        trigger_type="ip_pair",
+        trigger={},
+        src_ip=PRIVATE_SRC,
+        dest_ip=PRIVATE_DEST,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+    )
+    assert build_timeline(ctx) == []
+
+
+def test_timeline_missing_timestamp_sorts_first() -> None:
+    """Records without a timestamp key get empty string, which sorts before any ISO date."""
+    ctx = IncidentContext(
+        trigger_type="ip_pair",
+        trigger={},
+        src_ip=PRIVATE_SRC,
+        dest_ip=PRIVATE_DEST,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+        kerberos_history=[{"src_ip": PRIVATE_SRC}],  # no timestamp
+        attack_chain=[NOTICE_RECORD],
+    )
+    timeline = build_timeline(ctx)
+    assert timeline[0]["type"] == "kerberos"
+
+
+def test_timeline_does_not_mutate_source_records() -> None:
+    original = {"timestamp": "2024-06-01T10:00:00.000Z", "src_ip": PRIVATE_SRC}
+    ctx = IncidentContext(
+        trigger_type="ip_pair",
+        trigger={},
+        src_ip=PRIVATE_SRC,
+        dest_ip=PRIVATE_DEST,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+        kerberos_history=[original],
+    )
+    build_timeline(ctx)
+    assert "type" not in original
+
+
+def test_timeline_explicit_keys_override_rec() -> None:
+    """Explicit type/timestamp must win even when the source record has those keys."""
+    rec_with_type = {
+        "timestamp": "2024-06-01T10:00:00.000Z",
+        "type": "SHOULD_BE_OVERRIDDEN",
+        "src_ip": PRIVATE_SRC,
+    }
+    ctx = IncidentContext(
+        trigger_type="ip_pair",
+        trigger={},
+        src_ip=PRIVATE_SRC,
+        dest_ip=PRIVATE_DEST,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+        kerberos_history=[rec_with_type],
+    )
+    timeline = build_timeline(ctx)
+    assert timeline[0]["type"] == "kerberos"
+
+
+# ---------------------------------------------------------------------------
+# investigate() — IP routing logic
+# ---------------------------------------------------------------------------
+
+
+def test_investigate_both_private() -> None:
+    patches = _base_patches(krb=[KRB_RECORD], ntlm=[NTLM_RECORD])
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    assert ctx.src_profile is not None
+    assert ctx.dest_profile is not None
+    assert len(ctx.kerberos_history) == 1
+    assert len(ctx.ntlm_history) == 1
+    assert ctx.src_enrichment is None
+    assert ctx.dest_enrichment is None
+    assert ctx.errors == {}
+
+
+def test_investigate_one_public() -> None:
+    """Private src → profiled; public dest → profiled (public) + enriched."""
+    patches = _base_patches(enrichment=MOCK_ENRICHMENT)
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PUBLIC_DEST, SENSOR, TIME_RANGE)
+
+    assert ctx.src_profile is not None
+    assert ctx.dest_profile is not None  # now a PublicIPProfile
+    assert ctx.dest_enrichment is not None
+    assert ctx.src_enrichment is None
+
+
+def test_investigate_both_public() -> None:
+    """Both public → both profiled (public) + both enrichments populated."""
+    patches = _base_patches(enrichment=MOCK_ENRICHMENT)
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PUBLIC_SRC, PUBLIC_DEST, SENSOR, TIME_RANGE)
+
+    assert ctx.src_profile is not None  # now a PublicIPProfile
+    assert ctx.dest_profile is not None  # now a PublicIPProfile
+    assert ctx.src_enrichment is not None
+    assert ctx.dest_enrichment is not None
+
+
+def test_investigate_track_failure_isolated() -> None:
+    """Failure in src_profile track stores error; other tracks succeed."""
+    patches = _base_patches(profile_side_effect=ValueError("sensor mismatch"))
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    failed = ctx.errors.get("src_profile", "") + ctx.errors.get("dest_profile", "")
+    assert "sensor mismatch" in failed
+    assert "auth_history" not in ctx.errors
+    assert "attack_chain" not in ctx.errors
+    assert "context_gather" not in ctx.errors
+
+
+def test_investigate_no_auth_history() -> None:
+    patches = _base_patches(krb=[], ntlm=[])
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    assert ctx.kerberos_history == []
+    assert ctx.ntlm_history == []
+    assert "auth_history" not in ctx.errors
+
+
+def test_investigate_returns_context_on_full_failure() -> None:
+    """investigate() always returns IncidentContext even when all tracks fail."""
+    with (
+        patch(f"{MOD}.profile_device", side_effect=RuntimeError("ES down")),
+        patch(f"{MOD}.query_auth_history", side_effect=RuntimeError("ES down")),
+        patch(f"{MOD}.query_opensearch", side_effect=RuntimeError("ES down")),
+        patch(f"{MOD}.search_tickets", side_effect=RuntimeError("Mantis down")),
+        patch(f"{MOD}.enrich_ip", return_value={}),
+    ):
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    assert isinstance(ctx, IncidentContext)
+    assert len(ctx.errors) > 0
+    assert ctx.timeline == []
+
+
+# ---------------------------------------------------------------------------
+# investigate() — metadata
+# ---------------------------------------------------------------------------
+
+
+def test_investigate_default_trigger_and_time_range() -> None:
+    patches = _base_patches()
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR)
+
+    assert ctx.trigger == {"src_ip": PRIVATE_SRC, "dest_ip": PRIVATE_DEST}
+    assert ctx.trigger_type == "ip_pair"
+    assert ctx.time_range == "now-24h"
+
+
+def test_investigate_custom_trigger() -> None:
+    custom_trigger = {"ticket_id": 1234}
+    patches = _base_patches()
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(
+            PRIVATE_SRC,
+            PRIVATE_DEST,
+            SENSOR,
+            trigger_type="ticket",
+            trigger=custom_trigger,
+        )
+
+    assert ctx.trigger == custom_trigger
+    assert ctx.trigger_type == "ticket"
+
+
+def test_investigate_timeline_populated() -> None:
+    patches = _base_patches(krb=[KRB_RECORD], ntlm=[NTLM_RECORD])
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    assert len(ctx.timeline) == 2
+    timestamps = [e["timestamp"] for e in ctx.timeline]
+    assert timestamps == sorted(timestamps)
+
+
+# ---------------------------------------------------------------------------
+# query_auth_history — search_params contract
+# ---------------------------------------------------------------------------
+
+
+def test_query_auth_history_search_params() -> None:
+    """run_query is called with correct search_params for both kerberos and ntlm."""
+    with patch(f"{MOD}.run_query", return_value=[]) as mock_rq:
+        query_auth_history(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    assert mock_rq.call_count == 2
+    _, first_call_kwargs = mock_rq.call_args_list[0]
+    first_call_pos = mock_rq.call_args_list[0][0]
+    # Extract the search_params dict (second positional arg)
+    sp = first_call_pos[1]
+    assert sp["src_ip"] == PRIVATE_SRC
+    assert sp["dest_ip"] == PRIVATE_DEST
+    assert sp["sensor"] == SENSOR
+    assert sp["time_range"] == TIME_RANGE
+    assert sp["limit"] == 200
+    assert sp["raise_on_error"] is False
+
+
+def test_query_auth_history_both_protocols_queried() -> None:
+    """Both kerberos and ntlm modules are passed to run_query."""
+    from src.querier.zeek_modules import MODULES
+
+    with patch(f"{MOD}.run_query", return_value=[]) as mock_rq:
+        query_auth_history(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    called_modules = [c[0][0] for c in mock_rq.call_args_list]
+    assert MODULES["kerberos"] in called_modules
+    assert MODULES["ntlm"] in called_modules
+
+
+def test_query_auth_history_returns_tuple() -> None:
+    with patch(f"{MOD}.run_query", side_effect=[[KRB_RECORD], [NTLM_RECORD]]):
+        krb, ntlm = query_auth_history(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    assert krb == [KRB_RECORD]
+    assert ntlm == [NTLM_RECORD]
+
+
+# ---------------------------------------------------------------------------
+# query_attack_chain — sensor filter and ES response parsing
+# ---------------------------------------------------------------------------
+
+
+def test_query_attack_chain_includes_sensor_filter() -> None:
+    """When sensor is not 'all', a host.name terms filter is added to the query."""
+    with patch(f"{MOD}.query_opensearch", return_value={"hits": {"hits": []}}) as mock_qs:
+        query_attack_chain(PRIVATE_SRC, SENSOR, TIME_RANGE)
+
+    body = mock_qs.call_args[0][0]
+    must_clauses = body["query"]["bool"]["must"]
+    host_filter = next(
+        (c for c in must_clauses if "terms" in c and "host.name" in c["terms"]), None
+    )
+    assert host_filter is not None
+    assert SENSOR in host_filter["terms"]["host.name"]
+
+
+def test_query_attack_chain_omits_sensor_filter_for_all() -> None:
+    """When sensor='all', no host.name filter is added."""
+    with patch(f"{MOD}.query_opensearch", return_value={"hits": {"hits": []}}) as mock_qs:
+        query_attack_chain(PRIVATE_SRC, "all", TIME_RANGE)
+
+    body = mock_qs.call_args[0][0]
+    must_clauses = body["query"]["bool"]["must"]
+    host_filter = next(
+        (c for c in must_clauses if "terms" in c and "host.name" in c.get("terms", {})), None
+    )
+    assert host_filter is None
+
+
+def test_query_attack_chain_empty_response() -> None:
+    with patch(f"{MOD}.query_opensearch", return_value=None):
+        result = query_attack_chain(PRIVATE_SRC, SENSOR, TIME_RANGE)
+    assert result == []
+
+
+def test_query_attack_chain_parses_fixture_hit() -> None:
+    """parse_hit is applied to each ES hit — spot-check against the fixture."""
+    raw_hit = NOTICE_HIT
+    with patch(f"{MOD}.query_opensearch", return_value={"hits": {"hits": [raw_hit]}}):
+        result = query_attack_chain(PRIVATE_SRC, SENSOR, TIME_RANGE)
+
+    assert len(result) == 1
+    parsed = result[0]
+    assert parsed["timestamp"] == "2024-06-01T11:00:00.000Z"
+    assert parsed["notice_note"] == "ATTACK::Credential_Access"
+    assert parsed["src_ip"] == PRIVATE_SRC
+    assert parsed["dest_ip"] == PRIVATE_DEST
+
+
+def test_query_attack_chain_attack_prefix_filter() -> None:
+    """Query includes a prefix filter for ATTACK:: notices."""
+    with patch(f"{MOD}.query_opensearch", return_value={"hits": {"hits": []}}) as mock_qs:
+        query_attack_chain(PRIVATE_SRC, SENSOR, TIME_RANGE)
+
+    body = mock_qs.call_args[0][0]
+    must_clauses = body["query"]["bool"]["must"]
+    prefix_filter = next(
+        (c for c in must_clauses if "prefix" in c and "zeek.notice.note" in c["prefix"]), None
+    )
+    assert prefix_filter is not None
+    assert prefix_filter["prefix"]["zeek.notice.note"] == "ATTACK::"
+
+
+# ---------------------------------------------------------------------------
+# Integration: investigate() with fixture-based ES responses
+# ---------------------------------------------------------------------------
+
+
+def test_investigate_parses_attack_chain_from_fixture() -> None:
+    """End-to-end: attack chain hits from fixture produce correctly typed timeline events."""
+    patches = _base_patches(
+        chain_hits=[NOTICE_HIT],
+    )
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    notice_events = [e for e in ctx.timeline if e["type"] == "notice"]
+    assert len(notice_events) == 1
+    assert notice_events[0]["notice_note"] == "ATTACK::Credential_Access"
+
+
+def test_investigate_tickets_populated() -> None:
+    """Mantis tickets are stored per-IP in src_tickets / dest_tickets."""
+    mock_ticket = {"id": 42, "summary": f"Suspicious activity from {PRIVATE_SRC}"}
+    patches = _base_patches(tickets=[mock_ticket])
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5]:
+        ctx = investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    assert ctx.src_tickets == [mock_ticket]
+    assert ctx.dest_tickets == [mock_ticket]
+
+
+def test_investigate_context_gather_skips_enrichment_for_private() -> None:
+    """enrich_ip is never called when both IPs are private."""
+    patches = _base_patches()
+    with patches[0], patches[1], patches[2], patches[3], patches[4], patches[5] as mock_enrich:
+        investigate(PRIVATE_SRC, PRIVATE_DEST, SENSOR, TIME_RANGE)
+
+    mock_enrich.assert_not_called()
+
+
+# ---------------------------------------------------------------------------
+# MCP tool — JSON serialization and error handling
+# ---------------------------------------------------------------------------
+
+# Load the MCP server module via its file path (it is not an installed package).
+_MCP_SERVER_PATH = Path(__file__).parent.parent / "mcp_servers" / "opensearch" / "server.py"
+
+try:
+    import importlib.util as _ilu
+
+    _spec = _ilu.spec_from_file_location("_mcp_server", _MCP_SERVER_PATH)
+    mcp_server = _ilu.module_from_spec(_spec)  # type: ignore[arg-type]
+    _spec.loader.exec_module(mcp_server)  # type: ignore[union-attr]
+    _MCP_AVAILABLE = True
+except Exception:
+    mcp_server = None  # type: ignore[assignment]
+    _MCP_AVAILABLE = False
+
+_skip_no_mcp = pytest.mark.skipif(not _MCP_AVAILABLE, reason="MCP server not importable")
+
+
+def _make_incident_context(**overrides) -> IncidentContext:
+    """Return a minimal IncidentContext suitable for asdict() serialization."""
+    defaults = dict(
+        trigger_type="ip_pair",
+        trigger={"src_ip": PRIVATE_SRC, "dest_ip": PRIVATE_DEST},
+        src_ip=PRIVATE_SRC,
+        dest_ip=PRIVATE_DEST,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+        kerberos_history=[KRB_RECORD],
+        ntlm_history=[NTLM_RECORD],
+        attack_chain=[NOTICE_RECORD],
+        src_tickets=[],
+        dest_tickets=[],
+        src_enrichment=None,
+        dest_enrichment=None,
+        timeline=[],
+        errors={},
+    )
+    defaults.update(overrides)
+    return IncidentContext(**defaults)
+
+
+@_skip_no_mcp
+def test_mcp_pivot_incident_returns_ok_json() -> None:
+    """pivot(mode='incident') returns JSON with status='ok' and all top-level keys."""
+    ctx = _make_incident_context()
+    with patch("src.correlator.incident_context.investigate", return_value=ctx):
+        result_str = mcp_server.pivot(
+            PRIVATE_SRC, mode="incident", dest_ip=PRIVATE_DEST, sensor=SENSOR, time_range=TIME_RANGE
+        )
+
+    result = json.loads(result_str)
+    assert result["status"] == "ok"
+    data = result["data"]
+    for key in (
+        "src_ip",
+        "dest_ip",
+        "sensor",
+        "time_range",
+        "trigger_type",
+        "kerberos_history",
+        "ntlm_history",
+        "attack_chain",
+        "errors",
+    ):
+        assert key in data, f"Missing key: {key}"
+
+
+@_skip_no_mcp
+def test_mcp_pivot_incident_profile_trimmed() -> None:
+    """pivot(mode='incident') trims profile dicts to compact summaries."""
+    from src.profiler.device_profiler import DeviceProfile
+
+    profile = DeviceProfile(
+        ip=PRIVATE_SRC,
+        sensor=SENSOR,
+        time_range=TIME_RANGE,
+        role="workstation",
+        confidence=0.85,
+        os_family="Windows",
+        hostname="workstation01",
+    )
+    ctx = _make_incident_context(src_profile=profile)
+    with patch("src.correlator.incident_context.investigate", return_value=ctx):
+        result_str = mcp_server.pivot(
+            PRIVATE_SRC, mode="incident", dest_ip=PRIVATE_DEST, sensor=SENSOR, time_range=TIME_RANGE
+        )
+
+    result = json.loads(result_str)
+    assert result["status"] == "ok"
+    trimmed = result["data"]["src_profile"]
+    expected_keys = {
+        "ip",
+        "hostname",
+        "role",
+        "confidence",
+        "os_family",
+        "software",
+        "users",
+        "inbound_services",
+    }
+    assert set(trimmed.keys()) == expected_keys
+    assert trimmed["role"] == "workstation"
+    assert trimmed["ip"] == PRIVATE_SRC
+    assert "dest_port_distribution" not in trimmed
+    assert "bytes_sent" not in trimmed
+
+
+@_skip_no_mcp
+def test_mcp_pivot_incident_error_json() -> None:
+    """pivot(mode='incident') returns JSON with status='error' when backend raises."""
+    with patch(
+        "src.correlator.incident_context.investigate",
+        side_effect=RuntimeError("OpenSearch unreachable"),
+    ):
+        result_str = mcp_server.pivot(
+            PRIVATE_SRC, mode="incident", dest_ip=PRIVATE_DEST, sensor=SENSOR, time_range=TIME_RANGE
+        )
+
+    result = json.loads(result_str)
+    assert result["status"] == "error"
+    assert "OpenSearch unreachable" in result["message"]
+
+
+@_skip_no_mcp
+def test_mcp_pivot_incident_null_profiles_preserved() -> None:
+    """pivot(mode='incident') preserves None profiles as null in JSON."""
+    ctx = _make_incident_context(src_profile=None, dest_profile=None)
+    with patch("src.correlator.incident_context.investigate", return_value=ctx):
+        result_str = mcp_server.pivot(
+            PUBLIC_SRC, mode="incident", dest_ip=PUBLIC_DEST, sensor=SENSOR, time_range=TIME_RANGE
+        )
+
+    result = json.loads(result_str)
+    assert result["status"] == "ok"
+    assert result["data"]["src_profile"] is None
+    assert result["data"]["dest_profile"] is None
+
+
+@_skip_no_mcp
+def test_mcp_pivot_incident_requires_dest_ip() -> None:
+    """pivot(mode='incident') returns error when dest_ip is omitted."""
+    result_str = mcp_server.pivot(PRIVATE_SRC, mode="incident")
+    result = json.loads(result_str)
+    assert result["status"] == "error"
+    assert "dest_ip" in result["message"]
+
+
+@_skip_no_mcp
+def test_mcp_pivot_unknown_mode_returns_error() -> None:
+    """pivot() returns error for unrecognised mode values."""
+    result_str = mcp_server.pivot(PRIVATE_SRC, mode="bogus")
+    result = json.loads(result_str)
+    assert result["status"] == "error"
+    assert "bogus" in result["message"]
+
+
+# ---------------------------------------------------------------------------
+# MCP tool — aggregate (§2.2)
+# ---------------------------------------------------------------------------
+
+_AGGREGATE_RESPONSE = {
+    "aggregations": {
+        "buckets": {
+            "buckets": [
+                {"key": "1.2.3.4", "doc_count": 42},
+                {"key": "5.6.7.8", "doc_count": 17},
+            ]
+        }
+    }
+}
+
+
+@_skip_no_mcp
+def test_mcp_aggregate_returns_ok_json() -> None:
+    """aggregate() returns status='ok' with field/results keys."""
+    with patch.object(mcp_server, "query_opensearch", return_value=_AGGREGATE_RESPONSE):
+        result_str = mcp_server.aggregate(
+            "source.ip", log_type="notice", notice_type="Scan::Port_Scan"
+        )
+
+    result = json.loads(result_str)
+    assert result["status"] == "ok"
+    data = result["data"]
+    assert data["field"] == "source.ip"
+    assert data["log_type"] == "notice"
+    assert data["notice_type"] == "Scan::Port_Scan"
+    assert len(data["results"]) == 2
+    assert data["results"][0] == {"value": "1.2.3.4", "count": 42}
+    assert data["results"][1] == {"value": "5.6.7.8", "count": 17}
+
+
+@_skip_no_mcp
+def test_mcp_aggregate_no_log_type() -> None:
+    """aggregate() works without log_type (cross-dataset)."""
+    empty_resp = {"aggregations": {"buckets": {"buckets": []}}}
+    with patch.object(mcp_server, "query_opensearch", return_value=empty_resp):
+        result_str = mcp_server.aggregate("destination.ip")
+
+    result = json.loads(result_str)
+    assert result["status"] == "ok"
+    assert result["data"]["log_type"] is None
+    assert result["data"]["results"] == []
+
+
+@_skip_no_mcp
+def test_mcp_aggregate_opensearch_failure() -> None:
+    """aggregate() returns error when query_opensearch returns None."""
+    with patch.object(mcp_server, "query_opensearch", return_value=None):
+        result_str = mcp_server.aggregate("source.ip")
+
+    result = json.loads(result_str)
+    assert result["status"] == "error"
diff --git a/tests/test_fp_filter_tools.py b/tests/test_fp_filter_tools.py
new file mode 100644
index 0000000..c2afb00
--- /dev/null
+++ b/tests/test_fp_filter_tools.py
@@ -0,0 +1,155 @@
+"""Tests for the Tier-5 FP filter read/delete helpers in fp_manager.py."""
+
+from __future__ import annotations
+
+import os
+import sys
+
+import pytest
+import yaml
+
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from src.querier import fp_manager
+from src.querier.fp_manager import (
+    delete_ip_from_filter,
+    load_filter_file,
+)
+
+
+@pytest.fixture(autouse=True)
+def _redirect_filters_dir(tmp_path, monkeypatch) -> None:
+    """Point FILTERS_DIR at tmp_path so the path-injection guard accepts test files."""
+    monkeypatch.setattr(fp_manager, "FILTERS_DIR", str(tmp_path))
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+
+def _write_filter(path: str, clauses: list[dict]) -> None:
+    os.makedirs(os.path.dirname(path), exist_ok=True)
+    data = {
+        "description": "test filter",
+        "author": "pytest",
+        "date_added": "2026-01-01",
+        "category": "ips",
+        "subcategory": "test",
+        "enabled": True,
+        "must_not": clauses,
+    }
+    with open(path, "w") as fh:
+        yaml.dump(data, fh, default_flow_style=False)
+
+
+# ---------------------------------------------------------------------------
+# delete_ip_from_filter — term clauses
+# ---------------------------------------------------------------------------
+
+
+def test_delete_term_src_ip(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(
+        path,
+        [
+            {"term": {"src_ip": "1.2.3.4"}},
+            {"term": {"src_ip": "5.6.7.8"}},
+        ],
+    )
+    removed = delete_ip_from_filter(path, "1.2.3.4")
+    assert removed == 1
+    remaining = load_filter_file(path)["must_not"]
+    assert len(remaining) == 1
+    assert remaining[0]["term"]["src_ip"] == "5.6.7.8"
+
+
+def test_delete_term_dest_ip(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(path, [{"term": {"dest_ip": "10.0.0.1"}}])
+    removed = delete_ip_from_filter(path, "10.0.0.1")
+    assert removed == 1
+    assert load_filter_file(path)["must_not"] == []
+
+
+def test_delete_leaves_other_clauses_untouched(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(
+        path,
+        [
+            {"term": {"src_ip": "1.2.3.4"}, "comment": "remove this"},
+            {"term": {"src_ip": "9.9.9.9"}, "comment": "keep this"},
+        ],
+    )
+    delete_ip_from_filter(path, "1.2.3.4")
+    remaining = load_filter_file(path)["must_not"]
+    assert len(remaining) == 1
+    assert remaining[0]["term"]["src_ip"] == "9.9.9.9"
+
+
+# ---------------------------------------------------------------------------
+# delete_ip_from_filter — terms (multi-value) clauses
+# ---------------------------------------------------------------------------
+
+
+def test_delete_single_ip_from_terms_list(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(path, [{"terms": {"src_ip": ["1.1.1.1", "2.2.2.2", "3.3.3.3"]}}])
+    removed = delete_ip_from_filter(path, "2.2.2.2")
+    assert removed == 1
+    remaining = load_filter_file(path)["must_not"]
+    assert len(remaining) == 1
+    assert "2.2.2.2" not in remaining[0]["terms"]["src_ip"]
+    assert set(remaining[0]["terms"]["src_ip"]) == {"1.1.1.1", "3.3.3.3"}
+
+
+def test_delete_last_ip_from_terms_drops_clause(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(path, [{"terms": {"src_ip": ["1.1.1.1"]}}])
+    removed = delete_ip_from_filter(path, "1.1.1.1")
+    assert removed == 1
+    assert load_filter_file(path)["must_not"] == []
+
+
+def test_delete_ip_from_terms_dest_ip(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(path, [{"terms": {"dest_ip": ["10.0.0.1", "10.0.0.2"]}}])
+    delete_ip_from_filter(path, "10.0.0.1")
+    remaining = load_filter_file(path)["must_not"]
+    assert remaining[0]["terms"]["dest_ip"] == ["10.0.0.2"]
+
+
+# ---------------------------------------------------------------------------
+# delete_ip_from_filter — error cases
+# ---------------------------------------------------------------------------
+
+
+def test_delete_raises_file_not_found(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "missing.yaml")
+    with pytest.raises(FileNotFoundError):
+        delete_ip_from_filter(path, "1.2.3.4")
+
+
+def test_delete_raises_value_error_when_no_match(tmp_path: str) -> None:
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(path, [{"term": {"src_ip": "9.9.9.9"}}])
+    with pytest.raises(ValueError, match="No clauses found"):
+        delete_ip_from_filter(path, "1.2.3.4")
+
+
+def test_delete_removes_multiple_matching_clauses(tmp_path: str) -> None:
+    """An IP that appears in two separate clauses — both are removed."""
+    path = os.path.join(str(tmp_path), "ips", "test.yaml")
+    _write_filter(
+        path,
+        [
+            {"term": {"src_ip": "1.2.3.4"}, "comment": "first"},
+            {"term": {"src_ip": "1.2.3.4"}, "comment": "duplicate"},
+            {"term": {"src_ip": "5.5.5.5"}},
+        ],
+    )
+    removed = delete_ip_from_filter(path, "1.2.3.4")
+    assert removed == 2
+    remaining = load_filter_file(path)["must_not"]
+    assert len(remaining) == 1
+    assert remaining[0]["term"]["src_ip"] == "5.5.5.5"
diff --git a/tests/test_histogram.py b/tests/test_histogram.py
new file mode 100644
index 0000000..318f2ab
--- /dev/null
+++ b/tests/test_histogram.py
@@ -0,0 +1,140 @@
+"""Tests for the histogram core helper and CLI renderer (pure/offline functions only)."""
+
+from __future__ import annotations
+
+import os
+import sys
+from unittest.mock import patch
+
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from src.querier.histogram import query_histogram
+from src.querier.histogram_cli import _render, _time_axis
+
+# ---------------------------------------------------------------------------
+# _render — pure function, no I/O
+# ---------------------------------------------------------------------------
+
+_SAMPLE_BUCKETS = [
+    {"key": i * 3_600_000, "key_as_string": f"2026-04-19T{i:02d}:00:00.000Z", "doc_count": c}
+    for i, c in enumerate([0, 10, 50, 100, 80, 20, 5, 0])
+]
+
+
+def test_render_returns_correct_length() -> None:
+    result = _render(_SAMPLE_BUCKETS, width=len(_SAMPLE_BUCKETS))
+    assert len(result) == len(_SAMPLE_BUCKETS)
+
+
+def test_render_empty_buckets() -> None:
+    assert _render([], width=80) == "(no data)"
+
+
+def test_render_all_zero_counts() -> None:
+    buckets = [{"key": 0, "key_as_string": "2026-04-19T00:00:00.000Z", "doc_count": 0}]
+    result = _render(buckets, width=10)
+    # All-zero: max is treated as 1, round(0/1*8)=0 → first block char (space)
+    assert result == " "
+
+
+def test_render_single_spike() -> None:
+    buckets = [
+        {"key": 0, "key_as_string": "2026-04-19T00:00:00.000Z", "doc_count": 0},
+        {"key": 3_600_000, "key_as_string": "2026-04-19T01:00:00.000Z", "doc_count": 100},
+        {"key": 7_200_000, "key_as_string": "2026-04-19T02:00:00.000Z", "doc_count": 0},
+    ]
+    result = _render(buckets, width=3)
+    # Middle bucket is max → full block
+    assert result[1] == "█"
+
+
+def test_render_compresses_when_wider_than_width() -> None:
+    # 20 buckets into width=10 → result length == 10
+    many = [{"key": i * 3_600_000, "key_as_string": f"T{i}", "doc_count": i * 5} for i in range(20)]
+    result = _render(many, width=10)
+    assert len(result) == 10
+
+
+# ---------------------------------------------------------------------------
+# _time_axis
+# ---------------------------------------------------------------------------
+
+
+def test_time_axis_length_matches_width() -> None:
+    result = _time_axis(_SAMPLE_BUCKETS, bar_width=80)
+    assert len(result) == 80
+
+
+def test_time_axis_empty_buckets() -> None:
+    assert _time_axis([], bar_width=80) == ""
+
+
+# ---------------------------------------------------------------------------
+# query_histogram — mock OpenSearch to test query construction
+# ---------------------------------------------------------------------------
+
+
+def _fake_raw(buckets: list[dict]) -> dict:
+    return {"aggregations": {"over_time": {"buckets": buckets}}}
+
+
+def test_query_histogram_passes_log_type_datasets() -> None:
+    fake_buckets = [{"key": 0, "key_as_string": "2026-04-19T00:00:00.000Z", "doc_count": 42}]
+    with (
+        patch("src.querier.histogram.load_with_remap", return_value=([], 0, [])),
+        patch(
+            "src.querier.histogram.query_opensearch", return_value=_fake_raw(fake_buckets)
+        ) as mock_qos,
+    ):
+        result = query_histogram("conn", interval="1h", time_range="now-24h")
+
+    assert result == [{"key": 0, "key_as_string": "2026-04-19T00:00:00.000Z", "doc_count": 42}]
+    body_arg = mock_qos.call_args[0][0]
+    assert body_arg["size"] == 0
+    assert "over_time" in body_arg["aggs"]
+    assert body_arg["aggs"]["over_time"]["date_histogram"]["fixed_interval"] == "1h"
+
+
+def test_query_histogram_none_when_opensearch_fails() -> None:
+    with (
+        patch("src.querier.histogram.load_with_remap", return_value=([], 0, [])),
+        patch("src.querier.histogram.query_opensearch", return_value=None),
+    ):
+        result = query_histogram("dns")
+
+    assert result == []
+
+
+def test_query_histogram_src_ip_list_produces_terms_clause() -> None:
+    with (
+        patch("src.querier.histogram.load_with_remap", return_value=([], 0, [])),
+        patch("src.querier.histogram.query_opensearch", return_value=_fake_raw([])) as mock_qos,
+    ):
+        query_histogram("conn", src_ip=["1.1.1.1", "2.2.2.2"])
+
+    body_arg = mock_qos.call_args[0][0]
+    filter_clauses = body_arg["query"]["bool"]["filter"]
+    terms_clause = next(
+        (c for c in filter_clauses if "terms" in c and "source.ip" in c["terms"]), None
+    )
+    assert terms_clause is not None
+    assert terms_clause["terms"]["source.ip"] == ["1.1.1.1", "2.2.2.2"]
+
+
+def test_query_histogram_absolute_timestamps() -> None:
+    time_from = "2026-04-19T00:00:00Z"
+    time_to = "2026-04-20T00:00:00Z"
+    with (
+        patch("src.querier.histogram.load_with_remap", return_value=([], 0, [])),
+        patch("src.querier.histogram.query_opensearch", return_value=_fake_raw([])) as mock_qos,
+    ):
+        query_histogram("notice", time_from=time_from, time_to=time_to)
+
+    body_arg = mock_qos.call_args[0][0]
+    filter_clauses = body_arg["query"]["bool"]["filter"]
+    ts_clause = next(
+        (c for c in filter_clauses if "range" in c and "@timestamp" in c["range"]), None
+    )
+    assert ts_clause is not None
+    assert ts_clause["range"]["@timestamp"]["gte"] == time_from
+    assert ts_clause["range"]["@timestamp"]["lte"] == time_to
diff --git a/tests/test_public_ip_profiler.py b/tests/test_public_ip_profiler.py
new file mode 100644
index 0000000..117703a
--- /dev/null
+++ b/tests/test_public_ip_profiler.py
@@ -0,0 +1,366 @@
+"""Tests for public_ip_profiler — query builders, parsers, classifier, orchestrator."""
+
+from __future__ import annotations
+
+import os
+import sys
+from unittest.mock import patch
+
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from src.profiler.public_ip_profiler import (
+    PublicIPProfile,
+    _conn_from_query,
+    _conn_to_query,
+    _http_to_query,
+    _parse_conn_from,
+    _parse_conn_to,
+    _parse_http_to,
+    _parse_rdp_from,
+    _parse_reverse_dns,
+    _parse_sensor_presence,
+    _parse_ssh_from,
+    _parse_ssl_to,
+    _rdp_from_query,
+    _reverse_dns_query,
+    _sensor_presence_query,
+    _ssh_from_query,
+    _ssl_to_query,
+    profile_public_ip,
+)
+from src.profiler.public_role_classifier import classify_public_role
+
+# ---------------------------------------------------------------------------
+# Query builder tests — verify correct IP field and dataset filters
+# ---------------------------------------------------------------------------
+
+
+class TestQueryBuilders:
+    """Verify query builders produce correct ES query structure."""
+
+    def test_sensor_presence_uses_both_ip_fields(self):
+        q = _sensor_presence_query("1.2.3.4", "now-7d")
+        should = q["query"]["bool"]["must"][1]["bool"]["should"]
+        assert {"term": {"source.ip": "1.2.3.4"}} in should
+        assert {"term": {"destination.ip": "1.2.3.4"}} in should
+
+    def test_reverse_dns_filters_on_answers(self):
+        q = _reverse_dns_query("1.2.3.4", "now-7d")
+        must = q["query"]["bool"]["must"]
+        assert {"term": {"zeek.dns.answers": "1.2.3.4"}} in must
+        assert {"term": {"event.dataset": "dns"}} in must
+
+    def test_conn_to_uses_dest_ip(self):
+        q = _conn_to_query("1.2.3.4", "now-7d")
+        must = q["query"]["bool"]["must"]
+        assert {"term": {"destination.ip": "1.2.3.4"}} in must
+        assert {"term": {"event.dataset": "conn"}} in must
+
+    def test_conn_from_uses_src_ip(self):
+        q = _conn_from_query("1.2.3.4", "now-7d")
+        must = q["query"]["bool"]["must"]
+        assert {"term": {"source.ip": "1.2.3.4"}} in must
+
+    def test_ssl_to_uses_dest_ip(self):
+        q = _ssl_to_query("1.2.3.4", "now-7d")
+        must = q["query"]["bool"]["must"]
+        assert {"term": {"destination.ip": "1.2.3.4"}} in must
+        assert {"term": {"event.dataset": "ssl"}} in must
+
+    def test_http_to_uses_dest_ip(self):
+        q = _http_to_query("1.2.3.4", "now-7d")
+        must = q["query"]["bool"]["must"]
+        assert {"term": {"destination.ip": "1.2.3.4"}} in must
+
+    def test_ssh_from_uses_src_ip(self):
+        q = _ssh_from_query("1.2.3.4", "now-7d")
+        must = q["query"]["bool"]["must"]
+        assert {"term": {"source.ip": "1.2.3.4"}} in must
+        assert {"term": {"event.dataset": "ssh"}} in must
+
+    def test_rdp_from_uses_src_ip(self):
+        q = _rdp_from_query("1.2.3.4", "now-7d")
+        must = q["query"]["bool"]["must"]
+        assert {"term": {"source.ip": "1.2.3.4"}} in must
+        assert {"term": {"event.dataset": "rdp"}} in must
+
+
+# ---------------------------------------------------------------------------
+# Parser tests — extract fields from mock ES aggregation responses
+# ---------------------------------------------------------------------------
+
+MOCK_SENSOR_AGGS = {
+    "sensors": {
+        "buckets": [
+            {"key": "hedgehog-east", "doc_count": 1423},
+            {"key": "hedgehog-west", "doc_count": 892},
+        ]
+    },
+    "time_range": {
+        "min_as_string": "2026-04-24T08:30:00.000Z",
+        "max_as_string": "2026-04-30T13:41:00.000Z",
+    },
+}
+
+MOCK_RDNS_AGGS = {
+    "domains": {
+        "buckets": [
+            {"key": "example.com", "doc_count": 1200},
+            {"key": "www.example.com", "doc_count": 892},
+        ]
+    }
+}
+
+MOCK_CONN_TO_AGGS = {
+    "dest_ports": {
+        "buckets": [
+            {
+                "key": 443,
+                "doc_count": 2100,
+                "app_proto": {"buckets": [{"key": "ssl", "doc_count": 2100}]},
+            },
+            {
+                "key": 80,
+                "doc_count": 556,
+                "app_proto": {"buckets": [{"key": "http", "doc_count": 556}]},
+            },
+        ]
+    },
+    "unique_clients": {"value": 45},
+    "bytes_to": {"value": 12300000000},
+    "bytes_from": {"value": 500000},
+    "time_range": {
+        "min_as_string": "2026-04-24T08:30:00.000Z",
+        "max_as_string": "2026-04-30T13:41:00.000Z",
+    },
+}
+
+MOCK_CONN_FROM_AGGS = {
+    "inbound_ports": {
+        "buckets": [
+            {"key": 22, "doc_count": 150},
+            {"key": 80, "doc_count": 30},
+        ]
+    },
+    "unique_targets": {"value": 15},
+}
+
+MOCK_SSL_TO_AGGS = {
+    "ja4s": {"buckets": [{"key": "abc123", "doc_count": 2100}]},
+    "tls_versions": {"buckets": [{"key": "TLSv1.3", "doc_count": 2000}]},
+    "subjects": {"buckets": [{"key": "CN=example.com", "doc_count": 2100}]},
+    "issuers": {"buckets": [{"key": "CN=Let's Encrypt", "doc_count": 2100}]},
+}
+
+MOCK_HTTP_TO_AGGS = {
+    "server_headers": {"buckets": [{"key": "nginx", "doc_count": 500}]},
+    "top_uris": {
+        "buckets": [
+            {"key": "/", "doc_count": 300},
+            {"key": "/api/v1", "doc_count": 200},
+        ]
+    },
+}
+
+MOCK_SSH_FROM_AGGS = {
+    "server_versions": {
+        "buckets": [{"key": "SSH-2.0-OpenSSH_8.9", "doc_count": 50}],
+        "sum_other_doc_count": 0,
+    }
+}
+
+MOCK_RDP_FROM_AGGS = {"cookies": {"buckets": [{"key": "admin", "doc_count": 10}]}}
+
+
+class TestParsers:
+    """Verify parsers extract correct fields from mock aggregations."""
+
+    def test_parse_sensor_presence(self):
+        result = _parse_sensor_presence(MOCK_SENSOR_AGGS)
+        assert len(result["sensors"]) == 2
+        assert result["sensors"][0]["sensor"] == "hedgehog-east"
+        assert result["total_records"] == 1423 + 892
+        assert result["first_seen"] == "2026-04-24T08:30:00.000Z"
+
+    def test_parse_reverse_dns(self):
+        result = _parse_reverse_dns(MOCK_RDNS_AGGS)
+        assert len(result["reverse_dns"]) == 2
+        assert result["reverse_dns"][0]["domain"] == "example.com"
+
+    def test_parse_conn_to(self):
+        result = _parse_conn_to(MOCK_CONN_TO_AGGS)
+        assert len(result["services"]) == 2
+        assert result["services"][0]["port"] == 443
+        assert result["services"][0]["app_proto"] == "ssl"
+        assert result["internal_client_count"] == 45
+        assert result["bytes_to"] == 12300000000
+
+    def test_parse_conn_from(self):
+        result = _parse_conn_from(MOCK_CONN_FROM_AGGS)
+        assert len(result["inbound_ports_targeted"]) == 2
+        assert result["internal_targets_count"] == 15
+
+    def test_parse_ssl_to(self):
+        result = _parse_ssl_to(MOCK_SSL_TO_AGGS)
+        assert len(result["ja4s_fingerprints"]) == 1
+        assert result["tls_versions"][0]["version"] == "TLSv1.3"
+        assert "CN=Let's Encrypt" in result["ssl_issuers"]
+
+    def test_parse_http_to(self):
+        result = _parse_http_to(MOCK_HTTP_TO_AGGS)
+        assert "nginx" in result["http_server_headers"]
+        assert len(result["http_top_uris"]) == 2
+
+    def test_parse_ssh_from(self):
+        result = _parse_ssh_from(MOCK_SSH_FROM_AGGS)
+        assert result["ssh_inbound"] is True
+        assert "SSH-2.0-OpenSSH_8.9" in result["ssh_server_versions"]
+
+    def test_parse_ssh_from_empty(self):
+        result = _parse_ssh_from({})
+        assert result["ssh_inbound"] is False
+        assert result["ssh_server_versions"] == []
+
+    def test_parse_rdp_from(self):
+        result = _parse_rdp_from(MOCK_RDP_FROM_AGGS)
+        assert result["rdp_inbound"] is True
+        assert "admin" in result["rdp_usernames"]
+
+    def test_parse_rdp_from_empty(self):
+        result = _parse_rdp_from({})
+        assert result["rdp_inbound"] is False
+
+
+# ---------------------------------------------------------------------------
+# Role classifier tests
+# ---------------------------------------------------------------------------
+
+
+def _make_profile(**kwargs) -> PublicIPProfile:
+    """Create a PublicIPProfile with overrides."""
+    defaults = {"ip": "1.2.3.4", "time_range": "now-7d"}
+    defaults.update(kwargs)
+    return PublicIPProfile(**defaults)
+
+
+class TestPublicRoleClassifier:
+    """Verify role classification for common scenarios."""
+
+    def test_web_server(self):
+        p = _make_profile(
+            services=[
+                {"port": 443, "app_proto": "ssl", "count": 2100},
+                {"port": 80, "app_proto": "http", "count": 556},
+            ],
+            internal_client_count=20,
+            ssl_issuers=["CN=Let's Encrypt Authority X3"],
+            reverse_dns=[{"domain": "example.com", "count": 1200}],
+        )
+        role, conf = classify_public_role(p)
+        assert role == "web_server"
+        assert conf >= 0.8
+
+    def test_scanner(self):
+        p = _make_profile(
+            inbound_ports_targeted=[{"port": i, "count": 5} for i in range(22, 35)],
+            internal_targets_count=50,
+            bytes_to=100,
+            bytes_from=100,
+        )
+        role, conf = classify_public_role(p)
+        assert role == "scanner"
+        assert conf >= 0.7
+
+    def test_cdn_node(self):
+        p = _make_profile(
+            org={"name": "Cloudflare", "category": "cdn"},
+            services=[{"port": 443, "app_proto": "ssl", "count": 5000}],
+            internal_client_count=100,
+            reverse_dns=[
+                {"domain": "a.example.com", "count": 100},
+                {"domain": "b.example.com", "count": 100},
+                {"domain": "c.example.com", "count": 100},
+            ],
+        )
+        role, conf = classify_public_role(p)
+        assert role == "cdn_node"
+        assert conf >= 0.8
+
+    def test_dns_server(self):
+        p = _make_profile(
+            services=[{"port": 53, "app_proto": "dns", "count": 10000}],
+            internal_client_count=200,
+        )
+        role, conf = classify_public_role(p)
+        assert role == "dns_server"
+        assert conf >= 0.7
+
+    def test_unknown_empty_profile(self):
+        p = _make_profile()
+        role, conf = classify_public_role(p)
+        assert role == "unknown"
+        assert conf == 0.0
+
+
+# ---------------------------------------------------------------------------
+# Orchestrator integration test (mocked ES)
+# ---------------------------------------------------------------------------
+
+
+def _mock_query_opensearch(body, params):
+    """Return appropriate mock response based on query content."""
+    must = body.get("query", {}).get("bool", {}).get("must", [])
+    for clause in must:
+        ds = clause.get("term", {}).get("event.dataset")
+        if ds == "dns":
+            return {"aggregations": MOCK_RDNS_AGGS}
+        if ds == "conn":
+            # Distinguish conn_to vs conn_from by IP field
+            for c in must:
+                if c.get("term", {}).get("destination.ip"):
+                    return {"aggregations": MOCK_CONN_TO_AGGS}
+                if c.get("term", {}).get("source.ip"):
+                    return {"aggregations": MOCK_CONN_FROM_AGGS}
+        if ds == "ssl":
+            return {"aggregations": MOCK_SSL_TO_AGGS}
+        if ds == "http":
+            return {"aggregations": MOCK_HTTP_TO_AGGS}
+        if ds == "ssh":
+            return {"aggregations": MOCK_SSH_FROM_AGGS}
+        if ds == "rdp":
+            return {"aggregations": MOCK_RDP_FROM_AGGS}
+    # Default: sensor presence query (no event.dataset filter)
+    return {"aggregations": MOCK_SENSOR_AGGS}
+
+
+class TestProfilePublicIp:
+    """Integration test for profile_public_ip with mocked ES."""
+
+    @patch("src.profiler.public_ip_profiler.query_opensearch", side_effect=_mock_query_opensearch)
+    @patch("src.profiler.public_ip_profiler.lookup_org", return_value=None)
+    def test_full_profile(self, mock_org, mock_es):
+        profile = profile_public_ip("1.2.3.4", time_range="now-7d")
+
+        assert profile.ip == "1.2.3.4"
+        assert len(profile.sensors) == 2
+        assert profile.total_records == 2315
+        assert len(profile.reverse_dns) == 2
+        assert len(profile.services) == 2
+        assert profile.internal_client_count == 45
+        assert profile.ssh_inbound is True
+        assert profile.rdp_inbound is True
+        assert profile.role != "unknown"
+        assert profile.confidence > 0
+
+    @patch("src.profiler.public_ip_profiler.query_opensearch", return_value=None)
+    @patch("src.profiler.public_ip_profiler.lookup_org", return_value=None)
+    def test_empty_profile_no_errors(self, mock_org, mock_es):
+        """IP with zero records across all sensors → empty profile, no errors."""
+        profile = profile_public_ip("5.6.7.8", time_range="now-7d")
+
+        assert profile.ip == "5.6.7.8"
+        assert profile.sensors == []
+        assert profile.total_records == 0
+        assert profile.services == []
+        assert profile.role == "unknown"
+        assert profile.confidence == 0.0
diff --git a/tests/test_zeek_base.py b/tests/test_zeek_base.py
index ada79b9..a6ce1a9 100644
--- a/tests/test_zeek_base.py
+++ b/tests/test_zeek_base.py
@@ -12,7 +12,10 @@
     build_base_query,
     deduplicate_zeek,
     is_private,
+    source_terms_script,
 )
+from src.querier.zeek_modules.notice import NoticeModule
+from src.querier.zeek_modules.weird import WeirdModule
 
 # ---------------------------------------------------------------------------
 # is_private
@@ -183,6 +186,44 @@ def test_build_base_query_src_ip_filter() -> None:
     assert ip_clause["term"]["source.ip"] == "198.51.100.1"
 
 
+def test_build_base_query_dest_ip_filter() -> None:
+    """dest_ip_filter must appear in the ES filter clauses, not as a post-filter."""
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=["source.ip", "destination.ip"],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        dest_ip_filter="8.8.8.8",
+    )
+    must = body["query"]["bool"]["filter"]
+    ip_clause = next((c for c in must if "term" in c and "destination.ip" in c["term"]), None)
+    assert ip_clause is not None, "dest_ip_filter must be pushed into the ES filter clause"
+    assert ip_clause["term"]["destination.ip"] == "8.8.8.8"
+
+
+def test_build_base_query_src_and_dest_ip_filter() -> None:
+    """src and dest IP filters must both appear in the ES filter clauses simultaneously."""
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=["source.ip", "destination.ip"],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        src_ip_filter="1.2.3.4",
+        dest_ip_filter="8.8.8.8",
+    )
+    must = body["query"]["bool"]["filter"]
+    src_clause = next((c for c in must if "term" in c and "source.ip" in c["term"]), None)
+    dest_clause = next((c for c in must if "term" in c and "destination.ip" in c["term"]), None)
+    assert src_clause is not None and src_clause["term"]["source.ip"] == "1.2.3.4"
+    assert dest_clause is not None and dest_clause["term"]["destination.ip"] == "8.8.8.8"
+
+
 def test_build_base_query_public_only_adds_must_not() -> None:
     body, _ = build_base_query(
         must_not=[],
@@ -305,3 +346,238 @@ def test_dedup_collects_sensors() -> None:
 
 def test_dedup_empty_list() -> None:
     assert deduplicate_zeek([], _key) == []
+
+
+# ---------------------------------------------------------------------------
+# §4.3 Port / proto filters in build_base_query
+# ---------------------------------------------------------------------------
+
+
+def test_build_base_query_dest_port_filter() -> None:
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=["destination.port"],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        dest_port_filter=443,
+    )
+    must = body["query"]["bool"]["filter"]
+    clause = next((c for c in must if "term" in c and "destination.port" in c["term"]), None)
+    assert clause is not None
+    assert clause["term"]["destination.port"] == 443
+
+
+def test_build_base_query_src_port_filter() -> None:
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=["source.port"],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        src_port_filter=12345,
+    )
+    must = body["query"]["bool"]["filter"]
+    clause = next((c for c in must if "term" in c and "source.port" in c["term"]), None)
+    assert clause is not None
+    assert clause["term"]["source.port"] == 12345
+
+
+def test_build_base_query_proto_filter() -> None:
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=[],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        proto_filter="udp",
+    )
+    must = body["query"]["bool"]["filter"]
+    clause = next((c for c in must if "term" in c and "network.transport" in c["term"]), None)
+    assert clause is not None
+    assert clause["term"]["network.transport"] == "udp"
+
+
+def test_build_base_query_dest_port_list() -> None:
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=["destination.port"],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        dest_port_filter=[80, 443, 8080],
+    )
+    must = body["query"]["bool"]["filter"]
+    clause = next((c for c in must if "terms" in c and "destination.port" in c["terms"]), None)
+    assert clause is not None
+    assert clause["terms"]["destination.port"] == [80, 443, 8080]
+
+
+# ---------------------------------------------------------------------------
+# §4.4 Multi-value src_ip / dest_ip in build_base_query
+# ---------------------------------------------------------------------------
+
+
+def test_build_base_query_src_ip_list() -> None:
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=["source.ip"],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        src_ip_filter=["1.1.1.1", "2.2.2.2"],
+    )
+    must = body["query"]["bool"]["filter"]
+    clause = next((c for c in must if "terms" in c and "source.ip" in c["terms"]), None)
+    assert clause is not None
+    assert clause["terms"]["source.ip"] == ["1.1.1.1", "2.2.2.2"]
+
+
+def test_build_base_query_dest_ip_list() -> None:
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=["destination.ip"],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        dest_ip_filter=["8.8.8.8", "1.1.1.1"],
+    )
+    must = body["query"]["bool"]["filter"]
+    clause = next((c for c in must if "terms" in c and "destination.ip" in c["terms"]), None)
+    assert clause is not None
+    assert clause["terms"]["destination.ip"] == ["8.8.8.8", "1.1.1.1"]
+
+
+def test_build_base_query_proto_list() -> None:
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=[],
+        limit=10,
+        time_range="now-1h",
+        sensors=None,
+        datasets=["conn"],
+        proto_filter=["tcp", "udp"],
+    )
+    must = body["query"]["bool"]["filter"]
+    clause = next((c for c in must if "terms" in c and "network.transport" in c["terms"]), None)
+    assert clause is not None
+    assert clause["terms"]["network.transport"] == ["tcp", "udp"]
+
+
+# ---------------------------------------------------------------------------
+# §4.6 Absolute timestamp override in build_base_query
+# ---------------------------------------------------------------------------
+
+
+def test_build_base_query_absolute_timestamps() -> None:
+    time_from = "2026-04-19T00:00:00Z"
+    time_to = "2026-04-20T00:00:00Z"
+    body, _ = build_base_query(
+        must_not=[],
+        extra_must=[],
+        source_fields=[],
+        limit=10,
+        time_range="now-24h",
+        sensors=None,
+        datasets=["conn"],
+        time_from=time_from,
+        time_to=time_to,
+    )
+    must = body["query"]["bool"]["filter"]
+    ts_clause = next((c for c in must if "range" in c and "@timestamp" in c["range"]), None)
+    assert ts_clause is not None
+    assert ts_clause["range"]["@timestamp"]["gte"] == time_from
+    assert ts_clause["range"]["@timestamp"]["lte"] == time_to
+
+
+# ---------------------------------------------------------------------------
+# NoticeModule.build_extra_must — wildcard / exact match
+# ---------------------------------------------------------------------------
+
+_notice = NoticeModule()
+_weird = WeirdModule()
+
+
+def test_notice_exact_match_uses_term() -> None:
+    clauses, _ = _notice.build_extra_must({"notice_note": "Scan::Port_Scan"})
+    assert len(clauses) == 1
+    assert "term" in clauses[0]
+    assert clauses[0]["term"]["zeek.notice.note.keyword"] == "Scan::Port_Scan"
+
+
+def test_notice_trailing_wildcard_uses_wildcard_query() -> None:
+    clauses, _ = _notice.build_extra_must({"notice_note": "Scan::*"})
+    assert len(clauses) == 1
+    assert "wildcard" in clauses[0]
+    assert clauses[0]["wildcard"]["zeek.notice.note.keyword"] == "Scan::*"
+
+
+def test_notice_question_mark_uses_wildcard_query() -> None:
+    clauses, _ = _notice.build_extra_must({"notice_note": "SSH::Brute_Force_?"})
+    assert "wildcard" in clauses[0]
+
+
+def test_notice_no_filter_returns_empty() -> None:
+    clauses, _ = _notice.build_extra_must({})
+    assert clauses == []
+
+
+def test_weird_exact_match_uses_term() -> None:
+    clauses, _ = _weird.build_extra_must({"weird_name": "bad_HTTP_reply"})
+    assert len(clauses) == 1
+    assert "term" in clauses[0]
+    assert clauses[0]["term"]["rule.name.keyword"] == "bad_HTTP_reply"
+
+
+def test_weird_trailing_wildcard_uses_wildcard_query() -> None:
+    clauses, _ = _weird.build_extra_must({"weird_name": "bad_*"})
+    assert len(clauses) == 1
+    assert "wildcard" in clauses[0]
+    assert clauses[0]["wildcard"]["rule.name.keyword"] == "bad_*"
+
+
+def test_weird_no_filter_returns_empty() -> None:
+    clauses, _ = _weird.build_extra_must({})
+    assert clauses == []
+
+
+# ---------------------------------------------------------------------------
+# source_terms_script
+# ---------------------------------------------------------------------------
+
+
+def test_source_terms_script_single_field() -> None:
+    script = source_terms_script("note")
+    assert set(script.keys()) == {"source"}
+    src = script["source"]
+    assert src.startswith("def v = params._source;")
+    assert "v = v['note'];" in src
+    assert "v.toString()" in src
+
+
+def test_source_terms_script_dotted_field_walks_each_segment() -> None:
+    src = source_terms_script("zeek.notice.note")["source"]
+    assert "v = v['zeek'];" in src
+    assert "v = v['notice'];" in src
+    assert "v = v['note'];" in src
+    # One null-guard per segment plus the final return guard.
+    assert src.count("if (v == null) return null;") == 4
+
+
+def test_source_terms_script_handles_list_valued_fields() -> None:
+    src = source_terms_script("rule.name")["source"]
+    assert "v instanceof List" in src
+    assert "v.isEmpty() ? null : v[0]" in src
diff --git a/uv.lock b/uv.lock
index 8c35a99..4c3b783 100644
--- a/uv.lock
+++ b/uv.lock
@@ -140,6 +140,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/38/0e/27be9fdef66e72d64c0cdc3cc2823101b80585f8119b5c112c2e8f5f7dab/anyio-4.12.1-py3-none-any.whl", hash = "sha256:d405828884fc140aa80a3c667b8beed277f1dfedec42ba031bd6ac3db606ab6c", size = 113592, upload-time = "2026-01-06T11:45:19.497Z" },
 ]
 
+[[package]]
+name = "asgiref"
+version = "3.11.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/63/40/f03da1264ae8f7cfdbf9146542e5e7e8100a4c66ab48e791df9a03d3f6c0/asgiref-3.11.1.tar.gz", hash = "sha256:5f184dc43b7e763efe848065441eac62229c9f7b0475f41f80e207a114eda4ce", size = 38550, upload-time = "2026-02-03T13:30:14.33Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/5c/0a/a72d10ed65068e115044937873362e6e32fab1b7dce0046aeb224682c989/asgiref-3.11.1-py3-none-any.whl", hash = "sha256:e8667a091e69529631969fd45dc268fa79b99c92c5fcdda727757e52146ec133", size = 24345, upload-time = "2026-02-03T13:30:13.039Z" },
+]
+
 [[package]]
 name = "attrs"
 version = "25.4.0"
@@ -653,6 +662,11 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/7f/9c/34f6962f9b9e9c71f6e5ed806e0d0ff03c9d1b0b2340088a0cf4bce09b18/flask-3.1.3-py3-none-any.whl", hash = "sha256:f4bcbefc124291925f1a26446da31a5178f9483862233b23c0c96a20701f670c", size = 103424, upload-time = "2026-02-19T05:00:56.027Z" },
 ]
 
+[package.optional-dependencies]
+async = [
+    { name = "asgiref" },
+]
+
 [[package]]
 name = "frozenlist"
 version = "1.8.0"
@@ -1480,17 +1494,15 @@ wheels = [
 
 [[package]]
 name = "pisces-scripts"
-version = "1.0.0"
+version = "1.1.0"
 source = { virtual = "." }
 dependencies = [
     { name = "beautifulsoup4" },
-    { name = "cryptography" },
-    { name = "flask" },
-    { name = "geoip2" },
+    { name = "flask", extra = ["async"] },
+    { name = "httpx" },
     { name = "orjson" },
     { name = "plotext" },
     { name = "pygments" },
-    { name = "pytest" },
     { name = "python-dotenv" },
     { name = "python-multipart" },
     { name = "pyyaml" },
@@ -1500,6 +1512,7 @@ dependencies = [
 
 [package.optional-dependencies]
 all = [
+    { name = "geoip2" },
     { name = "mcp", extra = ["cli"] },
     { name = "pyasn" },
     { name = "spacy" },
@@ -1511,6 +1524,7 @@ nlp = [
     { name = "spacy" },
 ]
 offline-enrichment = [
+    { name = "geoip2" },
     { name = "pyasn" },
 ]
 
@@ -1528,9 +1542,10 @@ dev = [
 [package.metadata]
 requires-dist = [
     { name = "beautifulsoup4", specifier = ">=4.14.3" },
-    { name = "cryptography", specifier = ">=46.0.7" },
-    { name = "flask", specifier = ">=3.0" },
-    { name = "geoip2", specifier = ">=5.2.0" },
+    { name = "flask", extras = ["async"], specifier = ">=3.0" },
+    { name = "geoip2", marker = "extra == 'all'", specifier = ">=5.2.0" },
+    { name = "geoip2", marker = "extra == 'offline-enrichment'", specifier = ">=5.2.0" },
+    { name = "httpx", specifier = ">=0.28.1" },
     { name = "mcp", extras = ["cli"], marker = "extra == 'all'", specifier = ">=1.0.0" },
     { name = "mcp", extras = ["cli"], marker = "extra == 'mcp'", specifier = ">=1.0.0" },
     { name = "orjson", specifier = ">=3.11.8" },
@@ -1538,7 +1553,6 @@ requires-dist = [
     { name = "pyasn", marker = "extra == 'all'", specifier = ">=1.6.2" },
     { name = "pyasn", marker = "extra == 'offline-enrichment'", specifier = ">=1.6.2" },
     { name = "pygments", specifier = ">=2.20.0" },
-    { name = "pytest", specifier = ">=9.0.3" },
     { name = "python-dotenv", specifier = ">=1.2.2" },
     { name = "python-multipart", specifier = ">=0.0.26" },
     { name = "pyyaml", specifier = ">=6.0.3" },