SidhuK007/ctitool

CTI Triage CLI

CTI Triage CLI is a command-line tool for SOC analysts to quickly enrich suspicious artifacts (IPs, domains, and file hashes) using multiple Cyber Threat Intelligence (CTI) sources, normalize the results, score risk, and present clean, colorized output for fast alert triage.

Features

🔎 Artifact enrichment

IPs, domains, and SHA256 file hashes

🌐 Multiple CTI sources

RDAP (ownership & registration)

VirusTotal (reputation, detections, tags)

Shodan (open ports, exposure) (API or Python SDK)

Censys (services & exposure)

IPinfo / IP-API (geolocation)

crt.sh (certificate transparency / subdomains)

🧠 Risk scoring

Combines signals from multiple providers

Outputs benign, unknown, suspicious, or malicious

🎨 Readable output

Colorized terminal output (Rich)

One field per line, clearly labeled

Human-readable timestamps

💾 SQLite caching

Per-provider TTLs

Cache purge controls

🔐 Safe by default

No auto-submission of samples

API keys stored outside the repo

Example Output

```text
Artifact: ip 8.8.8.8
Verdict: benign
Score: 0
Why:
  • No malicious detections observed

Provider summaries:
  • rdap (OK)
    handle: NET-8-8-8-0-2
    name: GOGL
    events:
      • registration: 2023-12-28T17:24:33-05:00
      • last changed: 2023-12-28T17:24:56-05:00
  • virustotal (OK)
    malicious: 0
    suspicious: 0
    reputation: 529
    last_analysis_date: 2026-02-01 23:55:15 UTC
```
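The verdict block above is produced by combining normalized provider fields into one score. The following is an added example of how such a scorer can be written; it is not the project's code. The field names follow the example output, but the weights, the thresholds, the `RISKY_PORTS` list and the `score_artifact` / `format_verdict` names are assumptions made here. Note the deliberate distinction between "benign" (a detection source answered and saw nothing) and "unknown" (no detection source answered): an RDAP record alone says nothing about reputation.

```python
"""Combine normalized provider signals into a score and verdict.

Added example (not the project's code). Field names follow the README's
example output; weights, thresholds and RISKY_PORTS are assumptions.
"""
from dataclasses import dataclass, field

# Exposure of these services on a public host is worth a note (assumed list).
RISKY_PORTS = {21, 22, 23, 445, 3389, 5900}


@dataclass
class Verdict:
    verdict: str                 # benign | unknown | suspicious | malicious
    score: int                   # 0..100
    reasons: list[str] = field(default_factory=list)


def score_artifact(results: dict[str, dict]) -> Verdict:
    """results maps provider name -> normalized fields, each with a "status"."""
    score = 0
    reasons: list[str] = []
    have_reputation = False      # did a detection source actually answer?

    vt = results.get("virustotal", {})
    if vt.get("status") == "OK":
        have_reputation = True
        malicious = int(vt.get("malicious", 0))
        suspicious = int(vt.get("suspicious", 0))
        reputation = vt.get("reputation")
        if malicious >= 5:
            score += 70
            reasons.append(f"{malicious} VirusTotal engines flag it as malicious")
        elif malicious > 0:
            score += 40
            reasons.append(f"{malicious} VirusTotal engine(s) flag it as malicious")
        if suspicious > 0:
            score += 20
            reasons.append(f"{suspicious} VirusTotal engine(s) flag it as suspicious")
        if isinstance(reputation, int) and reputation < 0:
            score += 10
            reasons.append(f"Negative VirusTotal community reputation ({reputation})")

    # Shodan describes exposure, not intent: it nudges the score but never
    # produces a suspicious/malicious verdict on its own.
    shodan = results.get("shodan", {})
    if shodan.get("status") == "OK":
        exposed = sorted(int(p) for p in shodan.get("ports", []) if int(p) in RISKY_PORTS)
        if exposed:
            score += 10
            reasons.append("Exposed management service(s) on port(s) "
                           + ", ".join(str(p) for p in exposed))

    score = min(score, 100)
    if score >= 70:
        verdict = "malicious"
    elif score >= 20:
        verdict = "suspicious"
    elif have_reputation:
        verdict = "benign"       # a detection source answered and saw nothing
    else:
        verdict = "unknown"      # no detection data: absence of evidence is not benign

    if not reasons:
        reasons.append("No malicious detections observed" if have_reputation
                       else "No reputation data available")
    return Verdict(verdict, score, reasons)


def format_verdict(artifact_type: str, value: str, v: Verdict) -> str:
    """Render the header block in the one-field-per-line layout shown above."""
    lines = [f"Artifact: {artifact_type} {value}", f"Verdict: {v.verdict}",
             f"Score: {v.score}", "Why:"] + [f"  • {r}" for r in v.reasons]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample modelled on the 8.8.8.8 output above.
    sample = {"rdap": {"status": "OK", "name": "GOGL"},
              "virustotal": {"status": "OK", "malicious": 0, "suspicious": 0,
                             "reputation": 529}}
    print(format_verdict("ip", "8.8.8.8", score_artifact(sample)))
```

Keeping the scoring a pure function of the normalized results is what makes the output deterministic and scriptable: the same cached provider data always yields the same verdict and the same "Why" lines.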

Installation

Requirements

Python 3.10+

Windows, Linux, or macOS

Setup

```shell
git clone https://github.com/yourusername/cti-tool.git
cd cti-tool
python -m venv .venv
.\.venv\Scripts\activate        # Windows; on Linux/macOS: source .venv/bin/activate
pip install -r requirements.txt
```

Configuration

Create a config file at:

```text
C:\Users\<you>\.ctitool\config.yml
```

(i.e. `~/.ctitool/config.yml`, the same directory the cache path below points to).

Example config.yml

```yaml
cache:
  path: "~/.ctitool/cache.sqlite"

providers:
  virustotal:
    enabled: true
    api_key: "YOUR_VT_API_KEY"
  shodan:
    enabled: true
    api_key: "YOUR_SHODAN_API_KEY"
  censys:
    enabled: true
    api_id: "YOUR_CENSYS_ID"
    api_secret: "YOUR_CENSYS_SECRET"
```

API keys live only in this file, outside the repository, so they are never committed. Restrict the file's permissions to your own user account.

Usage

Enrich an IP

```shell
python cti_triage.py --ip 8.8.8.8
```

Enrich a file hash

```shell
python cti_triage.py --sha256 <sha256>
```

Enrich a domain

```shell
python cti_triage.py --domain example.com
```

Disable cache for a run

```shell
python cti_triage.py --no-cache --ip 8.8.8.8
```

Purge cache

```shell
python cti_triage.py --purge-cache
python cti_triage.py --purge-provider virustotal
```
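The cache flags above (`--no-cache`, `--purge-cache`, `--purge-provider`) map onto a small SQLite store keyed by provider and artifact, with a TTL chosen per provider. The following is an added example of such a store written for this README; it is not the project's code. The table layout, the `ProviderCache` API and the TTL values in `DEFAULT_TTLS` are assumptions made here (the README only states that caching is SQLite-backed with per-provider TTLs and purge controls). Expired rows are evicted on read, so a provider's stale answer never reaches the scorer, and an injectable clock keeps the behaviour testable without waiting.

```python
"""SQLite response cache with per-provider TTLs and purge controls.

Added example (not the project's code). Table layout, API and TTL values
are assumptions of this example.
"""
import json
import sqlite3
import time
from typing import Callable, Optional

# Illustrative TTLs in seconds: ownership data changes rarely, detections often.
DEFAULT_TTLS = {
    "rdap": 7 * 86400,
    "virustotal": 6 * 3600,
    "shodan": 24 * 3600,
    "censys": 24 * 3600,
    "ipinfo": 30 * 86400,
    "ip-api": 30 * 86400,
    "crt.sh": 24 * 3600,
}


class ProviderCache:
    def __init__(self, path: str = ":memory:", ttls: Optional[dict] = None,
                 enabled: bool = True, clock: Callable[[], float] = time.time):
        self.enabled = enabled          # False models a --no-cache run
        self.ttls = {**DEFAULT_TTLS, **(ttls or {})}
        self.clock = clock              # injectable for deterministic tests
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS cache ("
            " provider TEXT NOT NULL, artifact TEXT NOT NULL,"
            " fetched_at REAL NOT NULL, payload TEXT NOT NULL,"
            " PRIMARY KEY (provider, artifact))")
        self.db.commit()

    def get(self, provider: str, artifact: str) -> Optional[dict]:
        """Return the cached payload, or None if absent, disabled or expired."""
        if not self.enabled:
            return None
        row = self.db.execute(
            "SELECT fetched_at, payload FROM cache WHERE provider = ? AND artifact = ?",
            (provider, artifact)).fetchone()
        if row is None:
            return None
        fetched_at, payload = row
        if self.clock() - fetched_at > self.ttls.get(provider, 3600):
            # Expired entries are evicted on read so stale data never surfaces.
            self.db.execute("DELETE FROM cache WHERE provider = ? AND artifact = ?",
                            (provider, artifact))
            self.db.commit()
            return None
        return json.loads(payload)

    def put(self, provider: str, artifact: str, payload: dict) -> None:
        if not self.enabled:
            return
        self.db.execute(
            "INSERT OR REPLACE INTO cache (provider, artifact, fetched_at, payload)"
            " VALUES (?, ?, ?, ?)",
            (provider, artifact, self.clock(), json.dumps(payload, sort_keys=True)))
        self.db.commit()

    def purge(self, provider: Optional[str] = None) -> int:
        """--purge-cache (provider=None) or --purge-provider NAME; returns rows removed."""
        if provider is None:
            cur = self.db.execute("DELETE FROM cache")
        else:
            cur = self.db.execute("DELETE FROM cache WHERE provider = ?", (provider,))
        self.db.commit()
        return cur.rowcount

    def lookup(self, provider: str, artifact: str,
               fetch: Callable[[], dict]) -> tuple[dict, bool]:
        """Serve from cache, or call fetch() once and store its result.

        Returns (payload, was_cache_hit).
        """
        hit = self.get(provider, artifact)
        if hit is not None:
            return hit, True
        result = fetch()
        self.put(provider, artifact, result)
        return result, False
```

Each provider call in the triage loop then goes through `lookup(provider, artifact, fetch)`, so a repeated triage of the same indicator within the TTL costs no API quota and returns byte-identical provider data.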

Supported Providers

| Provider   | Artifact Types   | Notes                        |
|------------|------------------|------------------------------|
| RDAP       | IP, Domain       | Ownership & registration     |
| VirusTotal | IP, Domain, Hash | Reputation & detections      |
| Shodan     | IP               | SDK preferred, REST fallback |
| Censys     | IP               | Exposure & services          |
| IPinfo     | IP               | Geo (API key required)       |
| IP-API     | IP               | Optional, no key             |
| crt.sh     | Domain           | Subdomain discovery          |
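Because each provider accepts only some artifact types, the tool has to classify and validate an indicator before dispatching it. The following is an added example of that step, written for this README and not taken from the project: it classifies an input as `ip`, `sha256` or `domain`, normalizes it, and maps it to the providers listed in the table above. The `PROVIDERS_BY_TYPE` mapping is transcribed from the table; the function names and the small refanging step (undoing `[.]`-style defanging that analysts commonly paste from reports, which the README does not mention) are assumptions of this example. Everything here is local string handling; nothing is resolved or submitted.

```python
"""Classify a pasted indicator and pick the providers that accept it.

Added example (not the project's code). PROVIDERS_BY_TYPE mirrors the
README's provider table; refanging and the function names are assumptions.
"""
import ipaddress
import re

# Provider applicability, transcribed from the README's provider table.
PROVIDERS_BY_TYPE = {
    "ip": ["rdap", "virustotal", "shodan", "censys", "ipinfo", "ip-api"],
    "domain": ["rdap", "virustotal", "crt.sh"],
    "sha256": ["virustotal"],
}

_SHA256 = re.compile(r"[0-9a-f]{64}")
# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def refang(value: str) -> str:
    """Undo common defanging (8.8.8[.]8, example(.)com) so the input validates."""
    v = value.strip()
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        v = v.replace(defanged, plain)
    return v


def classify(value: str) -> tuple[str, str]:
    """Return (artifact_type, normalized_value) or raise ValueError.

    Order matters: an IPv4 literal would otherwise also pass the domain check.
    """
    v = refang(value)
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6
        return "ip", v
    except ValueError:
        pass

    lower = v.lower()
    if _SHA256.fullmatch(lower):         # only SHA256 is supported, not MD5/SHA1
        return "sha256", lower

    host = lower.rstrip(".")             # tolerate a trailing FQDN dot
    labels = host.split(".")
    if (len(labels) >= 2 and len(host) <= 253
            and all(_LABEL.fullmatch(label) for label in labels)):
        return "domain", host

    raise ValueError(f"unrecognized artifact: {value!r}")


def providers_for(value: str) -> tuple[str, str, list[str]]:
    """Classify and return (type, normalized value, applicable providers)."""
    kind, normalized = classify(value)
    return kind, normalized, list(PROVIDERS_BY_TYPE[kind])


if __name__ == "__main__":
    # Constructed inputs as an analyst might paste them from a report.
    for raw in ("8.8.8.8", "8.8.8[.]8", "Example(.)COM.", "a" * 64, "not an ioc"):
        try:
            print(raw, "->", providers_for(raw))
        except ValueError as exc:
            print(raw, "->", exc)
```

Rejecting anything that does not classify cleanly, before any provider is called, is what keeps a malformed or partially redacted indicator from being sent to six external APIs and cached under a bogus key.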

Design Goals

SOC L1/L2 friendly

Fast triage, not deep malware reversing

Deterministic, scriptable output

Safe defaults (no submissions, no surprises)

Roadmap (Ideas)

--only / --skip provider flags

JSON schema for SOAR ingestion

Batch input from files

Splunk / Elastic output mode

Confidence scoring explanation

Disclaimer

This tool does not replace analyst judgment. Always validate results with organizational context and additional investigation.

License

MIT License.
