Skip to content
The SOC Analysts all-in-one CLI tool to automate and speed up workflow.
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.idea Fixed DNS loop Jun 10, 2019
readmeimages Add files via upload Jun 23, 2019 Added road map to readme Jun 24, 2019 Added VT report link to Hash Checks Jun 24, 2019
requirements.txt Added ipwhois requirement Jun 19, 2019

Generic badge PRs Welcome GitHub contributors Generic badge HitCount


Sooty can Currently:

  • Sanitise URL's to be safe to send in emails
  • Perform reverse DNS and DNS lookups
  • Perform reputation checks from:
  • Check if an IP address is a TOR exit node
  • Decode Proofpoint URL's and UTF-8 encoded URLS
  • Get file hashes and compare them against VirusTotal (see requirements)
  • Perform WhoIs Lookups
  • Check Usernames and Emails against HaveIBeenPwned to see if a breach has occurred.


Version 1.1 - The Reputation Update

  • Improved Rep Checker
  • Added HaveIBeenPwned Functionality
  • Added DNS Tools and WhoIs Functionality
  • Added Hash and VirusTotal Checkers
  • Added Abuse IPDB, Tor Exit Node, BadIP's to Reputation Checker

Version 1.0

  • Initial Release
  • URL and ProofPoint Decoder
  • Initial implementation of Reputation Checker
  • Sanitize links to be safe for email


This is an outline of what features will be coming in future versions.

Version 1.2 - The Phishing Update

- Add Ability to extract email addresses and URL's from mail.
- Correlate emails and URL's to see if they have been reported for phishing (PhishTank)
- Scan email attachments for malicious content, macros, files, scan hashes, etc.

Version 1.3 - The Case Update

- Add a 'New Case' Feature, allowing output of the tool to be output to a txt file.


  • Python 3.x
  • To use the Hash comparison with VirusTotal requires an API key, replace the key VT_API_KEY in the code with your own key. The tool will still function without this key, however this feature will not work.
  • To use the Reputation Checker with AbuseIPDB requires an API Key, replace the key AB_API_KEY in the code with your own key. The tool will still function without this key, however this feature will not work.


Want to contribute? Great!

Code Contributions

  • New features / requests should start by opening an issue. This helps track new features and prevent crossover.
  • If you wish to work on a feature, leave a comment on the issue page and I will assign you to it.
  • All code modifications, enhancements or additions must be done through a pull request.
  • Once reviewed and merged, contibutors will be added to the ReadMe


  • Aaron J Copley for his code to decode ProofPoint URL's
  • James Duarte for adding a hash and auto-check option to the hashing function
  • mrpnkt for adding the missing whois requirement to requirements.txt

You can’t perform that action at this time.