GVK · Cryptography
Project 01 · 2025 · 9 min read

IOC-Enrich.

A unified threat-intelligence CLI for incident responders. Built because every analyst loses time the same way, and the tool to stop losing it did not exist in a form I wanted to use.

Type: Open source CLI
Language: Python 3.8+
Sources: 6+ intel APIs
Status: Maintained

I. The shape of the problem.

An analyst stares at a single line in a SIEM. An IP address. Or a SHA-256. Or a fully qualified domain name. The question is straightforward. Is this benign, suspicious, or already known bad? The work to answer it is not.

The honest version of the workflow looks like this. Open VirusTotal in one tab. Open AbuseIPDB in another. Open Shodan, URLScan, ThreatFox, MalwareBazaar. Paste the indicator into each. Read each report. Hold all of them in your head at the same time. Decide.

Thirty tabs and ten minutes. Multiplied by every alert. The cognitive load is not the intel. The cognitive load is the coordination. I wanted a tool that did the coordination, kept the intel, and gave one verdict.

II. What I built.

IOC-Enrich is a single command-line tool. You hand it an indicator, it works out what type the indicator is, queries every intel source relevant to that type in parallel, collapses the responses into one weighted risk verdict, and prints a colored, structured report in your terminal. JSON, Markdown, or CSV on request.

One command. One output. The same shape every time. The analyst’s time is spent on judgment, not on tab management.


III. Type detection.

The first question for any indicator is what it is. The CLI classifies into eight types before doing anything else.

  • IPv4 and IPv6 addresses, with reserved-range filtering
  • Fully qualified domain names
  • URLs, defanged or otherwise
  • MD5, SHA-1, and SHA-256 hashes
  • Email addresses

Type detection runs on regex plus length checks plus a few domain-specific heuristics, and it runs in microseconds. An indicator that matches no type is rejected before any API key is spent on it. The detected type routes the indicator to the right intel sources; there is no point asking Shodan about a SHA-256.
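The classification step described above, as an added example and not the project's own code: hash family by hex length, IP addresses through the standard library parser with non-global and multicast ranges dropped, defanged URLs and domains refanged first, then URL, email and domain by regex. The eight type names and the exact defanging forms handled are assumptions for the example.

```python
import ipaddress
import re
from enum import Enum
from typing import Optional


class IOCType(Enum):
    IPV4 = "ipv4"
    IPV6 = "ipv6"
    DOMAIN = "domain"
    URL = "url"
    MD5 = "md5"
    SHA1 = "sha1"
    SHA256 = "sha256"
    EMAIL = "email"


# Undo the defanging analysts apply when pasting indicators into tickets:
# hxxp -> http, [.] (.) {.} [dot] -> ., [:] -> :, [@] [at] -> @ (assumed set).
_REFANG = [
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]|\[at\]", re.IGNORECASE), "@"),
]

# Hex digest length alone separates the three hash families.
_HASH_LENGTHS = {32: IOCType.MD5, 40: IOCType.SHA1, 64: IOCType.SHA256}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_URL = re.compile(r"^(?:https?|ftps?)://\S+$", re.IGNORECASE)
_EMAIL = re.compile(r"^[^@\s]+@([^@\s]+)$")
# Hostname labels per RFC 1035 shape, 253 chars total, alphabetic TLD of 2..63 chars.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(value: str) -> str:
    """Strip defanging so the same indicator classifies identically however it was pasted."""
    v = value.strip()
    for pattern, replacement in _REFANG:
        v = pattern.sub(replacement, v)
    return v


def classify(value: str) -> Optional[IOCType]:
    """Return the indicator type, or None for junk and for addresses no intel source
    can hold reputation for (RFC 1918, loopback, link-local, multicast, documentation)."""
    v = refang(value)
    # Hashes first: a pure-hex string of a known length is never a domain or IP.
    if _HEX.match(v) and len(v) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(v)]
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        # Reserved-range filtering: ip.is_global is False for private, loopback,
        # link-local and documentation ranges; multicast is excluded separately
        # because older Pythons report some multicast ranges as global.
        if not ip.is_global or ip.is_multicast:
            return None
        return IOCType.IPV4 if ip.version == 4 else IOCType.IPV6
    if _URL.match(v):
        return IOCType.URL
    m = _EMAIL.match(v)
    if m and _DOMAIN.match(m.group(1).lower()):
        return IOCType.EMAIL
    if _DOMAIN.match(v.lower()):
        return IOCType.DOMAIN
    return None


if __name__ == "__main__":
    # Constructed sample indicators, including a private address and a defanged URL.
    for sample in ("8.8.8.8", "192.168.1.1", "hxxp://evil[.]example[.]com/payload.bin",
                   "d41d8cd98f00b204e9800998ecf8427e", "alice[at]example[.]com"):
        print(f"{sample!r:48} -> {classify(sample)}")
```

The order of checks matters: hex length runs before the domain regex so a 32-character hex label is never mistaken for a hostname, and the IP parser runs before the URL and domain regexes so dotted quads never reach the hostname pattern.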

IV. Concurrent enrichment.

The reason a manual workflow is slow is not the network. It is the human serialization of network calls. Open one tab. Wait for it. Read it. Open the next. Wait for it. Read it.

The CLI fans out every applicable query at the same time through asyncio with aiohttp. For a typical IP indicator that means VirusTotal, AbuseIPDB, Shodan, URLScan, ThreatFox, and the rest run concurrently. The wall-clock time of an enrichment is the time of the slowest API (or of the per-source timeout that cuts it off), not the sum of all of them.

Each API client respects its own rate limits and exposes its own structured response model. The clients are isolated. Adding a new source is a single Python module that produces a normalized record, and the rest of the system picks it up without changes.
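The fan-out and client isolation described in this section, as an added example that is not the project's code. The source classes below are constructed stand-ins that sleep instead of calling an API (a real client would wrap aiohttp); their names mirror real services only so the output reads naturally. The registry pattern, the per-source concurrency cap standing in for rate limiting, and the per-source timeout are assumptions for the example.

```python
import asyncio
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Record:
    """Normalised result every client must produce, whatever the upstream schema."""
    source: str
    indicator: str
    malicious: Optional[bool]   # None when the source has never seen the indicator
    score: float                # already mapped to 0..1 by the client
    note: str = ""


class Source:
    """One intel source. New sources subclass this in their own module and use
    @register; enrich() picks them up by the IOC types they declare."""
    name = "base"
    types: Set[str] = set()     # IOC types this source can answer for
    concurrency = 4             # in-flight cap per source, a stand-in for the API rate limit
    timeout = 5.0               # seconds before a slow source is dropped from the verdict

    def __init__(self) -> None:
        # Instantiated inside the running loop (see enrich), so the semaphore is
        # bound to the right loop on Python 3.8/3.9 as well as later versions.
        self._sem = asyncio.Semaphore(self.concurrency)

    async def query(self, indicator: str) -> Record:
        raise NotImplementedError

    async def fetch(self, indicator: str) -> Record:
        async with self._sem:
            return await asyncio.wait_for(self.query(indicator), self.timeout)


REGISTRY: List[type] = []


def register(cls: type) -> type:
    REGISTRY.append(cls)
    return cls


# Constructed stand-ins: fixed verdicts, simulated latency, no network I/O.
@register
class FakeVirusTotal(Source):
    name = "virustotal"
    types = {"ipv4", "ipv6", "domain", "url", "md5", "sha1", "sha256"}

    async def query(self, indicator: str) -> Record:
        await asyncio.sleep(0.30)
        return Record(self.name, indicator, True, 0.8, "12/70 engines flagged")


@register
class FakeAbuseIPDB(Source):
    name = "abuseipdb"
    types = {"ipv4", "ipv6"}

    async def query(self, indicator: str) -> Record:
        await asyncio.sleep(0.20)
        return Record(self.name, indicator, True, 0.95, "abuse confidence 95")


@register
class FakeShodan(Source):
    name = "shodan"
    types = {"ipv4", "ipv6"}

    async def query(self, indicator: str) -> Record:
        await asyncio.sleep(0.25)
        return Record(self.name, indicator, None, 0.0, "open ports 22,80")


@register
class FakeHangingSource(Source):
    """Models an API that never answers; wait_for turns it into a timeout."""
    name = "hanging"
    types = {"ipv4"}
    timeout = 0.1

    async def query(self, indicator: str) -> Record:
        await asyncio.sleep(10)
        return Record(self.name, indicator, None, 0.0)


async def enrich(indicator: str, ioc_type: str) -> Dict[str, object]:
    """Fan out to every source that handles ioc_type; one failure never blocks the rest."""
    clients = [cls() for cls in REGISTRY if ioc_type in cls.types]
    started = time.monotonic()
    results = await asyncio.gather(
        *(c.fetch(indicator) for c in clients), return_exceptions=True
    )
    records: Dict[str, Record] = {}
    errors: Dict[str, str] = {}
    for client, result in zip(clients, results):
        if isinstance(result, Exception):
            errors[client.name] = type(result).__name__
        else:
            records[client.name] = result
    return {"indicator": indicator, "type": ioc_type, "records": records,
            "errors": errors, "elapsed": time.monotonic() - started}


def enrich_sync(indicator: str, ioc_type: str) -> Dict[str, object]:
    return asyncio.run(enrich(indicator, ioc_type))


if __name__ == "__main__":
    # 203.0.113.7 is a documentation address, used here only as a constructed sample.
    report = enrich_sync("203.0.113.7", "ipv4")
    print(f"{len(report['records'])} sources in {report['elapsed']:.2f}s, errors={report['errors']}")
```

Run stand-alone, the three responding sources finish in about 0.3 s, the time of the slowest one, while the summed latencies would be 0.75 s; the hanging source shows up under errors as a TimeoutError instead of stalling the verdict. Adding a fifth source is one more subclass with @register and a types set.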

V. Risk scoring.

Raw intel is noisy. Different sources score on different scales. Some report reputation. Some report categorical classifications. Some report vendor verdicts. To turn this into a single number the CLI weighs each source by historical reliability and source-specific signal strength, then maps the aggregate into five tiers.

Tier       Score      Meaning
CRITICAL   >= 90      Multi-source malicious confirmation
HIGH       70 to 89   Strong single source or moderate consensus
MEDIUM     40 to 69   Suspicious signals, no clear consensus
LOW        10 to 39   Minor or stale signals
CLEAN      < 10       No adverse findings

The tiers are not a substitute for analyst judgment. They are a way to triage. CRITICAL items get attention now. CLEAN items get logged and moved on. The middle tiers get the seconds they deserve.
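One way to turn normalised source records into the five tiers above, as an added example and not the project's scoring code. It combines per-source signals with a noisy-OR so that two independent malicious verdicts push past a single one, and decays a signal by its age so stale hits land in LOW. The reliability weights, the verdict-to-signal mapping and the 30-day half-life are assumptions; only the tier boundaries come from the page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed per-source reliability (0..1). The real tool derives these from history;
# the numbers here are illustrative only.
SOURCE_WEIGHT = {
    "virustotal": 0.9,
    "abuseipdb": 0.85,
    "threatfox": 0.9,
    "urlscan": 0.7,
    "shodan": 0.4,
}
# Assumed mapping from a normalised categorical verdict to a base signal.
VERDICT_SIGNAL = {"malicious": 1.0, "suspicious": 0.5, "clean": 0.0, "unknown": None}
HALF_LIFE_DAYS = 30.0   # a hit loses half its weight every 30 days (assumed)

# Tier floors, from the table on the page.
TIERS = [(90, "CRITICAL"), (70, "HIGH"), (40, "MEDIUM"), (10, "LOW"), (0, "CLEAN")]


@dataclass
class Record:
    source: str
    verdict: str            # malicious | suspicious | clean | unknown
    confidence: float       # 0..1, as normalised by the source's client
    age_days: float = 0.0   # days since the source last saw the indicator


def signal(rec: Record) -> Optional[float]:
    """Per-source signal in 0..1, or None when the source has no opinion."""
    base = VERDICT_SIGNAL[rec.verdict]
    if base is None:
        return None
    confidence = max(0.0, min(1.0, rec.confidence))
    decay = 0.5 ** (rec.age_days / HALF_LIFE_DAYS)
    return base * confidence * decay


def score(records: Iterable[Record]) -> int:
    """Noisy-OR over weighted signals: P(bad) = 1 - prod(1 - w_i * s_i).
    Independent confirmations compound; clean and unknown sources contribute nothing."""
    miss = 1.0
    for rec in records:
        s = signal(rec)
        if s is None:
            continue
        w = SOURCE_WEIGHT.get(rec.source, 0.5)   # unlisted source: middling trust
        miss *= 1.0 - w * s
    return int(round(100 * (1.0 - miss)))


def tier(value: int) -> str:
    for floor, name in TIERS:
        if value >= floor:
            return name
    return "CLEAN"


def assess(records: Iterable[Record]) -> Tuple[int, str]:
    value = score(list(records))
    return value, tier(value)


if __name__ == "__main__":
    # Constructed record sets covering each tier.
    cases = {
        "two confirmations": [Record("virustotal", "malicious", 0.8),
                              Record("abuseipdb", "malicious", 0.95),
                              Record("shodan", "unknown", 0.0)],
        "one strong source": [Record("virustotal", "malicious", 0.8)],
        "two suspicious":    [Record("urlscan", "suspicious", 1.0),
                              Record("virustotal", "suspicious", 1.0)],
        "stale hit":         [Record("virustotal", "malicious", 0.8, age_days=60)],
        "nothing adverse":   [Record("virustotal", "clean", 1.0),
                              Record("shodan", "unknown", 0.0)],
    }
    for label, recs in cases.items():
        print(f"{label:18} -> {assess(recs)}")
```

The noisy-OR is what makes "multi-source malicious confirmation" fall out naturally: one source at weight 0.9 and confidence 0.8 scores 72 (HIGH), and adding a second agreeing source lifts it to 95 (CRITICAL) without any special-case consensus rule. Age decay is the knob that keeps a two-month-old hit in LOW rather than HIGH.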

VI. Output and ergonomics.

The terminal output is color coded by tier and structured by source, so the eye can land on the verdict in a second and then drill into specific sources without re-running. The same data is available as JSON for downstream automation, as Markdown for incident tickets, and as CSV for batch workflows that pipe many indicators through at once.

Batch mode reads indicators from a file or stdin and emits a structured report. The output is deterministic in shape and stable across versions, which matters for any analyst who grew tired of writing throwaway parsers.

VII. What is honest about it.

IOC-Enrich is a coordination tool. It does not improve the intel. It does not catch zero days that no source has seen. Its value is wall clock and cognitive. It compresses what takes ten minutes by hand into five seconds and a single colored verdict. For the volume of indicators a working SOC actually faces, that is the difference between getting through the morning queue and not.

The CLI is open source on GitHub. The default configuration runs against free tiers of every source it supports, so there is no commercial dependency to install. If you do this work and you find it useful, I would like to hear about it.
