wtfis: A Human-Centered OSINT Tool That Respects Free-Tier API Limits
Hook
Most security tools treat API rate limits as an afterthought. wtfis was architected around them from day one, making strategic choices about which enrichments to bundle and which to keep optional.
Context
Security analysts investigating domains and IP addresses typically bounce between multiple browser tabs—Virustotal for reputation scores, Shodan for open ports, AbuseIPDB for abuse reports, various whois services for registration data. Each lookup requires remembering different API endpoints, parsing inconsistent JSON responses, and managing separate API keys. Worse, chaining these lookups manually burns through free-tier quotas fast, forcing analysts to either pay for premium accounts or ration their investigations.
The traditional whois command provides basic registration data but nothing about threat intelligence, geolocation, or whether an IP is actively scanning the internet. Commercial threat intelligence platforms like PassiveTotal aggregate this data beautifully but lock most features behind paywalls. wtfis occupies the middle ground: a command-line tool that orchestrates multiple OSINT services into a single lookup while being paranoid about API conservation. It’s built for the analyst who has five free-tier accounts and needs to make them count.
Technical Insight
wtfis implements a tiered enrichment architecture where Virustotal serves as the mandatory foundation, with eight optional services layered on top via CLI flags. This design reflects a hard reality: if you’re going to require an API key, make it count. Virustotal provides the richest single-source dataset—reputation scores, historical resolutions, category assignments from multiple vendors, and community votes. Everything else is additive.
The tool’s core loop fetches VT data first, then conditionally enriches based on entity type and available credentials. For IP addresses, you might invoke:
# Minimal lookup - VT only
wtfis 8.8.8.8
# Full enrichment stack
wtfis 8.8.8.8 --use-abuseipdb --use-greynoise --use-shodan --use-urlhaus
For domains, the whois logic gets interesting. By default, wtfis pulls whois data from Virustotal’s /whois endpoint. But if you set IP2WHOIS_API_KEY, it silently switches providers. This isn’t just feature duplication—IP2Whois consistently returns better-structured data, especially for registrant information. VT’s whois responses are anonymized and format-inconsistent across TLDs. More importantly, offloading whois to IP2Whois saves a VT API call, preserving quota for the lookups that actually need VT’s threat intelligence corpus.
The geolocation provider logic follows similar pragmatism. Three providers are supported (IPWhois, IP2Location, IPinfo), with IPWhois as the default because it requires no signup. You can override via environment variable:
export GEOLOCATION_SERVICE=ip2location
export IP2LOCATION_API_KEY=your_key_here
wtfis 1.1.1.1
Output formatting prioritizes scanability over completeness. Results are organized into panels—Reputation, Whois, Resolutions, Geolocation—each with colored severity indicators. Malicious reputation scores render in red, unknown in yellow, clean in green. URLs are clickable terminal hyperlinks, so you can Command+Click straight to the Virustotal report. The tool even supports defanged input (api[.]google[.]com or 1[.]1[.]1[.]1) for copying directly from security reports without triggering browser previews.
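The provider-selection rules described above (mandatory VT, IP2Whois taking over whois when its key is present, geolocation chosen by GEOLOCATION_SERVICE with IPWhois as the keyless default, optional IP enrichments behind flags) can be modelled as a small planner that also refangs defanged input. This is an added illustration, not wtfis's own code; apart from GEOLOCATION_SERVICE, IP2LOCATION_API_KEY and IP2WHOIS_API_KEY, the environment variable names and which services need a key are assumptions.

```python
import ipaddress
import re
# Added example, not wtfis's own code: models the provider-selection rules
# described in the text. Only GEOLOCATION_SERVICE, IP2LOCATION_API_KEY and
# IP2WHOIS_API_KEY are named on the page; the rest are assumed names.
DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")         # common defang styles
GEO_PROVIDERS = {"ipwhois": None,                      # default: no signup
                 "ip2location": "IP2LOCATION_API_KEY",
                 "ipinfo": "IPINFO_API_KEY"}
OPTIONAL_IP = (("abuseipdb", "ABUSEIPDB_API_KEY"), ("greynoise", "GREYNOISE_API_KEY"),
               ("shodan", "SHODAN_API_KEY"), ("urlhaus", None))  # urlhaus assumed keyless

def refang(target: str) -> str:
    """api[.]google[.]com -> api.google.com; 1[.]1[.]1[.]1 -> 1.1.1.1."""
    return DEFANG.sub(".", target.strip())

def is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def require(env: dict, key, service: str) -> None:
    # Fail before spending the VT call rather than dying mid-lookup.
    if key and key not in env:
        raise ValueError(f"{service} selected but {key} is not set")

def plan_lookup(target: str, env: dict, **use) -> tuple:
    """Return (refanged target, providers in call order, VT calls used);
    use holds CLI-style flags such as use_shodan=True."""
    target = refang(target)
    require(env, "VT_API_KEY", "wtfis")               # VT is mandatory
    plan, vt_calls = ["vt:entity"], 1
    if is_ip(target):
        geo = env.get("GEOLOCATION_SERVICE", "ipwhois").lower()
        if geo not in GEO_PROVIDERS:
            raise ValueError(f"unknown GEOLOCATION_SERVICE {geo!r}")
        require(env, GEO_PROVIDERS[geo], geo)
        plan.append(f"geo:{geo}")
        for name, key in OPTIONAL_IP:
            if use.get(f"use_{name}"):
                require(env, key, name)
                plan.append(name)
    elif "IP2WHOIS_API_KEY" in env:                    # saves one VT call
        plan.append("whois:ip2whois")
    else:
        plan.append("whois:vt")
        vt_calls += 1
    return target, plan, vt_calls
```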
The URLhaus integration demonstrates the tool’s philosophy about crowd-sourced intelligence. Rather than just showing “this IP has malware URLs,” wtfis displays online vs. total URL counts, current blocklist status (DNSBL/SURBL), and aggregated tags from URLhaus history. An IP might have hosted malware six months ago (offline URLs) but be clean today—context that matters during incident triage.
One clever detail: the Greynoise enrichment uses their community API’s trichotomy (Noise/RIOT/neither) to surface different kinds of “known.” RIOT IPs belong to legitimate business services but generate tons of scanning-like traffic (think Microsoft O365 health checks). Noise IPs are confirmed internet scanners. Neither means Greynoise hasn’t categorized it yet—absence of signal, not confirmation of benign. The terminal output makes these distinctions visually obvious with color coding.
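The Greynoise trichotomy and the URLhaus online-vs-total distinction from the two paragraphs above, reduced to a plain-text triage line. This is an added example, not wtfis's own code; the two inputs are constructed samples shaped the way the author understands the Greynoise community and URLhaus host responses (noise/riot booleans; urls[].url_status, urls[].tags, blacklists{}), so treat those field names as assumptions.

```python
from collections import Counter

# Added example, not wtfis's own code. Constructed samples shaped like
# Greynoise community and URLhaus host responses as the author understands
# those APIs; field names are assumptions, not verified documentation.
GREYNOISE_SAMPLE = {"ip": "203.0.113.10", "noise": False, "riot": True,
                    "classification": "benign", "name": "Example CDN"}
URLHAUS_SAMPLE = {"query_status": "ok", "host": "203.0.113.10",
                  "blacklists": {"spamhaus_dbl": "not listed", "surbl": "listed"},
                  "urls": [{"url_status": "offline", "tags": ["elf", "mirai"]},
                           {"url_status": "offline", "tags": ["elf"]},
                           {"url_status": "online", "tags": ["mirai", "32-bit"]}]}

def greynoise_label(resp: dict) -> str:
    """Collapse the community API's booleans into the three states."""
    if resp.get("noise"):
        return "noise"      # confirmed internet scanner
    if resp.get("riot"):
        return "riot"       # legitimate service that looks scanner-like
    return "unknown"        # not categorized: absence of signal, not benign

def urlhaus_summary(resp: dict) -> dict:
    """Online vs. total URL counts, active blocklists and aggregated tags."""
    urls = resp.get("urls") or []
    tags = Counter(t for u in urls for t in (u.get("tags") or []))
    return {"online": sum(u.get("url_status") == "online" for u in urls),
            "total": len(urls),
            "listed": sorted(k for k, v in (resp.get("blacklists") or {}).items()
                             if v != "not listed"),
            "tags": [t for t, _ in tags.most_common()]}

def triage_line(ip: str, gn: dict, uh: dict) -> str:
    """One-line verdict in the spirit of wtfis's panels, minus the colours."""
    label = greynoise_label(gn)
    s = urlhaus_summary(uh)
    if s["total"] == 0:
        hosting = "no URLhaus history"
    elif s["online"] == 0:
        hosting = f"historical only ({s['total']} offline URLs)"  # clean today
    else:
        hosting = f"{s['online']}/{s['total']} malware URLs online"
    lists = ", ".join(s["listed"]) or "none"
    return (f"{ip}: greynoise={label}; {hosting}; "
            f"blocklists={lists}; tags={','.join(s['tags'])}")
```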
Gotcha
wtfis is deliberately not an automation tool. There’s no JSON output mode, no batch processing flag, no stdin pipeline support. If you need to look up 500 domains from a CSV, this isn’t your tool; use the APIs directly. The entire design optimizes for interactive investigation by humans who can read colored terminal output and click hyperlinks. This is a feature, not an oversight, but it means wtfis won’t fit into automated threat feeds or SOAR playbooks.
The Shodan enrichment requires a paid account (minimum $49 one-time fee), which undermines the “free-tier friendly” positioning for arguably one of the most valuable enrichments. Open port and service data from Shodan often provides the smoking gun during investigations, but budget-constrained analysts are locked out. The README is upfront about this limitation, but it still stings when you see --use-shodan in the help text and realize you can’t actually use it without paying.
While the tool supports a ~/.env.wtfis configuration file for managing environment variables, you still need to manually set up and maintain API keys for up to eight different services. For a tool aimed at security analysts who probably have dozens of API keys already, the initial setup requires non-trivial coordination across multiple service signups and key generation workflows.
Verdict
Use wtfis if you’re a security analyst or SOC team member doing manual threat investigations with free-tier OSINT accounts. It excels at providing quick, comprehensive overviews during incident response when you need to triage whether a domain or IP deserves deeper investigation. The human-friendly terminal output and intelligent API quota conservation make it ideal for interactive work. Skip it if you need programmatic access to structured data (no JSON export), plan to do bulk lookups (no batch mode), don’t want to juggle multiple API signups, or require Shodan data but lack a paid account. Also skip if you’re already paying for commercial threat intel platforms—they’ll provide richer data with better historical coverage. wtfis shines brightest in the hands of analysts making free-tier accounts punch above their weight.