
wtfis: Building a Human-First Threat Intelligence CLI That Respects Free Tiers

Hook

Most security tools output JSON blobs meant for machines. wtfis does the opposite—it's a threat intelligence aggregator explicitly designed for humans who are tired of juggling browser tabs.

Context

Security analysts investigating suspicious domains or IPs face a tedious workflow: copy an indicator, paste it into VirusTotal, wait, open another tab for Shodan, paste again, then AbuseIPDB, then URLhaus, manually correlating results across interfaces. Each service offers partial visibility—VirusTotal shows malware detections, Shodan reveals exposed services, Greynoise identifies internet scanners—but no single platform aggregates them into a coherent picture without enterprise-grade costs.

wtfis emerged from this friction. Rather than building yet another JSON-spewing API wrapper, developer pirxthepilot created a CLI tool that mirrors how analysts actually work: type one command, get a color-coded terminal report synthesizing multiple threat feeds. It's passive reconnaissance optimized for quick lookups during incident response, not bulk scanning. The design philosophy centers on respecting free-tier API quotas while maximizing signal, acknowledging that most security practitioners can't justify $10k/year threat intel subscriptions for occasional investigations.

Technical Insight

The architecture revolves around modular enrichment providers that execute asynchronously to minimize latency. Each OSINT service—VirusTotal, Shodan, IPinfo, etc.—is wrapped in a dedicated handler class with standardized interfaces for querying and parsing responses. When you run wtfis example.com, the tool determines entity type (domain/FQDN/IP), then fires parallel requests to configured services.

Here's a typical invocation showing optional enrichments:

# Basic lookup uses only free APIs (VirusTotal, Greynoise)
wtfis 1.2.3.4

# Add Shodan enrichment for port/service data
wtfis 1.2.3.4 -s

# Include passive DNS resolutions (limited to 3 by default)
wtfis malicious-domain.com -n 3

# Full enrichment with all optional sources
wtfis suspicious.example.com -sn 10 --use-pt

The tool's intelligence lies in its quota-conscious defaults. Passive DNS resolution (-n flag) is opt-in because VirusTotal's free tier caps API calls at 500/day—blindly resolving every subdomain would exhaust quotas fast. Similarly, Shodan lookups require explicit flags since many analysts lack paid accounts. This design respects the reality of free-tier usage while keeping power-user options accessible.

Output rendering uses the Rich library for terminal formatting, detecting capability for colors, hyperlinks, and Unicode. Results appear as structured sections—reputation scores at the top, then geolocation, threat classifications, and historical data. Critical findings like high malware detection rates render in red; clean results show green. URLs become clickable terminal hyperlinks when supported, letting analysts jump to full reports with one click.

The defanged input handling demonstrates thoughtful security workflow integration:

# wtfis accepts obfuscated indicators common in threat reports
wtfis 'hxxps://evil[.]com/payload[.]exe'
wtfis '192[.]0[.]2[.]1'

# Automatically refanged internally before API queries
# evil[.]com -> evil.com
# hxxps:// -> https://

This matters because security teams often share indicators with brackets or 'x' replacements to prevent accidental clicks or auto-crawling by email scanners. Supporting this natively eliminates a manual refanging step that's error-prone and annoying.
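As an added example (not code from wtfis itself), the refanging routine below covers the conventions shown above and also applies the domain/FQDN/IP entity classification described under Technical Insight; the rule set, the two-label domain heuristic and the sample indicators are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed samples of the defanged forms seen in threat reports.
SAMPLE_INDICATORS = ["hxxps://evil[.]com/payload[.]exe", "192[.]0[.]2[.]1",
                     "mail(.)example[.]org", "hxxp://203[.]0[.]113[.]5[:]8080/x"]

# Each rule maps one defanging convention back to its real form.
_REFANG_RULES = [
    (re.compile(r"^hxxp(s?)(?=://|\[)", re.I), r"http\1"),  # hxxps:// -> https://
    (re.compile(r"\[://\]"), "://"),                         # hxxp[://]x -> http://x
    (re.compile(r"[\[({](?:\.|dot)[\])}]", re.I), "."),     # evil[.]com -> evil.com
    (re.compile(r"\[:\]"), ":"),                             # host[:]8080 -> host:8080
    (re.compile(r"\[@\]"), "@"),                             # user[@]host -> user@host
]

def refang(indicator: str) -> str:
    """Undo bracket and hxxp obfuscation before the value goes to any API."""
    value = indicator.strip()
    for pattern, replacement in _REFANG_RULES:
        value = pattern.sub(replacement, value)
    return value

def classify(value: str) -> str:
    """Label a refanged indicator 'url', 'ip', 'domain' or 'fqdn'.
    Assumed rules, not wtfis's own: two labels = domain, more = FQDN."""
    if "://" in value:
        return "url"
    host = re.sub(r":\d+$", "", value)  # drop an optional :port
    for candidate in (value, host):     # bare IPv6 first, then host-without-port
        try:
            ipaddress.ip_address(candidate)
            return "ip"
        except ValueError:
            pass
    labels = host.split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", lab, re.I) for lab in labels):
        raise ValueError(f"not a recognised indicator: {value!r}")
    return "domain" if len(labels) == 2 else "fqdn"

def lookup_target(indicator: str) -> tuple[str, str]:
    """Refang, then return (entity_type, value_to_query); a URL reduces to its host."""
    value = refang(indicator)
    kind = classify(value)
    if kind == "url":
        host = urlparse(value).hostname or ""
        return classify(host), host
    return kind, value
```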

The asynchronous query execution is handled via Python's asyncio, batching requests to services that support it. For instance, VirusTotal allows bundled queries for domain + IP resolution in single API calls, which wtfis exploits to minimize quota consumption. The code maintains a session pool to reuse HTTP connections across requests, shaving hundreds of milliseconds off total execution time when querying 5+ services.

Configuration lives in ~/.config/wtfis/wtfis.yaml, where API keys are stored:

virustotal:
  api_key: "your_vt_key_here"
shodan:
  api_key: "your_shodan_key"
greynoise:
  api_key: "your_gn_key"
abuseipdb:
  api_key: "your_abuse_key"
# Optional: choose geolocation provider
geolocation:
  provider: "ipwhois"  # or ip2location, ipinfo

The modular geolocation provider system is particularly elegant. Rather than hardcoding one service, wtfis defines a GeoProvider interface that IPWhois, IP2Location, and IPinfo classes implement. Users select their preferred service in config based on which free tier they've signed up for, or which paid plan they're already subscribed to. This flexibility acknowledges the fragmented geolocation API landscape without forcing vendor lock-in.

Gotcha

The tool's usefulness collapses without API keys. While some services like Greynoise offer community tiers, VirusTotal requires registration, and Shodan's free tier is severely limited (1 query/second, minimal historical data). You'll spend the first 30 minutes signing up for 5+ services and hunting down API keys before wtfis becomes truly useful. There's no graceful degradation UI—missing keys simply omit those sections from output, leaving you guessing what data you're not seeing.
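An added example, not from the wtfis code base, of the asyncio fan-out described under Technical Insight, extended so that a missing key or a failed query shows up as an explicit skipped entry instead of a silently absent section; the key table and the query_provider stand-in are constructed.

```python
import asyncio
from dataclasses import dataclass, field

# Constructed key table standing in for the wtfis config file: two services
# configured, one missing, one with a key that the service will reject.
API_KEYS = {"virustotal": "vt-key", "greynoise": "gn-key",
            "shodan": None, "abuseipdb": "expired-key"}

@dataclass
class Report:
    indicator: str
    sections: dict = field(default_factory=dict)  # provider -> returned data
    skipped: dict = field(default_factory=dict)   # provider -> why it is absent

async def query_provider(name: str, indicator: str, key: str) -> dict:
    """Stand-in for one OSINT handler; a real one awaits an HTTP call here."""
    await asyncio.sleep(0.01)  # simulated network latency
    if key.startswith("expired"):
        raise RuntimeError("HTTP 403: API key rejected")
    return {"provider": name, "indicator": indicator, "verdict": "clean"}

async def enrich(indicator: str, api_keys: dict) -> Report:
    """Fan out to every configured provider concurrently, then record missing
    keys and failed queries as explicit 'skipped' entries rather than dropping
    the section silently."""
    report = Report(indicator)
    tasks = {}
    for name, key in api_keys.items():
        if key:
            tasks[name] = asyncio.create_task(query_provider(name, indicator, key))
        else:
            report.skipped[name] = "no API key configured"
    # return_exceptions=True keeps one failing provider from cancelling the rest
    results = await asyncio.gather(*tasks.values(), return_exceptions=True)
    for name, result in zip(tasks, results):
        if isinstance(result, Exception):
            report.skipped[name] = f"query failed: {result}"
        else:
            report.sections[name] = result
    return report

def enrich_sync(indicator: str, api_keys: dict = API_KEYS) -> Report:
    """Blocking entry point for scripts and tests."""
    return asyncio.run(enrich(indicator, api_keys))
```

Printing report.skipped alongside the sections tells the analyst which data is absent and why, which is the gap the article points out.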

No caching means repeated lookups hammer your API quotas unnecessarily. If you're investigating a campaign with 50 indicators sharing the same C2 infrastructure, you'll query that IP 50 times instead of once. The lack of structured export is another friction point for teams needing audit trails or SOAR integration. Output is beautiful in terminals but useless for piping into downstream tools—you can't easily extract just the malware score or subnet information without parsing ANSI color codes. For ad-hoc human investigations this is fine, but don't expect to build automated workflows around wtfis without significant wrapper scripting.

Verdict

Use if: You're a security analyst, incident responder, or threat hunter who performs manual investigations and wants to stop context-switching between VirusTotal/Shodan/AbuseIPDB browser tabs during triage. The terminal-first UX and quota-conscious design make this perfect for quick lookups when you need human-readable context, not raw JSON. It shines in SOC environments where analysts field alerts and need fast reputation checks without firing up a $50k threat intel platform.

Skip if: You need programmatic access to structured data for automation, require offline/air-gapped operation, or want comprehensive historical analysis beyond what free tiers provide. If you're already paying for a commercial threat intel feed (Recorded Future, Anomali, ThreatConnect), wtfis offers little value since those platforms aggregate similar sources with better APIs. Also skip if you can't spend time acquiring API keys from 5+ services; without them, wtfis is just a pretty wrapper around partial data.
