Tool Catalog

Overview

28 tools organized by IOC type and analysis category. The ReAct agent automatically selects them based on the IOC you investigate.

By IOC type

IPs

Tool	Source	What it returns
`virustotal_ip_lookup`	VirusTotal	Reputation score, detection count, associated domains
`abuseipdb_check_ip`	AbuseIPDB	Abuse confidence (0-100%), report count, ISP
`alienvault_ip_lookup`	AlienVault OTX	Threat pulses, IOC associations, country, ASN
`shodan_host_lookup`	Shodan	Open ports, services, versions, CVEs
`ipinfo_lookup`	IPInfo	Geolocation, coordinates, ISP/org, hostname

Domains

Tool	Source	What it returns
`virustotal_domain_lookup`	VirusTotal	Categories, reputation, WHOIS, DNS, detections
`whois_lookup`	WHOIS/RDAP	Registrar, creation/expiration dates, registrant
`dns_lookup`	DNS resolvers	A, AAAA, MX, NS, TXT, CNAME records
`crtsh_lookup`	crt.sh	Subdomains via Certificate Transparency logs
`alienvault_ip_lookup`	AlienVault OTX	Pulses and associations (for domains too)

URLs

Tool	Source	What it returns
`urlscan_lookup`	URLScan.io	Full page scan, verdict, technologies, screenshots

Hashes

Tool	Source	What it returns
`virustotal_hash_lookup`	VirusTotal	File reputation, AV detections, file metadata

Free tools (no API key)

Tool	IOC	What it returns
`whois_lookup`	Domain	Registrar, dates, registrant
`dns_lookup`	Domain	Complete DNS records
`crtsh_lookup`	Domain	Subdomains via CT logs
`fetch_threat_feed`	IP / URL	Live IOCs from Feodo, URLhaus, IPsum

Intelligence and context tools

Tool	Source	What it returns
`gdelt_entity_search`	GDELT	Recent global news about an entity
`gdelt_topic_search`	GDELT	News by topic or event
`gdelt_tone_analysis`	GDELT	Tone analysis (positive/negative) of media coverage
`rss_news_search`	Curated RSS feeds	General news monitoring
`rss_financial_news`	Financial RSS feeds	Market and finance news
`rss_security_news`	Security RSS feeds	Cybersecurity and threat news
`get_crypto_prices`	CoinGecko	Cryptocurrency prices and volatility
`get_economic_indicator`	FRED	Macroeconomic indicators (GDP, inflation, rates)
`get_energy_prices`	EIA	Oil, gas and electricity prices
`classify_threat_type`	Local classifier	Threat category by keywords
`acled_conflict_events`	ACLED	Recent conflict events by country
`get_country_risk_score`	Local + GDELT/ACLED	Country Instability Index (CII)
`ais_vessel_lookup`	AISStream	Ship information by MMSI or name
`ais_chokepoint_activity`	AISStream	Traffic at strategic maritime chokepoints
`check_entity_anomaly`	Local + GDELT/FRED	Anomaly detection in mentions or market signals

Utility tools

Tool	What it does
`search_history`	Check if an IOC was investigated before in SQLite
`pivot_investigate`	Extract related IOCs from a result for pivoting

Code structure

All tools are in src/tools/ as independent async functions:

src/tools/
├── virustotal.py         # ip_lookup, domain_lookup, hash_lookup
├── abuseipdb.py          # check_ip
├── alienvault.py         # ip_lookup
├── shodan_tool.py        # host_lookup
├── ipinfo.py             # lookup
├── urlscan.py            # lookup
├── whois_tool.py         # lookup (free)
├── dns_tool.py           # lookup (free)
├── crtsh.py              # lookup (free)
├── threat_feeds.py       # fetch_threat_feed (free)
├── pivot.py              # pivot_investigate
├── history.py            # search_history
├── gdelt_tool.py         # entity_search, topic_search, tone_analysis
├── rss_monitor.py        # news_search, financial_news, security_news
├── financial_data.py     # crypto_prices, economic_indicator, energy_prices
├── threat_classifier.py  # classify_threat_type
├── acled_tool.py         # conflict_events
├── country_risk.py       # get_country_risk_score
└── ais_tool.py           # vessel_lookup, chokepoint_activity

And advanced analysis modules in src/analysis/:

src/analysis/
├── anomaly_detector.py   # Welford anomaly detection
├── market_correlation.py # IOC ↔ market signal correlation
└── narrative_detector.py # Narrative clustering detection (GDELT)