Quick Threat Intel

When you need a quick answer about an IOC without the overhead of creating a formal investigation.

Direct query from CLI

# IP
osint-agent -q "Investigate IP 185.220.101.34"
# Domain
osint-agent -q "Is domain phishing-example.net malicious?"
# URL
osint-agent -q "Analyze this URL: http://malware.host/payload.exe"
# Hash
osint-agent -q "What is the file with hash d41d8cd98f00b204e9800998ecf8427e"

Interactive session for triage

osint-agent
osint> Investigate IP 185.220.101.34
# → Complete analysis with risk score
osint> And the domain evil-relay.com that appears in the logs?
# → The agent remembers session context
osint> /dashboard
# → Comparison table of all analyzed IOCs
osint> /report save
# → Report in reports/

JSON for scripting

# Get only risk score
osint-agent -q "Analyze 185.220.101.34" --json | jq '.risk_score'
# Process result in pipeline
osint-agent -q "Investigate evil.com" --json | python3 -c "
import json, sys
data = json.load(sys.stdin)
if data['risk_score'] > 60:
    print(f'ALERT: {data[\"ioc\"]} risk {data[\"risk_score\"]}/100')
"

From MCP in Claude Desktop

Open Claude Desktop with MCP configured and write directly:

Investigate IP 185.220.101.34 and tell me if it's malicious

Claude uses the MCP tools to query VirusTotal, AbuseIPDB and Shodan, and returns a complete analysis. There is no need to open the terminal.

Incident response: quick batch

When you have an IOC list from an alert or SIEM:

# Create iocs-incident.txt with IOCs from the incident
cat > iocs-incident.txt << EOF
185.220.101.34
evil-c2.example.com
http://malware-url.net/payload
d41d8cd98f00b204e9800998ecf8427e
EOF
# Analyze all with JSON output
osint-agent --batch iocs-incident.txt --json > incident-analysis.json
# See only high-risk ones
jq '.[] | select(.risk_score > 60)' incident-analysis.json
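The two scripting patterns above (a single `-q --json` result and a `--batch --json` array) share the same triage logic, so the following added example, which is not part of osint-agent or its documentation, puts it in one script. It assumes only the two fields the page uses, `ioc` and `risk_score`; the sample JSON is constructed here, and the record without a score is included deliberately to show that incomplete output is reported rather than silently treated as safe.

```python
"""Triage helper for osint-agent --json output (added example, not the tool's own code).

Assumed schema: each result is a JSON object with at least "ioc" and "risk_score"
(the two fields the documentation uses). Any other fields are ignored.
"""
import json
import sys

# Constructed sample in the shape of `osint-agent --batch iocs-incident.txt --json`.
# Scores are made up; the hash entry deliberately lacks a risk_score.
SAMPLE_BATCH_JSON = """
[
  {"ioc": "185.220.101.34", "risk_score": 92},
  {"ioc": "evil-c2.example.com", "risk_score": 74},
  {"ioc": "http://malware-url.net/payload", "risk_score": 45},
  {"ioc": "d41d8cd98f00b204e9800998ecf8427e"}
]
"""


def load_results(text):
    """Accept either one result (from -q --json) or a list (from --batch --json)."""
    data = json.loads(text)
    if isinstance(data, dict):
        return [data]
    if isinstance(data, list):
        return data
    raise ValueError("unexpected JSON shape: expected an object or an array")


def triage(results, threshold=60):
    """Split results into (high_risk, low_risk, skipped).

    high_risk is sorted by descending score so the worst IOC is first.
    Records that are not objects, lack an ioc, or have no numeric risk_score
    go to skipped so an analyst sees them instead of assuming they were clean.
    """
    high, low, skipped = [], [], []
    for rec in results:
        if not isinstance(rec, dict):
            skipped.append(rec)
            continue
        ioc = rec.get("ioc")
        score = rec.get("risk_score")
        # bool is a subclass of int in Python, so exclude it explicitly
        if ioc is None or isinstance(score, bool) or not isinstance(score, (int, float)):
            skipped.append(rec)
            continue
        (high if score > threshold else low).append((ioc, score))
    high.sort(key=lambda pair: pair[1], reverse=True)
    return high, low, skipped


def format_alerts(high):
    """Render high-risk pairs in the same ALERT line format as the one-liner above."""
    return [f"ALERT: {ioc} risk {score}/100" for ioc, score in high]


if __name__ == "__main__":
    # Read piped JSON if present, otherwise fall back to the constructed sample.
    text = SAMPLE_BATCH_JSON if sys.stdin.isatty() else sys.stdin.read()
    high, low, skipped = triage(load_results(text))
    for line in format_alerts(high):
        print(line)
    print(f"{len(high)} high-risk, {len(low)} below threshold, "
          f"{len(skipped)} skipped (missing ioc or risk_score)")
    # Non-zero exit lets a pipeline or cron job act on the result.
    sys.exit(1 if high else 0)
```

Usage: `osint-agent --batch iocs-incident.txt --json | python3 triage.py`, or run it with no input to see the constructed sample. The non-zero exit status when anything exceeds the threshold is what makes it usable as a gate in a pipeline.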

Quick contextual queries

The agent does more than just analyze technical IOCs:

osint> Give me context about APT Scattered Spider
osint> What's the current ransomware threat status this month?
osint> Are there any major 0-day vulnerabilities in the last 7 days?

For these queries it uses GDELT, security RSS feeds and threat classification.

Compare with history

If you investigated the same IOC some time ago:

osint> Investigate 185.220.101.34 and compare with history
# → search_history returns the previous analysis
# → The agent compares: "Last time it was MEDIUM, now it's CRITICAL"

When to move to formal investigation

Use quick threat intel for:

  • SIEM alert triage
  • Quick verification during an incident
  • Ad-hoc enrichment

Move to formal investigation (/investigation-init) when:

  • The case has legal or compliance implications
  • You need traceability for an external report
  • Multiple analysts are working on the same case
  • The investigation will last more than one session