🛡️ SOC Toolkit

███████╗ ██████╗  ██████╗    ████████╗ ██████╗  ██████╗ ██╗     ██╗  ██╗██╗████████╗
██╔════╝██╔═══██╗██╔════╝    ╚══██╔══╝██╔═══██╗██╔═══██╗██║     ██║ ██╔╝██║╚══██╔══╝
███████╗██║   ██║██║            ██║   ██║   ██║██║   ██║██║     █████╔╝ ██║   ██║   
╚════██║██║   ██║██║            ██║   ██║   ██║██║   ██║██║     ██╔═██╗ ██║   ██║   
███████║╚██████╔╝╚██████╗       ██║   ╚██████╔╝╚██████╔╝███████╗██║  ██╗██║   ██║   
╚══════╝ ╚═════╝  ╚═════╝       ╚═╝    ╚═════╝  ╚═════╝ ╚══════╝╚═╝  ╚═╝╚═╝   ╚═╝

SOC Analyst Workbench - All-in-One Threat Intelligence Tool

🔍 28 Threat Intel Sources | 🆓 25 FREE (No API Key!) | 🎯 MITRE ATT&CK | ⚡ Parallel Queries

⭐ Why SOC Toolkit?

Most threat intelligence tools require API keys for every source. SOC Toolkit is different:

✅ 25 sources work without any API key
✅ Instant setup - just pip install and go
✅ Real blocklists from abuse.ch, Spamhaus, EmergingThreats, and more
✅ One command queries all sources in parallel

🚀 Quick Start

# Install
pip install soc-toolkit

# Analyze an IP
soc 185.220.101.45

# That's it! No API keys needed.

📊 Example Output

╔════════════════════════════════════════════════════════════════╗
║ 🔍 IOC: 185.220.101.45                                         ║
║ 📋 Type: IP                                                    ║
║ 🔴 CRITICAL - Known malicious indicator!                       ║
║ 📊 Found in 8/23 sources | ⚠️  2 sources flagged as malicious   ║
╚════════════════════════════════════════════════════════════════╝

┌─────────────────┬──────────┬──────────┬─────────────────────────┐
│ Source          │ Status   │ Threat   │ Details                 │
├─────────────────┼──────────┼──────────┼─────────────────────────┤
│ DNSBL           │ ✅ Found │ 🔴 Crit  │ 3/6 blacklists          │
│ IPsum           │ ✅ Found │ 🔴 Crit  │ 3+ blacklist hits       │
│ TorExit         │ ✅ Found │ 🟡 Med   │ TOR EXIT NODE           │
│ GreyNoise       │ ✅ Found │ 🔵 Low   │ suspicious, noise=True  │
│ Shodan          │ ✅ Found │ 🔵 Low   │ ports: 80               │
│ IP-API          │ ✅ Found │ 🟢 Clean │ Germany, Brandenburg    │
└─────────────────┴──────────┴──────────┴─────────────────────────┘

🔌 Providers (28 Total)

🆓 FREE - No API Key Required (25)

API-Based (7)

Provider	Types	Description
Shodan InternetDB	IP	Open ports, CVEs
IP-API	IP	GeoIP, proxy detection
GreyNoise	IP	Scanner detection
StopForumSpam	IP, Email	Spam database
URLScan.io	URL, Domain	URL analysis
IPInfo	IP	Geolocation
CIRCL Hashlookup	Hash	Known file database

DNS Blacklist (1)

Provider	Types	Description
DNSBL	IP	Checks 6 major blacklists (Spamhaus, SpamCop, SORBS, Barracuda, CBL, UCEProtect)

Blocklist Downloads (17)

Provider	Source	Description
EmergingThreats	Proofpoint	Compromised IPs
CINS Army	Sentinel IPS	Bad reputation IPs
Blocklist.de	Community	Attack source IPs
Feodo Tracker	abuse.ch	Botnet C2 servers
SSLBL	abuse.ch	Malicious SSL certs
Tor Exit Nodes	torproject.org	Tor exit detection
Spamhaus DROP	Spamhaus	Hijacked networks
Binary Defense	BinaryDefense	Threat IPs
GreenSnow	GreenSnow	Attack IPs
IPsum	stamparm	3+ blacklist aggregator
DShield	SANS ISC	Top attackers
BruteForce Blocker	danger.rulez.sk	SSH/FTP attackers
URLhaus	abuse.ch	Malware URLs
ThreatFox	abuse.ch	IOC database
MalwareBazaar	abuse.ch	Malware hashes
Phishing Database	Community	Phishing domains
OpenPhish	OpenPhish	Phishing URLs

🔑 Premium - API Key Required (3)

Provider	Free Tier	Get Key
VirusTotal	500/day	virustotal.com
AbuseIPDB	1000/day	abuseipdb.com
AlienVault OTX	Unlimited	otx.alienvault.com

💡 Usage

# IP Analysis
soc 185.220.101.45

# Domain Analysis
soc evil-domain.com

# Hash Analysis
soc 44d88612fea8a8f36de82e1278abb02f

# MITRE ATT&CK Mapping
soc 185.220.101.45 --mitre

# WHOIS & DNS Enrichment
soc evil.com --enrich

# Extract IOCs from log file
soc -e /var/log/firewall.log

# Batch analysis
soc -f iocs.txt -o ./reports/

# Interactive mode
soc -i

# Export formats
soc 1.2.3.4 --json out.json
soc 1.2.3.4 --md report.md

🔑 Optional: Add API Keys

For even more coverage, add these free API keys:

export VIRUSTOTAL_API_KEY="your-key"
export ABUSEIPDB_API_KEY="your-key"
export OTX_API_KEY="your-key"

🎯 MITRE ATT&CK Mapping

soc 185.220.101.45 --mitre

🎯 MITRE ATT&CK Mapping

  📌 Credential Access
    🔴 T1110: Brute Force

  📌 Command and Control
    🟡 T1071: Application Layer Protocol

  📌 Initial Access
    🟢 T1190: Exploit Public-Facing Application

📦 Installation

# From PyPI
pip install soc-toolkit

# From source
git clone https://github.com/frkndncr/soc-toolkit.git
cd soc-toolkit
pip install -e .

# Verify
soc --version
soc --providers

📝 Changelog

v2.1.0 (December 2025) 🆕

🔥 25 FREE providers - no API key required!
➕ Added 17 blocklist-based providers
➕ EmergingThreats, CINS Army, Blocklist.de
➕ Spamhaus DROP, Binary Defense, GreenSnow
➕ IPsum, DShield, BruteForce Blocker
➕ Phishing Database, OpenPhish
🔄 Smart blocklist caching (1 hour)
⚡ Parallel queries for faster results

v2.0.0 (December 2025)

Updated all providers to latest APIs
Added MITRE ATT&CK mapping
Added WHOIS & DNS enrichment

v1.0.0

Initial release with 19 providers

🤝 Contributing

Contributions welcome! Feel free to submit issues and pull requests.

👨‍💻 Author

Furkan Dinçer - Security Engineer

📄 License

MIT License - feel free to use in your projects!

⭐ Star this repo if you find it useful!

Name		Name	Last commit message	Last commit date
Latest commit History 5 Commits
samples		samples
soc_toolkit		soc_toolkit
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
pyproject.toml		pyproject.toml
requirements.txt		requirements.txt
sample_iocs.txt		sample_iocs.txt
soc_toolkit.py		soc_toolkit.py
test_soc.sh		test_soc.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

🛡️ SOC Toolkit

SOC Analyst Workbench - All-in-One Threat Intelligence Tool

⭐ Why SOC Toolkit?

🚀 Quick Start

📊 Example Output

🔌 Providers (28 Total)

🆓 FREE - No API Key Required (25)

API-Based (7)

DNS Blacklist (1)

Blocklist Downloads (17)

🔑 Premium - API Key Required (3)

💡 Usage

🔑 Optional: Add API Keys

🎯 MITRE ATT&CK Mapping

📦 Installation

📝 Changelog

v2.1.0 (December 2025) 🆕

v2.0.0 (December 2025)

v1.0.0

🤝 Contributing

👨‍💻 Author

📄 License

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

🛡️ SOC Toolkit

SOC Analyst Workbench - All-in-One Threat Intelligence Tool

⭐ Why SOC Toolkit?

🚀 Quick Start

📊 Example Output

🔌 Providers (28 Total)

🆓 FREE - No API Key Required (25)

API-Based (7)

DNS Blacklist (1)

Blocklist Downloads (17)

🔑 Premium - API Key Required (3)

💡 Usage

🔑 Optional: Add API Keys

🎯 MITRE ATT&CK Mapping

📦 Installation

📝 Changelog

v2.1.0 (December 2025) 🆕

v2.0.0 (December 2025)

v1.0.0

🤝 Contributing

👨‍💻 Author

📄 License

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages