cti-expert

name: cti-expert description: "CTI Expert — cyber threat intelligence and OSINT analysis toolkit. Activates on: OSINT, CTI, threat intelligence, digital footprint, social media investigation, username enumeration, email tracing, domain recon, OPSEC, metadata analysis, people search, geolocation, breach checking, phone lookup, subdomain enumeration, case investigation, recon, due diligence, image forensics, face search, blockchain investigation, crypto tracing, flight tracking, maritime tracking, vehicle lookup, darknet search, WiFi SSID geolocation, vulnerability lookup, ransomware check, M365 recon, Azure tenant enumeration. Commands: /case, /sweep, /query, /subject, /timeline, /report, /brief, /exposure, /username, /phone, /breach-deep, /vuln-check, /wifi, /flow, /threat-model, /msftrecon. Techniques: social media platforms, advanced geolocation, web/DNS forensics, image forensics, blockchain, transport tracking, darknet, people search, cloud audit, incident triage, OWASP audit, prompt injection audit. Author: Hieu Ngo - chongluadao.vn" version: "2.0" author: "Hieu Ngo - chongluadao.vn"

CTI Expert

Cyber threat intelligence and open-source intelligence skill. Turns Claude into a trained CTI/OSINT analyst. Generates precision search queries, interprets public data, builds case timelines, and delivers structured intelligence products — no API keys, no paid subscriptions.

Collection method: agent-browser when available (JavaScript-heavy sites, infinite-scroll, screenshot evidence), with automatic fallback to web search / web fetch / direct URL fetch. Tool limitations are logged as collection gaps — never as case blockers.

1. Quick Start

# Full autonomous case — runs every applicable technique
/case target.com

# Guided flow for first-time investigators
/flow person

# Summary of what's been found so far
/brief

Append --yolo to any command to skip all interactive prompts and confirmations. The analyst makes every decision autonomously.

2. AEAD Case Lifecycle

Every investigation follows four phases:

Run /progress at any point to see which phase you're in and what's pending.

3. Command Reference

Commands grouped by AEAD phase.

Acquire

| /dork-sweep [target] [--telegram\|--docs\|--filetype\|--all] [--after DATE] [--clean] | Zero-auth dork sweep: Telegram ecosystem, 18 doc-hosts, filetype families; 4-tier fallback cascade | /dork-sweep example.com --filetype | | /docleak [target] [--platform list] [--severity high] | 18-platform document leak hunt with severity classification (CRITICAL/HIGH/MEDIUM/LOW) | /docleak "Acme Corp" |

| /dns-history [domain] | Historical DNS record changes (A, NS, MX) via passive DNS | /dns-history example.com | | /cert-history [domain] | SSL/TLS certificate timeline from CT logs (crt.sh) | /cert-history example.com | | /email-permute [name] [domain] | Generate email permutations from name + domain | /email-permute "John Smith" company.com | | /proton-check [email] | Proton Mail account creation date via PGP key | /proton-check user@proton.me | | /pgp-lookup [email] | PGP key search — creation date, UIDs, signatures | /pgp-lookup dev@example.com | | /wifi [ssid] | WiFi SSID geolocation via Wigle.net | /wifi "HomeNetwork" | | /wifi --bssid [mac] | Exact AP lookup by MAC address | /wifi --bssid AA:BB:CC:DD:EE:FF | | /register [name] | Add a subject to the case workspace | /register JohnDoe | | /snapshots [url] | View archived Wayback snapshots of a URL | /snapshots example.com |

Enrich

Assess

Deliver

UX & Navigation

4. Subject & Connection Model

Reference: engine/case-schema.json, engine/subject-registry.md

Subject Types

Connection Types

owns         — domain, email, or asset ownership
uses         — platform account or tool usage
works_at     — employment or affiliation
linked_to    — general association
alias        — same identity, different handle
communicated_with — observed contact

Finding Trust Scores

Source Reliability Scale

Complements numeric trust scores with source-level grading. Trust score rates finding content; source reliability rates the source itself.

Confidence Levels

Map Rendering (ASCII Mandatory)

ALL visualization commands produce ASCII box-drawing art by default. This includes /graph, /render entities, /render network, /render timeline, /render risk, /pathfind, and /show-connections. Mermaid available only with explicit --mermaid flag.

Why ASCII-first: Universal terminal compatibility, renders correctly in .md and .docx exports, no external renderer dependency.

┌─────────────────────────────┐   owns   ┌───────────────────────────┐
│ 👤 John Doe          [3/5] │══════════▶│ 🌐 example.com     [4/5] │
└─────────────────────────────┘           └───────────────────────────┘
         │ works_at                       │ hosted_on
         ▼                                ▼
┌─────────────────────────────┐  ┌───────────────────────────┐
│ 🏢 Acme Corp         [4/5] │  │ 🖥 203.0.113.10    [4/5] │
└─────────────────────────────┘  └───────────────────────────┘

Connection arrows: ═══▶ owns · ───▶ confirmed · ···▶ inferred · ←─▶ bidirectional · ─·─▶ alias · ╌╌▶ works_at Box styles: ┌──┐ confirmed · ┌ ─ ┐ unverified · ╔══╗ target Badge: [n/5] trust score · emoji prefix = entity type

5. Finding Framework

Reference: engine/finding-framework.md, engine/conflict-resolver.md

Every finding logged via /record-finding captures:

Source URL / method
Collection method (browser | search | fetch | manual)
Trust score (1–5)
Confidence level (VERIFIED → CHALLENGED)
Timestamp
Linked subjects

Conflict detection (engine/conflict-resolver.md): When two findings about the same subject contradict each other, the system flags a CONTESTED state. Both findings are preserved. Resolution options: accept one, mark both TENTATIVE, or log the conflict as its own finding.

Deviation detection (analysis/deviation-detector.md): Automatically flags behavioral anomalies — account creation gaps, platform presence inconsistencies, metadata mismatches.

Weight engine (analysis/weight-engine.md): Aggregates trust scores across findings to compute subject-level confidence.

6. Technique Catalog

Reference directory: techniques/

| fx-dork-sweep.md | Zero-auth Google/Bing dork sweeps — Telegram ecosystem, doc-hosts, filetype families + 4-tier fallback cascade (WebSearch → Bing → DDG → agent-browser) | | fx-document-leak-hunt.md | 18-platform document leak discovery with severity classification, paywall handling, auto-snapshot |

| username-osint.md | 3000+ platform enumeration with pivot extraction | | phone-osint.md | Carrier lookup, VoIP detection, spam databases, FreeCNAM CallerID, WhoCalld, USPhoneBook reverse lookup | | email-osint.md | Full email investigation: accounts, breaches, infra, Proton API, PGP keys, permutation, manual reference tools | | fx-dns-cert-history.md | Historical DNS records (passive DNS, A/NS/MX changes), SSL certificate timeline (crt.sh CT logs) | | threat-intel.md | AbuseIPDB, GreyNoise, OTX, VirusTotal, URLScan.io, CIRCL CVE, NVD API, ransomware.live | | web-traffic-analysis.md | SimilarWeb/Semrush estimation, audience data | | secret-scanning.md | Credential/secret detection in repos and pastes | | github-osint.md | GitHub user/org/repo profiling, code search, commit metadata, forks, collaboration networks | | domain-advanced.md | Subfinder, Amass, CT log enumeration | | social-media-platforms.md | Twitter/X Snowflake IDs, Discord, Strava, BlueSky, ShareTrace share link analysis | | advanced-geolocation-techniques.md | Overpass Turbo, road sign analysis, reflected text | | web-dns-forensics.md | Zone transfers, Tor lookups, GitHub, Telegram, WHOIS, Xeuledoc Google doc intel | | fx-visitor-intelligence.md | Visitor stats, tech stack, geo, traffic sources, analytics/AdSense/advertising ID cross-domain linking, competitors | | wifi-ssid-osint.md | WiFi SSID/BSSID geolocation via Wigle.net, encryption analysis, travel patterns | | scam-check.md | Phishing/scam domain verification and detection | | cloud-audit.md | Cloud infrastructure security (AWS/GCP/Azure): IAM, network, storage, compute, logging, secrets | | microsoft-tenant-recon.md | M365/Azure tenant enumeration — federation, tenant ID, Azure AD config, MDI detection | | dependency-audit.md | Supply chain security: CVE audit, framework-specific vulns, typosquatting, CI/CD security | | disk-forensics.md | Digital evidence analysis: image integrity, Sleuth Kit, file carving, artifact recovery, timeline | | incident-triage.md | Security incident response: NIST 800-61 methodology, containment, evidence preservation, IOC extraction | | owasp-audit.md | OWASP Top 10 (2021) source code audit with grep patterns and CWE references | | prompt-injection-audit.md | AI/LLM security: prompt injection classes, agent/MCP security, permission boundary audit |

7. Workflow Guides

Reference directory: workflows/

Activate via /flow [type] — interactive guided prompts walk through each step.

8. Output Formats

Reference: output/reports/, connectors/

Mandatory File Export (CRITICAL)

Every /report, /brief, and /case command MUST auto-save two files to disk at the end of delivery:

1. Markdown report — saved as OSINT-REPORT-[CASE-ID]-[YYYY-MM-DD].md
2. Word document — saved as OSINT-REPORT-[CASE-ID]-[YYYY-MM-DD].docx

Save location: Current working directory, or ./osint-reports/ subdirectory if it exists.

DOCX generation (Rich format with charts & diagrams):

Step 1 — Build the DOCX-ready JSON file. The Python generator expects a SPECIFIC flat format (NOT the engine case-schema.json). You MUST construct the JSON matching this exact structure before calling the script. Reference: scripts/sample-cti-report-data.json.

{
  "case": {
    "id": "CTI-2026-001",          // string, case identifier
    "label": "Case Title",         // string, human-readable name
    "classification": "OPEN SOURCE", // string
    "analyst": "AI-Assisted CTI",  // string
    "date": "2026-04-08",          // ISO date
    "subject": "target.com",       // string, primary subject
    "status": "active",            // string
    "exposure_score": 72           // integer 0-100 (optional, enables risk gauge)
  },
  "executive_summary": "Full paragraph summarizing investigation findings...",
  "subjects": [
    {
      "id": "SUB-001",            // string ID (not UUID)
      "label": "target.com",      // human-readable name — REQUIRED for display
      "type": "domain",           // lowercase: domain, person, ip, organization, email, username
      "confidence": 95,           // INTEGER 0-100 (not string like "VERIFIED")
      "verified": true,           // boolean
      "aliases": ["alias1"],      // string array
      "first_seen": "2025-01-15", // ISO date string
      "notes": "Primary domain"   // string
    }
  ],
  "findings": [
    {
      "id": "FND-001",            // string ID
      "subject_id": "SUB-001",    // links to subject
      "type": "infrastructure",   // credential, infrastructure, identity, exposure, behavioral, legal
      "weight": "HIGH",           // CRITICAL, HIGH, MEDIUM, LOW, INFO — drives severity colors
      "description": "Full description of the finding...",
      "source_url": "https://...",
      "collected_at": "2026-04-08T10:00:00Z",
      "confidence": 88,           // INTEGER 0-100 (not string)
      "tags": ["tag1", "tag2"]
    }
  ],
  "connections": [
    {
      "id": "CON-001",
      "from_id": "SUB-001",       // subject ID
      "to_id": "SUB-002",         // subject ID
      "relationship": "owns",     // string describing relationship
      "strength": "confirmed"     // confirmed, probable, possible
    }
  ],
  "timeline": [
    {"date": "2025-01-15", "event": "Domain registered"}
  ],
  "sources": [
    {"name": "Source Name", "url": "https://...", "date": "2026-04-08"}
  ],
  "intelligence_gaps": [
    "Gap description string"
  ],
  "recommendations": [
    "Action item string"
  ],
  "visitor_stats": {              // optional — enables visitor intelligence charts
    "domain": "target.com",
    "monthly_visits": 150000,
    "traffic_sources": {"direct": 42, "search": 28, "referral": 15, "social": 10, "paid": 5},
    "top_countries": [{"country": "Vietnam", "share": 60}, {"country": "US", "share": 20}]
  },
  "caveats": ["Caveat string"]   // optional — overrides default methodology notes
}

CRITICAL FORMAT RULES:

• confidence on subjects and findings MUST be an integer (e.g., 85), NOT a string (e.g., "VERIFIED")
• findings MUST be a flat top-level array, NOT nested inside subjects
• label is REQUIRED on each subject (this is what displays in the report — not value or display_name)
• weight on findings drives severity coloring — use CRITICAL/HIGH/MEDIUM/LOW/INFO
• recommendations must be an array of strings (not objects with priority/action keys)
• All fields shown above should be populated with actual data — empty strings or "N/A" defeat the purpose
• Populate executive_summary with a full paragraph — this is the most-read section of the report

Step 2 — Save the JSON and run the generator:

# Primary: HYBRID generator — full narrative from MD + charts/diagrams from JSON
# This produces a complete DOCX with ZERO content loss from the MD report
python3 ~/.claude/skills/cti-expert/scripts/generate-cti-docx-hybrid.py \
  "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].md" \
  "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].json" \
  "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].docx"

# Fallback 1: JSON-only generator (charts + structured data, less narrative)
python3 ~/.claude/skills/cti-expert/scripts/generate-cti-docx.py \
  "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].json" \
  "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].docx"

# Fallback 2: MD-only mode (styled narrative, no charts — JSON optional)
python3 ~/.claude/skills/cti-expert/scripts/generate-cti-docx-hybrid.py \
  "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].md" \
  "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].docx"

# Fallback 3: pandoc (basic text conversion, no styling or charts)
pandoc "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].md" \
  -o "CTI-REPORT-[CASE-ID]-[YYYY-MM-DD].docx" \
  --from markdown --to docx --standalone

How the hybrid generator works:

1. Phase 1: pandoc converts the MD file to a base DOCX (preserving ALL narrative content — tables, lists, formatting)
2. Phase 2: python-docx post-processes to add CTI professional styling, prepend cover page + TOC, and inject charts/diagrams from JSON at matching section headings

The MD file is the primary content source. It carries the full narrative (detailed person profiles, infrastructure tables, wallet addresses, corporate structure, legal history, etc.). The JSON file provides structured data for visual elements (charts, diagrams, risk gauge). Using both together produces a complete report with zero content loss.

Rich hybrid DOCX includes: Cover page titled "CTI REPORT", table of contents, all narrative content from MD (every paragraph, table, list, code block), pie chart (finding types), bar chart (severity), risk gauge (exposure score), timeline chart, entity relationship diagram, network topology diagram, traffic/geo charts, CTI-themed styling (navy headings, styled tables), header/footer with classification and page numbers.

After saving, confirm all files to the user:

📄 Report saved:
   → CTI-REPORT-CASE001-2026-03-30.md
   → CTI-REPORT-CASE001-2026-03-30.json
   → CTI-REPORT-CASE001-2026-03-30.docx  (rich format with charts & diagrams)

Report Formats

All formats above auto-save as .md + .docx unless the format is inherently machine-only (JSON, CSV — those save as their native format only).

Visual Outputs

All visual outputs use ASCII box-drawing by default. Mermaid only on explicit --mermaid flag.

Connectors

9. Skill Tiers & Customization

Reference: experience/skill-tiers.md, experience/layered-detail.md

Tiers

Switch tiers at any point — output adapts immediately.

Guided Flows

experience/guided-flows/ contains step-by-step interactive flows:

• person-investigation.md — Full guided person case
• domain-reconnaissance.md — Guided domain sweep
• email-investigation.md — Guided email tracing
• rapid-case.md — 10-minute abbreviated sweep

Activate: /flow person · /flow domain · /flow email · /flow quick

Case Templates

experience/case-templates/ contains pre-built starting configurations:

• due-diligence.md — Corporate partner vetting
• security-audit.md — Organization exposure audit
• background-check.md — Individual background research

Activate: /template run [name]

10. Ethics & Boundaries

This skill operates strictly within publicly available information.

Permitted

• Journalists verifying facts about public figures or institutions
• Security professionals auditing their own organization's exposure
• Individuals reviewing their own digital footprint
• Corporate due diligence on business partners
• Academic research and educational demonstrations

Prohibited

• Stalking, harassment, or doxing of any individual
• Accessing accounts or systems without authorization
• Social engineering or deception campaigns
• Any activity violating applicable law

Ethical reminders are issued automatically when the investigation approaches sensitive territory. Public data is not a license to cause harm.

11. Autonomous Mode (--yolo)

Append --yolo to any command or activate at session start.

What changes:

• No clarifying questions — analyst infers context and proceeds
• No confirmation prompts — scope expands automatically on new discoveries
• Guided flows skip Q&A — reasonable defaults applied
• Both /report and /brief generated without asking

What stays the same:

• Ethics and legal boundaries — always enforced
• Trust scores on every finding
• Source citations on every claim
• /validate and /coverage run before final delivery

Activate per-command: /case target.com --yolo Activate for session: /cti-expert --yolo

12. Architecture Reference

cti-expert/
├── SKILL.md                    This file
├── README.md                   User-facing overview
│
├── engine/                     Case data model and state management
│   ├── case-schema.json        Subject and finding data structures
│   ├── subject-registry.md     How subjects are tracked and versioned
│   ├── finding-framework.md    Finding lifecycle, trust scores, evidence chains
│   ├── workspace-format.md     Workspace serialization spec
│   ├── workspace-manager.md    Save/open/list workspace logic
│   └── conflict-resolver.md    CONTESTED finding resolution
│
├── analysis/                   Pattern detection and intelligence engines
│   ├── deviation-detector.md   Behavioral anomaly detection
│   ├── auto-branch-rules.md    Automatic pivot trigger rules
│   ├── drift-monitor.md        Subject state change tracking
│   ├── cross-reference-engine.md Shared identifier detection across subjects
│   ├── archive-explorer.md     Wayback Machine integration and diff
│   ├── signature-catalog.md    Behavioral pattern library
│   ├── exposure-model.md       Exposure score calculation framework
│   ├── risk-trend-tracker.md   Temporal risk score tracking (/drift)
│   ├── pattern-library.md      Username, email, bot detection patterns
│   └── weight-engine.md        Finding aggregation and confidence weighting
│
├── techniques/                 Collection techniques and module specs
│   ├── fx-metadata-parsing.md  EXIF, headers, document metadata
│   ├── fx-image-verification.md Image authenticity and provenance
│   ├── fx-breach-discovery.md  Breach database and paste site methods
│   ├── fx-geolocation.md       GPS, W3W, Plus Codes, Street View
│   ├── fx-social-topology.md   Social graph construction and topology
│   ├── fx-email-header-analysis.md Header analysis, SPF/DKIM
│   ├── fx-document-forensics.md Document forensics and extraction
│   ├── fx-http-fingerprint.md  HTTP fingerprinting and signatures
│   ├── fx-leak-monitoring.md   Leak and breach monitoring
│   ├── username-osint.md       Platform enumeration (3000+)
│   ├── phone-osint.md          Phone carrier/VoIP/spam lookup
│   ├── email-osint.md          Deep email investigation
│   ├── threat-intel.md         Threat intelligence free lookups
│   ├── web-traffic-analysis.md Traffic estimation methods
│   ├── secret-scanning.md      Credential/secret detection
│   ├── github-osint.md         GitHub profiles, repos, code, commits, forks
│   ├── domain-advanced.md      Subdomain enumeration methods
│   ├── social-media-platforms.md Platform-specific techniques
│   ├── advanced-geolocation-techniques.md Overpass Turbo, road signs, reflected text
│   ├── wifi-ssid-osint.md      WiFi SSID/BSSID geolocation via Wigle.net
│   ├── web-dns-forensics.md    DNS, GitHub, Telegram, WHOIS
│   ├── fx-visitor-intelligence.md Visitor stats, tech stack, geo analysis
│   ├── scam-check.md           Phishing/scam domain verification
│   ├── cloud-audit.md          Cloud infrastructure security audit
│   ├── microsoft-tenant-recon.md M365/Azure tenant enumeration
│   ├── dependency-audit.md     Supply chain security audit
│   ├── disk-forensics.md       Digital evidence analysis
│   ├── incident-triage.md      Security incident response
│   ├── owasp-audit.md          OWASP Top 10 source code audit
│   ├── prompt-injection-audit.md AI/LLM security audit
│   └── ioc-export.md           IOC export (STIX 2.1, flat list)
│
├── experience/                 UX, tiers, and guided flows
│   ├── skill-tiers.md          Novice/Practitioner/Specialist spec
│   ├── layered-detail.md       Progressive disclosure rules
│   ├── guidance-system.md      How guided flows work
│   ├── case-progress.md        Progress tracking logic
│   ├── guided-flows/           Interactive step-by-step flows
│   │   ├── flow-person-lookup.md Person investigation guided flow
│   │   ├── flow-domain-sweep.md Domain reconnaissance guided flow
│   │   └── flow-image-check.md Image verification guided flow
│   ├── case-templates/         Pre-built case configurations
│   │   ├── tpl-index.md        Template index and descriptions
│   │   ├── tpl-due-diligence.md Due diligence case template
│   │   ├── tpl-security-review.md Security audit case template
│   │   └── tpl-background-check.md Background check case template
│   ├── tutorial.md             First-time onboarding guide (/onboard)
│   ├── feedback-system.md      Investigation quality feedback loops
│   └── accessibility/          Glossary and accessibility settings
│       ├── glossary.md         OSINT term glossary
│       └── accessible-mode.md  Low-jargon mode settings
│
├── output/                     Report and visualization specs
│   ├── reports/                Report format templates
│   │   ├── format-catalog.md   Report format specifications
│   │   ├── leadership-brief-template.md Executive brief template
│   │   ├── export-specs.md     Export format specifications
│   │   └── citation-guide.md   Source citation standards
│   └── visuals/                Chart and visualization specs
│       ├── chart-templates.md  Chart rendering templates
│       ├── ui-components.md    UI component library
│       ├── render-engine.md    ASCII render engine spec
│       ├── case-dashboard.md   Dashboard layout spec
│       ├── attack-path-diagram.md  Attack path flow visualization (/render threat-path)
│       └── attack-surface-map.md   Attack surface exposure map (/render attack-surface)
│
├── scripts/                    DOCX report generation
│   ├── generate-cti-docx-hybrid.py  PRIMARY: Hybrid MD+JSON generator (pandoc + post-process)
│   ├── generate-cti-docx.py         Fallback: JSON-only generator
│   ├── cti_docx_postprocess.py      Post-processing: styling, chart injection, cover page
│   ├── cti_docx_charts.py           Chart rendering (pie, bar, gauge, timeline, traffic, geo)
│   ├── cti_docx_diagrams.py         Entity relationship + network topology diagrams
│   ├── cti_docx_sections.py         Report section formatting (used by JSON-only generator)
│   ├── cti_docx_styles.py           Document styling, colors, cover page, header/footer
│   ├── requirements.txt             Python dependencies
│   └── sample-cti-report-data.json  Example JSON report data
│
├── workflows/                  Professional workflow guides
│   ├── wf-journalist.md
│   ├── wf-hr-screening.md
│   ├── wf-threat-analyst.md
│   └── wf-private-investigator.md
│
├── handbook/                   Reference material
│   ├── operator-queries.md     Search operator catalog
│   ├── quick-report.md         Rapid reporting reference
│   ├── discovery-paths.md      Per-target-type search paths
│   ├── report-template.md      INTSUM format specification
│   └── tool-cascade-reference.md Tool priority and fallback chains
│
├── guides/                     Worked case walkthroughs
│   └── walkthroughs/           Step-by-step investigation examples
│       ├── walkthrough-person-lookup.md
│       ├── walkthrough-domain-sweep.md
│       └── walkthrough-username-trace.md
│
├── validation/                 Quality assurance
│   ├── coverage-matrix.md      Investigation area coverage tracking
│   ├── quality-scoring.md      Scoring methodology
│   └── verification-checklist.md Finding verification steps
│
└── connectors/                 External tool integrations
    ├── maltego-export.md
    ├── obsidian-setup.md
    └── notion-schema.md

Technique Activation Matrix

Which techniques activate per target type in a /case run:

| /dork-sweep | ✅ | ✅ | ✅ | ✅ | ✅ | ✅* | | /docleak | ✅ | ✅ | ✅ | ✅* | — | — |

| Social media platforms | ✅ | — | ✅ | ✅ | — | — | | Metadata forensics | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | Photo verification | ✅ | — | ✅* | ✅ | — | — | | Network analysis | — | ✅ | ✅ | — | — | ✅ | | Advanced geolocation | ✅ | — | — | ✅ | — | — | | Web & DNS forensics | — | ✅ | ✅ | — | ✅ | ✅ | | /timeline | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | /exposure | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | /threat-model | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | /wifi (SSID/BSSID) | ✅ | ✅ | ✅ | — | — | ✅ | | Visitor intelligence | — | ✅ | ✅ | — | — | ✅ | | Cloud audit | — | ✅ | ✅ | — | — | ✅ | | MSFTRecon (M365/Azure tenant) | — | ✅ | ✅ | — | — | — | | Dependency audit | — | ✅ | ✅ | — | — | — | | Disk forensics | — | — | — | — | — | — | | Incident triage | — | ✅ | ✅ | — | — | ✅ | | OWASP audit | — | ✅ | ✅ | — | — | — | | Prompt injection audit | — | ✅ | ✅ | — | — | — | | /snapshots | — | ✅ | ✅ | — | — | ✅ | | /diff | — | ✅ | ✅ | — | — | ✅ | | /drift | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | /render threat-path | — | ✅ | ✅ | — | — | ✅ | | /render attack-surface | — | ✅ | ✅ | — | — | ✅ | | /blind-spots | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | /source-check | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | /report ioc | — | ✅ | ✅ | — | — | ✅ | | /report + /brief | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | Shodan InternetDB (ports/tags/vulns) | — | ✅ | ✅ | — | — | ✅ | | GreyNoise Community (noise/threat class) | — | ✅ | ✅ | — | — | ✅ | | URLScan.io passive (scan history) | — | ✅ | ✅ | — | — | — | | Disposable email check (kickbox) | ✅ | — | ✅* | — | ✅ | — | | URLhaus (malware URL hosting) | — | ✅ | ✅ | — | — | ✅ | | ThreatFox (IOC/C2 lookup) | — | ✅ | ✅ | — | — | ✅ | | MalwareBazaar (hash → malware family) | — | — | — | — | — | — | | ipwho.is (geo + ASN + ISP) | — | ✅ | ✅ | — | — | ✅ | | DMARC/SPF/DKIM check (DNS) | — | ✅ | ✅ | — | ✅ | — |

✅* — runs for discovered key personnel within the organization MalwareBazaar — activates only via /hash [value] when a file hash is discovered during investigation

Adaptive chaining: Each phase feeds newly discovered identifiers into subsequent phases automatically. If /sweep on a domain finds an email, /email-deep and /breach-deep trigger on it automatically.

GitHub OSINT auto-fire in /case:

• Domain/Org target → run /github-osint on the org name, primary domain, discovered GitHub orgs/repos, and developer-platform hits from /query or /dork-sweep.
• Username target → run /github-osint directly when the handle has a GitHub profile or GitHub search hit.
• Person target → run /github-osint only after discovering a likely GitHub handle, commit email, repo author, or developer profile link.
• Email target → run /github-osint only after discovering commit attribution, GitHub noreply patterns, profile links, or repo references.
• Results feed into /secrets, /branch, /timeline, /crossref, /exposure, and final /report automatically.

✅* dork coverage notes: /dork-sweep on IP runs against reverse-DNS hostname once resolved (graceful skip if no rDNS); /docleak on Username targets document-author/uploader fields on scribd, slideshare, academia.edu, researchgate.

Dork auto-fire matrix — every /case target type gains coverage:

• Person → /dork-sweep --telegram --docs + /docleak on full name
• Domain → /dork-sweep --filetype --docs + /docleak on domain + org name
• Org → /dork-sweep --filetype --docs --telegram + /docleak on org + primary domain
• Username → /dork-sweep --telegram --docs + /docleak (author-angle)
• Email → /dork-sweep --telegram --docs on email + @domain
• IP → /dork-sweep on rDNS-resolved hostname (skipped if no rDNS)

Adaptive fan-out: discovered emails → Telegram dork; discovered personnel → /docleak; discovered subdomains → filetype dork; discovered usernames → Telegram + doc sweep; discovered IPs → rDNS → dork-sweep.

When /case or /sweep runs on a Domain or Org target, it inspects the MX record and SPF TXT record. If MX ends in protection.outlook.com OR SPF contains spf.protection.outlook.com, /msftrecon auto-fires as part of the Acquire phase. Results feed back into the subject registry as infrastructure findings (tenant ID, federation type, MDI presence) and into /exposure scoring.

/case pipeline walkthrough (M365-hosted Domain/Org): (a) standard DNS/WHOIS/subdomain/traffic/scam-check/breach-deep checks run first, (b) if M365 indicators present → /msftrecon fires automatically with no extra flag, (c) tenant ID discovered becomes a pivot for /branch in Enrich phase (search other domains under the same tenant). No user intervention required.

Parallel enrichment (3+ subjects): When Acquire discovers 3+ subjects, enrichment commands fan out in parallel via AgentFlow DAG orchestration. Each subject's enrichment runs independently, results merge with dedup before Assess phase. Disable with --sequential flag. See techniques/agentflow-enrichment.md.

Exposure Score Bands

Tool Priority & Fallback

1. Check agent-browser availability first
2. Use agent-browser for: screenshot evidence, interactive UI, complex multi-step browser flows
3. Use Scrapling DynamicFetcher for: JS-heavy sites, SPA content, auto-escalation from static
4. Use Scrapling StealthyFetcher for: anti-bot bypass, Cloudflare-protected targets
5. Use Scrapling Fetcher for: fast static page collection, HTML parsing (~2ms)
6. Fall back to web search → web fetch → direct curl — no investigation blockers
7. Tag each finding with collection method: [browser] · [scrapling-dynamic] · [scrapling-stealth] · [scrapling-static] · [search] · [fetch] · [manual] · [whois-lib] · [whois-cli] · [whois-api]

Tool Auto-Install Policy

Before running any CLI tool, check if it exists on the system. If not, install it automatically and silently. This ensures zero-friction investigation — the analyst never stalls on missing dependencies.

Auto-Install Protocol

1. Check: command -v <tool> >/dev/null 2>&1 (or python -m <module> --help for Python modules)
2. Install: If missing, run the install command from the table below
3. Verify: Confirm installation succeeded before proceeding
4. Log: Note [auto-installed] in the finding's collection method tag
5. Continue: Proceed with the investigation — never block on tool availability

Install Commands by Tool

Behavior Rules

• Silent install: Do not ask permission — install and proceed. Tool installation is a normal part of the investigation workflow.
• pip vs pipx: Use pip by default. Use pipx only for tools that explicitly require it (Sherlock).
• Go tools: Require Go installed. If command -v go fails, note the gap and fall back to next tool in cascade.
• apt tools: May require root. Use sudo apt install -y if not running as root.
• Git-based install: For tools without PyPI packages (ShareTrace), clone the repo and install dependencies via git clone ... && cd ... && pip3 install -r requirements.txt
• Fallback on install failure: If installation fails, skip to the next tool in the cascade — never block the investigation.