PyOTI is an API framework to easily query threat intel APIs to get fast, accurate and consistent enrichment data to provide added context to your indicators of compromise. Built as a modular framework to make it easy to use any of the available APIs without needing to be an experienced coder. If a service or tool you use isn’t already in PyOTI it is simple to add a new enrichment module or you may open an issue for a feature request and we can work to get it added into the project.
| Indicator Types | APIs |
|---|---|
| Domains | CheckDMARC, CIRCLPDNS, IrisInvestigate |
| Email Addresses | DisposableEmails, EmailRepIO |
| Hashes | CIRCLHashLookup, MalwareBazaar, MalwareHashRegistry |
| IP Addresses | AbuseIPDB, GreyNoise, SpamhausIntel |
| URLs | GoogleSafeBrowsing, LinkPreview, Phishtank, ProofpointURLDecoder |
| Multis | BinaryEdge, CIRCLPSSL, CiscoUmbrellaInvestigate, DNSBlockList, FileScanIO, HybridAnalysis, IP2Location/IP2WHOIS, JoeSandbox, MaltiverseIOC, MetaDefenderCloudV4, MISP, Onyphe, OTX, Pulsedive, Stairwell, ThreatFox, Triage, URLhaus, URLscan, VirusTotalV3, WhoisXML, XForceExchange |
It is advised to use a virtual environment.
python3 -m pip install pyotiIf you want to also use the Jupyter Notebook please install additional dependencies.
python3 -m pip install pyoti[jupyter_notebook]Windows instructions can be found in the docs directory here.
Linux instructions can be found in the docs directory here.
For a quick tutorial on the ease and benefit of using PyOTI you can view the Phishing URL Triage Jupyter Notebook here.
Copyright © 2021-2025, RH-ISAC
This work is free software. You may redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or at your option, any later version.
This work is distributed in the hope that it will be useful, but is made available WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Please review the GNU General Public License at https://www.gnu.org/licenses/ for additional information.