Fast and secure analysis of Indicators of Compromise (IOC) directly in your browser
Website | Features | Installation | Usage | Privacy | Development | API Keys | Versioning
This is a major release bringing AI-powered analysis, new threat intelligence providers, and a complete UI overhaul.
- 3 AI Providers - Claude (Anthropic), Gemini (Google), GPT-4o (OpenAI)
- 3 Analysis Modes - Summary (quick triage), Analysis (escalation), Detailed (investigation)
- Structured Responses - Consistent JSON output with verdict, risk level, confidence scores
- Smart Caching - Language-aware AI result caching with 24-hour expiry
- Export Options - Copy as Markdown, Export as PNG image
- URLhaus - Malicious URL database by abuse.ch (unlimited free)
- Pulsedive - Threat intelligence with risk scoring (250 req/day free)
- Scamalytics - IP fraud detection (5,000 credits/month free)
- Fresh Color Palette - Lime green accent (#C7F54D), coral red danger (#E63946)
- Responsive Design - Mobile-optimized action buttons and layouts
- Drag-and-Drop Provider Order - Customize how providers appear
- Modern Result Cards - Enhanced UI for all providers
- AI providers: Claude (Sonnet 4), Gemini (2.0 Flash), GPT-4o (Mini)
- Threat intelligence providers: VirusTotal, OTX AlienVault, AbuseIPDB, MalwareBazaar, ARIN, Shodan, GreyNoise, URLhaus, Pulsedive, Scamalytics
- Smart API Usage - Only queries providers supporting the IOC type
- Rate Limit Protection - Confirmation system for GreyNoise and Shodan
- No API Key Required - ARIN WHOIS & URLhaus (always available)
View Complete Changelog - Full version history and detailed release notes
Automatically detects and analyzes various types of security indicators:
| Category | Indicators |
|---|---|
| Network | IPv4/IPv6 addresses, Domains, URLs |
| Hashes | MD5, SHA1, SHA256 file hashes |
| Identity | Email addresses, CVE numbers |
| Crypto | Bitcoin, Ethereum addresses |
- Select any text on any webpage
- Floating button appears instantly
- One-click analysis
- Results in beautiful side panel
| Service | Purpose | Rate Limit |
|---|---|---|
| VirusTotal | Malware & URL scanning | 4 req/min (free) |
| OTX AlienVault | Threat intelligence & IOC pulses | 10,000 req/day |
| AbuseIPDB | IP reputation & abuse reports | 1,000 req/day (free) |
| MalwareBazaar | Malware hash database & sample repository | No strict limit (free) |
| ARIN | IP WHOIS & network registration | 15 req/min (no key required) |
| Shodan | Device search & vulnerability scanning | 100 results/month (free) * |
| GreyNoise | Internet noise detection & classification | 50 searches/week (free) * |
| URLhaus | Malicious URL & malware distribution database | Unlimited (free) |
| Pulsedive | Threat intelligence with IOC enrichment | 250 req/day (free) |
| Scamalytics | IP fraud score & scam detection | 5,000 credits/month (free) |
Note: Providers marked with * have a small fixed quota, so the extension asks for confirmation before each request to them instead of spending your quota silently.
- Real-time Support Detection - Each IOC shows compatible providers via badges
- Optimized API Calls - Only queries providers that support the IOC type
- No Wasted Requests - Saves API rate limits by skipping unsupported types
- Clear Messaging - Informative explanations when providers don't support an IOC type
- Google Translate-style floating button
- Tab-based provider results - Switch between all providers seamlessly (VirusTotal, OTX, AbuseIPDB, MalwareBazaar, ARIN, Shodan, GreyNoise, URLhaus, Pulsedive, Scamalytics)
- Provider support badges - See which providers support each IOC at a glance
- Informative empty states - Clear explanations when providers don't support an IOC type
- Clean, professional design
- Dark mode optimized
- Smooth animations
- Non-intrusive UX
- All API keys stored locally on your device
- No data collection or tracking
- Secure HTTPS connections only
- Optional caching with configurable retention
- Open source and transparent
- Content Security Policy compliant
- Read our Privacy Policy | Privacy Policy (Turkish)
Visit our website: ahtapot.me for detailed installation guides and documentation
The easiest way to install Ahtapot:
- Visit the Chrome Web Store
- Click "Add to Chrome"
- Confirm the permissions
- Start analyzing IOCs!
```bash
# Clone the repository
git clone https://github.com/yourusername/ahtapot-extension.git
cd ahtapot-extension

# Install dependencies
npm install

# Build the extension
npm run build
```
- Open Chrome and navigate to `chrome://extensions`
- Enable "Developer mode" (top-right corner)
- Click "Load unpacked"
- Select the `dist` folder from the project directory
We take your privacy seriously. Here's what you need to know:
- API Keys: Stored on your device in Chrome's extension storage (chrome.storage), which is scoped to this extension and your browser profile. Note that Chrome does not encrypt this storage area itself, so the keys are only as safe as your OS account and disk; if a profile is ever exposed, revoke the keys in the provider dashboards.
- Cached Results: Previously analyzed IOCs (optional, user-configurable retention period)
- User Preferences: Language selection and settings
- No Tracking: Zero analytics or telemetry
- No Servers: We don't operate any servers
- No Data Transmission: Nothing leaves your device except the API calls to the security services you configure. Those calls necessarily carry the indicators you analyze (and, in AI modes, the provider results being summarized), so treat internal hostnames or addresses as shared with those third parties.
- No Sale of Data: Your data is yours, period
- No Third-Party Sharing: Only you and the security APIs you configure
- Configure how long analyzed IOCs are kept (1-30 days, default: 7 days)
- Automatic cleanup of old cached data
- Manual cache clearing anytime
- All cached data stored locally only
Read the complete privacy policy:
- Click the Ahtapot extension icon → Settings
- General Settings Tab:
- Choose your language (English/Türkçe)
- Configure cache retention period (optional)
- API Keys Tab:
- Add your API keys for enhanced analysis
- See API Keys section for how to obtain them
Choose your preferred method:
Method A: Text Selection
1. Select text containing IOCs on any webpage
2. Floating button appears automatically
3. Click "Analyze" button
4. View results in side panel
Method B: Context Menu
1. Select text with IOCs
2. Right-click → "Analyze with Ahtapot"
3. Results appear in side panel
Method C: Manual Entry
1. Click extension icon → Open side panel
2. Paste IOCs into text area
3. Click "Detect IOCs" → "Analyze"
Results are color-coded for quick threat assessment:
- Safe - No threats detected (green)
- Suspicious - Potential threat, investigate further (yellow)
- Malicious - Confirmed threat, take action (red)
- Unknown - Insufficient data for assessment (gray)
Ahtapot integrates with leading AI providers to deliver intelligent IOC analysis. Get instant verdicts, risk assessments, and actionable recommendations.
| Provider | Model | Best For |
|---|---|---|
| Claude | Claude Sonnet 4 | Advanced reasoning, detailed analysis |
| Gemini | Gemini 2.0 Flash | Fast analysis, free tier available |
| GPT-4o | GPT-4o Mini | Balanced performance, cost-effective |
IOC analysis results can be presented in 3 different modes. Each mode is optimized for different use cases and SOC levels.
| Feature | Summary | Analysis | Detailed |
|---|---|---|---|
| Target Audience | L1 Triage | L1/L2 Handoff | L2/L3 + IR Team |
| Word Count | ~200 | 400-600 | 800-1200 |
| Read Time | 10 sec | 1-2 min | 3-5 min |
| Use Case | Quick triage decision | Escalation decision | Full investigation |
| MITRE ATT&CK | - | Basic | Detailed + Evidence |
| IR Guidance | Single action | 2-3 actions | Full playbook |
| Detection Rules | - | - | Sigma + Hunting queries |
| Threat Attribution | - | If available | Full analysis |
Summary mode is designed for rapid triage decisions. Readable within 10 seconds with immediate actionable output.
Best for: Alert queue management, initial triage, high-volume environments
Output includes:
- Verdict with color-coded indicator
- Risk and confidence levels
- TL;DR (1-2 sentences)
- Key signals (detection, reputation, associations)
- Single recommended action
Analysis mode provides sufficient context for escalation decisions. Used during the L1 to L2 handoff process.
Best for: Escalation decisions, L1/L2 handoff documentation, alert validation
Output includes:
- Everything in Summary, plus:
- Provider-by-provider breakdown table
- Consensus and conflict analysis
- False positive indicators
- Basic MITRE ATT&CK mapping
- Multiple prioritized actions
- Analyst notes and limitations
Detailed mode provides full investigation support, with an IR-workflow-compatible structure and evidence-based analysis.
Best for: Full incident investigation, IR team handoff, threat hunting, post-incident documentation
Output includes:
- Everything in Analysis, plus:
- Deep dive per IOC
- Threat actor/campaign attribution
- Kill chain phase assessment
- CIA impact analysis
- Full IR playbook (Containment → Eradication → Recovery)
- Sigma rule suggestions
- SIEM/EDR hunting queries
- External intelligence references
- Related IOCs for pivoting
All modes use consistent verdict indicators:
| Color | Verdict | Meaning |
|---|---|---|
| Red | MALICIOUS | Confirmed threat, immediate action required |
| Orange | SUSPICIOUS | Likely threat, investigation recommended |
| Yellow | LIKELY BENIGN | Probably safe, verify if needed |
| Green | CLEAN | No threats detected |
| Gray | UNKNOWN | Insufficient data for assessment |
```
┌─────────────────────────────────────────────────────────────┐
│ Which mode to use?                                          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Need quick triage decision?                                 │
│   └─► Summary                                               │
│                                                             │
│ Need to decide on escalation?                               │
│   └─► Analysis                                              │
│                                                             │
│ Investigating confirmed incident?                           │
│   └─► Detailed                                              │
│                                                             │
│ Writing IR report or hunting threats?                       │
│   └─► Detailed                                              │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Note: AI analysis requires API keys from the respective providers. Configure them in Settings → API Keys → AI Providers.
| Type | Example | Pattern |
|---|---|---|
| IPv4 | 192.168.1.1 | Four dotted octets, each 0-255 |
| IPv6 | 2001:0db8:85a3::8a2e:0370:7334 | Full or compressed (`::`) form |
| Domain | example.com | Valid TLD required |
| URL | https://example.com/path | HTTP/HTTPS |
| MD5 | d41d8cd98f00b204e9800998ecf8427e | 32 hex chars |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 | 40 hex chars |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | 64 hex chars |
| Email | [email protected] | RFC 5322 |
| CVE | CVE-2021-44228 | CVE-YYYY-NNNN (sequence part has 4 or more digits) |
| Bitcoin | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa | Base58 (legacy) or Bech32 (`bc1...`) |
| Ethereum | 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb | 0x + 40 hex chars |
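The detection described in the Supported IOC Types list and in the table above, as an added example that is not the Ahtapot project's own code. The regexes, the precedence order between patterns, and the TLD handling are assumptions about how such a detector can be written; the sample text at the bottom is constructed. It goes slightly beyond the table in that it resolves the ambiguities a naive per-pattern scan hits: a host inside a URL or e-mail is not reported a second time as a domain, the 40 hex digits of an Ethereum address are not reported as a SHA1, and colon-separated strings such as timestamps and MAC addresses are rejected as IPv6.

```typescript
// Added example (not the extension's own code): an IOC detector for the types
// in the table above. Regexes, precedence and TLD handling are assumptions.

type IocType =
  | "ipv4" | "ipv6" | "domain" | "url" | "md5" | "sha1" | "sha256"
  | "email" | "cve" | "bitcoin" | "ethereum";

interface Ioc { type: IocType; value: string; }

const OCTET = "(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])";

// Tried in this order; a later match that overlaps an earlier one is dropped.
const PATTERNS: Array<[IocType | "hash", RegExp]> = [
  ["url", /\bhttps?:\/\/[^\s<>"'()]+/gi],
  ["email", /\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi],
  ["ipv4", new RegExp("\\b" + OCTET + "(?:\\." + OCTET + "){3}\\b", "g")],
  // Loose candidate only; isIpv6() enforces the group count and the single "::" rule.
  ["ipv6", new RegExp("(?<![\\w:.])(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}(?![\\w:.])", "gi")],
  ["ethereum", /\b0x[0-9a-f]{40}\b/gi],
  // Longest first; the length then tells MD5, SHA1 and SHA256 apart.
  ["hash", /\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b/gi],
  ["cve", /\bCVE-[0-9]{4}-[0-9]{4,}\b/gi],
  ["bitcoin", /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{25,62})\b/g],
  // "Valid TLD required" is approximated by an alphabetic TLD of 2+ letters; a
  // production detector would also check the IANA TLD list.
  ["domain", /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b/gi],
];

// Full form needs exactly 8 groups; compressed form has one "::" and at most 7.
function isIpv6(candidate: string): boolean {
  const halves = candidate.split("::");
  if (halves.length > 2) return false;
  const toGroups = (h: string): string[] => (h === "" ? [] : h.split(":"));
  const groups = toGroups(halves[0]).concat(halves.length === 2 ? toGroups(halves[1]) : []);
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

function hashType(hex: string): IocType {
  return hex.length === 64 ? "sha256" : hex.length === 40 ? "sha1" : "md5";
}

function detectIocs(text: string): Ioc[] {
  const found: Array<{ start: number; end: number; ioc: Ioc }> = [];
  const overlaps = (s: number, e: number): boolean => found.some((f) => s < f.end && e > f.start);
  for (const [kind, re] of PATTERNS) {
    re.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      const start = m.index;
      const end = start + m[0].length;
      if (overlaps(start, end)) continue;
      if (kind === "ipv6" && !isIpv6(m[0])) continue;
      const type: IocType = kind === "hash" ? hashType(m[0]) : kind;
      found.push({ start, end, ioc: { type, value: m[0] } });
    }
  }
  // Report in document order, once per (type, value).
  const seen = new Set<string>();
  const out: Ioc[] = [];
  for (const f of found.sort((a, b) => a.start - b.start)) {
    const key = f.ioc.type + ":" + f.ioc.value.toLowerCase();
    if (!seen.has(key)) { seen.add(key); out.push(f.ioc); }
  }
  return out;
}

// Constructed sample text for a stand-alone run (the Ethereum address is synthetic).
const ETH = "0x" + "ab".repeat(20);
const SAMPLE = "Seen 8.8.8.8 and 2001:0db8:85a3::8a2e:0370:7334 fetch https://example.com/path " +
  "(also example.com); md5 d41d8cd98f00b204e9800998ecf8427e, CVE-2021-44228, " +
  "wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, " + ETH + " at 12:30:45";
console.log(detectIocs(SAMPLE));
```

The overlap rule is what keeps the output honest: each character of the selection is claimed by at most one indicator, and the earlier, more specific pattern wins.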
- Node.js 18+ and npm
- Chrome browser
- TypeScript knowledge (recommended)
- Framework: React 18 + TypeScript
- Build Tool: Vite 5
- Styling: CSS3 with CSS Variables
- Icons: Lucide React
- Extension: Manifest V3
- Storage: Chrome Storage API
- Clone the repository
- Install dependencies: `npm install`
- (Optional) Copy `.env.example` to `.env` and add your API keys for development
- Build the extension: `npm run build`
- Load the `dist` folder in Chrome
- Test on various websites
In development mode, API keys can be automatically loaded from a `.env` file:

```bash
# Copy the example file
cp .env.example .env
# Edit .env and add your keys
```

Supported Environment Variables:

| Variable | Provider |
|---|---|
| VITE_VIRUSTOTAL_API_KEY | VirusTotal |
| VITE_URLHAUS_API_KEY | URLhaus |
| VITE_PULSEDIVE_API_KEY | Pulsedive |
| VITE_SCAMALYTICS_API_KEY | Scamalytics |
| VITE_OTX_API_KEY | AlienVault OTX |
| VITE_ABUSEIPDB_API_KEY | AbuseIPDB |
| VITE_SHODAN_API_KEY | Shodan |
| VITE_GREYNOISE_API_KEY | GreyNoise |
| VITE_MALWAREBAZAAR_API_KEY | MalwareBazaar |
| VITE_CLAUDE_API_KEY | Claude (Anthropic) |
| VITE_GEMINI_API_KEY | Gemini (Google) |
| VITE_OPENAI_API_KEY | OpenAI |

Note: Environment keys are only loaded in development mode (`npm run dev`) and only if no key exists in storage. Keep in mind that Vite statically inlines every `VITE_`-prefixed variable into the client bundle at build time, so never run a production `npm run build` with a populated `.env` present if you intend to distribute the output, and keep `.env` out of version control.
Get free API keys to unlock full analysis capabilities:
- Purpose: Malware, file, URL, IP, and domain analysis
- Free Tier: 4 requests per minute
- Supported IOCs: IPv4, IPv6, Domain, URL, File Hashes (MD5, SHA1, SHA256)
- Get Key: virustotal.com/gui/join-us
- Features:
- Real-time malware scanning
- Comprehensive threat analysis
- Detection statistics from 70+ antivirus engines
- Purpose: Threat intelligence and IOC pulse analysis
- Free Tier: 10,000 requests per day (10 req/sec)
- Supported IOCs: IPv4, IPv6, Domain, URL, File Hashes (MD5, SHA1, SHA256), CVE
- Get Key: otx.alienvault.com/api
- Features:
- Community-driven threat intelligence
- Pulse-based threat information
- Malware family identification
- Targeted countries and adversary information
- Custom threat scoring algorithm
- Purpose: IP address reputation and abuse confidence scoring
- Free Tier: 1,000 requests per day
- Supported IOCs: IPv4, IPv6 only
- Get Key: abuseipdb.com/register
- Features:
- Abuse confidence scoring (0-100%)
- Detailed abuse reports and categories
- Geographic and network information
- ISP and usage type detection
- Community-reported abuse data
- Purpose: Malware sample database and hash reputation lookup
- Free Tier: No API key required, no strict rate limits
- Supported IOCs: File Hashes (MD5, SHA1, SHA256) only
- Documentation: bazaar.abuse.ch/api
- Note: Part of the abuse.ch project (same organization as URLhaus)
- Features:
- Malware sample information and metadata
- File type and signature detection
- Malware family classification
- Submission date and first seen information
- Community-driven malware intelligence
- No authentication required for basic lookups
- Purpose: IP address WHOIS and network registration information
- Free Tier: No API key required (public read-only access)
- Supported IOCs: IPv4, IPv6 only
- Documentation: arin.net/resources/registry/whois/rws
- Features:
- Network registration details
- Organization information
- IP address allocation ranges
- CIDR notation and network blocks
- Registration and update dates
- Parent network relationships
- Always available without configuration
- Purpose: Internet-connected device search and vulnerability analysis
- Free Tier: 100 results per month (rate-limited with confirmation)
- Supported IOCs: IPv4, IPv6, Domain
- Get Key: Visit developer.shodan.io/api → Click "Show API Key" (top right)
- Features:
- Open port and service detection
- CVE vulnerability identification
- Device banners and service versions
- Geographic location data
- ISP and organization information
- Historical scan data
- Subdomain discovery for domains
- Purpose: Internet-wide noise detection and threat classification
- Free Tier: 50 searches per week (rate-limited with confirmation, combined with Visualizer usage)
- Supported IOCs: IPv4 only
- Get Key: viz.greynoise.io/account/details
- Features:
- Internet scanner detection (mass scanning vs targeted)
- RIOT (Rule It Out) - benign service identification
- Classification (malicious, benign, unknown)
- Actor information and tags
- Last seen timestamps
- Metadata about scanning activity
- Purpose: Malicious URL and malware distribution database
- Free Tier: Unlimited (free account)
- Supported IOCs: URL, Domain, IPv4, IPv6, MD5, SHA256
- Documentation: urlhaus.abuse.ch/api
- Note: Part of the abuse.ch project (same organization as MalwareBazaar)
- Features:
- Malicious URL database
- Payload and threat classification
- URL status monitoring (online/offline)
- Malware distribution tracking
- Blacklist status (Spamhaus DBL, SURBL)
- Purpose: Threat intelligence platform with IOC enrichment
- Free Tier: 250 requests/day (2,500/month)
- Supported IOCs: IPv4, IPv6, Domain, URL, MD5, SHA1, SHA256
- Get Key: pulsedive.com/account
- Features:
- Risk level assessment (none/low/medium/high/critical)
- Threat feed tracking
- Risk factor analysis
- Geographic and organization data
- Community-driven intelligence
- Purpose: IP fraud score and scam detection
- Free Tier: 5,000 credits/month (15-day PREMIUM trial)
- Supported IOCs: IPv4, IPv6 only
- Get Key: scamalytics.com/ip/api (requires manual approval)
- Note: Registration requires manual review. You'll receive API credentials via email within 24 hours.
- Features:
- IP fraud risk score (0-100)
- Datacenter & VPN detection
- TOR exit node detection
- External blacklist checks
- Proxy detection (iCloud Private Relay, AWS, Google)
Privacy Note: All API keys are stored locally in Chrome's extension storage (chrome.storage), scoped to this extension and your browser profile. They never leave your device except when making API calls to the respective services. Chrome does not encrypt this storage area itself, so protect the profile with your OS account and disk security, and rotate keys in the provider dashboards if a profile is ever exposed.
Rate Limit Protection: GreyNoise and Shodan require user confirmation before consuming your limited quota. You can choose to analyze or skip these providers for each request.
Live Validation: Test your API keys directly in the settings page before saving to ensure they work correctly.
Smart Optimization: Extension automatically detects which providers support each IOC type and only makes necessary API calls, saving your rate limits.
- User selects text → the content script detects IOCs in the selection
- The content script sends the detected IOCs to the background service worker via extension messages
- The background service worker makes the API calls over HTTPS
- Results are returned to the side panel for display
- Beyond your API keys and the optional result cache, nothing is persisted
Contributions are welcome! This project is actively maintained.
- Fork the repository
- Create a feature branch: `git checkout -b feature/amazing-feature`
- Commit your changes: `git commit -m 'Add amazing feature'`
- Push to your branch: `git push origin feature/amazing-feature`
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Website: ahtapot.me
- Chrome Web Store: Install Extension
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Privacy Questions: See Privacy Policy
- Security Vulnerabilities: Please report security issues privately via GitHub Security tab
This project follows Semantic Versioning 2.0.0 (SemVer).
Version Format: MAJOR.MINOR.PATCH
- MAJOR - Backward-incompatible changes (e.g., removing a provider)
- MINOR - New features, backward compatible (e.g., adding a provider)
- PATCH - Bug fixes and minor improvements
For detailed information:
- VERSIONING.md - Complete versioning strategy and contributor guidelines
- CHANGELOG.md - Full version history and release notes
Current Version: 3.0.0
Built for the cybersecurity community