cti-expert

skill

Security Audit: Failed

Health: Passed
  • License — License: NOASSERTION
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 225 GitHub stars
Code: Failed
  • rm -rf — Recursive force deletion command in scripts/install.sh
  • rm -rf — Recursive force deletion command in scripts/smoke-test.sh
Permissions: Passed
  • Permissions — No dangerous permissions requested

No AI report for this listing yet.

SUMMARY

CTI Expert — Cyber Threat Intelligence & OSINT analysis skill for Claude Code. 67+ commands, 35 techniques, no API keys required.

README.md

CTI Expert

Cyber Threat Intelligence & OSINT Analysis Toolkit

Transform Claude into a trained intelligence analyst — 67+ commands, 38 techniques, zero API keys required for core functionality.




Version 2.4 · License: MIT · 67+ Commands · 38 Techniques · No API Keys for Core




Built by Hieu Ngo · [email protected] · chongluadao.vn




What is CTI Expert?

A Claude Code skill that transforms Claude into a trained cyber threat intelligence and open-source intelligence analyst. It runs structured intelligence collection using 67+ commands across 36 techniques — no API keys required for core functionality. Some techniques offer optional enhanced access via free API keys (e.g., Wigle, VirusTotal, URLScan.io).

Core Capability

Multi-vector reconnaissance on any target type — person, domain, organization, username, email, IP, WiFi — with automated finding validation, exposure scoring, and structured intelligence delivery.

AEAD Workflow

Acquire raw data → Enrich with pivot expansion → Assess findings → Deliver structured reports (Markdown + Word with charts, diagrams, styled formatting).




Demo

Full Case Investigation

Full Case Demo — /case command running a complete investigation

CTI Report Generation

CTI Report Demo — Markdown + DOCX report output

Screenshots

Screenshots: INTSUM report, network topology diagram, risk assessment score



What's New in v2.4

| Category | What's New | Details |
|---|---|---|
| Platform | Cross-platform OS detection (Windows/macOS/Linux) | OS-aware auto-install; self-healing DOCX (UTF-8 + auto-located pandoc) |
| Packaging | uv-first toolchain | uv venv / uv pip / uv tool; PEP 723 uv run zero-setup scripts; pip/pipx/venv fallback |
| Portability | Cross-agent support | Runs in Claude Code and OpenAI Codex via AGENTS.md + a ready-to-copy /cti-expert Codex prompt |
| CTI | Infostealer-log analyzer (/stealer-log) | Family ID, victim-vs-operator profiling, cross-log actor correlation, IOC + raw-artifact extraction |
| Recon | Admin / sensitive-endpoint detection | Subdomain-prefix + path + CJK classifier (admin, adm, kef, ador, panel…) |
| Collection | agent-browser integration | Primary interactive browser (vercel-labs): CDP, accessibility-tree snapshots, screenshots; complementary to Scrapling, no API key for core |
| Reliability | Fresh-VPS install hardening + CI | root/sudo + prereq bootstrap; smoke test + GitHub Actions on a minimal root Ubuntu container |

What's New in v2.3

| Category | What's New | Details |
|---|---|---|
| WHOIS | Universal WHOIS for all TLDs | whoisdomain + CLI + Whoxy API; .vn, .th, .sg, .kr, 27+ ccTLD servers |
| WHOIS | Reverse & historical WHOIS (free) | Whoxy reverse API, historical lookup, ViewDNS |
| Web Collection | Scrapling adaptive scraping | 3-tier: static → anti-bot → JS rendering; headless auto-open |
| Web Collection | Headless browser auto-open default | JS-heavy sites auto-detected and rendered via DynamicFetcher |
| Orchestration | AgentFlow parallel enrichment | DAG-based parallel pivot expansion for 3+ subjects |
| Performance | HTML parsing ~2ms | Scrapling parser replaces slow HTTP scraping |
| Platform | Python 3.10+ minimum | Required by Scrapling and AgentFlow |

What's New in v2.2

| Category | What's New | Details |
|---|---|---|
| Image Forensics | Face search, reverse image, manipulation detection, AI geolocation | FaceCheck.id, TinEye, FotoForensics, Forensically, picarta.ai, GeoSpy, Pic2Map |
| Blockchain | Crypto wallet tracing, transaction graphs, scam detection | Blockchair, Etherscan, WalletExplorer, OXT.me, Chainabuse, Breadcrumbs |
| Transport | Aircraft tracking (unfiltered), vessel AIS, vehicle VIN lookup | ADS-B Exchange, Flightradar24, Marine Traffic, VesselFinder, NICB VINCheck |
| Darknet | Tor search, ransomware monitoring, onion service discovery | Ahmia.fi, onionsearch, DarknetLive, ransomwatch |
| Social Media | Reddit, Instagram, TikTok, Telegram investigation | Osintgram, instaloader, toutatis, RedditMetis, TGStat, TelegramDB, Bellingcat TikTok Timestamp |
| People Search | US people search engines, free reverse lookups | TruePeopleSearch, FastPeopleSearch, IDCrawl, That's Them |
| Mega-Dorks | 11 cross-platform Google dork templates covering 73 unique domains | Social, Telegram ecosystem, dev platforms, forums, paste sites, darknet, breach DBs, business, image, messaging, jobs |
| IoT | Webcam directories, IoT device search | Insecam, Thingful |

What's New in v2.1

| Category | New Commands | What It Does |
|---|---|---|
| Intelligence | /cti-expert /render threat-path, /cti-expert /render attack-surface | Attack path flow + infrastructure exposure visualization |
| Intelligence | /cti-expert /snapshots, /cti-expert /diff | Wayback Machine snapshots and version diffing |
| Intelligence | /cti-expert /drift, /cti-expert /report ioc | Temporal risk tracking + IOC export (STIX 2.1) |
| UX | /cti-expert /onboard, /cti-expert /clarify, /cti-expert /quality | First-time tutorial, finding explanation, quality scoring |
| UX | /cti-expert /blind-spots, /cti-expert /source-check | Gap analysis + batch URL verification |
| UX | /cti-expert /workspace diff | Compare two saved investigation sessions |
| Data Model | Source Reliability A-F | Complements trust scores with source-level grading |
| Data Model | 4 new entity types | Device, Image, Crypto Address, Custom |
| Data Model | HIGH conflict severity | 4-level severity: CRITICAL/HIGH/NOTABLE/MINOR |



Installation

Recommended: Use Claude Code CLI — it gives you the full terminal workflow, persistent sessions, and direct skill invocation. Download here or run npm install -g @anthropic-ai/claude-code.

Why Claude Code CLI?

The entire CTI Expert workflow is optimized for Claude Code CLI. The CLI gives you:

  • Persistent sessions — investigations survive terminal restarts via /cti-expert /workspace save
  • Full tool access — file writes, Python scripts, DOCX generation, all run natively
  • Skill invocation — type /cti-expert directly in the terminal, no browser required
  • Background agents — parallel enrichment via AgentFlow works best with the CLI

🖥️ Where to run it — the CLI is best for this skill

[!IMPORTANT]
CTI Expert is execution-heavy: it runs uv/Python, installs OSINT tools, writes .md/.docx/.json reports, reaches many external sites, and saves case workspaces. What matters is a real local shell + persistent files + open network — a CLI or local desktop agent gives you that; an ephemeral cloud sandbox does not. This applies equally to Claude and Codex.

| Environment | Running cases | Why |
|---|---|---|
| Claude Code CLI · Codex CLI | Best | Real shell, persistence, background tasks, open network — what the skill is built for |
| Claude Code Desktop · Codex IDE extension | ✅ Great | Same local execution; nicest for reading rendered reports, charts & diagrams |
| claude.ai/code (web) · Codex cloud / ChatGPT web | ⚠️ Limited | Reasoning & query generation work, but files don't persist to your disk and outbound network is often restricted |

[!TIP]
Run investigations in a CLI (Claude Code or Codex); open the generated .docx/report in a Desktop/IDE window if you prefer reading there. Use web/cloud surfaces only for analyst-reasoning, not execution-heavy recon.


Step 1 — Install Claude Code CLI

npm install -g @anthropic-ai/claude-code

Requires Node.js 18+. Full docs: docs.anthropic.com/en/docs/claude-code/overview


Step 2 — Clone + All-in-One Installer

The installer handles everything: Python dependencies, system tools (whois, dig, jq, exiftool), OSINT tools (maigret, sherlock, holehe, h8mail, and more), and optional headless browser + Go tools. It is powered by uv (Astral's fast Python package manager, written in Rust) — the script bootstraps uv, then uses uv venv / uv pip / uv tool for all Python installs, falling back to pip/pipx/venv only if uv can't be installed. Use install.ps1 on Windows (PowerShell) or install.sh on macOS/Linux/Git Bash/WSL.

Linux / macOS:

git clone https://github.com/7onez/cti-expert.git ~/.claude/skills/cti-expert
bash ~/.claude/skills/cti-expert/scripts/install.sh

Windows (Git Bash or WSL):

git clone https://github.com/7onez/cti-expert.git ~/.claude/skills/cti-expert
bash ~/.claude/skills/cti-expert/scripts/install.sh

Windows (PowerShell — native):

git clone https://github.com/7onez/cti-expert.git "$env:USERPROFILE\.claude\skills\cti-expert"
powershell -ExecutionPolicy Bypass -File "$env:USERPROFILE\.claude\skills\cti-expert\scripts\install.ps1"

Windows users: install.ps1 is a full native installer (winget system tools + Python venv + OSINT tools) — no Git Bash or WSL required. It accepts the same -Headless, -Go, and -All flags (e.g. install.ps1 -All). Git Bash / WSL users can run install.sh instead. The DOCX generator self-heals UTF-8 output and auto-locates pandoc, so reports build on Windows with no extra environment setup. The skill itself detects the OS at runtime and installs any missing tool with the right manager (winget / brew / apt) — see scripts/platform-setup.md.


Installer Options

macOS / Linux / Git Bash / WSL:

bash scripts/install.sh               # Core: Python deps + system tools + OSINT tools
bash scripts/install.sh --headless    # + Scrapling headless browser (~200MB Chromium)
bash scripts/install.sh --go          # + Go tools (subfinder, amass, gau, gitleaks, httpx)
bash scripts/install.sh --all         # + Everything above

Windows (PowerShell):

powershell -ExecutionPolicy Bypass -File scripts\install.ps1              # Core
powershell -ExecutionPolicy Bypass -File scripts\install.ps1 -Headless    # + Scrapling headless browser
powershell -ExecutionPolicy Bypass -File scripts\install.ps1 -Go          # + Go tools
powershell -ExecutionPolicy Bypass -File scripts\install.ps1 -All         # + Everything above

| Flag | What it installs | Size |
|---|---|---|
| (none) | Python packages, whois, dig, jq, exiftool, maigret, sherlock, holehe, h8mail, theHarvester, trufflehog, waymore, xeuledoc, agentflow | ~50 MB |
| --headless | Scrapling StealthyFetcher + DynamicFetcher + Chromium | +200 MB |
| --go | subfinder, amass, gau, gitleaks, httpx, phoneinfoga | +150 MB |
| --all | Everything | ~400 MB |

Verify Installation

claude   # opens Claude Code CLI
# then type:
/cti-expert

If the skill loads, you'll see the CTI Expert command menu. Type /cti-expert /help for the full command list.


Use in ChatGPT / Codex (cross-agent)

CTI Expert is portable: the analyst logic is plain Markdown and the scripts are OS-detecting Python/shell, so it runs in OpenAI Codex (and other AGENTS.md-aware agents), not just Claude Code.

# 1. Clone the skill anywhere
git clone https://github.com/7onez/cti-expert.git

# 2a. In-repo: open Codex inside the clone — it auto-loads AGENTS.md. Then ask it to follow SKILL.md.
# 2b. Slash command: copy the bundled Codex prompt so /cti-expert works in the Codex CLI/IDE
cp cti-expert/codex/cti-expert.md ~/.codex/prompts/cti-expert.md   # Windows: copy to %USERPROFILE%\.codex\prompts\
  • AGENTS.md is the cross-agent runtime contract (OS detection, uv, paths). Codex auto-concatenates it from the repo root; you can also reference it from ~/.codex/AGENTS.md.
  • codex/cti-expert.md is a ready-to-copy custom prompt → gives Codex a /cti-expert <target> slash command.
  • Plain ChatGPT (no code execution): the reasoning, query generation, and report drafting all work (load SKILL.md/AGENTS.md as instructions or Custom-GPT knowledge); only local steps (DOCX build, CLI tool runs) need a code-capable harness like Codex or Claude Code.

Paths are resolved relative to the skill directory (the folder containing SKILL.md), so nothing assumes the Claude-specific ~/.claude/skills/ location.


Alternative — Claude Code Desktop (macOS / Windows)

Download: claude.ai/download — available for macOS and Windows

Step-by-step (no terminal needed):

  1. Install Claude Code Desktop — Download from claude.ai/download and install the app

  2. Download CTI Expert — Go to the GitHub repository, click the green "Code" button, then select "Download ZIP"

  3. Extract to your skills folder — Unzip the downloaded file, then move the extracted folder to your skills directory and rename it to cti-expert:

    macOS: Open Finder → Press Cmd + Shift + G → Type ~/.claude/skills/ → Press Go → Move the folder here
    Windows: Open File Explorer → Type %USERPROFILE%\.claude\skills\ in the address bar → Press Enter → Move the folder here

    Note: If the skills folder does not exist, create it inside the .claude folder first.

  4. Run the installer — Open Claude Code Desktop terminal and run:

    bash ~/.claude/skills/cti-expert/scripts/install.sh
    

    Or on Windows PowerShell (Python only):

    pip3 install -r "$env:USERPROFILE\.claude\skills\cti-expert\scripts\requirements.txt"
    
  5. Restart Claude Code Desktop — Close and reopen the app

  6. Verify — Type /cti-expert in the chat to confirm the skill is loaded

System Requirements

| Requirement | Version | Purpose |
|---|---|---|
| Claude Code CLI | Latest | Recommended terminal runtime |
| Claude Code Desktop | Latest | GUI runtime (macOS/Windows) |
| Node.js | 18+ | Required by Claude Code CLI |
| uv | Latest | Recommended — bootstrapped by the installer; manages Python, venv, packages & CLI tools |
| Python | 3.10+ | DOCX report generation, Scrapling, AgentFlow (uv can install this for you) |
| pip packages | See requirements.txt | Charts, diagrams, styling |
| git | Any | Clone the repository |
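A preflight check for the requirements in the table above, written here as an added example (it is not one of the project's own scripts). It reads versions with each tool's standard version flag, installs nothing, and treats whois and dig as present/absent only:

```shell
#!/usr/bin/env bash
# Preflight check for the CTI Expert prerequisites in the System Requirements
# table: Node.js 18+, Python 3.10+, uv, git, and the whois/dig/jq/exiftool
# system tools the installer adds. Added example, not a project script; it
# only reads versions (each tool's own version flag) and installs nothing.

# parse_version TEXT -> first dotted-numeric version in TEXT
# ("git version 2.43.0" -> 2.43.0, "v18.19.0" -> 18.19.0).
parse_version() {
  printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}

# version_ge ACTUAL MINIMUM -> exit 0 when ACTUAL >= MINIMUM, comparing
# dotted components numerically; a missing component counts as 0, so
# 3.10.4 >= 3.10 and 18 >= 18.0.0.
version_ge() {
  local a="$1" b="$2" x y
  while [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "0-rc1"
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 0
}

# tool_version NAME -> installed version string, or empty for tools whose
# presence is all the installer needs (whois, dig).
tool_version() {
  case "$1" in
    node)     parse_version "$(node --version 2>/dev/null)" ;;
    python3)  parse_version "$(python3 --version 2>&1)" ;;
    uv)       parse_version "$(uv --version 2>/dev/null)" ;;
    git)      parse_version "$(git --version 2>/dev/null)" ;;
    jq)       parse_version "$(jq --version 2>/dev/null)" ;;
    exiftool) parse_version "$(exiftool -ver 2>/dev/null)" ;;
    *)        printf '' ;;
  esac
}

# preflight: one line per requirement ("name:minimum"; an empty minimum means
# presence only); returns the count of unmet requirements.
preflight() {
  local unmet=0 spec name min ver
  for spec in node:18 python3:3.10 uv: git: whois: dig: jq: exiftool:; do
    name=${spec%%:*}; min=${spec#*:}
    if ! command -v "$name" >/dev/null 2>&1; then
      printf 'MISSING  %-8s  (install.sh / install.ps1 will try to add it)\n' "$name"
      unmet=$((unmet + 1)); continue
    fi
    ver=$(tool_version "$name")
    if [ -n "$min" ] && ! version_ge "${ver:-0}" "$min"; then
      printf 'TOO OLD  %-8s  %s (need %s+)\n' "$name" "${ver:-?}" "$min"
      unmet=$((unmet + 1)); continue
    fi
    printf 'OK       %-8s  %s\n' "$name" "${ver:-present}"
  done
  return "$unmet"
}

if preflight; then
  echo "All prerequisites present: run scripts/install.sh (or install.ps1) next."
else
  echo "Some prerequisites are missing or too old; the installer will try to add them."
fi
```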



Quick Start

How to run commands: All commands below use the /cti-expert prefix. Type /cti-expert followed by the command in Claude Code.

Example: /cti-expert /case example.com — not just /case example.com

1 — Full Autonomous Case

/cti-expert /case example.com

Runs every applicable technique for the target type. Auto-generates .md and .docx reports.

2 — Guided Flows

/cti-expert /flow person           # Person investigation workflow
/cti-expert /flow domain           # Domain reconnaissance workflow
/cti-expert /flow image            # Image verification workflow

3 — Targeted Reconnaissance

/cti-expert /sweep @username                    # Multi-vector recon on handle
/cti-expert /query example.com                  # 12-15 advanced search queries
/cti-expert /username johndoe                   # Platform enumeration (3000+)
/cti-expert /email-deep [email protected]         # Deep email investigation
/cti-expert /subdomain example.com              # Certificate transparency + brute-force
/cti-expert /github-osint github.com/org/repo   # GitHub profiles, repos, code, commits, forks
/cti-expert /threat-check 185.1.1.1             # IP/domain/URL threat intelligence
/cti-expert /scam-check suspicious-site.xyz     # Phishing/scam domain check
/cti-expert /breach-deep [email protected]        # Multi-source breach lookup

4 — Analysis & Assessment

/cti-expert /exposure domain.com                # Composite risk score (0-100)
/cti-expert /threat-model                       # Build threat model from findings
/cti-expert /validate                           # Verify all findings
/cti-expert /coverage                           # Check investigation completeness

5 — Reporting

/cti-expert /report                             # Technical INTSUM report
/cti-expert /report brief                       # Executive summary
/cti-expert /brief                              # Plain-language summary
/cti-expert /workspace save                     # Save workspace + auto-generate .docx



Features

Identity & People

  • Person lookup — 50+ data points
  • Phone — carrier, reputation, associations
  • Email — accounts, breaches, infrastructure
  • Username — 3000+ platform enumeration
  • GitHub developer footprint — profiles, orgs, repos, commits, forks

Domain & Infrastructure

  • Subdomain enumeration via CT logs
  • CMS, CDN, analytics fingerprinting
  • DNS forensics & WHOIS deep/reverse
  • Traffic analysis & audience demographics

Analysis & Verification

  • Face search (FaceCheck.id) & reverse image (TinEye)
  • Image forensics (FotoForensics, Forensically)
  • AI photo geolocation (picarta.ai, GeoSpy)
  • Document/email metadata forensics
  • Google Docs identity extraction
  • 100+ paste sites & breach DBs

WiFi, Geo & Transport

  • SSID/BSSID lookup via Wigle.net
  • W3W, Plus Codes, MGRS, Street View
  • Aircraft tracking (ADS-B Exchange, Flightradar24)
  • Vessel tracking (Marine Traffic, VesselFinder)
  • Vehicle VIN lookup & plate recognition

Security Auditing

  • Cloud audit (AWS/GCP/Azure)
  • OWASP Top 10 source code review
  • CVE & supply chain vulnerability checks
  • LLM/agent/MCP prompt injection audit

Reporting & Export

  • INTSUM, executive brief, plain-language
  • DOCX with charts, diagrams, timelines
  • Save/load case workspaces
  • Legal, journalist, HR, threat analyst formats



AEAD Case Lifecycle

Every investigation follows four automated phases:

                         ╭──────────────────────────────────────╮
                         │         AEAD CASE LIFECYCLE          │
                         ╰──────────────────────────────────────╯

   ┌─── ACQUIRE ────────────────────────────────────────────────────────┐
   │  Collect raw data via /sweep, /query, /username, /phone, etc.     │
   │  Database search, enumeration, collection gap logging             │
   └────────────────────────────────┬───────────────────────────────────┘
                                    ▼
   ┌─── ENRICH ─────────────────────────────────────────────────────────┐
   │  Expand leads via /branch, /crossref, /link-subjects, /signatures │
   │  Shared identifier detection, relationship mapping                │
   └────────────────────────────────┬───────────────────────────────────┘
                                    ▼
   ┌─── ASSESS ─────────────────────────────────────────────────────────┐
   │  Score & verify via /exposure, /threat-model, /validate, /coverage│
   │  Risk scoring, completeness check, evidence chains                │
   └────────────────────────────────┬───────────────────────────────────┘
                                    ▼
   ┌─── DELIVER ────────────────────────────────────────────────────────┐
   │  Package output via /report, /brief, /render, /workspace save     │
   │  Auto-save .md + .docx with charts & diagrams                     │
   └────────────────────────────────────────────────────────────────────┘

Run /progress at any point to see current phase and pending tasks.




Command Reference

Full command list: See SKILL.md for comprehensive reference.

Acquire — Data collection commands

| Command | Purpose |
|---|---|
| /cti-expert /case [target] | Full pipeline — every applicable technique |
| /cti-expert /sweep [target] | Multi-vector recon (person/domain/org/username/email/IP) |
| /cti-expert /query [subject] | 12-15 advanced search operator queries |
| /cti-expert /username [handle] | 3000+ platform enumeration |
| /cti-expert /phone [number] | Carrier lookup, reputation, associations |
| /cti-expert /email-deep [email] | Accounts, breaches, infrastructure |
| /cti-expert /subdomain [domain] | CT logs + passive enumeration |
| /cti-expert /github-osint [target] | GitHub user/org/repo profiles, code, commits, forks |
| /cti-expert /threat-check [target] | IP/domain/URL/hash threat intelligence |
| /cti-expert /breach-deep [email] | Multi-source breach lookup |

Enrich — Lateral expansion commands

| Command | Purpose |
|---|---|
| /cti-expert /branch [data] | Lateral expansion (email→username, username→email, etc.) |
| /cti-expert /crossref | Shared identifier detection across subjects |
| /cti-expert /link-subjects [A] [B] | Define connection between subjects |
| /cti-expert /show-connections | Display logged connections |
| /cti-expert /graph | Full ASCII subject relationship map |

Assess — Scoring & verification commands

| Command | Purpose |
|---|---|
| /cti-expert /exposure [target] | Composite risk score (0-100) |
| /cti-expert /threat-model | Build threat model from findings |
| /cti-expert /validate | Verify finding evidence chains |
| /cti-expert /coverage | Check investigation completeness |

Deliver — Report generation commands

| Command | Purpose |
|---|---|
| /cti-expert /report | Technical INTSUM report |
| /cti-expert /report brief | Executive summary |
| /cti-expert /brief | Plain-language summary |
| /cti-expert /workspace save | Save workspace + auto-generate .docx |



Skill Tiers

Novice

Low-jargon mode, step-by-step guidance, pre-built templates for due diligence, background checks, security reviews.

Entry: /cti-expert /flow person, /cti-expert /flow domain, /cti-expert /template list

Practitioner

Advanced search operators, manual pivot expansion, custom threat modeling, guided flows with explanation.

Entry: /cti-expert /query [target], /cti-expert /branch [data], /cti-expert /crossref, /cti-expert /threat-model

Specialist

Raw technique access, custom evidence weighting, CONTESTED finding resolution, direct database queries.

Entry: /cti-expert /username [handle], /cti-expert /email-deep [email], /cti-expert /secrets [target], /cti-expert /threat-check [target]




Technique Catalog

36 techniques

| Technique | Coverage | API Key Required? |
|---|---|---|
| fx-metadata-parsing.md | EXIF, email headers, document forensics | No |
| fx-image-verification.md | Image authenticity, provenance, reverse search | No |
| fx-breach-discovery.md | Breach database + paste site enumeration | Optional (HIBP bulk, DeHashed paid) |
| fx-http-fingerprint.md | HTTP signature analysis, server fingerprinting | No |
| fx-leak-monitoring.md | Leak and breach monitoring automation | Mixed (IntelligenceX/Shodan paid) |
| fx-dns-cert-history.md | Historical DNS + SSL/TLS certificate timeline | No |
| fx-document-forensics.md | PDF/Office authorship, creation chain, hidden content | No |
| fx-network-mapping.md | Network topology, entity graph construction | No |
| username-osint.md | 3000+ platform enumeration | No |
| phone-osint.md | Carrier lookup, VoIP, FreeCNAM, WhoCalld | No |
| email-osint.md | Deep email investigation, breach history | No |
| threat-intel.md | GreyNoise, AbuseIPDB, OTX, VirusTotal, CIRCL CVE, NVD | Optional (VT/URLScan free keys) |
| web-traffic-analysis.md | SimilarWeb, Semrush estimation | No |
| domain-advanced.md | CT logs, Amass, Subfinder, passive enum | No |
| social-media-platforms.md | Twitter/X, Discord, Strava, BlueSky, ShareTrace, Reddit, Instagram, TikTok, Telegram | Partial (Discord needs token) |
| image-forensics-and-face-search.md | FaceCheck.id, TinEye, FotoForensics, Forensically, picarta.ai, GeoSpy, Pic2Map | No |
| blockchain-investigation.md | Blockchair, Etherscan, WalletExplorer, OXT.me, Chainabuse, Breadcrumbs | Optional (Etherscan API for bulk) |
| transport-tracking.md | ADS-B Exchange, Flightradar24, Marine Traffic, VesselFinder, VIN decode | No |
| darknet-investigation.md | Ahmia.fi, onionsearch, DarknetLive, ransomwatch | No |
| advanced-geolocation-techniques.md | W3W, Plus Codes, MGRS, Overpass Turbo | No |
| wifi-ssid-osint.md | Wigle.net SSID/BSSID geolocation | Free account (Wigle API) |
| web-dns-forensics.md | Zone transfers, GitHub, Telegram, WHOIS | Optional (WHOIS API) |
| scam-check.md | Phishing/scam domain verification | No |
| ioc-export.md | IOC export (STIX 2.1, flat list) | No |
| cloud-audit.md | AWS/GCP/Azure IAM, network, compute audit | No |
| dependency-audit.md | CVE, supply chain, CI/CD security | No |
| disk-forensics.md | Sleuth Kit, file carving, artifact recovery | No |
| incident-triage.md | NIST 800-61, containment, IOC extraction | No |
| owasp-audit.md | OWASP Top 10 source code review | No |
| prompt-injection-audit.md | LLM/agent/MCP security assessment | No |
| fx-visitor-intelligence.md | Visitor stats, tech stack, geo analysis | No |
| fx-social-topology.md | Social graph construction and analysis | No |
| fx-geolocation.md | GPS, W3W, Plus Codes, MGRS, Street View | No |
| secret-scanning.md | Credential/secret detection in code | Optional (GitHub token for GitDorker) |
| github-osint.md | GitHub profile, org, repo, code, commit, fork, and collaboration recon | Optional (GitHub token for higher API limits) |
| fx-email-header-analysis.md | Email header analysis, SPF/DKIM | No |



Report Formats

Every /report, /brief, and /case auto-saves two files:

Markdown Report

  • INTSUM format (technical)
  • Executive brief (decision-makers)
  • Plain-language summary (non-technical)
  • Legal evidence format (attorneys)

Word Document (.docx)

  • Cover page with classification
  • Table of contents & styled finding cards
  • Charts: pie, bar, gauge, timeline
  • Entity relationship & network topology diagrams
  • Source attribution table with page numbers

Generated by scripts/generate-cti-docx.py




Architecture

Project structure
cti-expert/
├── SKILL.md                       Command reference & skill definition
├── README.md                      This file
│
├── engine/                        Case data model & state management
│   ├── subject-registry.md        How subjects are tracked
│   ├── finding-framework.md       Finding lifecycle & evidence chains
│   ├── workspace-format.md        Workspace serialization spec
│   └── conflict-resolver.md       CONTESTED finding resolution
│
├── techniques/                    Collection techniques (32 files)
│   ├── whois-universal.md         Universal multi-TLD WHOIS cascade
│   ├── web-collection-scrapling.md Scrapling adaptive web collection
│   ├── agentflow-enrichment.md    Parallel enrichment orchestration
│   ├── fx-metadata-parsing.md, fx-image-verification.md, ...
│   ├── username-osint.md, phone-osint.md, email-osint.md
│   ├── cloud-audit.md, dependency-audit.md, disk-forensics.md
│   └── ...
│
├── experience/                    UX, tiers, guided flows
│   ├── guided-flows/              Interactive workflows
│   ├── case-templates/            Pre-built case templates
│   └── accessibility/             Glossary, low-jargon mode
│
├── analysis/                      Pattern detection & intelligence engines
│   ├── deviation-detector.md      Behavioral anomaly detection
│   ├── cross-reference-engine.md  Shared identifier detection
│   └── exposure-model.md          Risk score calculation
│
├── output/                        Report & visualization specs
│   ├── reports/                   Report templates
│   └── visuals/                   Chart & render engine specs
│
├── scripts/                       DOCX report generation
│   ├── generate-cti-docx.py       Main generator
│   ├── cti_docx_charts.py         Chart rendering
│   ├── cti_docx_diagrams.py       Entity relationship diagrams
│   └── requirements.txt           Python dependencies
│
├── workflows/                     Professional use-case guides
│   ├── wf-journalist.md           Journalist source verification
│   ├── wf-threat-analyst.md       Cyber threat intelligence
│   └── wf-hr-screening.md        Background checks
│
├── guides/walkthroughs/           Worked case examples
│   ├── walkthrough-person-lookup.md
│   ├── walkthrough-domain-sweep.md
│   └── walkthrough-username-trace.md
│
└── validation/                    Quality assurance
    ├── coverage-matrix.md         Investigation area coverage
    ├── quality-scoring.md         Finding scoring methodology
    └── verification-checklist.md  Evidence chain validation



Professional Workflows

| Workflow | Audience | File |
|---|---|---|
| Journalist Source Verification | Reporters, fact-checkers | workflows/wf-journalist.md |
| HR Screening | HR professionals, recruiters | workflows/wf-hr-screening.md |
| Cyber Threat Intelligence | Security analysts, IR teams | workflows/wf-threat-analyst.md |
| Private Investigator | Licensed PIs, legal teams | workflows/wf-private-investigator.md |

Activate with /cti-expert /flow [type] for interactive guided prompts.




Ethics & Responsible Use

This skill is for lawful research and professional security investigation only.

Permitted:

  • Journalist fact-checking & source verification
  • HR background screening (with consent)
  • Corporate security research & threat intelligence
  • Authorized penetration testing & security audits
  • Legal/compliance investigation
  • Personal reputation monitoring (self-search)

Prohibited:

  • Doxxing, harassment, or stalking
  • Unauthorized surveillance
  • Social engineering or fraud
  • Privacy violations
  • Criminal activity

You are responsible for all use of this skill. Comply with local laws, regulations, and platform terms of service. Always respect privacy and consent boundaries.




Contributing

We welcome research contributions, new techniques, and workflow improvements.

Contribution guidelines

Adding techniques:

  1. Create techniques/fx-[name].md with method description, free tool lists, limitations

Workflow improvements:

  1. Document in workflows/ with success criteria

Pull request process:

  1. Fork and create feature branch: git checkout -b feature/technique-name
  2. Document changes in SKILL.md and README.md
  3. Test on at least 3 real-world targets
  4. Submit PR with description

Bug reports: File issues with command output, environment, and target type.




License

MIT License + Ethical Use Addendum

You are free to use, modify, and distribute this skill under the MIT license, provided that you include original attribution, comply with the ethical use guidelines above, and clearly mark any derivatives.

See LICENSE for full text.




🙏 Acknowledgments & Credits

CTI Expert stands on the shoulders of the open-source community and free, public-interest data providers. A huge thank-you to every project, vendor, and free API below — this skill simply would not exist without your work. (Listing here does not imply affiliation or endorsement; always respect each provider's terms of service.)

| Category | Projects & free services we're grateful to |
|---|---|
| Agents & runtime | Anthropic — Claude Code · OpenAI — Codex · Astral — uv · Python · Node.js · Rust |
| Browser & web collection | agent-browser — Vercel Labs · Scrapling · Chromium |
| Username, people & social | Maigret · Sherlock · Blackbird · instaloader · Osintgram · toutatis · ShareTrace |
| Email & breach data | Holehe · h8mail · theHarvester · Have I Been Pwned · Hudson Rock · LeakCheck |
| Domains, DNS & infrastructure | Subfinder · Amass · httpx · GAU · crt.sh · Whoxy · ViewDNS · whoisdomain · Shodan InternetDB · ipwho.is |
| Threat intelligence | VirusTotal · URLScan.io · GreyNoise · AbuseIPDB · AlienVault OTX · abuse.ch (URLhaus · ThreatFox · MalwareBazaar) · CIRCL · NVD · ransomware.live |
| Secrets & code | TruffleHog · Gitleaks · GitHub CLI |
| Phone | PhoneInfoga · FreeCNAM · WhoCalld |
| Geolocation & WiFi | OpenStreetMap · what3words · Overpass Turbo · WiGLE |
| Image forensics | ExifTool · TinEye · FaceCheck.id · FotoForensics · picarta.ai |
| Blockchain | Blockchair · Etherscan · WalletExplorer · Chainabuse |
| Transport tracking | ADS-B Exchange · Flightradar24 · MarineTraffic · VesselFinder |
| Darknet | Ahmia · OnionSearch · ransomwatch |
| Cloud & documents | MSFTRecon · Xeuledoc · oletools · poppler · qpdf · mat2 · The Sleuth Kit |
| Web archives | Internet Archive — Wayback · Waymore |
| Reporting & utilities | pandoc · python-docx · Matplotlib · NetworkX · jq · ASN |
| Standards & frameworks | OWASP · MITRE ATT&CK · STIX 2.1 (OASIS) · NIST SP 800-61 · CWE |

Built something here we should credit, or want your project's listing changed/removed? Open an issue or PR — we'll fix it fast. 💙




Made with purpose by Hieu Ngo


If this tool helps your work, consider giving it a star. It helps others find it.
