foxsec-intel-pipeline is an analyst-first enrichment and scoring pipeline for security triage.
It takes a domain, IP, or URL artefact and produces a structured intelligence output that can be used in SOC workflows, reports, and automation.
Version 1 focuses on domain intelligence with:
- DNS resolution
- DMARC and SPF posture checks
- ASN and provider enrichment
- Basic risk scoring
- JSON output for downstream tooling
Security analysts often waste valuable triage time jumping between tools to answer basic but critical questions:
- Is this domain configured like a legitimate sender?
- Who owns the hosting network?
- Does routing context increase risk?
- Is this likely low risk, medium risk, or high risk?
This project exists to standardise that first-pass enrichment and scoring into one repeatable workflow.
- Accept a domain input
- Resolve DNS and extract core records
- Check DMARC and SPF posture
- Enrich with ASN and provider information
- Calculate a basic risk score
- Output a structured analyst result in JSON
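
The DMARC/SPF posture and scoring steps above, sketched as an added example (not the project's own code): it classifies TXT records that have already been resolved and folds the result into a JSON record. The function names, posture labels, weights and thresholds are assumptions for illustration, and the TXT strings are constructed.

```python
import json

# Hypothetical weights and thresholds, for illustration only.
SPF_POINTS = {"hardfail": 0, "softfail": 10, "neutral": 20, "no_all": 20,
              "pass_all": 40, "missing": 30, "multiple": 30}
DMARC_POINTS = {"reject": 0, "quarantine": 5, "none": 20, "invalid": 30, "missing": 30}
QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass_all"}

def spf_posture(txt_records):
    """Classify SPF posture from the TXT strings published at the domain."""
    spf = [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"  # RFC 7208: more than one SPF record is a permerror
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            # A bare "all" carries the default "+" qualifier.
            return QUALIFIERS.get(term[0], "pass_all")
    return "no_all"  # no "all" mechanism (a redirect= modifier is not followed here)

def dmarc_posture(txt_records):
    """Return the DMARC policy (p=) from the _dmarc TXT strings, or 'missing' / 'invalid'."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid"
    tags = {}
    for part in recs[0].split(";"):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    return tags["p"] if tags.get("p") in ("none", "quarantine", "reject") else "invalid"

def score(domain, txt, dmarc_txt):
    """Combine both postures into one analyst record."""
    spf, dmarc = spf_posture(txt), dmarc_posture(dmarc_txt)
    total = SPF_POINTS[spf] + DMARC_POINTS[dmarc]
    level = "low" if total < 40 else "medium" if total < 70 else "high"
    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "risk_score": total, "risk_level": level}

if __name__ == "__main__":
    # Constructed sample records, not live DNS answers.
    result = score("example.com",
                   ["v=spf1 include:_spf.example.net ~all", "site-verification=abc"],
                   ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
    print(json.dumps(result, indent=2))
```
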
```mermaid
flowchart TD
    A[Input artefact: domain or IP or URL] --> B[Collection layer]
    B --> C[DNS resolution and TXT lookups]
    C --> D[DMARC and SPF posture checks]
    C --> E[MX and nameserver quality checks]
    B --> F[ASN and provider enrichment]
    F --> G[Country and hosting risk signals]
    D --> H[Analysis and scoring engine]
    E --> H
    G --> H
    H --> I[Risk breakdown and confidence]
    I --> J[JSON output]
    I --> K[CSV output]
    I --> L[Markdown summary]
    I --> M[HTML analyst report]
```
```bash
python foxsec_scan.py --domain example.com --output json
python foxsec_scan.py --domain example.com --output csv
python foxsec_scan.py --domain example.com --output markdown
python foxsec_scan.py --domain example.com --output html > report.html
python foxsec_scan.py --domain example.com --output json --risk-config config/risk_profiles.json
# Batch mode: one domain per line
python foxsec_scan.py --input-file domains.txt --output json
python foxsec_scan.py --input-file domains.txt --output csv > batch.csv
python foxsec_scan.py --input-file domains.txt --output markdown
python foxsec_scan.py --input-file domains.txt --output html > batch-report.html
```

Add this to your ~/.bash_profile:

```bash
alias foxscan='python3 ~/r/repos/foxsec-intel-pipeline/foxsec_scan.py'
```

Then reload your shell and run:

```bash
source ~/.bash_profile
foxscan --domain example.com --output json
foxscan --input-file domains.txt --output markdown
```

```json
{
  "domain": "example.com",
  "dmarc": "present",
  "spf": "softfail",
  "asn": "AS13335",
  "provider": "Cloudflare",
  "risk_score": 28,
  "risk_level": "low"
}
```

- v0.1: Domain pipeline (DNS, DMARC, SPF, ASN, score, JSON)
- v0.2: URL parsing and hostname extraction path
- v0.3: IP-first mode and reverse mapping context
- v0.4: HTML report renderer for analyst handoff
- v0.5: Batch mode and CSV input support
- v0.6: Confidence scoring and evidence weighting
- v0.7: Optional connectors for SIEM and SOAR
- Batch input examples: examples/domains.txt
- Output generation examples: examples/README.md
Run unit tests:

```bash
python3 -m unittest discover -s tests -p 'test_*.py' -v
```

- BGP-Intel: ASN and prefix exposure analysis
- DNS-analysis: DNS security posture checks
- PhishSense: Phishing analysis workflow tooling
- WebPage-Analysis: Web artefact analysis helpers