Cti Expert
CTI Expert — Cyber Threat Intelligence & OSINT analysis skill for Claude Code. 67+ commands, 35 techniques, no API keys required.
CTI Expert
Cyber Threat Intelligence & OSINT Analysis Toolkit
Transform Claude into a trained intelligence analyst — 67+ commands, 35 techniques, zero API keys required for core functionality.
Claude Desktop Users: You MUST use "Code" mode
CTI Expert is a Claude Code skill — it requires terminal/shell access to run commands, fetch web data, and generate reports. It does NOT work in Chat or Co-Work mode.
Claude Desktop users: you must use "Code" mode. This skill needs terminal access and does not run in Chat or Co-Work mode.
Open Claude Desktop → Click the mode selector (top-left) → Select "Code" → Then use CTI Expert commands.
<sub>Built by <a href="https://www.linkedin.com/in/hieu-minh-ngo-hieupc/"><b>Hieu Ngo</b></a> • <a href="mailto:hieu.ngo@chongluadao.vn">hieu.ngo@chongluadao.vn</a> • <a href="https://chongluadao.vn">chongluadao.vn</a></sub>
</div> <br><br>
What is CTI Expert?
A Claude Code skill that transforms Claude into a trained cyber threat intelligence and open-source intelligence analyst. It runs structured intelligence collection using 67+ commands across 35 techniques — no API keys required for core functionality. Some techniques offer optional enhanced access via free API keys (e.g., Wigle, VirusTotal, URLScan.io).
<table> <tr> <td width="50%">Core Capability
Multi-vector reconnaissance on any target type — person, domain, organization, username, email, IP, WiFi — with automated finding validation, exposure scoring, and structured intelligence delivery.
</td> <td width="50%">AEAD Workflow
Acquire raw data → Enrich with pivot expansion → Assess findings → Deliver structured reports (Markdown + Word with charts, diagrams, styled formatting).
</td> </tr> </table> <br><br>
What's New in v2.2
| Category | What's New | Details |
|----------|-----------|---------|
| Image Forensics | Face search, reverse image, manipulation detection, AI geolocation | FaceCheck.id, TinEye, FotoForensics, Forensically, picarta.ai, GeoSpy, Pic2Map |
| Blockchain | Crypto wallet tracing, transaction graphs, scam detection | Blockchair, Etherscan, WalletExplorer, OXT.me, Chainabuse, Breadcrumbs |
| Transport | Aircraft tracking (unfiltered), vessel AIS, vehicle VIN lookup | ADS-B Exchange, Flightradar24, Marine Traffic, VesselFinder, NICB VINCheck |
| Darknet | Tor search, ransomware monitoring, onion service discovery | Ahmia.fi, onionsearch, DarknetLive, ransomwatch |
| Social Media | Reddit, Instagram, TikTok, Telegram investigation | Osintgram, instaloader, toutatis, RedditMetis, TGStat, TelegramDB, Bellingcat TikTok Timestamp |
| People Search | US people search engines, free reverse lookups | TruePeopleSearch, FastPeopleSearch, IDCrawl, That's Them |
| Mega-Dorks | 11 cross-platform Google dork templates covering 73 unique domains | Social, Telegram ecosystem, dev platforms, forums, paste sites, darknet, breach DBs, business, image, messaging, jobs |
| IoT | Webcam directories, IoT device search | Insecam, Thingful |
<details> <summary><b>What's New in v2.1</b></summary>

| Category | New Commands | What It Does |
|----------|-------------|--------------|
| Intelligence | /cti-expert /render threat-path, /cti-expert /render attack-surface | Attack path flow + infrastructure exposure visualization |
| Intelligence | /cti-expert /snapshots, /cti-expert /diff | Wayback Machine snapshots and version diffing |
| Intelligence | /cti-expert /drift, /cti-expert /report ioc | Temporal risk tracking + IOC export (STIX 2.1) |
| UX | /cti-expert /onboard, /cti-expert /clarify, /cti-expert /quality | First-time tutorial, finding explanation, quality scoring |
| UX | /cti-expert /blind-spots, /cti-expert /source-check | Gap analysis + batch URL verification |
| UX | /cti-expert /workspace diff | Compare two saved investigation sessions |
| Data Model | Source Reliability A-F | Complements trust scores with source-level grading |
| Data Model | 4 new entity types | Device, Image, Crypto Address, Custom |
| Data Model | HIGH conflict severity | 4-level severity: CRITICAL/HIGH/NOTABLE/MINOR |
<br>