Python License Platform Version
IRIS is an automated threat intelligence aggregation, correlation, and alerting platform built for red teams and security operations. It pulls from 8+ industry TI feeds, cross-references indicators against your target scope, correlates findings across sources, and generates actionable alerts.
- Multi-Feed Aggregation — VirusTotal, Shodan, AbuseIPDB, URLhaus, abuse.ch, Phishtank, Tor Exit Nodes, Censys
- Correlation Engine — detect shared ASNs, registrants, infrastructure across feeds; confidence-scored results
- Continuous Monitoring — watch targets in the background; alert on new findings
- Historical Database — SQLite (default) or PostgreSQL; full indicator history and trend analysis
- Rich CLI — colorized output, tables, progress bars
- Multi-Channel Alerting — Email, Slack, Discord, syslog
- Web Dashboard — optional browser UI for real-time feed status, alerts, correlation visualization
- Flexible Scope — JSON/YAML scope files with IPs, CIDRs, domains, hashes
git clone https://github.com/xdrew87/iris.git
cd iris
pip install -r requirements.txt# Initialize your workspace (creates config.yaml) python src/main.py init # Scan a single indicator python src/main.py scan 1.2.3.4 python src/main.py scan malware.example.com python src/main.py scan d41d8cd98f00b204e9800998ecf8427e # Correlate a scope file python src/main.py correlate --scope scope.json # Watch targets continuously python src/main.py watch --scope scope.json # Generate a report python src/main.py report --format json --output report.json # Launch web dashboard python src/main.py dashboard --port 8080
Copy config.yaml and fill in your API keys — or set them as environment variables (recommended):
| Feed | Environment Variable |
|---|---|
| VirusTotal | IRIS_VT_API_KEY |
| Shodan | IRIS_SHODAN_API_KEY |
| AbuseIPDB | IRIS_ABUSEIPDB_API_KEY |
| Censys | IRIS_CENSYS_API_ID + IRIS_CENSYS_API_SECRET |
| Slack Alert | IRIS_SLACK_WEBHOOK |
| Discord | IRIS_DISCORD_WEBHOOK |
URLhaus, abuse.ch, Phishtank, and Tor exit nodes require no API key.
{
"targets": [
{"type": "ip", "value": "1.2.3.4", "label": "C2 Server"},
{"type": "domain", "value": "evil.example.com"},
{"type": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e", "label": "Malware Sample"}
]
}╔══════════════════════════════════════════════╗
║ IRIS Threat Intelligence Report ║
╚══════════════════════════════════════════════╝
Target: 1.2.3.4
─────────────────────────────────────────────
Feed Status Confidence Flags
VirusTotal MALICIOUS 92% Malware C2
AbuseIPDB MALICIOUS 87% SSH Brute Force
Shodan INFO — Port 22,80,443
Tor Exit FLAGGED 100% Known Exit Node
Correlation: AbuseIPDB + VirusTotal = Same ASN AS12345
Overall Confidence: 89% — HIGH RISK
docker-compose up
See CONTRIBUTING.md.
See SECURITY.md to report vulnerabilities.
MIT © 2026 xdrew87