sources: * = needs abuse.ch key
📡 Click ↻ refresh to load live threat intelligence. Set your proxy URL first via the ⚡ proxy button, then refresh.
FeodoTracker · URLhaus · CISA KEV · OpenPhish · Spamhaus · Ransomware.live work without keys.
Add abuse.ch key for ThreatFox + MalwareBazaar feeds.
Search CVEs or click "recent" / "🔥 exploited". NVD API via proxy · CISA KEV catalog
No key needed: ip-api · GreyNoise community · URLhaus · NVD CVEs · Shodan InternetDB · crt.sh (certs) · RDAP (WHOIS) · BGP Rank
With key: VirusTotal · AbuseIPDB · AlienVault OTX · ThreatFox · Shodan full · URLScan · HIBP (email) · GreyNoise full
MITRE ATT&CK — Enterprise: click techniques to tag them to the current case
Watchlist items are automatically checked against incoming feed data when you refresh the Live Feed. Hits trigger alerts.

Database covers:
· Major APT groups (APT1–APT45+)
· Russian GRU/FSB/SVR units
· North Korean Lazarus group
· Iranian MuddyWater, APT33
· Ransomware gangs (LockBit, ALPHV, etc.)
🎣 PhishStats — Live Phishing Intelligence
🎣 Click ↻ refresh to load the PhishStats feed. Real-time phishing URLs with confidence scores · No API key required
🦊 ThreatFox — IOC Hunt & Intelligence
⚠ ThreatFox requires an abuse.ch key for full access. Add it in ⚙ API Keys. Some queries work without a key.
🦊 Search IOCs or load recent ThreatFox intelligence
🌐 MISP Community Feeds
SELECT FEEDS TO PULL
🌐 Select feeds on the left and click ↻ pull. Public MISP community feeds — no authentication required
IOCs are fetched via your proxy and parsed locally
// Kitsune CTI — User Guide
WHAT IS KITSUNE
Purpose
Browser-based CTI platform for investigating threats, mapping infrastructure, enriching IOCs, and producing reports — all in one place. No installation needed.
Core concept
Everything revolves around Cases. A case is an investigation (e.g. "APT28 C2 Campaign"). Add entities, enrich them, tag MITRE techniques, export a report.
FIRST INVESTIGATION · step by step
01 · Create a case
Click + new case in the header. Give it a name (e.g. "Ransomware Campaign May 2026"), set priority and status. This is your investigation container — all entities, timeline, evidence, and reports live inside it.
02 · Add entities (IOCs)
Use the left sidebar buttons: IP, Domain, Hash, URL, Actor, Email, Wallet, Org. Each has TLP, IOC status, confidence, and notes. Or use the ⚡ Bulk Extract tab to paste raw text and extract all IOCs at once.
03 · Build the relationship graph
Go to Graph tab → click + all entities. Drag nodes to arrange. Click draw edge to connect related entities (IP → Domain → Actor). Click edges to label or delete them.
04 · Enrich your IOCs
Go to Enrich tab → paste any IP, domain, hash, URL, email, or CVE ID → click enrich →. Kitsune queries Shodan, ip-api, GreyNoise, crt.sh, RDAP, URLhaus and your keyed APIs simultaneously.
05 · Tag MITRE ATT&CK techniques
Go to MITRE tab → click any technique to tag it to the current case. Or go to Actors, find the threat actor, and click tag MITRE techniques to auto-import all their known TTPs.
06 · Export your report
Go to Report tab. Preview the full case report — IOC table, MITRE techniques, timeline, evidence. Export as HTML, PDF, or copy as Markdown. Push IOCs to MISP if configured.
⬡ Graph
Visual relationship map. Drag nodes, draw edges, auto-layout. Confirmed IOCs show a dashed ring. Zoom with scroll wheel.
📡 Live Feed
Real-time threat intel from FeodoTracker, URLhaus, CISA KEV, OpenPhish, Spamhaus, Ransomware.live, ThreatFox, MalwareBazaar. Filter by category. Add items to case.
⚡ CVEs
Search NVD by keyword, CVE ID, or severity. Load recent CVEs or CISA KEV exploited vulnerabilities. Requires NVD API key for full access.
🔍 Enrich
Multi-source IOC enrichment. Free: Shodan InternetDB, ip-api, GreyNoise, crt.sh, RDAP, URLhaus. Keyed: VirusTotal, AbuseIPDB, OTX, URLScan, HIBP, Shodan full.
🛡 MITRE ATT&CK
Full Enterprise ATT&CK matrix. Click techniques to tag. Export as ATT&CK Navigator JSON layer for sharing with your team.
👁 Watchlist
Add IOCs or keywords to monitor. Auto-checked on every Live Feed refresh. Pops an alert with matching items when a hit is found.
⏱ Timeline
Chronological event log for the investigation. Add events by date and type (IOC Detected, C2 Infrastructure, Attribution, etc.).
📋 Evidence
Paste raw data, WHOIS output, Shodan results, Telegram intel, stealer logs. Tagged and timestamped evidence locker per case.
🕵 Actors
15+ built-in APT and ransomware profiles. Import actor IOCs + MITRE TTPs into case with one click. Add and edit custom actors.
🎣 PhishStats
Live phishing URL feed with confidence scores (0-10). Filter by score threshold. Enrich any URL or resolved IP directly.
🦊 ThreatFox
Hunt in abuse.ch ThreatFox. Search by IOC, load recent 24h, or query by malware tag. Requires free abuse.ch API key.
🌐 MISP Feeds
Pull from public MISP feeds: CIRCL, Botvrij, FeodoTracker, URLhaus, CISA KEV, OpenPhish, OISD. Filter and add IOCs to case.
⚡ Bulk Extract
Paste any raw text — email, log, Telegram dump. Auto-extracts IPs, domains, hashes, CVEs, emails, BTC/ETH wallets, ASNs. Select and add all to case.
🌍 Geo Map
World map of case IPs. Pins colored by IOC status. Hover for country, city, ISP. Click pin to open entity detail panel.
📄 Report
Full case report with IOC table, MITRE techniques, timeline, evidence. Export HTML, PDF, Markdown. Push IOCs to MISP.
ransomware · Investigating a ransomware incident
  1. Create case: "Ransomware — [victim] — [date]", priority Critical
  2. Actors tab → search ransomware group → + import to case (pulls IOCs + MITRE TTPs)
  3. Bulk Extract → paste ransom note, IR logs, forensic artifacts → add extracted IOCs to case
  4. Live Feed → filter by ransomware → check Ransomware.live for the group
  5. CVEs → click 🔥 exploited → search CVEs the group is known to exploit
  6. MITRE → tag all observed techniques → export Navigator layer
  7. Timeline → add: initial access date, lateral movement, encryption, ransom demand
  8. Report → export HTML/PDF for stakeholders and legal
phishing · Investigating a phishing campaign
  1. Create case: "Phishing Campaign — [target] — [date]", priority High
  2. Bulk Extract → paste email headers + body → extract sender IP, URLs, domains, hashes
  3. Enrich → enrich each domain → crt.sh reveals subdomains for infrastructure mapping
  4. PhishStats → refresh → search the sender domain in the phishing database
  5. ThreatFox → search sender IP or payload hash for existing intelligence
  6. Watchlist → add sender domain to watch for future hits in live feeds
  7. Geo Map → map all IPs to visualise hosting infrastructure geography
  8. Graph → build relationship map: email → URL → IP → hosting ASN
threat hunt · Proactive threat hunting
  1. Live Feed → click ↻ refresh → review all critical and high severity items
  2. ThreatFox → click recent IOCs → scan last 24h malware infrastructure
  3. CVEs → click 🔥 exploited → check newly added KEV entries
  4. Watchlist → review any hits from monitored IOCs or keywords
  5. For any suspicious items → click enrich → run full multi-source enrichment
  6. Create new case for any confirmed threat → add IOCs → build graph → tag MITRE
apt · APT actor attribution
  1. Create case for the suspected campaign
  2. Actors tab → browse or search suspected APT groups → compare TTPs with observed activity
  3. Import matching actor → all known IOCs and MITRE techniques added automatically
  4. MISP Feeds → pull CIRCL OSINT feed → search for overlapping IOCs
  5. Enrich → enrich infrastructure IOCs → look for ASN/registrar/certificate patterns
  6. Graph → draw edges between actor, C2 IPs, domains, and malware hashes
  7. MITRE → verify technique overlap → export Navigator layer as attribution evidence
Click any orange IOC pill to enrich instantly
Every IOC shown in Live Feed, ThreatFox, PhishStats, and MISP Feeds is clickable. It jumps to the Enrich tab and runs enrichment automatically — no copy-paste needed.
Use defang mode for safe sharing
Toggle [ defang: off ] in the top-right header. All IOCs display as evil[.]com and hxxp:// format — safe to paste into Slack, emails, and reports without triggering security tools.
Collapse sidebars for full-screen analysis
Click the tab on the left sidebar to hide Cases+Entities. Click on the right to hide Entity Detail. The graph and feed expand to fill the space. Both states persist across sessions.
Get free API keys for deeper enrichment
Click API keys in the header. Free keys worth getting: abuse.ch (ThreatFox + MalwareBazaar), NVD (faster CVE search), VirusTotal (500 req/day), AbuseIPDB, OTX, URLScan. All stored locally in your browser.
Import/export cases for backup and sharing
Use export in the header to save all cases as JSON. Share with teammates — they import into their own Kitsune. Use import to load any saved file. Data never leaves your browser otherwise.
Watchlist runs automatically on every feed refresh
Add IOCs or keywords to Watchlist tab once. Every time you click ↻ refresh in Live Feed, Kitsune checks all items against the fresh feed data and pops an alert on any match.
Add custom threat actors
Actors tab → + add actor. Fill in name, nation, aliases, tools, MITRE TTPs, IOCs, targets. Hover any existing card and click ✎ edit to modify built-in actors. Export the full database as JSON for backup.
Use timeline + evidence as your case notebook
Timeline records when things happened (initial access, C2 beacon, data exfil). Evidence is for raw data — paste WHOIS output, Shodan results, stealer log snippets, Telegram screenshots as text. Both appear in the exported report.
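The Bulk Extract and defang-mode behaviour described above can be sketched as follows. This is an added example, not Kitsune's source: the patterns, function names and sample text are assumptions, and it covers only CVEs, hashes, URLs, emails, IPs and domains.

```javascript
// Added example, not Kitsune's source. SAMPLE is constructed text.
const SAMPLE = `From: billing@evil-invoices[.]example
Payload at hxxps://cdn.evil-invoices[.]example/dl/update.exe.
Beacon to 203.0.113[.]45 and backup 198.51.100.7 (also 203.0.113.45).
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Exploits CVE-2024-1234; staging host stage.evil-invoices[.]example`;

// Order matters: each match is blanked out of the working text, so a URL's
// host or an email's domain is not reported a second time as a domain.
const PATTERNS = [
  ['cve', /\bCVE-\d{4}-\d{4,}\b/gi],
  ['sha256', /\b[a-f0-9]{64}\b/gi],
  ['sha1', /\b[a-f0-9]{40}\b/gi],
  ['md5', /\b[a-f0-9]{32}\b/gi],
  ['url', /\bhttps?:\/\/[^\s"'<>]+/gi],
  ['email', /\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b/gi],
  ['ip', /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g],
  // Known false positive: file names such as report.pdf also fit this shape.
  ['domain', /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi],
];

// Undo common defanging so pasted reports parse the same as raw logs.
function refang(text) {
  return text.replace(/hxxp(s?):\/\//gi, 'http$1://')
    .replace(/\[\.\]|\(\.\)|\[dot\]/gi, '.')
    .replace(/\[@\]|\[at\]/gi, '@');
}

// Render a value so it is not clickable or resolvable when shared.
function defang(value, type) {
  if (type === 'url') {
    return value.replace(/^http/i, 'hxxp').replace(/^(hxxps?:\/\/)([^\/?#]+)/i,
      (_, scheme, host) => scheme + host.replace(/\./g, '[.]'));
  }
  return ['ip', 'domain', 'email'].includes(type) ? value.replace(/\./g, '[.]') : value;
}

function extractIocs(raw) {
  let text = refang(raw);
  const seen = new Set();
  const found = [];
  for (const [type, re] of PATTERNS) {
    text = text.replace(re, (m) => {
      // URLs keep their case but lose trailing sentence punctuation.
      let value = type === 'url' ? m.replace(/[.,;:)\]]+$/, '') : m.toLowerCase();
      if (type === 'cve') value = m.toUpperCase();
      const key = type + ':' + value;
      if (!seen.has(key)) { seen.add(key); found.push({ type, value }); }
      return ' ';
    });
  }
  return found;
}
```

Hashes and CVE IDs pass through `defang` unchanged because they cannot be clicked or resolved.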
IP · IP address
C2 servers, malicious hosts, scanning IPs, Tor exit nodes. Fields: ASN, country, org, port. Enriched by Shodan InternetDB, ip-api, GreyNoise, AbuseIPDB, VirusTotal.
Domain · Domain / hostname
Phishing domains, C2 domains, DGA hosts, typosquats. Fields: registrar, NS, created date. Enriched by crt.sh (subdomains), RDAP (WHOIS), URLhaus, GreyNoise, VirusTotal.
Hash · File hash
Malware samples — MD5, SHA1, SHA256. Fields: algorithm, malware family, VT hits. Enriched by VirusTotal, MalwareBazaar, ThreatFox.
URL · URL or CVE ID
Malicious URLs, phishing links, exploit URLs, or CVE IDs (e.g. CVE-2024-1234). CVEs enriched via NVD with CVSS score and KEV exploitation status.
Actor · Threat actor
APT groups, ransomware gangs, cybercriminals, insider threats. Fields: aliases, origin country, motivation, APT group name. Link to IP/domain/hash entities.
Wallet · Crypto wallet
Bitcoin, Ethereum, Monero addresses used for ransom payments or money laundering. Fields: chain, exchange. Link to actor and case timeline events.
Email · Email address
Sender addresses in phishing, attacker-controlled accounts, registration emails for malicious domains. Enriched by HaveIBeenPwned (breach lookup) with HIBP key.
Org · Organisation
Victim organisations, hosting companies, bullet-proof hosters, ASN owners. Fields: industry, country. Useful for grouping infrastructure by provider.
TLP levels: WHITE = public sharing · GREEN = community sharing · AMBER = limited sharing · RED = do not share. Set TLP on each entity when adding it. TLP appears in the exported report.
IOC status: Confirmed = actively malicious, high confidence · Suspected = under investigation · Not IOC = benign / false positive. Affects pin color on the Geo Map and graph node ring.
Add Threat Actor
Custom actors are saved to your browser (localStorage) and persist across sessions. Export to JSON to back them up.
⚡ Proxy Configuration
Deploy the included api/proxy.js to Vercel (free), then paste your deployment URL below.
Example: https://kitsune-proxy.vercel.app
The proxy routes all feed fetches through Vercel, bypassing CORS restrictions.
Leave blank to use direct fetch (works for feeds that support CORS natively like GitHub raw).
With proxy: ALL feeds work including CISA, NVD, OpenPhish, Spamhaus, Ransomware.live, HIBP, URLScan.
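A proxy that fetches URLs on the browser's behalf should only reach the feed hosts it was deployed for, otherwise anyone who finds the deployment URL can use it as a general-purpose relay. The destination check below is an added example, not the project's api/proxy.js; the host list and function names are assumptions.

```javascript
// Added example, not the project's api/proxy.js.
// ALLOWED_HOSTS is an assumed list; use the hosts of the feeds you enable.
const ALLOWED_HOSTS = new Set([
  'feodotracker.abuse.ch',
  'urlhaus.abuse.ch',
  'services.nvd.nist.gov',
  'www.cisa.gov',
  'openphish.com',
]);

// Decide whether the proxy may fetch `rawUrl` on the browser's behalf.
function validateTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  // "https://allowed.host@other.host/" parses with hostname other.host.
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (url.port !== '') return { ok: false, reason: 'non-default port' };
  // Exact match on the parsed hostname: suffix or substring checks would
  // accept names like "urlhaus.abuse.ch.attacker.example".
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host not allowlisted' };
  return { ok: true, url: url.href };
}

// Fetch with redirect: 'manual' and re-validate each Location header, so an
// allowed host cannot bounce the proxy to an internal or unlisted address.
function nextHop(currentUrl, locationHeader) {
  let target;
  try {
    target = new URL(locationHeader, currentUrl).href;
  } catch {
    return { ok: false, reason: 'unparseable redirect' };
  }
  return validateTarget(target);
}
```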
⚙ API Keys

Stored in your browser only (localStorage). Never transmitted anywhere except to the named API provider via your proxy.

// abuse.ch — unlocks malware feeds
abuse.ch Auth-Key
100% free: auth.abuse.ch → sign in → Generate Key
Enables: ThreatFox IOCs, MalwareBazaar samples, URLhaus enrichment
// threat intelligence APIs
VirusTotal
AbuseIPDB
AlienVault OTX
Shodan
URLScan.io
GreyNoise (full)
HIBP (email)
// NVD CVE (optional — increases rate limit)
NVD API Key
Works without key (slower via proxy). NVD key allows 50 req/30s vs 5/30s.
// MISP (optional — push IOCs to your instance)
MISP URL
MISP Auth Key