Python | Threat Hunting | IOC Enrichment | VirusTotal API | SOC

The Problem It Solves

During a triage session you might have 200 suspicious IPs from firewall logs, 50 file hashes from an endpoint alert, and a list of domains from a phishing email. Checking each one manually on the VirusTotal website is not viable at scale. This tool takes your full list, queries the VirusTotal v3 API for each indicator, and hands you back a clean CSV with verdicts and detection counts ready for triage.

It handles rate limiting automatically, prints live progress to the terminal, and flags anything malicious immediately so you know where to focus without waiting for the full run to complete.


Example Output
[1/5] 185.220.101.45 ... MALICIOUS (72/94)
[2/5] 8.8.8.8 ... CLEAN (0/94)
[3/5] 45.33.32.156 ... SUSPICIOUS (3/94)

MALICIOUS : 1
SUSPICIOUS: 1
CLEAN : 2

Verdict Thresholds
CLEAN: 0 detections across all engines.
SUSPICIOUS: 1-5 detections for hashes. 1-3 for IPs and domains.
MALICIOUS: 6+ detections for hashes. 4+ for IPs and domains.
Thresholds are configurable.
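
The threshold logic above, as an added example (not the tool's own code). It assumes a detection is the malicious count in the VirusTotal v3 last_analysis_stats object and that the denominator is the sum of all categories; indicator_type, verdict, progress_line and sample_response are illustrative names, and the sample responses are constructed.

```python
import ipaddress
import re

# Upper bound of the SUSPICIOUS band per indicator type, from the thresholds
# above: hashes 1-5 suspicious / 6+ malicious; IPs and domains 1-3 / 4+.
SUSPICIOUS_MAX = {"hash": 5, "ip": 3, "domain": 3}
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def indicator_type(ioc: str) -> str:
    """Classify an indicator as 'ip', 'hash' (MD5/SHA-1/SHA-256) or 'domain'."""
    ioc = ioc.strip()
    try:
        ipaddress.ip_address(ioc)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    return "hash" if HASH_RE.match(ioc) else "domain"


def verdict(ioc: str, vt_response: dict, suspicious_max=SUSPICIOUS_MAX):
    """Return (verdict, detections, engines) for one VirusTotal v3 response."""
    stats = vt_response["data"]["attributes"]["last_analysis_stats"]
    detections = stats.get("malicious", 0)  # assumption: only 'malicious' counts
    engines = sum(stats.values())           # assumption: every category is an engine
    if detections == 0:
        label = "CLEAN"
    elif detections <= suspicious_max[indicator_type(ioc)]:
        label = "SUSPICIOUS"
    else:
        label = "MALICIOUS"
    return label, detections, engines


def progress_line(i: int, total: int, ioc: str, vt_response: dict) -> str:
    """Format one result in the same shape as the example output."""
    label, det, eng = verdict(ioc, vt_response)
    return f"[{i}/{total}] {ioc} ... {label} ({det}/{eng})"


def sample_response(malicious: int, engines: int = 94) -> dict:
    """Constructed stand-in for a VirusTotal v3 object response."""
    stats = {"malicious": malicious, "suspicious": 0, "harmless": 0,
             "undetected": engines - malicious, "timeout": 0}
    return {"data": {"attributes": {"last_analysis_stats": stats}}}


if __name__ == "__main__":
    for n, (ioc, hits) in enumerate([("185.220.101.45", 72), ("8.8.8.8", 0)], 1):
        print(progress_line(n, 2, ioc, sample_response(hits)))
```

The same detection count can land in different bands depending on indicator type: 5 detections is SUSPICIOUS for a hash but MALICIOUS for an IP or domain.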