Radar is a passive intelligence enrichment CLI for IP addresses, domains, URLs, and file hashes.
This project was created with assistance from LLMs including Codex and Claude.
- Normalize and classify indicators.
- Refang common defanged input.
- Run matching passive providers concurrently.
- Cache successful provider results.
- Render Rich console output or JSON.
uv- Python 3.11+
Install from GitHub:
uv tool install git+https://github.com/m1thryn/radar.gitRun:
radar --helpUpgrade or uninstall:
uv tool upgrade radar
uv tool uninstall radarFor a repository checkout, use uv run radar ... instead of radar ....
radar evil[.]com
radar 8.8.8.8
radar hxxps://evil[.]com/path
radar evil.com --json
radar evil.com --json --raw
radar evil.com --no-cache
radar evil.com --verboseradar 8.8.8.8 --provider rdap
radar 8.8.8.8 --provider ip-api --provider rdapUsage: radar [OPTIONS] INDICATOR
Arguments:
indicator IP, domain, URL, or file hash to enrich. [required]
Options:
--json Render structured JSON output.
--no-cache Disable provider cache.
--provider TEXT Limit execution to one or more provider names.
--raw Include raw provider responses with --json.
--verbose, -v Show runtime details.
--help Show help and exit.
Radar currently supports:
| Provider | Purpose | API key | Indicator types |
|---|---|---|---|
| GreyNoise | Internet scanner and business-service IP context | Yes | ip |
| IP-API | IP metadata | No | ip |
| MalwareBazaar | Malware sample metadata | Yes | md5, sha1, sha256 |
| Pulsedive | Indicator risk, threats, feeds, and properties | Yes | ip, domain, url |
| RDAP | Registration metadata | No | domain, ip |
| Shodan | Internet-exposed services and DNS domain data | Yes | ip, domain |
| URLhaus | Malware URL, host, and payload metadata | Yes | url, domain, ip, md5, sha256 |
| urlscan | Passive URL scan search, page metadata, verdicts, screenshots | Yes | url, domain, ip, sha256 |
| ViewDNS | DNS records and reverse IP/DNS | Yes | domain, ip |
| VirusTotal | Reputation | Yes | domain, ip, url, md5, sha1, sha256 |
GreyNoise, MalwareBazaar, Pulsedive, Shodan, urlscan, ViewDNS, and VirusTotal are disabled unless API keys are present.
Set API keys as environment variables or place them in
~/.config/radar/radar.env.
The repository includes .env.example with the supported variable names and
empty values.
| Variable | Enables |
|---|---|
RADAR_ABUSECH_KEY |
MalwareBazaar, URLhaus |
RADAR_GREYNOISE_KEY |
GreyNoise |
RADAR_PULSEDIVE_KEY |
Pulsedive |
RADAR_SHODAN_KEY |
Shodan |
RADAR_URLSCAN_KEY |
urlscan |
RADAR_VIEWDNS_KEY |
ViewDNS |
RADAR_VIRUSTOTAL_KEY |
VirusTotal |
export RADAR_VIRUSTOTAL_KEY="..."Environment variables override values from the config file. To use a different file:
export RADAR_CONFIG_PATH=/path/to/radar.envSuccessful provider results are cached in SQLite:
~/.cache/radar/provider_cache.sqlite3
Override it with:
export RADAR_CACHE_PATH=/tmp/radar-cache.sqlite3Disable cache for one run:
radar evil.com --no-cacheRaw provider responses are only included in JSON when requested:
radar evil.com --json --rawInstall dependencies:
uv syncuv run pytest
uv run ruff format .
uv run ruff check .Apply safe lint fixes:
uv run ruff check . --fixThe test suite uses mocked/offline behavior and does not require live provider network access or API keys.
Manual checks:
uv run radar --help
uv run radar example.com --provider rdap --no-cache
uv run radar 8.8.8.8 --provider ip-api --jsonKeep provider behavior passive and tests offline by default.
- Add or update tests for provider parsing, renderer behavior, or CLI changes.
- Run
uv run ruff check .anduv run pytest. - Do not commit API keys, cache files, or sensitive live responses.
For new providers, implement the provider class, register it in
radar/providers/registry.py, document its API key and supported indicator
types, and add mocked tests.
radar/
cli/ CLI entrypoint
core/ models, normalization, classification
providers/ provider interface and implementations
cache/ SQLite cache
renderers/ console and JSON output
engine.py concurrent enrichment engine
config.py environment-backed runtime config
tests/