# Install wtfis with Homebrew, Nix

Passive hostname, domain, and IP lookup tool. Version 0.15.0 via Homebrew; verified 2026-05-15.

## Install

```sh
sudo av install brew:wtfis
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install wtfis
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#wtfis
```

  Evidence: nixpkgs package indexes: pkgs/by-name/wt/wtfis/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:wtfis
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/wtfis>
- **Version:** 0.15.0
- **Source summary:** Passive hostname, domain, and IP lookup tool
- **Homepage:** <https://github.com/pirxthepilot/wtfis>
- **Repository:** <https://github.com/pirxthepilot/wtfis>
- **Upstream docs:** <https://github.com/pirxthepilot/wtfis#readme>
- **License:** MIT
- **Source archive:** <https://files.pythonhosted.org/packages/de/32/9b20625e41f00c13706b03774790f31e4bcc26f3e5f39f7fce09f2d60729/wtfis-0.15.0.tar.gz>
- **Last updated:** 2026-05-15T11:13:24Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- wtfis (cli)
- wtfis (alias)

## Dependencies

- certifi
- pydantic
- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on all

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.15.0
- Package-manager updated: 2026-05-15
- Local data: ok
- Upstream repository: https://github.com/pirxthepilot/wtfis
- info: No cached GitHub release or tag data was available.
## Project history and usage

wtfis is a Python command-line OSINT lookup tool for hostnames, domains, FQDNs, and IP addresses. Its niche is human-readable passive enrichment: it gathers reputation, resolution, WHOIS, geolocation, ASN, scanner-noise, and malware-distribution context from several services while trying to minimize API calls against free-tier accounts.

### Project history

The author introduced wtfis publicly in a 2022-08-13 blog post, explaining that it was written to replace repeated manual website lookups for FQDN and domain information with one terminal command. The README keeps the same design framing: the tool is for non-robots, organized into readable panels, and named as a play on `whois`.

The earliest PyPI release with files is version 0.0.3 on 2022-08-12, one day before the author's announcement post. By 2026-04-06, PyPI listed 0.15.0 as the current release, showing that the project continued beyond the initial personal utility into a maintained OSINT CLI.

### Adoption history

wtfis was adopted in the security-tooling niche because it wraps several common reputation and enrichment services behind one readable terminal output. The README documents VirusTotal, AbuseIPDB, GreyNoise, IP2Location, IP2Whois, IPinfo, IPWhois, Shodan, and URLhaus, with many optional so users can stay within quotas or add richer context when they have keys.

A Hacker News submission in May 2025 described it as a passive hostname, domain, and IP lookup tool for non-robots and drew visible discussion, which is a useful secondary signal that the project had moved beyond the author's personal workflow into the broader security-operations audience.

### How it is used

The basic workflow is `wtfis FQDN_OR_DOMAIN_OR_IP`, with optional flags to enable all enrichments or specific services such as Shodan, GreyNoise, AbuseIPDB, and URLhaus. It accepts defanged input, can limit displayed resolutions, can turn off color, and can present one-column output for terminals where layout matters.

Credentials are optional and are loaded from environment variables or `~/.env.wtfis`. That design matches its free-tier posture: useful defaults work without every service configured, while analysts can add API keys for more complete enrichment.

### Why package nerds care

wtfis is significant as a compact example of modern security CLI ergonomics: it does not try to be a full SIEM or threat-intelligence platform, but it packages the first few minutes of domain/IP triage into a readable terminal command.

### Timeline

- 2022-08-12: Earliest PyPI file-backed release, 0.0.3.
- 2022-08-13: The author announced wtfis as a passive FQDN and domain lookup tool.
- 2023: The README documented GreyNoise support as quota-sensitive and off by default.
- 2025-05-12: wtfis appeared on Hacker News as a passive lookup tool for non-robots.
- 2026-04-06: PyPI listed release 0.15.0.

### Related projects

- wtfis aggregates data from VirusTotal, AbuseIPDB, GreyNoise, IP2Location, IP2Whois, IPinfo, IPWhois, Shodan, and URLhaus.
- The author describes the project name as a play on the traditional `whois` command.

### Sources

- <https://github.com/pirxthepilot/wtfis#readme>
- <https://news.ycombinator.com/item?id=43967962>
- <https://pirx.io/posts/2022-08-13-wtfis-passive-fqdn-and-domain-lookup-tool/>
- <https://pypi.org/pypi/wtfis/json>


## Security Notes

No matching local secret-handling manifest was found for wtfis. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ~/.env.wtfis

## Credential files

- Unix: ~/.env.wtfis
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** wtfis
- **Version Scheme:** 0
- **Revision:** 1
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - wtfis: normalized package name match | nixpkgs package indexes: pkgs/by-name/wt/wtfis/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [maigret](https://www.automicvault.com/pkg/brew/maigret/) - Shares av.db curated category or tags: cli, osint, security.
- [phoneinfoga](https://www.automicvault.com/pkg/brew/phoneinfoga/) - Shares av.db curated category or tags: cli, osint, security.
- [recon-ng](https://www.automicvault.com/pkg/brew/recon-ng/) - Shares av.db curated category or tags: cli, osint, security.
- [sherlock](https://www.automicvault.com/pkg/brew/sherlock/) - Shares av.db curated category or tags: cli, osint, security.
- [sn0int](https://www.automicvault.com/pkg/brew/sn0int/) - Shares av.db curated category or tags: cli, osint, security.
- [urx](https://www.automicvault.com/pkg/brew/urx/) - Shares av.db curated category or tags: cli, osint, security.
- [amass](https://www.automicvault.com/pkg/brew/amass/) - Shares av.db curated category or tags: cli, osint, security.
- [bbot](https://www.automicvault.com/pkg/brew/bbot/) - Shares av.db curated category or tags: cli, osint, security.
- [cycode](https://www.automicvault.com/pkg/brew/cycode/) - Both packages touch the same language runtime or ecosystem. Shared terms: certifi, cli, pydantic, python, python-3-14.

## Combined YAML source

View the package source record on GitHub. [combined/wtfis.yml](https://github.com/automic-vault/db/blob/main/combined/wtfis.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
