Release History¶

1.1.3 - 2026-03-18¶

Fixed an issue in pcap enrich where multithreading was not being used in SOAR enrichment. The risk score enrichment is now faster for large captures.

New risklist create sub-command to build a custom risk list by merging one or more Recorded Future risk rules into a single deduplicated file. Supports CSV, JSON, and EDL output formats, optional minimum risk score filtering, and direct upload to Recorded Future Fusion.
New ioc bulk-lookup sub-command for fast bulk enrichment of IOCs. Batches up to 1,000 indicators per API call and returns risk score and triggered risk rules for each indicator. Supports all IOC types: IP, domain, URL, hash, and vulnerability.
pcap enrich JSON output now includes risk rule evidence details which details the specific evidence that caused the risk rule to trigger.

Fixed an issue in ioc lookup where multithreading was not being used, causing bulk lookups to run sequentially. Lookups are now up to 20x faster when enriching multiple indicators.
Fixed an issue in risklist fetch where the command would fail when parsing unusually large column values in CSV files.
Fixed an issue where pcap enrich would fail when parsing empty IOC links.
Fixed an issue in list commands where the error cause was not always printed correctly when an API error occurred.

New risklist command to download and check metadata for Recorded Future Risk Lists.
New rules command to search for and download detection rules (YARA, Snort, Sigma).
CVSS v4 field support in ioc search and ioc lookup commands.

list bulk-add and list bulk-remove now deduplicate user-supplied entities.
Fixed an issue where entity names with spaces were not parsing correctly in list bulk-add and list bulk-remove.
pba lookup now correctly handles alerts when image retrieval fails.

pcap enrich JSON output now includes risk rule evidence details and all risk rules the IOC triggered.
Upgraded PSEngine to v2.4.0.

Fixed an issue in pcap enrich where the program would exit unexpectedly if no IPs or domains were found in the pcap file.

Added support for filtering by alert status in the ca search command.
Added support for filtering by entity in the pba search command.
Added support for the malware_report category to all pba commands.
Pretty output (-p, --pretty) for ioc lookup and ioc search now includes the hash algorithm for hashes.
Pretty output (-p, --pretty) for ioc lookup and ioc search now includes the lifecycle stage for vulnerabilities.
Added -r/--risk-score option to pcap enrich to filter results by risk score.
Added -t/--threat-hunt option to pcap enrich to enable threat hunting.

Optimized field selection for each verbosity level in ioc lookup.
Extended ioc search to support verbosity levels 1 through 5 (default is 1).
Renamed the pcap analyze sub-command to pcap enrich.
pcap enrich now produces a refined JSON output, including a Wireshark-compatible filter query.
Upgraded PSEngine to v2.3.0.

Removed interactive TUI output from pba enrich; replaced with pretty output (--pretty, -p).

ioc search ENTITY_TYPE IOC now accepts whitespace separatated IOCs, instead of a comma-separated string.
pba lookup ALERT_ID -p output formatting improved.
ca search --triggered now supports time ranges.
ca search -r now accepts multiple rules by repeating -r (e.g. -r rule1 -r rule2), instead of a comma-separated string.
Upgraded PSEngine to v2.0.6.

Sub-command ioc lookup option -v now allows the user to pick a level of verbosity (from 1 to 5)
Sub-command ioc lookup now requires an entity type as an argument, for example banshee ioc lookup ip 8.8.8.8
Sub-command ca lookup now returns a refined pretty alert
PSEngine upgraded to v2.0.2

🚀 Brought to you by the Cyber Security Engineers at Recorded