Browser Extensions for IOC Research

We offer browser extensions for Google Chrome, Opera, Mozilla Firefox and Apple Safari which make it easy to pull up Recorded Future's intel summary pages on the following indicator types: IP address, file hashes, domains, vulnerabilities, malware, and threat actor (groups).


Out of the box, the browser extension works by scanning the current page for IOCs and listing them in the extension popup when the user clicks the browser extension icon (located towards the top in the browser menu bar). IOCs are sorted by name (in previous versions, the list was in random order).

Another useful feature is that you can also mark some text on the page, right-click on it and from the context menu select “Open Intel Card in Recorded Future”. We then try to match the content of the selected text and open a Recorded Future Intel Card for the selected entity. 


Risk scores

In browser extension version 2.0.0 and higher, Recorded Future customers can enter an optional API token to increase the extension utility by getting enriched data about the IOCs found on the page.

After a valid API Token is saved in the extension settings, the list of IOCs on the page will also display the current criticality level (indicated by a colored plupp*) and the risk score for the IOC. The list is sorted by risk score and by name.

*Plupp is the official developer name of the colored dot indicating a criticality level. Plupp is an actual Swedish word meaning “blob” or “thingy”.

There is no API credit cost for displaying the criticality and risk score.  Under each IOC that has a non-zero risk score is an option to expand the selection to see "triggered risk rules".  Doing so will pull in the "Risk Evidence" portion of our intel cards and this action costs 1 API credit per lookup.

Google Chrome

You can get the "Recorded Future Look Up" from Google Chrome's extension webstore:  


The Recorded Future Look Up is now available on the Opera add-on site:

Mozilla Firefox

You can get the "Recorded Future Look Up" from Mozilla's "add on" webstore:

Note: The version currently available does not support vulnerability, malware, or threat actor lookups.  

Apple Safari

The Recorded Future Look up extension is available through Apple's Extension store:

After installing the extension, you can right-click on a highlighted IP address, domain, file hash, vulnerability, malware, and threat actor (group) in any web page and immediately pull up a Recorded Future Intel Card that summarizes everything Recorded Future has found about that specific entity.

Authorized Recorded Future users will see a full Intel Card; Authorized users that also have an API subscription can enter a valid API token into the extension and enable the browser extension to lookup Risk Scores and related risk evidence.  Non Recorded Future users can still use the browser extension but will only have access to a truncated set of information. 

The Chrome, Opera, and Safari Extensions also scan the current web page and provide users with a summary of all IP addresses, domains, file hashes, and vulnerabilities found on the web page in a drop down menu available in the toolbar (see below):



Add an API token

The API token is stored in the extension settings, the location of the settings page differs between different browsers, but here are the details on how to get to the settings:


Chrome offers at least three different ways of adding your API token.

  1. Click the cog wheel in the top right corner of extension popup
  2. or right-click on the extension icon in the top bar of the browser and select “Options”
  3. or go to your extension in the browser by either by going to the address chrome://extensions/ or by clicking the three dots in the top right corner of the browser top bar and select More Tools > Extensions.
    From there click Options

You will then see the options window where you can enter your API token. Don’t forget to press Save.



Firefox has two ways of adding the API token.

  1. Click the cog wheel in the top right corner of extension popup
  2. or click the hamburger menu in the top right corner of the browser and select Add-onsimage14.png
    Locate the Recorded Future Look Up extension from the list and click Preferences.


you get to the settings page, add your API token, and click Save.



Opera is quite similar to Chrome.

  1. Click the cog wheel in the top right corner of extension popup
  2. Right click extension icon and selectimage8.png
  3. Select View > Show Extensions from the Mac OS top bar.
    Click Options

Enter your API token in the field and press Save


The Safari version has been submitted and may not be available immediately; when it is available, the settings page is a bit unintuitive to find.

Click Safari in the Mac OS top bar and select Preferences…

Click Extensions in the menu bar of the Settings window.


Locate the Recorded Future Look Up extension and add the API token in the field. There is no Save button here, the token is stored automatically.



Note about API Queries

By adding a valid API token to the browser extension, users get automatic risk score lookups and the ability to get triggered risk rules.  The API calls only make lookup calls specific to the IP addresses, domains, hashes, vulnerabilities, or user-highlighted text observed on the current website; no other information about the browsing behavior or use is communicated via API to Recorded Future.  




Was this article helpful?
0 out of 0 found this helpful

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.
Have more questions? Submit a request



Please sign in to leave a comment. Please note that your name will be displayed.