Browser Extensions for IOC Research

We offer browser extensions for Google Chrome, Opera, Mozilla Firefox and Apple Safari which make it easy to pull up Recorded Future's Intelligence Cards on the following indicator types: IP address, file hashes, domains, vulnerabilities, malware, and threat actor (groups).


Out of the box, the browser extension works by scanning the current page for IOCs and listing them in the extension popup when the user clicks the browser extension icon (located towards the top in the browser menu bar). IOCs are sorted by name.

Users concerned about the extension parsing indicators from a web page with sensitive material can now use an 'off' switch to disable the page scanning feature in the extension settings. No IOCs or other data will be sent to Recorded Future when this feature is disabled. See Note about API Queries.

Another useful feature is that you can also mark some text on the page, right-click on it and from the context menu select “Open Intelligence Card in Recorded Future”. We then try to match the content of the selected text and open a Recorded Future Intelligence Card for the selected entity. 


Risk scores

In browser extension version 2.0.0 and higher, Recorded Future clients can enter an optional API token to increase the extension utility by getting enriched data about the IOCs found on the page.  

After a valid API Token is saved in the extension settings, the list of IOCs on the page will also display the current criticality level (indicated by a colored dot) and the risk score for the IOC. The list is sorted by risk score and by name. Each IOC with a non-zero risk score can be expanded to see the triggered risk rules.

There is no API credit cost for displaying the criticality, risk score, and triggered risk rules. The API token is used only for authentication.

Google Chrome

You can get the "Recorded Future Look Up" from Google Chrome's extension webstore:  


The Recorded Future Look Up is now available on the Opera add-on site:

Mozilla Firefox

You can get the "Recorded Future Look Up" from Mozilla's "add on" webstore:

Note: This version does not currently support vulnerability, malware, or threat actor lookups.  

Apple Safari

The Recorded Future Look up extension is available through Apple's Extension store:

After installing the extension, you can right-click on a highlighted IP address, domain, file hash, vulnerability, malware, and threat actor (group) in any web page and immediately pull up a Recorded Future Intelligence Card that summarizes everything Recorded Future has found about that specific entity.

Authorized Recorded Future users will see a full Intelligence Card; Authorized users that also have an API subscription can enter a valid API token into the extension and enable the browser extension to lookup Risk Scores and related risk evidence.  Non-Recorded Future users can still use the browser extension but will only have access to a truncated set of information. 

The Chrome, Opera, and Safari Extensions also scan the current web page and provide users with a summary of all IP addresses, domains, file hashes, and vulnerabilities found on the web page in a drop-down menu available in the toolbar (see below):



Add an API token

The API token is stored in the extension settings, the location of the settings page differs between different browsers, but here are the details on how to get to the settings:


Chrome offers at least three different ways of adding your API token.

  1. Click the cog wheel in the top right corner of extension popup
  2. or right-click on the extension icon in the top bar of the browser and select “Options”
  3. or go to your extension in the browser by either by going to the address chrome://extensions/ or by clicking the three dots in the top right corner of the browser top bar and select More Tools > Extensions.
    From there click Options

You will then see the options window where you can enter your API token. Don’t forget to press Save.


Firefox has two ways of adding the API token.

  1. Click the cog wheel in the top right corner of extension popup
  2. or click the hamburger menu in the top right corner of the browser and select Add-onsimage14.png
    Locate the Recorded Future Look Up extension from the list and click Preferences.


you get to the settings page, add your API token, and click Save.



Opera is quite similar to Chrome.

  1. Click the cog wheel in the top right corner of extension popup
  2. Right click extension icon and selectimage8.png
  3. Select View > Show Extensions from the Mac OS top bar.
    Click Options

Enter your API token in the field and press Save


The Safari version has been submitted and may not be available immediately; when it is available, the settings page is a bit unintuitive to find.

Click Safari in the Mac OS top bar and select Preferences…

Click Extensions in the menu bar of the Settings window.


Locate the Recorded Future Look Up extension and add the API token in the field. There is no Save button here, the token is stored automatically.



Note about API Queries

By adding a valid API token to the browser extension, users get automatic risk score lookups and the ability to get triggered risk rules.  The API calls only make lookup calls specific to the IP addresses, domains, hashes, vulnerabilities, or user-highlighted text observed on the current website; no other information about the browsing behavior or use is communicated via API to Recorded Future.  

For teams that are interested in reviewing the browser extension code, we recommend the following steps:

  1. Chrome Extension
  2. FireFox Extension
    • go to the firefox app store and find the link to Recorded Future's FireFox lookup add-on:
    • On the "Add to Firefox" button, right click and choose "save link as..."
    • The downloaded file has an "xpi" extension; rename this to "zip" and unzip the file.  The source code will be uncompressed and available for review.  The code is in javascript and found in the 'scripts' folder.



Was this article helpful?
0 out of 0 found this helpful

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.
Have more questions? Submit a request



Please sign in to leave a comment. Please note that your name will be displayed. If you would like to change how your name appears, please update your profile name.