
Cyber Threat Intelligence Feed
A cyber threat intelligence platform that collects malicious IPs and domains from internet sensors, enriches them with geolocation, ownership, and MITRE ATT&CK context, and serves them through a REST API and an interactive dashboard. A master–replica design keeps collection private and exposes only read-only data to clients.
A FastAPI service handles collection, enrichment, and the rate-limited API, while a Next.js 15 dashboard with D3 geo-maps and NextAuth serves analysts. Data lives in MySQL 8 with master–replica replication, TLS-encrypted connections, API-key authentication, and bcrypt-hashed accounts. Deployment is automated with install scripts and systemd, running under non-root service users.
Multi-source collection
Indicators come from Tor exit nodes, community blocklists, AbuseIPDB, VirusTotal, and URLhaus, with optional Splunk-driven enrichment.
Automatic enrichment
Each indicator gains GeoIP, ASN, RDAP/WHOIS history, and MITRE ATT&CK tactics and techniques, with historical snapshots kept for auditing.
Machine-readable feeds
Threat data is served as JSON or exported as STIX 2.1 bundles and CSV, ready to drop into existing SOC tooling.
Master–replica delivery
MySQL replication separates the private collection server from a read-only client replica, for high availability with a small attack surface.
