Back to portfolio
Cyber Threat Intelligence Feed

Cyber Threat Intelligence Feed

A cyber threat intelligence platform that collects malicious IPs and domains from internet sensors, enriches them with geolocation, ownership, and MITRE ATT&CK context, and serves them through a REST API and an interactive dashboard. A master–replica design keeps collection private and exposes only read-only data to clients.

// Architecture

A FastAPI service handles collection, enrichment, and the rate-limited API, while a Next.js 15 dashboard with D3 geo-maps and NextAuth serves analysts. Data lives in MySQL 8 with master–replica replication, TLS-encrypted connections, API-key authentication, and bcrypt-hashed accounts. Deployment is automated with install scripts and systemd, running under non-root service users.

// Key capabilities

Multi-source collection

Indicators come from Tor exit nodes, community blocklists, AbuseIPDB, VirusTotal, and URLhaus, with optional Splunk-driven enrichment.

Automatic enrichment

Each indicator gains GeoIP, ASN, RDAP/WHOIS history, and MITRE ATT&CK tactics and techniques, with historical snapshots kept for auditing.

Machine-readable feeds

Threat data is served as JSON or exported as STIX 2.1 bundles and CSV, ready to drop into existing SOC tooling.

Master–replica delivery

MySQL replication separates the private collection server from a read-only client replica, for high availability with a small attack surface.

// Technology stack
Python / FastAPINext.jsMySQLSplunkSTIX 2.1
// Inside the project
Cyber Threat Intelligence Feed — 1
// Contact

Have a project in mind?|

Tell us what you're building, and we'll get back to you.

orv:~$new-project
or reach us directly
Telegram@OrvTeam
GitHub@ItsOrv
Email
orv© 2026