Self-Hosted Threat Intelligence Platforms

This project is a comprehensive, community-curated directory of resources and methodologies for open-source intelligence gathering. It serves as a centralized reference framework for researchers, providing a structured index of specialized tools, databases, and search techniques used to collect and analyze publicly available information from across the global internet. The directory distinguishes itself through a hierarchical taxonomy that organizes complex investigative domains, ranging from cyber threat intelligence and digital forensic investigation to geospatial analysis and operational security. By leveraging a crowdsourced model, the repository ensures that its collection of investigative tools remains current, with a distributed network of contributors validating links and maintaining the integrity of the resource list. The project covers a broad capability surface, including advanced search operators, reverse image lookup, social network analysis, and domain infrastructure research. It also provides guidance on privacy-focused browsing and anonymity protection to support sensitive research workflows. The entire knowledge base is maintained as a version-controlled markdown repository, offering a portable and searchable index for professionals and researchers conducting deep web investigations or fact-checking tasks.

T-Pot is a multi-honeypot platform and threat intelligence framework that deploys a collection of containerized decoy services to capture attacker behavior and network telemetry. It functions as a Docker-based deception system, simulating vulnerable network environments to gather intelligence on threat actors. The system features a distributed sensor network using a hub-and-spoke architecture, allowing remote sensors to transmit logs back to a central management hub. It integrates large language models to create a dynamic deception engine capable of adaptive interactions with attackers. The platform covers a broad range of security capabilities, including the emulation of vulnerable services, passive network traffic analysis, and the use of HTTP tarpitting to exhaust attacker resources. Captured event logs are aggregated into real-time dashboards and geographic maps for threat data visualization. Administrative access to the tool suite and dashboards is managed through a reverse proxy and authenticated web access control.

This application is a desktop network traffic analyzer that provides real-time monitoring and forensic inspection of data packets. By interfacing directly with low-level system drivers, it captures raw network traffic from physical or virtual adapters to identify communication patterns, track bandwidth usage, and diagnose connectivity issues. The system distinguishes itself through an immediate-mode graphical interface that rebuilds the display state every frame, ensuring high responsiveness during live data updates. It maintains performance by using asynchronous message passing to decouple the packet capture engine from the rendering thread. To provide context for network activity, the application performs real-time enrichment through high-speed database lookups, enabling features like autonomous system identification, host location mapping, and reverse DNS resolution. Beyond basic monitoring, the tool includes comprehensive diagnostic and security capabilities. Users can apply granular traffic filtering, manage alert conditions for specific network events, and utilize automated threat detection to identify and block suspicious connections. The software also supports the recording of traffic data into standard file formats for offline analysis and provides configuration options for operation within isolated containerized environments.

CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions. What distinguishes the project is its decoupled enforcement model, which offloads active blocking to lightweight external components known as bouncers. These bouncers query the central API to synchronize threat intelligence and apply real-time remediation across distributed environments. The system also features a hub-based configuration management framework, allowing users to download and deploy community-curated security scenarios, parsers, and collections to ensure consistent protection against evolving threats. The platform provides a comprehensive suite of tools for security operations, including automated log parsing pipelines, event-driven plugin systems for notification workflows, and extensive command-line utilities for infrastructure management. It supports flexible deployment patterns across standalone, containerized, and cloud-native environments, enabling centralized orchestration of security agents and fleet-wide monitoring of threat activity. The project includes a robust documentation and command-line interface that facilitates the lifecycle management of security components, from initial service discovery and configuration to the validation of detection logic and the auditing of active security policies.

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

This project is a network reconnaissance framework and internet metadata database used for collecting, storing, and analyzing data from active scanners and passive traffic captures. It functions as a threat intelligence aggregator and passive traffic analysis tool, merging scan results from multiple tools into a unified dataset for security investigation. The system distinguishes itself through its ability to visualize network assets using heatmaps and geographic charts to correlate autonomous systems and domain names. It provides external attack surface management by aggregating metadata to monitor the security posture of public internet assets and mapping connections between nodes to track communication patterns. The platform covers a broad range of capabilities including active asset scanning, firewall log ingestion, and the archiving of network certificates and keys. It includes a search service for indexing devices across private or public internet ranges and integrates third-party network tools via a plugin-based system. Access to the data is managed through a web interface using key-based authentication and external headers.

Pi-hole is a self-hosted network utility that functions as a DNS sinkhole server to provide network-wide ad blocking. By acting as a dedicated network gateway, it intercepts and discards requests for known advertising, tracking, and malicious domains across an entire local network, preventing unwanted content from loading on any connected device. The software operates through a lightweight background daemon that handles high volumes of concurrent DNS queries with minimal resource overhead. It utilizes a host-file injection mechanism to redirect traffic toward its local filtering engine and applies regex-based pattern matching to identify and block specific domain requests. Users manage these operations and monitor network traffic statistics through a centralized, web-based configuration interface. Beyond blocking, the project provides tools for comprehensive DNS traffic management and home network security. By resolving domain names locally, it offers increased visibility into outgoing internet traffic and helps optimize network performance by preventing the download of resource-heavy tracking scripts and advertisements.

SpiderFoot is an open-source reconnaissance and intelligence automation framework designed to streamline the collection and correlation of data for security investigations. It functions as a comprehensive platform that automates the querying of hundreds of public data sources to map digital footprints, identify exposed assets, and uncover potential security threats across an organization's external perimeter. The platform distinguishes itself through a modular, plugin-based architecture that executes data gathering tasks in parallel, supported by a directed graph data model that tracks relationships between discovered entities. It utilizes dynamic workflow orchestration and event-driven correlation to guide users through multi-stage investigations, automatically triggering follow-up queries based on newly discovered indicators of compromise. Beyond core reconnaissance, the system provides extensive capabilities for attack surface management, credential leak monitoring, and threat actor tracking. It supports proactive security operations by facilitating automated threat hunting, generating detection signatures, and simulating attack scenarios to identify visibility gaps. The platform also manages the full intelligence lifecycle, from aggregating disparate data feeds and enriching findings with contextual analysis to producing actionable reports for risk evaluation.

TheZoo is a centralized repository and management system designed for the storage, organization, and retrieval of live malicious software samples. It provides a structured environment for security researchers and educators to access, track, and analyze dangerous code for the purpose of threat intelligence and defense development. The system utilizes a command-line interface to manage the lifecycle of malware samples, including the preparation of new submissions and the querying of a centralized database. To ensure safety and authenticity, the platform stores binaries in password-protected, encrypted archives and performs cryptographic hash verification on all samples. This approach allows for the controlled distribution and study of malicious code while preventing accidental execution. The repository supports comprehensive research workflows by indexing samples based on specific attributes such as platform and architecture. This metadata-driven organization enables efficient searching and categorization, facilitating the systematic examination of attack vectors and emerging cyber threats.

This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.

Amass is an attack surface management tool designed to identify, map, and inventory an organization's internet-facing digital assets. It functions as a security asset discovery engine that systematically expands an organization's known infrastructure footprint through recursive domain name resolution and the collection of intelligence from diverse public data sources. The platform distinguishes itself by utilizing a graph-based modeling approach to organize discovered resources. By maintaining a persistent graph database, it tracks the relationships between infrastructure components and normalizes data from multiple intelligence feeds into a unified schema. This allows for the visualization of complex network topologies and the long-term monitoring of infrastructure changes. The framework supports comprehensive security visibility by integrating modular data collection tasks and asynchronous processing to handle large-scale network scanning. It provides a centralized repository for asset records, enabling consistent tracking and analysis of an entity's technical landscape for threat intelligence and vulnerability identification.

Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle. The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detection logic through composite rules and provides mechanisms for baseline management, which enables teams to ignore existing findings and focus exclusively on new security risks. By offering pre-commit hook integration and exit-code-based orchestration, it allows for the enforcement of security policies directly within developer workflows and automated build environments. Beyond core scanning, the project provides a broad set of utilities for managing security findings, including support for decoding obfuscated strings, inspecting compressed archives, and filtering results through allowlisting or path exclusions. It facilitates compliance and reporting by exporting structured data, which can be integrated into external dashboards or tracking systems. The tool is built to handle various input sources, including direct file system traversal and standard input streams, ensuring compatibility with diverse development and deployment environments.

Sn1per is a vulnerability management platform and penetration testing orchestrator designed to automate reconnaissance, vulnerability scanning, and exploit verification. It functions as a dockerized security toolkit that coordinates multiple tools into a unified automated pipeline to identify security flaws across network and web assets. The platform features an attack surface manager for discovering internet-facing assets through OSINT, DNS enumeration, and certificate transparency. It distinguishes itself with an AI-powered security analyzer that uses large language models to summarize scan outputs and triage vulnerabilities, alongside an active exploit validation engine to eliminate false positives. Its broader capabilities cover mobile application auditing for Android and iOS binaries, dark web leak monitoring, and asset risk assessment. The system provides a security analysis dashboard for managing multi-user workspaces, generating structured reports, and configuring security tools via a web interface. The environment is deployed using containers and persistent volumes to ensure a reproducible runtime.

Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations against compliance standards and relies on a remote, periodically updated vulnerability database to maintain current detection logic without requiring binary updates. By employing static analysis pattern matching, it maps disparate scan results into a unified output schema for consistent reporting. Beyond its core scanning capabilities, the project supports cloud infrastructure auditing and deep inspection of local and remote environments. It is distributed as a single cross-platform executable, and comprehensive configuration and usage details are available in the project's official user guide.

This project is a comprehensive repository of curated domain blocklists designed for network-wide DNS filtering. It functions as a DNS sinkhole feed, providing the necessary data to intercept and block unwanted network requests at the resolution layer before they reach their destination. By returning null or loopback addresses for identified domains, it prevents connections to malicious infrastructure, advertising servers, and tracking endpoints across all devices on a network. The repository distinguishes itself through a tiered categorization logic that allows users to select protection levels based on their specific security and compatibility requirements. It aggregates data from multiple threat intelligence and privacy sources, processing them through an automated pipeline to ensure the lists remain current. The output is generated in multiple standard formats, ensuring compatibility with a wide range of DNS server software and network appliances. Beyond basic ad and tracker blocking, the project supports granular content restrictions, including the ability to filter adult content, gambling sites, and social media platforms. It also includes specialized protections against security threats such as phishing, malware, and command-and-control servers, while mitigating unauthorized telemetry and preventing DNS rebinding attacks.

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.

This project is a curated, version-controlled directory of software and resources designed for cybersecurity professionals and researchers. It functions as a centralized knowledge base that aggregates and organizes external security utilities into a structured taxonomy to facilitate discovery and access for specialized research and testing tasks. The repository distinguishes itself through a community-driven model where external resource locations are verified and maintained by contributors. By leveraging a distributed version control system, the project ensures the historical integrity and consistency of its collection, allowing users to track changes and updates to the indexed toolsets over time. The directory covers a broad spectrum of security domains, including penetration testing, digital forensics, network analysis, and threat intelligence gathering. It provides access to frameworks and utilities for tasks such as vulnerability scanning, password auditing, automated software fuzzing, and the deployment of decoy systems. Additionally, the project includes resources for managing competitive security challenges and infrastructure orchestration.

Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platform distinguishes itself through a privacy-focused architecture that relies on cryptographic fingerprinting to track and deduplicate findings without ever transmitting or storing raw sensitive values. It supports distributed scanning via independent agents that connect to a central dashboard, allowing for localized analysis while maintaining network isolation. Furthermore, the system provides automated incident response capabilities, including secret rotation and revocation, which help organizations minimize the window of vulnerability for compromised credentials. Beyond core detection, the project offers a broad capability surface for enterprise-wide access governance and security compliance. It includes modular detection logic for custom rule definitions, integration with external identity providers for role-based access control, and extensive monitoring across cloud storage, container infrastructure, and collaboration platforms. The system also provides detailed metadata tracing to link findings to specific users, pipelines, or commits, facilitating efficient remediation and auditability across large-scale development environments.

This project provides a system-wide content filtering utility that controls network traffic by redirecting domain resolution requests to local null addresses. By mapping unwanted hostnames to these addresses at the operating system level, it effectively blocks connections to advertising, tracking, and malicious domains across all applications on a machine. The core of the system is a data-driven build pipeline that aggregates multiple curated source lists into a single, unified configuration file. This process is highly customizable, allowing users to employ declarative filtering logic through external blacklist and whitelist files to define exactly which domains are included or excluded. The build process is managed via a command-line interface, which supports various flags to control output formats, source selection, and custom domain mappings. Beyond basic aggregation, the project supports diverse deployment scenarios, including containerized environments and integration with local network resolver services. It provides platform-specific utilities to ensure consistent application of these filtering rules, including mechanisms to manage local DNS client services for immediate configuration updates. The resulting output is designed to be environment-agnostic, maintaining compatibility across a wide range of operating systems and network services.

This project is a comprehensive, curated directory of cybersecurity resources, software, and documentation designed to support system and network protection. It serves as a centralized knowledge base and index for security professionals, aggregating industry-standard practices and open-source tools across a wide range of technical domains. The repository distinguishes itself by providing a structured collection of methodologies and frameworks for security operations. It covers critical areas including threat intelligence, digital forensics, infrastructure auditing, and vulnerability assessment management. By organizing these materials, the project assists in the discovery and implementation of solutions for network monitoring, incident response, and the maintenance of consistent security configurations across diverse environments.