THREAT OPS
Real-time global cyber threat intelligence dashboard. Aggregates gov-CERT advisories, vendor research, IOC feeds, and live cert observations into a single operator surface for threat-intel analysts.
Scoring rubric
AI-Tech (0-100) — AI lab brands (Anthropic, Claude, OpenAI, Gemini, Mistral, Cohere, HuggingFace), hyperscalers (AWS, Azure, GCP, Cloudflare), ML-infra (Kubernetes, GPUs, model weights, training data, vector DBs), dev supply chain (GitHub, npm, PyPI, Docker), identity (Okta, Entra, SAML, OAuth, SSO), nation-state actor tags (APT41, Volt Typhoon, …), AI-targeted TTPs (model theft, prompt injection, training-data poisoning, AI supply chain).
Each category has a per-category cap; total caps at 100.
Sources & refresh cadences
| Source | Cadence | Notes |
|---|---|---|
| CISA KEV, CISA Advisories, NCSC-UK, CCCS-CA, JPCERT, HKCERT | 5–60 min | National CERTs / vulnerability authorities |
| Mandiant, MSTIC, Unit42, Talos, SentinelOne, CrowdStrike, Volexity, Securelist, ESET, Huntress, Recorded Future, DFIR Report, Krebs, BleepingComputer, Check Point, JPCERT-blog, Google TAG | 30–60 min | Vendor research blogs |
| abuse.ch URLhaus, ThreatFox, MalwareBazaar, Feodo | 5 min | Public CSV feeds (no API key) |
| NVD CVE, GitHub Security Advisories | 60 min | Vulnerability authorities |
| GDELT cyber-themed events | 15 min | Near-real-time global news |
| CertSpotter (10 brand domains) | 10 min | Phishing-cert early warning |
| CertStream WebSocket | continuous | Brand watchlist filter |
| MITRE ATT&CK STIX, MISP threat-actor galaxy | weekly | One-shot seeds |
| CINS Army, FireHOL Level-1 | 60 min | IP blocklists |
Retention
Reports older than 24 hours are pruned automatically every 30 minutes.
Cert observations are kept until manually pruned. Watchlist + suppression
state lives in localStorage (per browser).
What's filtered out as non-IOC noise
The IOC extractor drops anything matching:
- major platform / docs hosts (microsoft.com, learn.microsoft.com, github.com, cloudflare.com, w3.org, …)
- news publishers (wsbtv.com, theguardian.com, scmp.com, axios.com, morningsun.net, …) — never promoted to IOC even if mentioned in their own articles
- site assets (
*.css,*.webp,/wp-content/,/uploads/) - private RFC1918 + loopback IPs
- shared infra hosts (api.telegram.org, discord.com, pastebin.com, ngrok.io,
trycloudflare.com, raw.githubusercontent.com): surfaced with a
shared infra — do not blockflag rather than treated as plain IOCs
Real-time architecture
One SSE stream at /api/stream pushes report.new,
report.enriched, report.enrich_progress,
cert.new, source.status, stream.heartbeat,
and a periodic snapshot with stats + sources + top actors.
The browser pauses fetching while the tab is hidden and reconnects
with exponential backoff.
Audit hooks
/healthz— process liveness/metrics— Prometheus-style counters- Hidden ops drawer — press g then o (collision-free). Ctrl+Shift+O still works as a legacy alias but collides with Firefox's Bookmarks Library, so the g o sequence is preferred.
- IOC drawer shows extraction provenance (regex rule + ±60 char snippet)
- LLM enrichment box shows model name + prompt version + latency