APT Intel Dashboard

Load a database to begin

Infrastructure Pattern Analysis

Patterns discovered from vulnerability scan fingerprinting — SSL certificates, port signatures, and hosting indicators that link unknown hosts to known APT infrastructure.

Pattern Details

Scan Candidates (port fingerprint match)

Quick Exports

Run a query and download the results as CSV directly from the browser.

Database Commands

Run these in your terminal. After making changes, reload the .db file here.

Full Rebuild

python database/rebuild_db.py

Import New Vuln Scan

python scripts/import_data.py vulnscan scans/your_scan.csv

Import APT Report

python database/import_incremental.py apt-report reports/apt-targets/APT-TARGETS-xxx.md

Import New IPv4 IOCs

python database/import_incremental.py ipv4 iocs/new_ips.txt

Export Web DB

python database/export_web_db.py

CLI Stats

python database/query.py stats

Database Health Check

Click "Run Health Check" to analyze database integrity.

Load a database to begin

Recon Overview

Staging & Relay Servers

Servers detected as proxy/staging nodes coordinating C2 traffic. High confidence = strong proxy + multi-C2 signal.

Recon Candidates

New IPs, subnets, and ASNs identified through enrichment, subnet adjacency, and correlation analysis.

Enrichment Results

Geolocation, ASN, and hosting data gathered from online APIs for known IOCs.

ASN Intelligence Map

Top ASNs hosting threat infrastructure — ranked by IOC density.

Recon Pipeline Commands

Run these in your terminal to enrich data and discover new candidates.

1. Enrich Top IPs (online lookup)

Queries ip-api.com for geolocation, ASN, and hosting data on critical IPs.

python database/recon.py enrich-top 50

2. Detect Staging Servers

Analyzes proxy + C2 patterns to identify relay and coordination nodes.

python database/recon.py detect-staging

3. Run Full Candidate Discovery

Runs staging detection + ASN clustering + subnet adjacency + multi-source correlation.

python database/recon.py find-candidates

4. Enrich Single IP

python database/recon.py enrich-ip 196.251.69.100

5. Show Report

python database/recon.py report

6. Re-export Web DB (after recon)

python database/export_web_db.py

Load a database to begin

Validation Overview

Shodan InternetDB

Free, no key

AbuseIPDB

1000/day (API key)

VirusTotal

4/min (API key)

Quick IP Lookup (browser-side)

Queries Shodan InternetDB directly from browser (free, no key). Optional VirusTotal with your API key (never stored).

VirusTotal API Key (optional):

Validation Queue

Recent Validations

Validation Pipeline Commands

1. Build Queue

Queue unvalidated IPs, prioritized by subnet tier.

python database/validate.py queue 500

2. Run Shodan (free)

Validate via Shodan InternetDB. No API key needed.

python database/validate.py run shodan 100

3. Run AbuseIPDB

Requires ABUSEIPDB_KEY env var. Free: 1000/day.

export ABUSEIPDB_KEY=your_key && python database/validate.py run abuseipdb 100

4. Run VirusTotal

Requires VIRUSTOTAL_KEY env var. Free: 4/min.

export VIRUSTOTAL_KEY=your_key && python database/validate.py run virustotal 50

5. Check Single IP

Validate one IP against all available sources.

python database/validate.py check 91.231.182.187

6. Status Report

Show validation coverage and queue stats.

python database/validate.py status

Load a database to begin