A simple application that extracts your IoCs from garbage input and checks their reputation using multiple services.
🌐 demo.cyberbro.net
Inspired by Cybergordon and IntelOwl.
This project aims to provide a simple and efficient way to check the reputation of your observables using multiple services, without having to deploy a complex solution. Read the docs at https://docs.cyberbro.net/
Tip
To build custom reports, use Cyberbro with your favorite LLM (Claude, OpenAI gpt-4o...) via MCP (Model Context Protocol)
Checkout Cyberbro MCP for more information.
- Easy Input: Paste raw logs or IoCs—automatic parsing and extraction.
- Multi-Service Checks: Reputation lookup for IPs, hashes, domains, URLs, and Chrome extension IDs across many threat intel services.
- Comprehensive Reports: Advanced search, filtering, and export to CSV/Excel.
- Fast Processing: Multithreaded for speed.
- Automated Pivoting: Discover related domains, URLs, and IPs via reverse DNS and RDAP.
- Accurate Domain & Abuse Info: ICANN RDAP and abuse contact lookups.
- Integrations: Microsoft Defender for Endpoint, CrowdStrike, OpenCTI, Grep.App, Hudson Rock, and more.
- Proxy & Storage: Proxy support and results stored in SQLite.
- History & Graphs: Analysis history and experimental graph view.
- Cache: Caching for faster repeat lookups (enabled at multi-engines level, not each engine).
- Beginner-Friendly: Accessible for all skill levels.
- Chrome Extension ID Lookup: Get extension names and CTI data from IDs.
- Lightweight Deployment: Simple setup and use.
- Advanced TLD Extraction: Accurate root domain detection for better lookups.
- Pragmatic Data Gathering: Uses GitHub and Google to find overlooked IoCs.
- CTI Report Integration: Fetches IoC-related reports from IoC.One.
- EDR Integration: Checks observables against your own security tools (MDE, CrowdStrike).
Tip
If you are lazy, you need Docker.
Do a git clone ; copy secrets-sample.json to secrets.json ; docker compose up then go to localhost:5000. Yep, that's it!
- To get started, clone the repository
git clone https://github.com/stanfrbd/cyberbro
cd cyberbrocp secrets-sample.json secrets.json
Note
Don't have API keys? No problem, just copy the secrets-sample.json to secrets.json and leave all like this. Be careful if a proxy is used.
You will be able to use all free engines!
- Fill values (including proxy if needed) in the
secrets.jsonfile.
{
"abuseipdb": "token_here",
"alienvault": "token_here",
"criminalip_api_key": "token_here",
"crowdstrike_client_id": "client_id_here",
"crowdstrike_client_secret": "client_secret_here",
"google_safe_browsing": "token_here",
"ipinfo": "token_here",
"mde_client_id": "client_id_here",
"mde_client_secret": "client_secret_here",
"mde_tenant_id": "tenant_here",
"misp_api_key": "token_here",
"misp_url": "https://misp.local",
"opencti_api_key": "token_here",
"opencti_url": "https://demo.opencti.io",
"proxy_url": "",
"shodan": "token_here",
"virustotal": "token_here",
"webscout": "token_here"
}- Obtain API keys from the official documentation of each service.
- Microsoft Defender for Endpoint (MDE) is a paid service and can be skipped if you don't have an account (unchecked by default).
Important
You can modify the configuration via the GUI at http://127.0.0.1:5000/config.
This endpoint is disabled by default for security reasons, as it is not protected.
To enable it, set "config_page_enabled":true in secrets.json or use CONFIG_PAGE_ENABLED=true as environment variable.
This is not recommended for public or team use, as it exposes your API keys.
See Advanced options for deployment in the docs to get all custom option.
Warning
Make sure you install the compose plugin as docker compose and not docker-compose.
docker compose up # use -d to run in background and use --build to rebuild the image- Go to http://127.0.0.1:5000 and Enjoy.
Don't forget to edit the
secrets.jsonbefore building the image.
See Advanced options for deployment in the docs to get all Docker deployment options.
- Clone the repository and install the requirements.
You might want to create a venv before installing the dependencies.
pip install -r requirements.txt- Run the app with
gunicorn(clean mode).
gunicorn -b 0.0.0.0:5000 app:app- Run the app with in development mode.
python3 app.pySee all screenshots
Caution
If you intend to use this in a production environment, use well configured Reverse Proxy + WAF to prevent security issues.
- The API is available at
/api/and can be accessed via the GUI or command-line.
There are currently 3 endpoints:
/api/analyze- Analyze a text and return analysis ID (JSON)./api/is_analysis_complete/<analysis_id>- Check if the analysis is complete (JSON)./api/results/<analysis_id>- Retrieve the results of a previous analysis (JSON).
curl -X POST "http://localhost:5000/api/analyze" -H "Content-Type: application/json" -d '{"text": "20minutes.fr", "engines": ["reverse_dns", "rdap"]}'{
"analysis_id": "e88de647-b153-4904-91e5-8f5c79174854",
"link": "/results/e88de647-b153-4904-91e5-8f5c79174854"
}curl "http://localhost:5000/api/is_analysis_complete/e88de647-b153-4904-91e5-8f5c79174854"{
"complete": true
}curl "http://localhost:5000/api/results/e88de647-b153-4904-91e5-8f5c79174854"[
{
"observable": "20minutes.fr",
"rdap": {
"abuse_contact": "",
"creation_date": "2001-07-11",
"expiration_date": "2028-01-08",
"link": "https://rdap.nic.fr/domain/20minutes.fr",
"name_servers": [
"ns-1271.awsdns-30.org",
"ns-748.awsdns-29.net",
"ns-16.awsdns-02.com",
"ns-1958.awsdns-52.co.uk"
],
"organization": "",
"registrant": "20 MINUTES FRANCE SAS",
"registrant_email": "[email protected]",
"registrar": "GANDI",
"update_date": "2024-11-18"
},
"reverse_dns": {
"reverse_dns": [
"13.249.9.82",
"13.249.9.92",
"13.249.9.83",
"13.249.9.129"
]
},
"reversed_success": true,
"type": "FQDN"
}
]Note
The dedicated docs page gives all the names of usable engines.
- AbuseIPDB
- Abusix
- Alienvault
- CriminalIP
- CrowdStrike
- Github
- Google Safe Browsing
- Google DNS
- Grep.App
- Hudson Rock
- ICANN
- IPinfo
- IPquery
- Ioc.One
- Microsoft Defender for Endpoint
- MISP
- OpenCTI
- OpenRDAP
- Phishtank
- Shodan
- Spur.us
- ThreatFox
- URLscan
- VirusTotal
- WebScout
Note
Any questions? Check the https://docs.cyberbro.net or raise an issue
For the advanced config (tuning of supervisord.conf before deployment, selection of visible engines, change /api/ prefix...), check the dedicated docs page.
A huge thank you to all the amazing contributors who made pull requests and helped improve this project:
- Florian PILLOT who reworked engines (refactoring and optimizations).
- Axel who develops Ioc.One and added a specific User-Agent allowing scraping of Ioc[.]One.
- Jon Mark Allen who added a better secret management and tests. He refactored a lot and made many improvements to the codebase.
Your contributions are greatly appreciated!
MIT License
Copyright (c) 2025 stanfrbd
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
The logo used in this project is free for personal and commercial use and can be found here.
![@github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=64&v=4){kind=small}
