ThreatLens

Output for Harvester
output for scan
IOCs
CVEs
Foundation
IPs
Yara rules extraction and AI explanation
IOC explanation

Inspiration

Modern Security Operations Centers (SOCs) and campus IT departments are drowning in data. With hundreds of vulnerabilities and threat reports published daily, analysts suffer from severe 'alert fatigue.' We were inspired to build a tool that acts as a force multiplier, something that doesn't just collect news, but automatically filters the noise and hands defenders a synthesized, actionable killchain

What it does

ThreatLens is an automated Cyber Threat Intelligence (CTI) platform. It scrapes live intelligence from high-fidelity sources (Mandiant, NVD, Talos), extracts precise Indicators of Compromise (IOCs), and instantly verifies their toxicity using the AlienVault OTX and Shodan APIs. It then leverages Gemini 2.5 Flash to automatically generate a Predicted Attack Killchain and exports the threat data into enterprise-ready STIX 2.1 bundles.

How we built it

We built the backend engine using Python and Flask, operating entirely in-memory for maximum speed. For threat enrichment, we integrated the AlienVault OTX and Shodan APIs. For the intelligence synthesis, we utilized the Google Gemini API (v1beta). The frontend is a responsive, dark-mode dashboard built with Bootstrap, utilizing Chart.js and Mermaid.js for live telemetry and Diamond Model visualizations.

Challenges we ran into

Combating Alert Fatigue: Initially, our scraper was too aggressive and flagged legitimate reference links (like cisa.gov) as 'Suspicious Infrastructure.' We had to engineer a strict TRUSTED_DOMAINS allowlist to tune out the noise.
Containerization Constraints: We had to overcome Docker layer caching and internal networking constraints to achieve a secure, reproducible environment mapped to localhost.
Hardening the AI: We realized feeding raw, untrusted web data to the LLM opened the door for prompt injection. We mitigated this by implementing strict OWASP-aligned security guardrails and <<>> delimiters.

Accomplishments that we're proud of

We are incredibly proud of successfully translating raw, unstructured web data into the highly rigid STIX 2.1 schema, ensuring our tool can actually interoperate with enterprise SIEMs and firewalls. We're also proud of building a functional, enterprise-grade UI that actually looks like a tool a SOC analyst would want to use.

What we learned

We practically lived the life of Detection Engineers this weekend. We learned how technologies like Docker, AI APIs, and OSINT scrapers actually stitch together in a live environment, and we learned that tuning out false positives is just as important as finding the real threats.