Inspiration
Every day, hundreds of new software vulnerabilities (CVEs) and cyber threat advisories are published. For large enterprises, this information is managed by dedicated Security Operations Centers (SOCs) using tools like Splunk or CrowdStrike. However, for small and medium-sized businesses (SMBs)—which make up over 90% of the business landscape—enterprise-grade security tooling is financially and operationally out of reach.
According to the Verizon Data Breach Investigations Report (DBIR), 43% of cyberattacks target small businesses, and the average cost of an SMB breach exceeds $200,000. Most SMB owners fly blind because they lack the cybersecurity budget and the technical background to decipher dense, jargon-filled security alerts.
We built ThreatLens to democratize enterprise-grade threat intelligence. We wanted to create a platform that makes cybersecurity accessible, readable, and actionable for non-technical users, helping them protect their digital assets without needing a dedicated security team.
What it does
ThreatLens is an AI-powered threat intelligence platform that acts as a translator and triage system for cybersecurity threats.
Continuous Data Ingestion: Automatically scans and normalizes live threat feeds from trusted public databases including the National Vulnerability Database (NVD), CISA's Known Exploited Vulnerabilities (KEV) Catalog, and AbuseIPDB.
AI Plain-English Translation: Uses the GROQ API to transform complex, technical CVE advisories into clear, 2–4 sentence summaries tailored for a non-technical business owner, along with direct, step-by-step mitigation instructions (e.g. "Update your web server immediately to version X" instead of "Apply patch CVE-XXXX-XXXX").
Composite Risk Scoring: Calculates a customized 1–10 Business Risk Score by weighting the CVSS base score, CISA active exploitation status, AI business impact assessment, and patch availability.
Personalized Dashboard & Alerts: Allows users to specify their industry (healthcare, retail, finance, etc.) and tech stack, filtering out irrelevant noise to present only the threats that directly impact their operations. It displays data in an interactive dashboard with a color-coded risk matrix, trend charts, and sends alerts via email or webhooks.
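A worked example of the composite scoring described above, added here as an illustration rather than ThreatLens's own code: the four inputs are the page's, but the weights, the 1–5 impact scale, the KEV floor and the sample records are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ThreatInput:
    cve_id: str
    cvss_base: float       # 0.0-10.0 NVD base score
    in_cisa_kev: bool      # listed in CISA's KEV catalog (actively exploited)
    ai_impact: int         # 1-5 business-impact estimate from the LLM step (assumed scale)
    patch_available: bool  # vendor fix exists

# Assumed weights; they sum to 1.0 so the weighted sum stays on a 0-10 scale.
WEIGHTS = {"cvss": 0.50, "kev": 0.25, "impact": 0.15, "patch": 0.10}

def business_risk_score(t: ThreatInput) -> int:
    """Return an integer 1-10 Business Risk Score for one threat."""
    if not 0.0 <= t.cvss_base <= 10.0:
        raise ValueError(f"{t.cve_id}: CVSS out of range: {t.cvss_base}")
    if not 1 <= t.ai_impact <= 5:
        raise ValueError(f"{t.cve_id}: AI impact out of range: {t.ai_impact}")
    cvss_part = t.cvss_base                          # already 0-10
    kev_part = 10.0 if t.in_cisa_kev else 0.0        # exploitation in the wild is a hard signal
    impact_part = (t.ai_impact - 1) / 4 * 10.0       # map 1-5 onto 0-10
    patch_part = 0.0 if t.patch_available else 10.0  # no fix yet means longer exposure
    raw = (WEIGHTS["cvss"] * cvss_part + WEIGHTS["kev"] * kev_part
           + WEIGHTS["impact"] * impact_part + WEIGHTS["patch"] * patch_part)
    # Assumed floor: anything in KEV should never surface as "low" on the dashboard.
    if t.in_cisa_kev:
        raw = max(raw, 7.0)
    return max(1, min(10, round(raw)))

SAMPLE_THREATS = [  # constructed placeholder records, not real advisories
    ThreatInput("CVE-0000-0001", 9.8, True, 5, True),    # critical, exploited, patched
    ThreatInput("CVE-0000-0002", 5.3, False, 2, True),   # medium, not exploited
    ThreatInput("CVE-0000-0003", 3.1, True, 1, False),   # low CVSS but in KEV, no fix
]

def rank_threats(threats):
    """Highest Business Risk Score first, as the dashboard would list them."""
    return sorted(threats, key=business_risk_score, reverse=True)
```

The third sample shows why the KEV floor matters: a CVSS 3.1 bug would otherwise score about 5, yet it is being exploited and has no fix.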
How we built it
We built ThreatLens using a decoupled, async-first full-stack architecture:
Frontend: Built with React 18 and styled with Tailwind CSS. Data visualizations (trend charts and risk scatter plots) are powered by Recharts, while state management is coordinated using Zustand and React Query for caching and server state synchronization. Hosted on Vercel.
Backend: Powered by FastAPI (Python 3.11) to deliver high-performance, asynchronous REST endpoints. Hosted on Render.
Task Scheduling & Worker Queue: Background tasks are scheduled via APScheduler to poll feeds every 6 hours. To keep ingestion fast and decouple it from slow AI tasks, new threats are queued in an Upstash Redis list (queue:ai_processing) where a persistent background worker drains and processes them asynchronously.
Database: PostgreSQL hosted on Neon, with Alembic handling migrations and SQLAlchemy serving as the asynchronous ORM (asyncpg).
AI Engine: Connects to the GROQ API using rapid, cost-effective models (like llama-3.1-8b-instant and llama-3.3-70b-versatile) with structured JSON response formats. Responses are cached in Redis with a 7-day TTL to optimize API usage.
Challenges we ran into
During the final sprint and deployment phase, we ran into several technical hurdles:
SQLAlchemy Asyncpg Driver Compatibility: Neon PostgreSQL connection strings require ?sslmode=require by default. However, Python's async driver (asyncpg) does not support the sslmode query parameter directly and crashed on database initialization. We overcame this by implementing a middleware utility in our database initialization script to parse and strip the sslmode query parameter, while dynamically passing ssl=True inside SQLAlchemy's engine connect_args.
Upstash Redis Connection Timeouts: Connecting to Upstash Redis initially failed with Connection closed by server errors. We diagnosed that Upstash requires secure SSL/TLS connections (rediss://), whereas the default unencrypted redis:// was dropping silently. Additionally, our background worker's blocking BRPOP poll was conflicting with a short socket_timeout (5s), leading to read timeouts during idle states. We resolved this by implementing an automatic URL normalizer in our configuration code and increasing the socket timeout to 30 seconds.
CORS credentials configuration: When configuring CORS to allow cross-origin communication between Vercel and Render, using wildcard origins ("*") alongside allow_credentials=True was rejected by browsers. We modified the FastAPI middleware to explicitly white-list only the specific Vercel frontend domain and local development origins, resolving the block.
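The three fixes above as stdlib-only helpers, added here as an example and not ThreatLens's own configuration code: the function names, the 20-second BRPOP timeout and the sample URLs are assumptions; the sslmode stripping, ssl=True connect argument, redis:// to rediss:// rewrite, 30-second socket timeout and explicit CORS allow-list are the page's.

```python
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

def normalize_postgres_url(url: str) -> tuple[str, dict]:
    """Return (asyncpg-safe URL, SQLAlchemy connect_args) for a Neon-style URL.

    asyncpg does not accept libpq's ?sslmode=... query parameter, so it is removed
    from the URL and translated into the driver's ssl= connect argument instead.
    """
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    sslmode = query.pop("sslmode", None)
    connect_args: dict = {}
    if sslmode == "disable":
        connect_args["ssl"] = False
    elif sslmode is not None:          # require / verify-ca / verify-full / prefer
        connect_args["ssl"] = True
    scheme = parts.scheme
    if scheme in ("postgres", "postgresql"):
        scheme = "postgresql+asyncpg"  # SQLAlchemy dialect+driver form
    clean = urlunsplit((scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
    return clean, connect_args

def normalize_redis_url(url: str) -> str:
    """Upstash only speaks TLS; a plain redis:// connection is closed by the server."""
    parts = urlsplit(url)
    if parts.scheme == "redis":
        parts = parts._replace(scheme="rediss")
    return urlunsplit(parts)

# A blocking BRPOP waits up to BRPOP_TIMEOUT seconds for work; the socket timeout must
# be longer than that, otherwise an idle worker sees spurious read timeouts.
BRPOP_TIMEOUT = 20    # assumed value
SOCKET_TIMEOUT = 30   # the page's value (raised from 5s)

def redis_client_kwargs(url: str) -> dict:
    """Keyword arguments for redis.asyncio.from_url(...) (assumed call site)."""
    return {"url": normalize_redis_url(url), "socket_timeout": SOCKET_TIMEOUT,
            "socket_keepalive": True}

def cors_allowed_origins(frontend_origin: str, dev: bool = False) -> list[str]:
    """Explicit allow-list: browsers reject '*' together with allow_credentials=True."""
    origins = [frontend_origin]
    if dev:
        origins += ["http://localhost:3000", "http://127.0.0.1:3000"]  # assumed dev ports
    return origins
```

The returned connect_args go straight into create_async_engine(url, connect_args=connect_args), and the origins list into CORSMiddleware's allow_origins.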
Accomplishments that we're proud of
Decoupled Asynchronous Queue Pipeline: We successfully built a highly resilient ingestion pipeline. Pushing threats to a Redis queue and having an asynchronous worker process AI summarization means that the main API remains fast, responsive, and unaffected by external model latency.
Effective Jargon Translation: Refining our system prompts to convert cryptic details of a CVE such as CVE-2026-X into actionable checklists (e.g. explaining what an SQL Injection means for a coffee shop website) yields surprisingly readable, premium results.
Clean & Professional UI: The Tailwind dashboard presents a premium aesthetic with dark modes, color-coded severity badges, and readable charts that immediately convey risk status.
What we learned
Async SQLAlchemy and Drivers: Working with async database adapters in Python requires careful attention to URI schemes and driver-specific quirks, particularly when connecting to modern serverless databases like Neon.
Redis Connection Management: We gained deeper insights into serverless Redis (Upstash) connection management, keepalive, and how TLS wrapper layers function for secure connections.
Prompt Engineering for Structured JSON: We learned how to enforce strict JSON schemas on LLM outputs using the GROQ API's structured JSON configuration, preventing formatting errors during parsing.
What's next for ThreatLens
Natural Language Security Advisor: Integrating a retrieval-augmented generation (RAG) bot where business owners can ask, "What should I do about the new SSH exploit?" or upload their configuration files for instant safety advice.
Active Domain & Breach Monitoring: Adding integration with breach lookup APIs (e.g. Have I Been Pwned) to check if employee emails or business domains have been compromised.
Native Integrations: Launching native Slack, Microsoft Teams, and Discord webhooks to push critical alerts directly into corporate messaging spaces.