Inspiration
Honestly, the idea came from a simple but unsettling question we asked ourselves: "If someone wanted to hack us right now, where would they even start?"
We started googling our own names, domains, and emails — and what we found genuinely scared us. Old passwords in breach databases. Subdomains we forgot existed. GitHub repos with exposed API keys. LinkedIn profiles giving away enough information to craft a perfect phishing email.
The scariest part wasn't what we found. It was realizing that any attacker could find the exact same things in under an hour — and we had no idea.
We looked at existing tools and they all had the same problem. They check one thing at a time. You scan a domain here, check a breach database there, run a port scanner somewhere else. But attackers don't think in isolated checks. They think in chains. They find one small weakness and use it to reach the next one, and the next one, until they're inside.
No tool was showing people the full picture — the connected, chained, realistic view of how an actual attack would unfold. So we decided to build it ourselves.
What it does
ThreatTrace maps your entire digital attack surface and shows you what an attacker would see if they targeted you — before they actually do.
You enter a domain or company name, and ThreatTrace gets to work. It discovers every exposed asset connected to your organization: subdomains, APIs, employee emails, public GitHub repositories, exposed cloud storage, outdated services, and more. Then it cross-references everything against breach databases and vulnerability records to find the weak points.
But the part we're most proud of is the attack graph. Instead of dumping a list of vulnerabilities on you, ThreatTrace connects the dots. It uses AI to map out realistic attack chains — showing exactly how an attacker could move from a LinkedIn profile to a leaked password to an exposed admin panel to full database access. Each path has a likelihood score and an impact rating so you know what to worry about most.
On top of that, ThreatTrace generates a prioritized remediation roadmap. Not just "fix this vulnerability" — but "fix this one first, because it's the entry point for your three highest-risk attack paths, and it only takes 30 minutes to close."
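An added illustration (not ThreatTrace's own code) of how a remediation roadmap can fall out of scored attack paths: each path's risk is likelihood times impact, and the planner repeatedly picks the node whose fix closes the most remaining risk. The path structure, asset ids and scores below are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AttackPath:
    nodes: tuple       # ordered hops; nodes[0] is the entry point
    likelihood: float  # 0.0 .. 1.0
    impact: int        # 1 .. 10

    @property
    def risk(self) -> float:
        return self.likelihood * self.impact

# Constructed sample chains; the ids and scores are invented for illustration.
SAMPLE_PATHS = [
    AttackPath(("linkedin:cto", "breach:cto-password", "admin-panel", "db:customers"), 0.7, 10),
    AttackPath(("breach:cto-password", "vpn", "db:customers"), 0.5, 10),
    AttackPath(("github:repo-x", "s3:backups"), 0.4, 8),
    AttackPath(("subdomain:staging", "outdated-nginx"), 0.3, 3),
]

def remediation_roadmap(paths):
    """Greedy hitting set over attack paths: each round picks the node whose fix
    removes the most remaining risk, then drops every path that node sat on.
    Ties go to the node on more paths, then to the one nearest the entry point.
    Returns (node, risk_removed, paths_closed) tuples in recommended fix order."""
    remaining = list(paths)
    plan = []
    while remaining:
        risk, count, hop_sum = defaultdict(float), defaultdict(int), defaultdict(int)
        for p in remaining:
            for pos, node in enumerate(p.nodes):
                risk[node] += p.risk
                count[node] += 1
                hop_sum[node] += pos
        best = max(risk, key=lambda n: (risk[n], count[n], -hop_sum[n] / count[n], n))
        closed = [p for p in remaining if best in p.nodes]
        plan.append((best, round(risk[best], 2), len(closed)))
        remaining = [p for p in remaining if best not in p.nodes]
    return plan
```

On the sample, the leaked password is fixed first because it sits on the two highest-risk paths; the three-item plan closes all four paths.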
The goal is simple: stop thinking about security as a checklist and start thinking about it the way attackers do.
How we built it
We built ThreatTrace as a full-stack web application using Next.js and TypeScript on the frontend with TailwindCSS for styling. The backend runs on Python FastAPI, which handles all the scanning logic, API orchestration, and AI processing.
For the data layer we used PostgreSQL through Supabase to store scan results, discovered assets, vulnerabilities, and attack paths. We added Redis for caching repeated lookups so scans wouldn't hammer the same APIs multiple times.
The intelligence behind ThreatTrace comes from several security APIs working together. We used Shodan to find exposed services and open ports, SecurityTrails for subdomain and DNS enumeration, Have I Been Pwned to check for credential breaches, VirusTotal for domain reputation, and the GitHub API to surface any publicly exposed repositories that might contain sensitive information.
The attack chain generation is powered by Gemini, which takes all the discovered assets and vulnerabilities and reasons through how a real attacker would connect them. We put a lot of effort into the prompting to make sure the output was structured, realistic, and actually useful rather than generic.
For the attack graph visualization we used React Flow, which let us build the interactive node graph where you can click on any asset or vulnerability and see its connections, risk score, and details. That component alone probably took the most time to get right, but it became the centerpiece of the entire demo.
Challenges we ran into
The biggest challenge was honestly the data. Security APIs return information in completely different formats, with different rate limits, different reliability levels, and sometimes conflicting results. Stitching all of that together into one coherent picture took a lot more work than we expected.
We also struggled with the attack chain generation early on. Our first prompts to Gemini were too open-ended and the responses were all over the place — sometimes too generic, sometimes hallucinating vulnerabilities that weren't actually there. We had to iterate a lot on the prompting structure and add validation layers to make sure the AI was only connecting real discovered assets and real confirmed vulnerabilities.
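An added example (not the project's code) of the kind of validation layer described above: the model's structured reply is accepted chain by chain only where every step is an asset the scan actually discovered or a vulnerability the scan confirmed, and the scores are in range. The JSON shape, ids and sample reply are constructed assumptions.

```python
import json

# Constructed inventory from the scanner and a constructed model reply; the ids
# and the JSON shape are assumptions for illustration, not ThreatTrace's schema.
DISCOVERED_ASSETS = {"linkedin:cto", "admin.example.com", "db:customers", "github:repo-x"}
CONFIRMED_VULNS = {"breach:cto-password", "cve:admin-panel-auth-bypass"}

MODEL_REPLY = json.dumps({"chains": [
    {"steps": ["linkedin:cto", "breach:cto-password", "admin.example.com", "db:customers"],
     "likelihood": 0.7, "impact": 10},
    # hallucinated: nothing in the scan backs the mail server or its vulnerability
    {"steps": ["mail.example.com", "cve:rce-in-mail-server", "db:customers"],
     "likelihood": 0.9, "impact": 10},
    # real nodes, but the likelihood is outside the 0..1 range the prompt asked for
    {"steps": ["github:repo-x", "breach:cto-password", "db:customers"],
     "likelihood": 1.4, "impact": 8},
]})

def validate_chains(reply_text, assets, vulns):
    """Accept a chain only if every step is a discovered asset or a confirmed
    vulnerability, at least one step is a vulnerability, and the scores are in
    range. Returns (accepted, rejected); rejected holds (chain_index, reason)."""
    known = assets | vulns
    try:
        chains = json.loads(reply_text)["chains"]
    except (json.JSONDecodeError, KeyError, TypeError) as err:
        return [], [(-1, f"model output is not the expected JSON shape: {err!r}")]
    accepted, rejected = [], []
    for i, chain in enumerate(chains):
        steps = chain.get("steps") if isinstance(chain, dict) else None
        if not isinstance(steps, list) or len(steps) < 2:
            rejected.append((i, "chain needs at least two steps"))
            continue
        unknown = [s for s in steps if s not in known]
        if unknown:
            rejected.append((i, f"references nodes the scan never found: {unknown}"))
            continue
        if not any(s in vulns for s in steps):
            rejected.append((i, "no confirmed vulnerability on the path"))
            continue
        lk, im = chain.get("likelihood"), chain.get("impact")
        if not (isinstance(lk, (int, float)) and 0.0 <= lk <= 1.0
                and isinstance(im, int) and 1 <= im <= 10):
            rejected.append((i, "likelihood or impact out of range"))
            continue
        accepted.append({"steps": steps, "likelihood": float(lk), "impact": im})
    return accepted, rejected
```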
The React Flow graph was another challenge. Getting it to look good and feel intuitive took significant effort. Nodes kept overlapping, edges were crossing in confusing ways, and on larger attack surfaces the graph became a mess. We ended up writing a custom layout algorithm to organize nodes by category and attack stage, which made a huge difference.
Time was obviously a constant pressure. We had to make some hard calls about what to cut. We dropped several features we really wanted — continuous monitoring, team collaboration, a browser extension — just to make sure the core experience was polished and the demo worked flawlessly.
Accomplishments that we're proud of
We're genuinely proud that ThreatTrace works. Not just as a demo but as a real, functional tool. You can enter an actual domain and get back real data, real vulnerabilities, and a real attack graph within minutes. That was the bar we set for ourselves and we hit it.
The attack graph is something we're especially proud of. We've never seen another tool visualize security risk this way — as a connected journey rather than a flat list. When you see it for the first time and you realize you're looking at your own organization's attack surface laid out like a map an attacker would follow, it hits differently. That moment of realization was exactly what we were going for.
We're also proud of how approachable we made it. Cybersecurity tools have a reputation for being intimidating and technical. We worked hard on the UX to make sure someone who isn't a security expert can look at the dashboard, understand what they're seeing, and know exactly what to do next. You shouldn't need a CISSP to understand that your admin panel is one leaked password away from being compromised.
And honestly, we're proud that we finished. This was a brutally hard scope to take on in a hackathon and we pulled it together.
What we learned
We learned a tremendous amount about how attackers actually think and operate. Going into this we knew the basics of cybersecurity but building ThreatTrace forced us to deeply understand attack methodology — how threats chain together, how attackers prioritize targets, how they use publicly available information in ways most people never consider.
We also learned a lot about prompt engineering for structured, reliable AI output. Getting an LLM to produce consistent, validated, security-relevant attack chains that only reference real data is genuinely hard. The difference between a vague prompt and a well-engineered one is enormous.
On the technical side, working with multiple third-party security APIs simultaneously taught us a lot about resilience and fault tolerance. When one API is slow or returns unexpected data, your whole pipeline can't break. We built retry logic, fallbacks, and timeouts in ways we wouldn't have thought to do before.
But maybe the biggest thing we learned is how exposed most people and organizations actually are without realizing it. That was a sobering realization that made us feel like ThreatTrace is genuinely needed in the world, not just a cool hackathon project.
What's next for ThreatTrace
We want to keep building this because we genuinely believe it fills a gap that existing tools don't address.
The most immediate next step is continuous monitoring. Right now ThreatTrace is a point-in-time scan. The real power comes from watching your attack surface over time and alerting you the moment a new vulnerability appears, a new subdomain is exposed, or your credentials show up in a fresh breach.
After that we want to add team collaboration features — so security teams can assign remediation tasks, track progress, leave notes, and work through the attack graph together rather than sharing a static PDF report.
We're also planning a browser extension that gives individuals a lightweight version of ThreatTrace — checking sites they visit for known vulnerabilities and alerting them if their personal credentials are exposed.
Longer term, we want to explore industry-specific threat profiles. The attack surface of a healthcare company looks completely different from a fintech startup or an e-commerce platform. ThreatTrace should understand those differences and tailor its attack chain modeling accordingly.
Most importantly, we want to make ThreatTrace available to small businesses and nonprofits who face real security threats but can't afford enterprise security tools. That's the impact that would really mean something to us.