Inspiration
Every time I opened a suspicious file or clicked an unknown link, I had to juggle five different tools — VirusTotal for hashes, URLScan for links, OWASP ZAP for web scanning, and still had no idea what the results actually meant. I wanted one platform that did it all and explained it in plain English. That frustration became ZeroRisk Sentinel.
What It Does
ZeroRisk Sentinel is a hybrid, multi-layered cybersecurity analysis platform that detects threats across three attack vectors:
- File Analysis — YARA rule scanning, Shannon entropy detection, PE structure validation, extension spoofing detection, and VirusTotal hash lookup across 70+ AV engines
- URL Scanner — checks Google Safe Browsing, URLHaus, VirusTotal, AbuseIPDB, SecurityTrails, SSL/TLS validity, DNS records, WHOIS age, and unwinds redirect chains up to 5 hops
- APK Inspector — parses Android APKs with AndroGuard, scores permissions by severity (OTP interception, accessibility abuse, VPN hijacking), and combines with VirusTotal APK lookup
- AI Explanations — Groq API (Llama 3.3 70B) converts raw threat findings into human-readable analysis: what the threat does, why it's dangerous, and what to do next
- Sandbox Analysis — submits files to Hybrid Analysis for live execution in an isolated Windows VM, with MITRE ATT&CK technique mapping
The system follows a hybrid architecture: client-side JavaScript performs instant triage (entropy, magic bytes, extension spoofing) with zero latency, while the Python Flask backend provides deep intelligence when available. Core detection always works — even offline.
How I Built It
The backend is a modular Flask API with six specialized modules:
file_scanner.py— YARA + VirusTotal + entropy + PE analysisurl_scanner.py— 9-source URL intelligence pipelineapk_analyzer.py— AndroGuard + custom permission heuristicsai_explainer.py— Groq Llama 3.3 70B integration with graceful fallbacksandbox_scanner.py— Hybrid Analysis live execution integrationserver.py— Flask routing, CORS, and API key management
The frontend is pure HTML/CSS/JS with a cyberpunk Matrix-themed UI. It performs client-side analysis first, then calls the backend for enhanced intelligence. Reports are generated in JSON and PDF formats with threat scores, confidence levels, and remediation steps.
Challenges I Ran Into
- API rate limits — VirusTotal, Google Safe Browsing, and URLHaus all have different rate limits and response schemas. Building a unified, normalized response format that gracefully handles partial failures took significant effort.
- Offline-first design — Making core detection work without any backend calls meant reimplementing entropy analysis, magic byte detection, and extension validation entirely in JavaScript.
- YARA in Flask — Getting YARA rules to compile and run reliably inside a Flask server with proper error handling for malformed rules was trickier than expected.
- AI prompt engineering — Getting Groq LLM to return consistently structured, actionable explanations (not generic responses) required significant prompt iteration.
What I Learned
- How real malware detection actually works under the hood — entropy, PE headers, YARA signatures
- How to build resilient systems that degrade gracefully when external APIs fail
- The difference between detecting a threat and communicating it — the AI explanation layer taught me that security tools fail non-experts not because of detection, but because of explanation
- Full-stack security tooling: connecting browser JS → Flask API → multiple threat intel APIs → LLM → PDF report in one coherent pipeline
What's Next
- Docker containerization for one-command deployment
- Community YARA rule repository on GitHub
- Browser extension for real-time URL scanning
- Team dashboard with SaaS model for SMBs
- CI/CD pipeline integration for automated repo scanning
Log in or sign up for Devpost to join the conversation.