ZeroRisk Sentinel

The Spark

Every day, millions of people download files and click links without knowing what's really lurking inside. I got tired of seeing friends get burned by fake PDFs that were actually executables, or phishing links that looked just close enough to the real thing. ZeroRisk Sentinel started with a simple question: what if you could peek inside a file without ever running it?

No sandboxes. No execution. Just pure static analysis that tells you "this looks sus" before you double-click.

What It Actually Does

ZeroRisk Sentinel is a client-side security scanner that analyzes files and URLs in your browser—nothing gets uploaded to any server.

For files: It cracks open the binary, checks headers against known signatures, hunts for keylogger patterns, spots extension spoofing (like invoice.pdf.exe), and flags suspicious code structures. It even handles APKs through an optional backend that inspects Android permissions.

For URLs: It runs heuristic checks—HTTPS validation, phishing keyword detection, brand impersonation attempts, suspicious TLDs, obfuscated shorteners—then gives you a risk score and plain-English explanation of why that link might be trouble.

Two scan modes: Quick Scan for rapid sampling, Deep Scan for thorough streamed analysis. Your choice.

How It Came Together

Built the frontend with vanilla HTML/CSS/JS—no frameworks, no bloat. Added a Matrix-style background because cybersecurity tools should feel like cybersecurity tools. Tailwind for styling, Anime.js for smooth transitions, ECharts for threat visualizations.

The tricky part was making it all run in the browser. FileReader API for slicing binaries, regex patterns for signature matching, and careful chunking so we don't choke on massive files. For APK analysis, I wired up a lightweight Python backend using androguard to extract permissions without executing anything.

The URL analyzer is entirely client-side. Parses the structure, runs weighted heuristics, and generates AI-assisted explanations (with graceful fallback to heuristic summaries if the AI service is down).

The Battles

Browser limitations were the first boss. You can't just fopen() in JavaScript. Had to learn the FileReader API inside out, handle async chunking, and make sure we don't lock up the UI on large files.

False positives nearly broke me. Early versions flagged every JavaScript file as suspicious because of eval() detection. Spent days tuning severity weights and adding context checks—network activity in a JS file is different than in a CSS file.

The APK backend was a saga. androguard is powerful but finicky. Had to wrestle with temporary file handling, cleanup on crashes, and keeping the API surface minimal so it doesn't become a malware distribution vector itself.

Making it feel legit. A security tool needs visual authority. Iterated hard on the threat meter animations, the terminal console aesthetic, the color-coded severity badges. If it looks like a toy, nobody trusts it.

Wins Worth Bragging About

100% client-side file analysis—your data never leaves your machine
Real-time threat visualization with animated orbital charts showing risk proximity
Explainable results—every flag comes with a human-readable why
Demo mode with safe sample files so users can test without risk
Mobile swipe navigation because yes, people scan files on phones

Most importantly: it actually catches stuff. Extension spoofing, RTL override attacks, permission abuse in APKs—things that slip past casual inspection.

Lessons Learned

Static analysis is underrated. Everyone wants AI-powered behavioral detection, but pattern matching on headers and strings catches 80% of amateur malware without any execution risk.

UX matters more than features. A scanner that spits raw hex is useless to normal humans. Every finding needs context: what was detected, why it matters, and how confident we are.

Graceful degradation is key. The AI explainer is nice, but the tool works offline with heuristic explanations. Backend down? No problem. Browser-only? Still functional.

What's Next

Sandboxed dynamic analysis as an optional layer for uncertain files
Expanded format support—Office docs, PDF internals, more archive types
Verifiable reports—cryptographically signed analysis results you can share
Community signatures—crowdsourced detection patterns

ZeroRisk Sentinel will stay true to its roots: transparent, explainable, and user-controlled security. No black boxes. No forced cloud uploads. Just clear answers about what you're about to open.

Built for the paranoid. Designed for everyone.

Built With

androguard
anime.js
echarts
flask
github
groq
html5
javascript
python
tailwind
typed.js

Updates

Shlok Shah posted an update — Feb 11, 2026 07:48 AM EST

What's New in ZeroRisk Sentinel v2.1

New Deployment

Live URL: https://zerorisk-sentinel.vercel.app/
The project has been completely restructured and redeployed on Vercel for better performance and reliability.

Major Architecture Overhaul

Hybrid Client-Server Analysis

The biggest shift from the original submission is the move from 100% client-side to a hybrid architecture:

Client-side: Fast initial screening, file header analysis, pattern matching, local heuristics
Python Backend: Enhanced threat intelligence when available (YARA rules, VirusTotal, AI explanations)
Graceful Degradation: Works fully offline with local heuristics when backend is unavailable

New Backend Stack (`server.py`)

Flask-based API with CORS support for frontend communication
Modular scanner imports: File scanner, APK analyzer, URL scanner, AI explainer
Health check endpoint (/api/status) for real-time backend availability monitoring
Secure file handling with temp directories and automatic cleanup

Enhanced File Analysis (`file_scanner.py`)

YARA Rule Integration

Signature-based detection using compiled YARA rules (when available)
Automatic fallback to built-in JavaScript patterns when YARA unavailable
Tag-based categorization (surveillance, credential_harvest, etc.)

File Intelligence & Hashing

Multi-hash generation: MD5, SHA1, SHA256 for every scanned file
VirusTotal API integration for hash-based malware lookup
Entropy analysis (0-8 scale) to detect packed/encrypted files
Magic number detection for actual file type identification

Extension Spoofing Detection

Header vs extension comparison to catch invoice.pdf.exe attacks
Dangerous extension combo detection (e.g., .pdf.exe, .docx.scr)
RTL (Right-to-Left) override character detection for advanced spoofing

PE Structure Analysis

Windows executable inspection: PE32/PE64 header validation
Relocation table analysis (stripped = common in packed malware)
DLL vs EXE detection with suspicious characteristic flags

Two-Tier Scanning System

Quick Scan: Samples strategic file positions (start, middle, end) for speed
Deep Scan: Full file streaming with chunked processing for thoroughness
Dynamic progress tracking with real-time terminal output

URL Security Analysis (`url_scanner.py`)

Multi-Source Threat Intelligence

Google Safe Browsing API: Real-time phishing/malware URL checks
URLHaus integration: Community-driven malware distribution database
VirusTotal URL scanning: Aggregated results from 70+ security vendors

Technical Analysis

SSL/TLS certificate inspection: Validity, expiration, self-signing detection
DNS record analysis: A, MX, TXT (SPF) record queries
Redirect chain following: Up to 5 hops to detect suspicious destinations
Domain age checking: WHOIS lookup for newly registered domains

Local Heuristic Fallback

When backend is unavailable, client-side heuristics detect:

IP-based URLs (bypass domain reputation)
URL shorteners (hidden destinations)
Phishing keywords (login, verify, secure, bank)
Risky TLDs (.xyz, .tk, .ml, .ga, .cf)
Unusually long paths or excessive subdomains

AI-Powered Explanations (`ai_explainer.py`)

Groq API Integration

Llama 3.3 70B model for context-aware threat analysis
Intelligent prompt engineering with security analyst persona
Concise explanations (~100 words) focusing on:
- Most critical indicators and why
- Apparent code capabilities
- Unknowns due to static-only analysis
- Additional evidence needed for confirmation

Graceful Fallback System

Heuristic explanations when AI quota exhausted or backend offline
Spyware behavior profiling: surveillance, persistence, data exfiltration, stealth
Confidence scoring based on indicator severity and combinations

Android APK Analysis (`apk_analyzer.py`)

Permission-Based Risk Scoring

12 curated permission rules with severity weighting:
- Critical (35 pts): BIND_ACCESSIBILITY_SERVICE, READ_SMS, BIND_DEVICE_ADMIN
- High (20 pts): SYSTEM_ALERT_WINDOW, RECORD_AUDIO, BIND_VPN_SERVICE
- Medium (10 pts): RECEIVE_BOOT_COMPLETED, READ_CONTACTS
- Low (5 pts): INTERNET, basic permissions

Permission Combination Heuristics

Accessibility + Overlay = Clickjacking/keylogging risk (+25 pts)
Boot persistence + Internet = Malware persistence indicator (+15 pts)

Merged File Intelligence

APK analysis now combines with full file scanner:

Cryptographic hashes for VirusTotal lookup
Entropy analysis for packing detection
File type verification and extension mismatch detection

Report Generation (`generateReport.js`)

JSON Export

Machine-readable format with complete scan metadata
All hashes, findings, VirusTotal results preserved
Spyware behavior profiles and confidence scores
Timestamped and versioned for audit trails

PDF Report Generation

Professional formatted documents using jsPDF
Executive summary with security score and threat distribution
Per-file detailed breakdowns with severity indicators
Actionable recommendations based on threat types
Cover page with classification banner and metadata

Frontend Enhancements

New Pages & Navigation

url.html: Dedicated URL analysis interface with demo samples
results.html: Comprehensive results dashboard with visualizations
about.html: Detailed methodology and technology documentation
Swipe navigation for mobile (left/right to switch pages)

Visual Improvements

Threat proximity map: Animated orbital chart showing risk distribution
Security score gauge: ECharts-based gauge with color-coded zones
Real-time terminal: Matrix-style console with color-coded log levels
Expandable analysis cards: Collapsible sections for detailed findings

Demo Mode

Safe sample files for testing without risk:
- invoice_2025.pdf.exe (extension spoofing)
- keylogger-demo.py (surveillance patterns)
- apk-demo.apk (Android permissions)
- quick_scan_demo.js vs deep_scan_test.js (scan mode comparison)

Privacy & Security Improvements

Client-Side First Philosophy

No forced uploads: Initial analysis happens entirely in browser
Session-based storage: Results cleared when tab closes
Transparent processing: Real-time terminal shows all activity
Backend status indicator: Clear indication of local vs cloud analysis

Security Hardening

Input validation on all API endpoints
Secure filename handling with secure_filename()
Temp file cleanup with try/finally blocks
CORS configuration for cross-origin safety

Technical Stack Updates

Component	Original	Updated
Deployment	cyberthon-zeta.vercel.app	zerorisk-sentinel.vercel.app
Backend	None	Python Flask + Gunicorn
AI Service	None	Groq API (Llama 3.3 70B)
File Analysis	JS-only patterns	YARA + JS fallback
Hash Lookup	None	VirusTotal API
APK Analysis	None	AndroGuard integration
URL Analysis	Basic heuristics	Multi-source threat intel
Reports	None	JSON + PDF export
Mobile	Basic responsive	Swipe navigation

Key Metrics

3 scan types: Files, URLs, Android APKs
5 threat levels: Safe, Low, Medium, High, Critical
12+ permission rules for Android analysis
70+ security vendors via VirusTotal aggregation
100% client-side fallback when backend unavailable

What's Next (Roadmap)

[ ] Sandboxed dynamic analysis for uncertain files
[ ] Expanded format support (Office docs, PDF internals, archives)
[ ] Cryptographically signed analysis reports
[ ] Community signature contributions
[ ] Real-time threat feed integration

Built for the paranoid. Designed for everyone.

ZeroRisk Sentinel v2.1, Transparent, explainable, user-controlled security

Log in or sign up for Devpost to join the conversation.

Shlok Shah started this project — Feb 04, 2026 08:34 AM EST

Leave feedback in the comments!