stanfrbd/cyberbro

Cyberbro


A simple application that extracts your IoCs from garbage input and checks their reputation using multiple services.
🌐 demo.cyberbro.net



About

Inspired by Cybergordon and IntelOwl.

This project aims to provide a simple and efficient way to check the reputation of your observables using multiple services, without having to deploy a complex solution. Read the docs at https://docs.cyberbro.net/

Tip

To build custom reports, use Cyberbro with your favorite LLM (Claude, OpenAI gpt-5...) via MCP (Model Context Protocol).
Check out Cyberbro MCP for more information.

Features

  • Easy Input: Paste raw logs or IoCs for automatic parsing and extraction.
  • Multi-Service Checks: Reputation lookup for IPs, hashes, domains, URLs, and Chrome extension IDs across many threat intel services.
  • Comprehensive Reports: Advanced search, filtering, and export to CSV/Excel.
  • Fast Processing: Multithreaded for speed.
  • Automated Pivoting: Discover related domains, URLs, and IPs via reverse DNS and RDAP / Whois.
  • Accurate Domain & Abuse Info: RDAP / Whois and abuse contact lookups.
  • Integrations: Microsoft Defender for Endpoint, CrowdStrike, OpenCTI, Grep.App, Hudson Rock, and more.
  • Proxy & Storage: Proxy support and results stored in SQLite.
  • History & Graphs: Analysis history and experimental graph view.
  • Cache: Caching for faster repeat lookups (applied at the multi-engine level, not per engine).

What Makes Cyberbro Unique

  • Beginner-Friendly: Accessible for all skill levels.
  • Chrome Extension ID Lookup: Get extension names and CTI data from IDs.
  • Lightweight Deployment: Simple setup and use.
  • Advanced TLD Extraction: Accurate root domain detection for better lookups.
  • Pragmatic Data Gathering: Uses GitHub and Google to find overlooked IoCs.
  • CTI Report Integration: Fetches IoC-related reports from IoC.One.
  • EDR Integration: Checks observables against your own security tools (MDE, CrowdStrike).

Getting Started - TL;DR

Tip

If you are lazy, you need Docker.
Run git clone, copy .env.sample to .env, run docker compose up, then go to localhost:5000. Yep, that's it!

Getting Started

  • To get started, clone the repository
git clone https://github.com/stanfrbd/cyberbro
cd cyberbro

Edit the config file (mandatory)

cp .env.sample .env

Note

Don't have API keys? No problem, just copy .env.sample to .env and leave optional values empty. Be careful if a proxy is used.
You will be able to use all free engines!

  • Fill values (including proxy if needed) in the .env file.

Warning

.env contains sensitive secrets and must never be committed. For production/team deployments, use SOPS, Vault, or an equivalent secret manager workflow.

ABUSEIPDB=token_here
ALIENVAULT=token_here
CRIMINALIP_API_KEY=token_here
CROWDSTRIKE_CLIENT_ID=client_id_here
CROWDSTRIKE_CLIENT_SECRET=client_secret_here
DFIR_IRIS_API_KEY=token_here
DFIR_IRIS_URL=https://dfir-iris.local
GOOGLE_CSE_CX=cx_here
GOOGLE_CSE_KEY=key_here
GOOGLE_SAFE_BROWSING=token_here
IPAPI=token_here
IPINFO=token_here
MDE_CLIENT_ID=client_id_here
MDE_CLIENT_SECRET=client_secret_here
MDE_TENANT_ID=tenant_here
MISP_API_KEY=token_here
MISP_URL=https://misp.local
OPENCTI_API_KEY=token_here
OPENCTI_URL=https://demo.opencti.io
PROXY_URL=
RL_ANALYZE_API_KEY=token_here
RL_ANALYZE_URL=https://spectra_analyse_url_here
ROSTI_API_KEY=token_here
SHODAN=token_here
SPUR_US=token_here
THREATFOX=token_here
VIRUSTOTAL=token_here
WEBSCOUT=token_here
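
A check that supports the warning above, as an added example that is not part of the Cyberbro code base: it scans file contents (for instance from a pre-commit hook) for the keys in this listing that carry a real-looking value, and never prints the value itself. It assumes unfilled values are empty or end in "_here", as in the sample listing; the script name check_env.py is hypothetical.

```python
import re
import sys
from urllib.parse import urlsplit

# Credential keys taken from the .env listing above.
SECRET_KEYS = set("""
ABUSEIPDB ALIENVAULT CRIMINALIP_API_KEY CROWDSTRIKE_CLIENT_ID CROWDSTRIKE_CLIENT_SECRET
DFIR_IRIS_API_KEY GOOGLE_CSE_CX GOOGLE_CSE_KEY GOOGLE_SAFE_BROWSING IPAPI IPINFO
MDE_CLIENT_ID MDE_CLIENT_SECRET MDE_TENANT_ID MISP_API_KEY OPENCTI_API_KEY
RL_ANALYZE_API_KEY ROSTI_API_KEY SHODAN SPUR_US THREATFOX VIRUSTOTAL WEBSCOUT
""".split())
URL_KEYS = {"DFIR_IRIS_URL", "MISP_URL", "OPENCTI_URL", "PROXY_URL", "RL_ANALYZE_URL"}

ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")
# Assumption: unfilled values are empty or end in "_here", as in the sample listing.
PLACEHOLDER = re.compile(r"^$|_here$")


def populated_secrets(text):
    """Return (line_number, key) for every listed key that carries a real-looking value."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:  # comment lines and blank lines never match
            continue
        key = match.group(1)
        value = re.sub(r"(?:^|\s+)#.*$", "", match.group(2)).strip("'\"")
        if key in URL_KEYS:
            try:  # a URL is only sensitive when it embeds credentials (user:password@host)
                sensitive = urlsplit(value).password is not None
            except ValueError:
                sensitive = True  # unparsable URL: report it for a human to look at
        else:
            sensitive = key in SECRET_KEYS and not PLACEHOLDER.search(value)
        if sensitive:
            findings.append((number, key))
    return findings


if __name__ == "__main__":
    # Usage (e.g. from a pre-commit hook): python check_env.py <file> [<file> ...]
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for number, key in populated_secrets(handle.read()):
                print(f"{path}:{number}: {key} looks populated")
                failed = True
    sys.exit(1 if failed else 0)
```

The script exits non-zero when any listed key looks populated, so it can block a commit; keys that are not in the listing (FLASK_HOST, for example) are ignored.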

Important

Starting with version v0.13.0, Cyberbro no longer supports secrets.json and the /config page. Cf. discussion 165.
If you already have a legacy secrets.json, convert it to .env with: python3 scripts/secrets_json_to_env.py

See Advanced options for deployment in the docs.

Launch the app

Lazy and easy - use docker

Warning

Make sure you install the compose plugin as docker compose and not docker-compose. In Docker, the app binds to 0.0.0.0 inside the container even if your local .env sets FLASK_HOST=127.0.0.1.

docker compose up # use -d to run in background and use --build to rebuild the image

Don't forget to edit .env before building the image.

See Advanced options for deployment in the docs to get all Docker deployment options.

The old way

  • Clone the repository and install the requirements.

You might want to create a venv before installing the dependencies.

pip install -r requirements.txt
  • Run the app with gunicorn (clean mode).
gunicorn -c prod/gunicorn.conf.py app:app
  • Run the app in development mode.
python3 app.py

Caution

If you intend to use this in a production environment, put a well-configured reverse proxy and WAF in front of it to prevent security issues.

Cyberbro browser extension

Cyberbro Analyzer is available for Firefox, Chromium and Microsoft Edge.

Cyberbro API

  • The API is available at /api/ and can be accessed via the GUI or command-line.

There are currently 3 endpoints:

  • /api/analyze - Analyze a text and return analysis ID (JSON).
  • /api/is_analysis_complete/<analysis_id> - Check if the analysis is complete (JSON).
  • /api/results/<analysis_id> - Retrieve the results of a previous analysis (JSON).
curl -X POST "http://localhost:5000/api/analyze" -H "Content-Type: application/json" -d '{"text": "cyberbro.net", "engines": ["reverse_dns", "rdap_whois"]}'
{
  "analysis_id": "e88de647-b153-4904-91e5-8f5c79174854",
  "link": "/results/e88de647-b153-4904-91e5-8f5c79174854"
}
curl "http://localhost:5000/api/is_analysis_complete/e88de647-b153-4904-91e5-8f5c79174854"
{
  "complete": true
}
curl "http://localhost:5000/api/results/e88de647-b153-4904-91e5-8f5c79174854"
[
  {
    "observable": "cyberbro.net",
    "rdap_whois": {
      "abuse_contact": "registrar-abuse@cloudflare.com",
      "creation_date": "2024-12-20",
      "data_source": "rdap",
      "emails": [
        "registrar-abuse@cloudflare.com"
      ],
      "expiration_date": "2026-12-20",
      "link": "https://rdap.verisign.com/net/v1/domain/CYBERBRO.NET",
      "name_servers": [
        "anderson.ns.cloudflare.com",
        "lisa.ns.cloudflare.com"
      ],
      "organization": null,
      "registrant": null,
      "registrant_country": null,
      "registrant_email": null,
      "registrar": "Cloudflare, Inc.",
      "update_date": "2025-11-20"
    },
    "reverse_dns": {
      "reverse_dns": [
        "172.67.197.226",
        "104.21.42.7"
      ]
    },
    "reversed_success": true,
    "type": "FQDN"
  }
]

Note

The dedicated docs page gives all the names of usable engines.
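
The three calls above chained into one client, as an added example that is not part of the Cyberbro code base: it submits text, polls /api/is_analysis_complete/<analysis_id> with a bounded number of attempts, then fetches the results. The base URL, poll interval and function names are assumptions; the endpoints and JSON fields are the ones shown in the curl output.

```python
import json
import time
import urllib.request
from urllib.parse import quote

BASE_URL = "http://localhost:5000"  # assumption: local instance, as in the curl calls


def http_json(method, url, payload=None):
    """Send one JSON request with the standard library and decode the JSON reply."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def analyze(text, engines, base_url=BASE_URL, call=http_json,
            poll_interval=1.0, max_polls=60, sleep=time.sleep):
    """Submit text, wait until the analysis is complete, return the results list."""
    started = call("POST", f"{base_url}/api/analyze",
                   {"text": text, "engines": engines})
    # Percent-encode the returned ID so it cannot alter the request path.
    analysis_id = quote(str(started["analysis_id"]), safe="")
    for _ in range(max_polls):
        status = call("GET", f"{base_url}/api/is_analysis_complete/{analysis_id}")
        if status.get("complete") is True:
            return call("GET", f"{base_url}/api/results/{analysis_id}")
        sleep(poll_interval)
    raise TimeoutError(f"analysis {analysis_id} not complete after {max_polls} polls")


def summarize(results):
    """Reduce each result to its observable, type and reverse_dns entries, if any."""
    rows = []
    for item in results:
        rdns = (item.get("reverse_dns") or {}).get("reverse_dns") or []
        rows.append({"observable": item["observable"],
                     "type": item.get("type"), "resolved": rdns})
    return rows


if __name__ == "__main__":
    for row in summarize(analyze("cyberbro.net", ["reverse_dns", "rdap_whois"])):
        print(row)
```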

API and third-party services

Note

Any questions? Check https://docs.cyberbro.net or raise an issue.
For the advanced config (tuning of supervisord.conf before deployment, selection of visible engines, change /api/ prefix...), check the dedicated docs page.

Special thanks

A huge thank you to all the amazing contributors who made pull requests and helped improve this project:

  • Florian PILLOT who reworked engines (refactoring and optimizations).
  • Axel who develops Ioc.One and added a specific User-Agent allowing scraping of Ioc[.]One.
  • Jon Mark Allen who added better secret management and tests. He refactored a lot and made many improvements to the codebase, including CriminalIP.
  • cirosec GmbH - Felix Friedberger for adding crt.sh engine.
  • Stig Dahl for enhancing crt.sh engine, adding DFIR IRIS search and fixing Bandit issues.
  • 0xffr for fixing issue #98 - Grep.app engine broken and commenting properly in CriminalIP engine.
  • Maxime Berthault - Maxou56800 for developing Cyberbro CLI.

Your contributions are greatly appreciated!

License

MIT License

Copyright (c) 2024-2026 stanfrbd

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Logo

The logo used in this project is free for personal and commercial use and can be found here.