
How It Works

A technical deep dive into ShadowPulse's threat intelligence pipeline

System Architecture

Built for speed, scalability, and reliability

Frontend

Vanilla JavaScript with Tailwind CSS for responsive, real-time threat visualization

Bundle Size: ~45KB
Framework: Vanilla JS
Styling: Tailwind

Backend

Hono framework with Edge Runtime for lightning-fast API responses

Runtime: Edge
Language: JavaScript
Cold Start: ~5ms

AI Engine

Google Gemini for MITRE ATT&CK mapping and contextual threat assessment

Model: Gemini 2.0
Analysis: MITRE
Response: ~2-3s

Intel Sources: 6+
API Response: <100ms
Uptime: 99.9%
Edge Coverage: Global

Data Pipeline

From query to actionable intelligence in 4 steps

1. Query Detection

Automatic IOC type detection using regex patterns. The page's three checks, wrapped in a function so they run as written (the "unknown" fallback is added so every input gets a result):

function detectIocType(query) {
  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(query)) return "ip";      // dotted quad; octet range is not validated
  if (/^https?:\/\//.test(query)) return "url";                              // anything with an http(s) scheme
  if (/^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(query)) return "domain";        // host label(s) plus alphabetic TLD
  return "unknown";
}
2. Parallel Enrichment

Simultaneous queries to 6+ threat intelligence sources:

VirusTotal: Malware Analysis
AbuseIPDB: IP Reputation
Shodan: Attack Surface
GreyNoise: Noise Detection
isMalicious: Multi-Source
AlienVault: Community Intel
3. Risk Calculation

Weighted risk assessment with adaptive scoring based on data availability.

Risk Calculation Formula:
VirusTotal: 35% weight - (malicious × 2 + suspicious) / total_scanners
isMalicious: 25% weight - reputation-based scoring
AbuseIPDB: 30% weight - abuse confidence percentage
Shodan: 10% weight - open ports risk (ports × 5)
Final Score = Σ(source_score × weight) / available_weight

Calculation Example:

VirusTotal (35% weight):
Raw: 5 malicious, 2 suspicious, 45 harmless, 8 undetected (60 scanners in total)
Formula: ((5 × 2 + 2) / 60) × 100 = 20.00%
Weighted: 20.00% × 0.35 = 7.00%

isMalicious (25% weight):
Raw: 3 malicious, 1 suspicious, 40 harmless, 6 undetected (50 scanners in total)
Formula: ((3 × 2 + 1) / 50) × 100 = 14.00%
Weighted: 14.00% × 0.25 = 3.50%

AbuseIPDB (30% weight):
Abuse Confidence: 85%
Weighted: 85% × 0.30 = 25.50%

Shodan (10% weight):
Open Ports: 8 (22, 80, 443, 3306, 8080)
Port Risk: SSH(25%) + HTTP(8%) + HTTPS(5%) + MySQL(20%) + Alt Web(10%) = 68%
Weighted: 68% × 0.10 = 6.80%

Final Risk Score: (7.00% + 3.50% + 25.50% + 6.80%) / 1.00 = 42.80%
(all four scored sources returned data, so available_weight = 0.35 + 0.25 + 0.30 + 0.10 = 1.00)
Note: GreyNoise data is used for classification but not included in risk scoring
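The risk formula and worked example above, carried through as code that also covers the adaptive case where a source returns nothing. This is an added example, not ShadowPulse's own implementation: the weights and the per-port risk percentages (SSH 25%, HTTP 8%, HTTPS 5%, MySQL 20%, 8080 10%) are taken from this page, while the 5% default for unlisted ports, the 100% cap on port risk and the shape of the input object are assumptions.

```javascript
// Added example (not ShadowPulse code): the weighted, availability-adjusted risk
// formula from the Risk Calculation step. Weights are the ones stated on the page.
const WEIGHTS = { virustotal: 0.35, ismalicious: 0.25, abuseipdb: 0.30, shodan: 0.10 };

// Per-port risk taken from the worked example; the 5% default for other ports
// and the 100% cap are assumptions, not stated on the page.
const PORT_RISK = { 22: 25, 80: 8, 443: 5, 3306: 20, 8080: 10 };
const DEFAULT_PORT_RISK = 5;

// (malicious × 2 + suspicious) / total_scanners, as a percentage.
// Returns null when no scanner reported, so the source counts as unavailable.
function verdictScore({ malicious, suspicious, harmless, undetected }) {
  const total = malicious + suspicious + harmless + undetected;
  return total === 0 ? null : ((malicious * 2 + suspicious) / total) * 100;
}

// Open-port risk: sum of per-port percentages, capped at 100.
function portScore(openPorts) {
  const sum = openPorts.reduce((acc, p) => acc + (PORT_RISK[p] ?? DEFAULT_PORT_RISK), 0);
  return Math.min(sum, 100);
}

// Final Score = Σ(source_score × weight) / available_weight. Sources that are
// missing or scored null drop out of both sums: that is the adaptive part.
function riskScore(sources) {
  const scores = {
    virustotal: sources.virustotal ? verdictScore(sources.virustotal) : null,
    ismalicious: sources.ismalicious ? verdictScore(sources.ismalicious) : null,
    abuseipdb: sources.abuseipdb ? sources.abuseipdb.abuseConfidence : null,
    shodan: sources.shodan ? portScore(sources.shodan.openPorts) : null,
  };
  let weighted = 0, availableWeight = 0;
  for (const [name, score] of Object.entries(scores)) {
    if (score === null) continue;
    weighted += score * WEIGHTS[name];
    availableWeight += WEIGHTS[name];
  }
  if (availableWeight === 0) return null; // no source returned data
  return Math.round((weighted / availableWeight) * 100) / 100;
}

// Constructed input mirroring the page's calculation example.
const EXAMPLE = {
  virustotal: { malicious: 5, suspicious: 2, harmless: 45, undetected: 8 },
  ismalicious: { malicious: 3, suspicious: 1, harmless: 40, undetected: 6 },
  abuseipdb: { abuseConfidence: 85 },
  shodan: { openPorts: [22, 80, 443, 3306, 8080] },
};
console.log(riskScore(EXAMPLE)); // 42.8, matching the worked example
```

Dropping Shodan from the input leaves 36% of weighted score over an available_weight of 0.90, so the result rises to 40 rather than silently shrinking.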
4. AI Analysis

Google Gemini analyzes unified threat data to provide contextual insights and MITRE ATT&CK mapping.

AI Analysis Components:
Threat Summary: Contextual evidence analysis that calls out contradictions in the evidence
MITRE ATT&CK: AI identifies techniques, database provides detailed detection rules
Analyst Tips: Actionable recommendations and caveats

MITRE Database Integration:

AI Analysis Phase:
• Analyzes threat indicators and comments
• Identifies relevant MITRE ATT&CK techniques
• Extracts technique IDs (T1566, T1110, etc.)

Database Lookup Phase:
• Queries local MITRE techniques database
• Retrieves official technique details
• Gets detection rules and guidance
• Links to official MITRE ATT&CK pages

Intelligence Sources

Integrating with leading threat intelligence platforms

VirusTotal

Multi-engine malware scanning with 70+ antivirus engines

Detection Rate: 99.9%
Response Time: ~200ms

AbuseIPDB

Community-driven IP abuse reporting with confidence scoring

Coverage: Global
Categories: 23

Shodan

Internet-connected device scanning for attack surface analysis

Devices Scanned: 500M+
Ports Monitored: 65,535

GreyNoise

Internet noise classification to distinguish targeted attacks

Classification: Real-time
Context Tags: 100+

isMalicious

Multi-source threat intelligence aggregation with WHOIS

Data Sources: 15+
Reputation Score: 0-100

AlienVault OTX

Open Threat Exchange with community-driven intelligence

Threat Pulses: 200K+
IOC Database: 19M+