
Under the Hood

A technical deep dive into ShadowPulse's architecture.

System Architecture

Real-time data flow with sub-100ms latency

Frontend Layer

Vanilla JavaScript with Tailwind CSS for responsive design, real-time threat visualization, and interactive analysis results.

Bundle Size: ~45KB
Framework: Vanilla JS
Styling: Tailwind CSS

Hono Backend

Lightning-fast web framework with Edge Runtime, TypeScript support, and unified API endpoints for 6+ threat intelligence sources.

Runtime: Edge
Language: JavaScript
Cold Start: ~5ms

AI Analysis Engine

Google Gemini-powered analysis with MITRE ATT&CK mapping, risk scoring, and contextual threat assessment.

AI Model: Gemini 2.0 Flash
Analysis: MITRE ATT&CK
Response: ~2-3s

Intel Sources: 6+
API Response: <100ms
Uptime: 99.9%
Edge Coverage: Global

Data Processing Pipeline

1. Query Detection & Classification

Automatic detection of IOC types using regex patterns and validation algorithms.

// Automatic IOC type detection, checked from most to least specific.
// Caveat: the IP pattern only checks shape, not octet range (999.1.1.1 passes),
// and the hash pattern accepts any hex string of 32+ characters (MD5, SHA-1, SHA-256).
function detectIocType(query) {
  const q = query.trim();
  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(q)) return "ip";
  if (/^https?:\/\//.test(q)) return "url";
  if (/^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(q)) return "domain";
  if (/^[a-fA-F0-9]{32,}$/.test(q)) return "hash";
  return "unknown"; // nothing matched: the query is rejected before enrichment
}

2. Parallel Threat Intelligence Enrichment

Simultaneous queries to 6 threat intelligence sources using Promise.allSettled() for optimal performance.

VirusTotal: Malware Analysis
AbuseIPDB: IP Reputation
Shodan: Attack Surface
GreyNoise: Internet Noise
isMalicious: Multi-Source Intel
AlienVault OTX: Community Intel
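An added example (not ShadowPulse's own code) of the fan-out described in this step: six constructed stand-in lookups, one that fails and one that hangs, are queried at once with Promise.allSettled() behind an assumed per-source timeout, and the caller still receives the four results that succeeded. The same pattern is what the "graceful degradation with partial results" bullet under Performance Optimizations refers to.

```javascript
// Constructed stand-ins for the six intel lookups: each resolves with a
// normalized record or fails, so partial failure can be exercised offline.
const SOURCES = {
  virustotal: async () => ({ malicious: 5, suspicious: 2, harmless: 45, undetected: 8 }),
  abuseipdb: async () => ({ abuseConfidence: 85 }),
  shodan: async () => ({ ports: [22, 80, 443, 3306, 8080] }),
  greynoise: async () => ({ classification: "malicious" }),
  ismalicious: async () => { throw new Error("HTTP 429 rate limited"); },
  alienvault: async () => new Promise(() => {}), // never settles: a hung upstream
};

// Assumed helper: reject after `ms` so one slow upstream cannot hold the response.
function withTimeout(promise, ms, label) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Fan out to every source at once. allSettled never rejects, so the caller
// always gets the subset that succeeded plus a per-source error map.
async function enrich(query, sources, timeoutMs = 100) {
  const names = Object.keys(sources);
  const settled = await Promise.allSettled(
    names.map((name) => withTimeout(sources[name](query), timeoutMs, name))
  );
  const data = {};
  const errors = {};
  settled.forEach((result, i) => {
    if (result.status === "fulfilled") data[names[i]] = result.value;
    else errors[names[i]] = result.reason.message;
  });
  return { query, data, errors, degraded: Object.keys(errors).length > 0 };
}

// Example run: two of six sources fail, the other four still come back.
enrich("198.51.100.7", SOURCES).then((r) => console.log(JSON.stringify(r, null, 2)));
```
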

3. Data Unification & Threat Indicator Extraction

Normalization and extraction of key threat indicators from disparate data sources.

Extracted Indicators:
  • VirusTotal: Detection stats, reputation scores, tags
  • AbuseIPDB: Abuse confidence, report categories
  • Shodan: Open ports, services, JARM fingerprints
  • GreyNoise: Classification, scanning behavior (classification only)
  • isMalicious: Reputation scores, WHOIS data
  • AlienVault: Pulse data, threat tags, IOC associations

4. Dynamic Risk Score Calculation

Weighted risk assessment algorithm with adaptive scoring based on data availability.

Risk Calculation Formula:
VirusTotal: 35% weight - (malicious × 2 + suspicious) / total_scanners
isMalicious: 25% weight - reputation-based scoring
AbuseIPDB: 30% weight - abuse confidence percentage
Shodan: 10% weight - open ports risk (ports × 5)
Final Score = Σ(source_score × weight) / available_weight, where available_weight is the sum of the weights of the sources that actually returned data, so a missing source rescales the result instead of dragging it toward zero.
📊 Calculation Example:
🦠 VirusTotal (35% weight):
Raw: 5 malicious, 2 suspicious, 45 harmless, 8 undetected
Formula: ((5 × 2 + 2) / 60) × 100 = 20.00%
Weighted: 20.00% × 0.35 = 7.00%
🤖 isMalicious (25% weight):
Raw: 3 malicious, 1 suspicious, 40 harmless, 6 undetected
Formula: ((3 × 2 + 1) / 50) × 100 = 14.00%
Weighted: 14.00% × 0.25 = 3.50%
🚫 AbuseIPDB (30% weight):
Abuse Confidence: 85%
Weighted: 85% × 0.30 = 25.50%
🔍 Shodan (10% weight):
Open Ports: 8 (22, 80, 443, 3306, 8080)
Port Risk: SSH(25%) + HTTP(8%) + HTTPS(5%) + MySQL(20%) + Alt Web(10%) = 68%
Weighted: 68% × 0.10 = 6.80%
🎯 Final Risk Score: 7.00% + 3.50% + 25.50% + 6.80% = 42.80%
Note: GreyNoise data is used for classification but not included in risk scoring
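The scoring above carried through in code, as an added example rather than ShadowPulse's implementation. It reproduces the 42.80% worked example and also the adaptive case the formula describes but the example does not show: when a source returns nothing, its weight drops out of the denominator. Assumptions: the per-port risk values are the ones in the example, unlisted ports fall back to 5 each (from "ports × 5"), port risk is capped at 100, and isMalicious is scored from detection counts as the example does.

```javascript
// Weights as listed in the formula; GreyNoise is deliberately absent.
const WEIGHTS = { virustotal: 0.35, ismalicious: 0.25, abuseipdb: 0.30, shodan: 0.10 };

// Per-port risk from the worked example; other ports fall back to 5 (assumed,
// matching "ports × 5"), and the total is capped at 100 (assumed).
const PORT_RISK = { 22: 25, 80: 8, 443: 5, 3306: 20, 8080: 10 };

// Each scorer returns 0..100, or null when the source returned no data.
function scoreDetections(stats) {
  if (!stats) return null;
  const total = stats.malicious + stats.suspicious + stats.harmless + stats.undetected;
  return total ? ((stats.malicious * 2 + stats.suspicious) / total) * 100 : 0;
}
function scoreAbuse(data) { return data ? data.abuseConfidence : null; }
function scorePorts(data) {
  if (!data) return null;
  return Math.min(data.ports.reduce((sum, p) => sum + (PORT_RISK[p] ?? 5), 0), 100);
}

// Final Score = Σ(source_score × weight) / available_weight
function calculateRiskScore(d) {
  const scores = {
    virustotal: scoreDetections(d.virustotal),
    ismalicious: scoreDetections(d.ismalicious),
    abuseipdb: scoreAbuse(d.abuseipdb),
    shodan: scorePorts(d.shodan),
  };
  let weighted = 0, available = 0;
  for (const [src, s] of Object.entries(scores)) {
    if (s === null) continue;          // missing source: weight leaves the denominator
    weighted += s * WEIGHTS[src];
    available += WEIGHTS[src];
  }
  const score = available > 0 ? weighted / available : 0;
  return { score: Math.round(score * 100) / 100, availableWeight: available, scores };
}

// Inputs constructed to match the worked example above.
const example = {
  virustotal: { malicious: 5, suspicious: 2, harmless: 45, undetected: 8 },
  ismalicious: { malicious: 3, suspicious: 1, harmless: 40, undetected: 6 },
  abuseipdb: { abuseConfidence: 85 },
  shodan: { ports: [22, 80, 443, 3306, 8080] },
};
console.log(calculateRiskScore(example).score); // 42.8
```
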

5. AI-Powered Contextual Analysis

Google Gemini analyzes unified threat data to provide contextual insights and MITRE ATT&CK mapping.

AI Analysis Components:
  • Threat Summary: Contextual evidence analysis with contradictions
  • MITRE ATT&CK: Technique mapping based on observed behaviors
  • Analyst Tips: Actionable recommendations and caveats
  • Pattern Recognition: Campaign associations and threat actor TTPs

Technical Specifications

Performance Optimizations

  • Parallel Processing: Promise.allSettled() for simultaneous API calls (3x faster than sequential)
  • Database Optimization: Indexed queries with parallel execution for sub-second response times
  • Real-time Updates: Immediate threat stats display independent of AI analysis completion
  • Error Resilience: Graceful degradation with partial results when sources are unavailable

Analytics & Tracking

  • Search Tracking: Response times, source usage, and threat detection rates
  • Threat Intelligence: Automated IOC categorization and threat pattern analysis
  • System Metrics: Uptime monitoring, API health checks, and performance metrics
  • Supabase Backend: PostgreSQL with real-time subscriptions and service role authentication

Threat Intelligence Sources

VirusTotal

Multi-engine malware scanning and URL analysis with 70+ antivirus engines.

Detection Rate: 99.9%
Response Time: ~200ms
Data Points: 50+

AbuseIPDB

Community-driven IP abuse reporting with confidence scoring and categorization.

Coverage: Global
Report Categories: 23
Confidence Score: 0-100%

Shodan

Internet-connected device scanning for attack surface analysis and port enumeration.

Devices Scanned: 500M+
Ports Monitored: 65,535
Service Detection: 1000+

GreyNoise

Internet background noise classification to distinguish between targeted attacks and scanning.

Classification: Malicious/Benign
Noise Detection: Real-time
Context Tags: 100+

isMalicious

Multi-source threat intelligence aggregation with reputation scoring and WHOIS analysis.

Data Sources: 15+
Reputation Score: 0-100
WHOIS Data: Enhanced

AlienVault OTX

Open Threat Exchange with community-driven threat intelligence and IOC associations.

Threat Pulses: 200K+
IOC Database: 19M+
Community: 100K+ Users

Security & Privacy

Data Protection

  • Search queries and IOC analysis results are tracked for analytics
  • Encrypted API communications (HTTPS/TLS 1.3)
  • Basic usage analytics for platform improvement and abuse prevention
  • Service role authentication for secure database access

Access Control

  • API rate limiting and abuse prevention
  • Origin-based request validation
  • Secure environment variable management