cyberbro by stanfrbd

IoC extraction app for threat intel, using multiple CTI services

created 9 months ago
443 stars

Top 68.7% on sourcepulse

Project Summary

Cyberbro is a lightweight, beginner-friendly application designed to extract Indicators of Compromise (IoCs) from unstructured text and query their reputation across numerous threat intelligence services. It caters to security analysts, researchers, and incident responders seeking an efficient, consolidated view of threat data without complex deployments.

How It Works

Cyberbro employs a multithreaded architecture to process user-provided text, automatically parsing and extracting IoCs such as IPs, hashes, domains, and URLs. It then queries a wide array of integrated CTI services, including VirusTotal, AbuseIPDB, and Microsoft Defender for Endpoint, to gather reputation data. The application stores results in SQLite and offers features like automated pivoting via reverse DNS and RDAP lookups, alongside caching for performance.

Quick Start & Requirements

  • Install/Run: docker compose up (requires Docker and Docker Compose plugin).
  • Prerequisites: API keys for the various CTI services (optional; several services can be queried without a key).
  • Setup: Minimal, especially with Docker.
  • Docs: https://docs.cyberbro.net/

Highlighted Details

  • Extracts IoCs from raw logs and supports Chrome Extension ID lookups.
  • Integrates with EDR solutions like Microsoft Defender for Endpoint and CrowdStrike.
  • Provides automated pivoting and detailed domain/abuse contact information.
  • Offers an API for programmatic access and custom report generation with LLMs via MCP.

Maintenance & Community

The project acknowledges contributions from Florian PILLOT, Axel, and Jon Mark Allen for engine refactoring, Ioc.One integration, and secret management improvements, respectively. Further community engagement and support are available via GitHub issues.

Licensing & Compatibility

The software is released under the MIT License, permitting free personal and commercial use without warranty.

Limitations & Caveats

The README advises placing the application behind a reverse proxy and a WAF in production because of security considerations with the default configuration. The GUI configuration endpoint is disabled by default for security reasons and is not recommended for public or team deployments.

Health Check

  • Last commit: 1 week ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 2
  • Issues (30d): 4
  • Star History: 65 stars in the last 90 days
