About APEX Threat Analyzer


APEX Threat Intelligence Hub is a local research console that aggregates threat intelligence from multiple open feeds — CISA's Known Exploited Vulnerabilities catalog, the NVD CVE database, AlienVault OTX pulses, MalwareBazaar malware samples, ThreatFox IOCs, Emerging Threats community discussions, and the KEVin API — into a single SQLite-backed workspace. It deduplicates threats across sources, persists every IOC into a cross-referenceable index, runs on-demand web searches for remediations, and (when configured) performs AI-powered forensic analysis via Claude or a local Ollama model.

Developed and Maintained By: Alfredo J. Nacino JR.


© 2026 Alfredo Nacino. All rights reserved.


Data sources

Every URL APEX has been configured to gather data from, with the kind of data each contributes. This list is computed live from your database; admins can edit it via /sources and /threat-intel.

Configured scrapers (15)

| Source | URL | Scraper | Status | Threats contributed |
|---|---|---|---|---|
| Abuse.ch | https://mb-api.abuse.ch/api/v1/ | malware_bazaar | active, last: 2026-06-03 18:09 UTC | 2952 |
| AlienVault OTX | https://otx.alienvault.com/api/v1/pulses/subscribed | otx | active, last: 2026-06-03 18:25 UTC | 146 |
| CISA KEV | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | cisa_kev_v2 | active, last: 2026-06-03 18:36 UTC | 105 |
| CISA KEV CVEs | https://kevin.gtfkd.com/kev/recent?days=30 | kevin | active, last: 2026-06-03 18:35 UTC | 23 |
| CISA Known Exploited Vulnerabilities | https://www.cisa.gov/known-exploited-vulnerabilities-catalog | cisa_kev | active, last: 2026-06-05 09:42 UTC | 111 |
| Emerging Threats Community | https://community.emergingthreats.net | emerging_threats | active, last: 2026-06-03 18:35 UTC | 44 |
| NVD Recent CVEs | https://nvd.nist.gov | nvd | active, last: 2026-06-03 18:37 UTC | 2180 |
| Palo Alto Networks Security | https://security.paloaltonetworks.com/ | paloalto | active, last: 2026-06-03 18:40 UTC | 243 |
| TAXII | https://attack-taxii.mitre.org/ | taxii | active, last: 2026-06-03 18:25 UTC | 0 |
| ThreatFox IOCs | https://threatfox-api.abuse.ch/api/v1/ | threatfox | active, last: 2026-06-05 09:45 UTC | 3486 |
| ThreatFox IOCs/Threats | https://threatfox-api.abuse.ch/api/v1/ | threatfox | active, last: 2026-06-03 18:11 UTC | 3344 |
| ThreatFox Malwares | https://threatfox-api.abuse.ch/api/v1/ | threatfox | active, last: 2026-06-05 11:33 UTC | 1002 |
| URLhaus | https://urlhaus-api.abuse.ch/v2 | urlhaus | active, last: 2026-06-05 11:32 UTC | 806 |
| VirusTotal (enrichment) | https://www.virustotal.com | virustotal | active, last: 2026-06-03 18:11 UTC | 0 |
| Wordfence | https://www.wordfence.com | wordfence | active, last: 2026-06-05 11:17 UTC | 1688 |

Threat-intel feeds (119 feeds, 1080894 indicators)

Top vendors by feed count (full list on /threat-intel):

  • montysecurity 18 feeds
  • Abuse.ch 15 feeds
  • Ipsum 8 feeds
  • Blocklist.de 8 feeds
  • threatview.io 8 feeds
  • drb-ra 4 feeds
  • urlabuse 4 feeds
  • Botvrij.eu 4 feeds
  • tweetfeed.live 4 feeds
  • virtualfabric 3 feeds
  • CyberCure 3 feeds
  • Carbon Black 3 feeds
  • mthcht 3 feeds
  • Daniel Austin MBCS 2 feeds
  • CISA 2 feeds

External enrichment services

APIs and feeds the code reaches out to that don't live in the configured-sources table — CVE record providers, IP geolocation, web search, AI, etc. Compiled from the scraper / service modules.

  • CVE Project cvelistV5 — Raw CVE 5.x JSON records (CVSS, CWE, references, affected products) — sparse-cloned and bulk-imported into /cves.
  • MITRE CVE Services API — Upstream-of-truth CVE records used as the cvelistV5 404 fallback and for the MITRE-side description / references backfill.
  • CISA Known Exploited Vulnerabilities — CISA KEV catalog — actively-exploited CVEs with required mitigation deadlines. Ingested as Threats.
  • NIST NVD — Recent CVE feed with CVSS scoring and CPE matches. Ingested as Threats.
  • AlienVault OTX — OTX pulses — community-curated threat reports with linked IOCs.
  • VirusTotal — Per-IOC reputation, vendor verdicts, comments, relationships (files/domains/IPs/URLs).
  • MalwareBazaar (abuse.ch) — Malware samples queried by hash or signature — persisted as Threats with linked file hashes.
  • ThreatFox (abuse.ch) — Open IOC marketplace (IPs / domains / URLs / hashes) with malware family tagging.
  • URLhaus (abuse.ch) — Malicious-URL feed — actively-served payload URLs.
  • Emerging Threats Community — Discussion-driven threat intel and Suricata rules.
  • Palo Alto Unit 42 — Threat-research blog posts mined for CVE IDs and adversary references.
  • ThreatMiner — Open-source threat-intel aggregator queried for per-IOC enrichment.
  • KEVin — JSON API mirror of CISA KEV with extra metadata.
  • TAXII / STIX feeds — Configurable STIX 2.x feeds (e.g. AT&T, Anomali, MITRE ATT&CK) pulled via TAXII discovery + collections.
  • ipinfo.io — Per-IP geolocation, ASN, AS-name, country code — caches results for the Dashboard global map and the IOC geo modal.
  • DuckDuckGo HTML — Anonymous web search powering the per-Threat / per-CVE 'Find references' and 'Search the web for remediations' buttons, and the Assistant's web_search tool.
  • Anthropic Claude API — AI Forensic Analysis on Threats / CVEs / IOCs and the conversational APEX HUB Assistant.
  • DNS (system resolver) — A-record resolution of domain / URL IOCs into IPv4 addresses, persisted via IndicatorResolution and plotted on the Dashboard map.