I Built a Self-Hosted Threat Intelligence Platform to Stop Tab-Hopping Forever

Mar 4, 2026 • 3 min read • Advanced

  • Projects
  • Threat Intelligence

A few months ago I was triaging a suspicious IP and caught myself with VirusTotal, AbuseIPDB, Shodan, and OTX all open at once, reconciling results by hand. I’d done that same thing probably a hundred times. So I stopped and built something instead.

What Threatweave Actually Does

Threatweave is a self-hosted threat intelligence platform that aggregates results from 12+ providers into a single query. You drop in an IP, domain, file hash, or URL, and it fans out to VirusTotal, AbuseIPDB, AlienVault OTX, Shodan, URLhaus, MalwareBazaar, ThreatFox, Mnemonic PDNS, Google Safe Browsing, Triage, URLScan, and more. Results come back normalized with a unified risk score, so you’re comparing apples to apples instead of squinting at six different rating systems.
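The normalization step is where the "apples to apples" comparison happens, so here is an added Go example of it (my illustration, not Threatweave's code). The raw result structs, the saturation curves and the provider weights are this example's own assumptions, not the providers' real API shapes; the sample values are constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// ProviderVerdict is one provider's answer after normalization to a common
// 0..100 scale (higher = more malicious). Struct and field names are this
// example's own, not any provider's API shape.
type ProviderVerdict struct {
	Provider string
	Score    float64
	Weight   float64 // 0 means "no data from this provider, exclude it"
}

// Simplified raw answers in each provider's own units (constructed shapes).
type VTResult struct{ Malicious, Total int }  // engine detection counts
type AbuseIPDBResult struct{ Confidence int } // 0..100 abuse confidence
type OTXResult struct{ PulseCount int }       // pulses referencing the IOC
type SafeBrowsingResult struct{ Flagged bool }

func clamp(v float64) float64 { return math.Max(0, math.Min(100, v)) }

// NormalizeVT saturates at 10 detections: a handful of engine hits is already
// strong signal, so a raw ratio against 70 engines would understate it.
func NormalizeVT(r VTResult) ProviderVerdict {
	if r.Total == 0 {
		return ProviderVerdict{"VirusTotal", 0, 0} // no data, excluded
	}
	return ProviderVerdict{"VirusTotal", clamp(10 * float64(r.Malicious)), 1.0}
}

func NormalizeAbuseIPDB(r AbuseIPDBResult) ProviderVerdict {
	return ProviderVerdict{"AbuseIPDB", clamp(float64(r.Confidence)), 1.0}
}

// NormalizeOTX gives community-sourced pulses half weight (assumed policy).
func NormalizeOTX(r OTXResult) ProviderVerdict {
	return ProviderVerdict{"AlienVault OTX", clamp(25 * float64(r.PulseCount)), 0.5}
}

func NormalizeSafeBrowsing(r SafeBrowsingResult) ProviderVerdict {
	s := 0.0
	if r.Flagged {
		s = 100
	}
	return ProviderVerdict{"Google Safe Browsing", s, 0.5}
}

// UnifiedScore is the weighted mean over providers that returned data, plus a
// coarse label. It returns (0, "unknown") when nothing answered, so an empty
// result is never mistaken for "clean".
func UnifiedScore(vs []ProviderVerdict) (float64, string) {
	var sum, wsum float64
	for _, v := range vs {
		if v.Weight <= 0 {
			continue
		}
		sum += v.Score * v.Weight
		wsum += v.Weight
	}
	if wsum == 0 {
		return 0, "unknown"
	}
	score := sum / wsum
	switch {
	case score >= 75:
		return score, "malicious"
	case score >= 40:
		return score, "suspicious"
	default:
		return score, "clean"
	}
}

func main() {
	// Constructed sample: one IP as four providers might describe it.
	vs := []ProviderVerdict{
		NormalizeVT(VTResult{Malicious: 5, Total: 70}),
		NormalizeAbuseIPDB(AbuseIPDBResult{Confidence: 100}),
		NormalizeOTX(OTXResult{PulseCount: 3}),
		NormalizeSafeBrowsing(SafeBrowsingResult{Flagged: false}),
	}
	sort.Slice(vs, func(i, j int) bool { return vs[i].Score > vs[j].Score })
	for _, v := range vs {
		fmt.Printf("%-22s %6.1f (weight %.1f)\n", v.Provider, v.Score, v.Weight)
	}
	score, label := UnifiedScore(vs)
	fmt.Printf("unified: %.1f -> %s\n", score, label) // 62.5 -> suspicious
}
```

The important design point is the zero-weight verdict for "provider had no data": averaging in a 0 from a provider that never saw the indicator would silently drag a real score down.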

The batch mode handles up to 50 indicators at once with real-time streaming results. If you’re working an incident with a pile of IOCs to triage, you stop queuing them one by one and just send them all.
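The batch path in Go, as an added example rather than Threatweave's implementation: a 50-indicator cap, deduplication of the pasted list, bounded fan-out, and results streamed on a channel as each lookup finishes. `BatchLookup`, `Dedupe` and the injected `lookup` function are this example's own names; the fake lookup in `main` is constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

const (
	MaxBatch    = 50 // matches the post's batch limit
	MaxParallel = 8  // assumed cap on concurrent upstream lookups
)

var ErrBatchTooLarge = errors.New("batch exceeds 50 indicators")

// Result is one streamed answer; Err is set when the lookup itself failed.
type Result struct {
	Indicator string
	Score     float64
	Err       error
}

// Dedupe trims whitespace, drops blanks and keeps the first copy of each
// indicator so a pasted IOC list does not burn quota on repeats.
func Dedupe(in []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range in {
		s = strings.TrimSpace(s)
		if s == "" || seen[s] {
			continue
		}
		seen[s] = true
		out = append(out, s)
	}
	return out
}

// BatchLookup fans indicators out to lookup with bounded concurrency and
// streams each Result as soon as it is ready. The returned channel is closed
// once every indicator is done or ctx is cancelled.
func BatchLookup(ctx context.Context, indicators []string,
	lookup func(context.Context, string) (float64, error)) (<-chan Result, error) {
	if len(indicators) > MaxBatch {
		return nil, ErrBatchTooLarge
	}
	out := make(chan Result)
	sem := make(chan struct{}, MaxParallel)
	var wg sync.WaitGroup
	for _, ind := range indicators {
		wg.Add(1)
		go func(ind string) {
			defer wg.Done()
			select {
			case sem <- struct{}{}: // acquire a worker slot
			case <-ctx.Done():
				return
			}
			defer func() { <-sem }()
			score, err := lookup(ctx, ind)
			select {
			case out <- Result{Indicator: ind, Score: score, Err: err}:
			case <-ctx.Done():
			}
		}(ind)
	}
	go func() { wg.Wait(); close(out) }()
	return out, nil
}

func main() {
	// Constructed lookup: pretends slower indicators are the longer strings,
	// so the streaming order differs from the input order.
	fake := func(ctx context.Context, s string) (float64, error) {
		time.Sleep(time.Duration(len(s)) * 10 * time.Millisecond)
		return float64(len(s)), nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	ch, err := BatchLookup(ctx, Dedupe([]string{"example.com", "192.0.2.10", " 192.0.2.10 ", "abc"}), fake)
	if err != nil {
		fmt.Println(err)
		return
	}
	for r := range ch {
		fmt.Printf("%-12s score=%.0f err=%v\n", r.Indicator, r.Score, r.Err)
	}
}
```

Streaming over a channel rather than collecting a slice is what lets the UI paint results as they land; the semaphore is what keeps a 50-IOC paste from opening 50 simultaneous connections to each provider.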

The Architecture

I wanted this to be something I could actually run in my home lab without it becoming a maintenance burden.

  • Backend: Go 1.24 with the Chi router. Single binary, fast startup, no runtime surprises.
  • Frontend: Svelte, with 115+ components spread across a main dashboard, admin panel, and an embeddable widget.
  • Storage: PostgreSQL 16 for persistence, Redis 7 for caching and session management.
  • Deployment: Docker Compose with Caddy handling automatic HTTPS via Let’s Encrypt.

Repeated lookups are instant because provider responses are cached with configurable TTLs. Per-provider rate limiting means I’m not burning through API quotas on duplicate queries or hammering upstream services.
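Here is an added Go example of the two mechanisms just described, a per-provider TTL cache in front of a token-bucket rate limit. It is my illustration, not Threatweave's code: `ProviderClient`, the injectable clock and the `fetch` callback are this example's own names, and the TTL, burst and refill values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrRateLimited = errors.New("provider rate limit exceeded")

type cacheEntry struct {
	value   string
	expires time.Time
}

// ProviderClient wraps one upstream provider with a TTL cache and a token
// bucket. The clock is injected so behaviour is testable without sleeping.
type ProviderClient struct {
	name     string
	ttl      time.Duration
	burst    int           // bucket capacity
	refill   time.Duration // one token is added per refill interval
	now      func() time.Time
	mu       sync.Mutex
	cache    map[string]cacheEntry
	tokens   int
	lastFill time.Time
	calls    int // upstream calls actually made (observability)
}

func NewProviderClient(name string, ttl time.Duration, burst int, refill time.Duration, now func() time.Time) *ProviderClient {
	return &ProviderClient{name: name, ttl: ttl, burst: burst, refill: refill, now: now,
		cache: map[string]cacheEntry{}, tokens: burst, lastFill: now()}
}

// take refills the bucket for elapsed time, then spends one token if any.
func (c *ProviderClient) take() bool {
	t := c.now()
	if elapsed := t.Sub(c.lastFill); elapsed >= c.refill {
		n := int(elapsed / c.refill)
		c.tokens += n
		if c.tokens > c.burst {
			c.tokens = c.burst
		}
		c.lastFill = c.lastFill.Add(time.Duration(n) * c.refill)
	}
	if c.tokens == 0 {
		return false
	}
	c.tokens--
	return true
}

// Lookup returns the cached response when it is still fresh (hit=true);
// otherwise it spends a token and calls fetch. The lock is held across fetch
// so two concurrent misses for the same indicator cannot both hit upstream.
func (c *ProviderClient) Lookup(indicator string, fetch func(string) (string, error)) (value string, hit bool, err error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	t := c.now()
	if e, ok := c.cache[indicator]; ok && t.Before(e.expires) {
		return e.value, true, nil
	}
	if !c.take() {
		return "", false, ErrRateLimited
	}
	v, err := fetch(indicator)
	if err != nil {
		return "", false, err
	}
	c.calls++
	c.cache[indicator] = cacheEntry{value: v, expires: t.Add(c.ttl)}
	return v, false, nil
}

// Calls reports how many real upstream requests were made.
func (c *ProviderClient) Calls() int { c.mu.Lock(); defer c.mu.Unlock(); return c.calls }

func main() {
	// Constructed: 10-minute TTL, burst of 2, one token per minute.
	c := NewProviderClient("abuseipdb", 10*time.Minute, 2, time.Minute, time.Now)
	fetch := func(ind string) (string, error) { return "constructed-response-for-" + ind, nil }
	for _, ind := range []string{"192.0.2.10", "192.0.2.10", "192.0.2.11", "192.0.2.12"} {
		v, hit, err := c.Lookup(ind, fetch)
		fmt.Printf("%-12s hit=%-5v err=%v %s\n", ind, hit, err, v)
	}
	fmt.Println("upstream calls:", c.Calls()) // 2 of 4 lookups reached the provider
}
```

A real deployment would store the cache in Redis rather than a map, as the post does, but the ordering matters either way: check the cache before spending a token, so a cache hit never counts against quota.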

What Actually Gets Used

The correlation engine is the feature I use most, and the one I didn’t expect to rely on. You pivot across indicators by shared threat actors, malware families, ASNs, or passive DNS data, and it turns up connections that just aren’t visible when you’re bouncing between separate tools. Context that would have taken 20 minutes to piece together manually shows up in one view.

The watchlist with change detection has become part of my daily routine. It tracks field-level changes between lookups, so if a risk score shifts, new ports open, or WHOIS data gets modified, I see it. I’ve caught a couple of indicators moving from suspicious to confirmed malicious this way before they showed up in any feed.
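Field-level change detection in Go, as an added example (my illustration, not Threatweave's implementation): each lookup is flattened to dotted field paths, two snapshots are diffed, and a risk score crossing the malicious threshold upward is flagged. `Flatten`, `Diff`, `Escalated` and the field names are this example's own; the two snapshots are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
)

// Flat is a lookup result flattened to dotted field paths such as
// "whois.registrar" or "ports.2". Storing snapshots this way turns a
// field-level diff into a plain map comparison.
type Flat map[string]string

// Flatten walks a decoded JSON-like document (maps, slices, scalars).
func Flatten(prefix string, v any, out Flat) {
	switch x := v.(type) {
	case map[string]any:
		for k, child := range x {
			Flatten(join(prefix, k), child, out)
		}
	case []any:
		for i, child := range x {
			Flatten(join(prefix, strconv.Itoa(i)), child, out)
		}
	default:
		out[prefix] = fmt.Sprint(x)
	}
}

func join(prefix, key string) string {
	if prefix == "" {
		return key
	}
	return prefix + "." + key
}

type Change struct {
	Field    string
	Old, New string // "" when the field was absent on that side
	Kind     string // "added", "removed" or "changed"
}

// Diff reports every field that differs between two snapshots, sorted by field.
func Diff(prev, cur Flat) []Change {
	var out []Change
	for k, ov := range prev {
		nv, ok := cur[k]
		switch {
		case !ok:
			out = append(out, Change{k, ov, "", "removed"})
		case nv != ov:
			out = append(out, Change{k, ov, nv, "changed"})
		}
	}
	for k, nv := range cur {
		if _, ok := prev[k]; !ok {
			out = append(out, Change{k, "", nv, "added"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Field < out[j].Field })
	return out
}

// Escalated is true when risk_score moved from below threshold to at or above
// it; a score falling back down is a change but not an escalation.
func Escalated(changes []Change, threshold float64) bool {
	for _, c := range changes {
		if c.Field != "risk_score" || c.Kind != "changed" {
			continue
		}
		o, err1 := strconv.ParseFloat(c.Old, 64)
		n, err2 := strconv.ParseFloat(c.New, 64)
		if err1 == nil && err2 == nil && o < threshold && n >= threshold {
			return true
		}
	}
	return false
}

func main() {
	// Constructed snapshots of the same IP taken on two consecutive days.
	prev, cur := Flat{}, Flat{}
	Flatten("", map[string]any{"risk_score": 42.0, "ports": []any{22.0, 80.0},
		"whois": map[string]any{"registrar": "Example Registrar"}}, prev)
	Flatten("", map[string]any{"risk_score": 87.0, "ports": []any{22.0, 80.0, 8443.0},
		"whois": map[string]any{"registrar": "Example Registrar"}, "malware_family": "constructed-family"}, cur)
	changes := Diff(prev, cur)
	for _, c := range changes {
		fmt.Printf("%-8s %-16s %q -> %q\n", c.Kind, c.Field, c.Old, c.New)
	}
	fmt.Println("escalated:", Escalated(changes, 75)) // true
}
```

Flattening before diffing is what makes "new ports open" show up as a single added field (`ports.2`) instead of an opaque "ports changed"; the same trick works for any nested provider response without writing a diff per schema.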

Threat intelligence feeds pull automatically from 16+ sources, including Hacker News, Bleeping Computer, CISA KEV, NIST NVD, Krebs on Security, and Cisco Talos. Extracted IOCs get enriched in the background, so by the time something shows up in a morning briefing, there’s already data behind it.

The platform exposes 50+ REST endpoints, so wiring it into a SOAR platform or custom tooling doesn’t take long.

What’s Next

I’m working on improving the correlation graph visualization and adding more pivot paths through the data. Detection coverage across providers is something I’m tracking more carefully now, and I want it front and center in the UI.

The embeddable widget (/widget) is next on my list. Running quick lookups from a browser extension or internal tool without touching the full dashboard is what I actually want day-to-day.

Resources to Get You Started

Threat Intelligence Platforms: A Practitioner’s Guide (SANS Reading Room). Useful for understanding where TIPs fit in a SOC workflow and what to actually look for when evaluating them.

Building a Home Lab for Threat Intelligence (Bleeping Computer). Walks through standing up self-hosted security tooling without enterprise infrastructure.

MITRE ATT&CK for Threat Intelligence (MITRE ATT&CK, updated 2024). Worth reading if you want to connect IOC enrichment to adversary behavior, which is where Threatweave’s ATT&CK integration is headed.

Elmer Phillips — Security Analyst