June 18, 2026
TFII — I Built a Threat Intelligence Platform, Kinda?
A small threat intelligence portal trying to mix and merge OpenCTI and OpenCVE, but with a pinch of salt.
Sherif Rahim
Look, I'm going to be upfront about a few things before you read further.
One — most of the code was written by Claude. I had the ideas, I tested everything, I found the bugs that mattered, I decided what to build next. But I'm not going to sit here and pretend I hand-typed 5000 lines of Python and React from scratch at 2am. That would be a lie.
Two — this is a personal project built in whatever free time I had. It's not competing with OpenCTI. It's not trying to be OpenCVE. Those are proper platforms built by proper teams over years. This is just something I made because I wanted a single place to check IOCs, monitor CVEs against my actual software stack, and generate detection queries without switching between 10 browser tabs. It scratches a personal itch. Whether it scratches yours — genuinely no idea, which is partly why I'm putting it out here.
Three — the server is small. Oracle Cloud free tier. Don't expect miracles.
So what is it actually?
TFII (ThreatFeed Intelligence Platform — yes I know, the acronym doesn't quite work) is a self-hosted threat intel portal. Think of it as a rough mix of OpenCTI's IOC management and OpenCVE's vulnerability tracking, with some detection engineering tooling thrown in, all running on free infrastructure.
Here's what's in it:
Bulk IOC Lookup — paste a blob of indicators, or upload a file. IPs, domains, URLs, hashes, emails, filenames. Fanged, defanged, mixed — it figures it out. Each one gets checked against VirusTotal, AbuseIPDB, and URLhaus, and you get back a verdict plus the owner org, ASN, country, and cloud provider if it's AWS/Azure/GCP/Cloudflare/etc. You can bulk-add results to a feed or download everything as CSV.
CVE Monitoring — add the software you actually run. It polls NVD every 6 hours and tells you what new CVEs affect your stack. Cross-references CISA's KEV catalog, shows EPSS exploitation probability.
CVE Lookup — one query hits NVD, CVE.org, OSV, CVE Trends, EPSS, and CISA KEV at the same time. Shows the full CVSS breakdown per metric, not just the number. Searches for PoCs across GitHub, Metasploit, Vulhub, and ExploitDB.
KQL/SPL Query Builder — you describe what you want to detect, it generates three variants (high fidelity, balanced, hunting). There's also an explainer mode where you paste any existing query and it breaks it down line by line and tells you what it misses.
Intel and CVE Wall — RSS from CISA, SANS, BleepingComputer, Krebs, Red Hat, Ubuntu, ZDI, and a few others. Split into general news and CVE-specific advisories.
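The "fanged, defanged, mixed, it figures it out" step of the bulk IOC lookup is the part worth showing in code. The block below is an added example, not TFII's own parser: it undoes the common defanging conventions (hxxp, [.] (.) [dot], [@], [:]) and then classifies each token as a URL, e-mail, hash, IP, filename or domain. The conventions handled, the filename extension list and the sample blob are all assumptions; the sample uses reserved documentation addresses and example domains, not real indicators.

```python
import ipaddress
import re
from typing import List, Optional, Tuple


def refang(token: str) -> str:
    """Undo the usual defanging so a pasted report token can be classified.
    The set of conventions handled here is an assumption for this example."""
    s = token.strip()
    s = re.sub(r"hxxp", "http", s, flags=re.IGNORECASE)            # hxxp(s):// -> http(s)://
    s = re.sub(r"\[(?:\.|dot)\]|\((?:\.|dot)\)", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\[@\]|\(@\)", "@", s)
    s = re.sub(r"\[://\]", "://", s)
    s = re.sub(r"\[:\]", ":", s)
    # drop punctuation that clings to indicators in free text ("evil.example,")
    return s.strip(".,;:()<>\"'")


_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_URL = re.compile(r"^https?://\S+$", re.IGNORECASE)
_EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
# Extension list is an assumption; a deployment would keep it configurable.
_FILENAME = re.compile(
    r"^[\w-]+\.(?:exe|dll|ps1|bat|docx?|xlsx?|js|vbs|zip|rar|pdf|lnk|scr)$", re.IGNORECASE)
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def classify(value: str) -> Optional[str]:
    """Return the indicator type of an already-refanged token, or None for a plain word."""
    if _URL.match(value):
        return "url"
    if _EMAIL.match(value):
        return "email"
    if _HEX.match(value) and len(value) in _HASH_TYPES:
        return _HASH_TYPES[len(value)]
    try:
        return f"ipv{ipaddress.ip_address(value).version}"   # validates octets, handles v6
    except ValueError:
        pass
    # filename before domain: "invoice.docx" would otherwise pass the domain regex
    if _FILENAME.match(value):
        return "filename"
    if _DOMAIN.match(value):
        return "domain"
    return None


def extract_iocs(blob: str) -> List[Tuple[str, str]]:
    """Split a pasted blob on whitespace, refang every token and keep those that classify.
    Hashes are lowercased; duplicates are dropped while keeping first-seen order."""
    seen = set()
    found: List[Tuple[str, str]] = []
    for raw in blob.split():
        value = refang(raw)
        kind = classify(value)
        if kind is None:
            continue
        if kind in ("md5", "sha1", "sha256"):
            value = value.lower()
        if (kind, value) not in seen:
            seen.add((kind, value))
            found.append((kind, value))
    return found


# Constructed sample (reserved documentation ranges and example domains, not real IOCs).
SAMPLE_BLOB = """
Seen in phishing wave (constructed sample, not real IOCs):
hxxp://login-update[.]example[.]net/verify, 192[.]0[.]2[.]44
attacker[@]example[.]org  invoice_2025.docx  c2-relay[.]example[.]com
d41d8cd98f00b204e9800998ecf8427e 203.0.113.9 203.0.113.9
"""

if __name__ == "__main__":
    for kind, value in extract_iocs(SAMPLE_BLOB):
        print(f"{kind:8} {value}")
```

The ordering inside `classify` is the part that bites in practice: hashes are checked before the IP parser so a 32-hex string is never mistaken for an address, and filenames before domains because anything with an extension also looks like a two-label hostname. A production version would add a public-suffix check so that a genuine `.zip` domain is not misfiled as a filename.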
There's also a personal daily notification that sends me CVE highlights every morning.
What broke along the way (the interesting bits)
NVD returns CVEs oldest-first. Query for a product and you get page 1 from 2008. Fix: hit the API once with resultsPerPage=1 to get the total, then fetch the last two pages directly. Obvious once you know; invisible until it bites you.
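The "probe once, then fetch the tail" fix in code, as an added example that is not TFII's own client. `fake_nvd_fetch` is a constructed stand-in for a GET against the NVD API 2.0 endpoint and mirrors only its top-level response fields (`totalResults`, `startIndex`, `resultsPerPage`, `vulnerabilities`); the eleven CVE ids and dates in it are made up. `last_page_offsets` and `newest_cves` are the hypothetical helpers that do the arithmetic the post describes.

```python
from typing import Callable, Dict, List

# Constructed stand-in for what NVD holds for one product: 11 CVEs stored
# oldest-first, the order the real API returns them in. IDs and dates are invented.
_FAKE_NVD_STORE: List[Dict] = [
    {"cve": {"id": f"CVE-20{8 + i // 3:02d}-{1000 + i}",
             "published": f"20{8 + i // 3:02d}-0{1 + i % 3}-15T00:00:00.000"}}
    for i in range(11)
]


def fake_nvd_fetch(start_index: int, results_per_page: int) -> Dict:
    """Stub for GET https://services.nvd.nist.gov/rest/json/cves/2.0?...&startIndex=N&resultsPerPage=M.
    Returns the same top-level fields as the real response, sliced from the fake store."""
    page = _FAKE_NVD_STORE[start_index:start_index + results_per_page]
    return {"totalResults": len(_FAKE_NVD_STORE), "startIndex": start_index,
            "resultsPerPage": results_per_page, "vulnerabilities": page}


def last_page_offsets(total: int, page_size: int, pages: int = 2) -> List[int]:
    """startIndex values of the last `pages` pages, ascending.
    Handles totals smaller than one page (only page 0 exists) and an empty result."""
    if total <= 0 or page_size <= 0:
        return []
    last = ((total - 1) // page_size) * page_size
    return sorted(o for o in (last - page_size * k for k in range(pages)) if o >= 0)


def newest_cves(fetch: Callable[[int, int], Dict], page_size: int = 2000, pages: int = 2) -> List[Dict]:
    """Probe once with resultsPerPage=1 to learn totalResults, pull only the tail
    pages, and flip them so the caller sees newest-first."""
    total = fetch(0, 1)["totalResults"]
    items: List[Dict] = []
    for offset in last_page_offsets(total, page_size, pages):
        items.extend(fetch(offset, page_size)["vulnerabilities"])
    items.reverse()
    return items


if __name__ == "__main__":
    for item in newest_cves(fake_nvd_fetch, page_size=4):
        print(item["cve"]["id"], item["cve"]["published"])
```

Three requests total regardless of how old the product's history is, which matters because NVD rate-limits clients (more tightly without an API key). Swapping `fake_nvd_fetch` for a real HTTP call keeps the arithmetic unchanged.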
Sequential awaits silently eating results. Had a pattern where three enrichment APIs were called sequentially, then isinstance(result, Exception) was checked — except that check only means something if you used asyncio.gather(return_exceptions=True). With plain sequential awaits, one failure aborts the whole block. The symptom looked like "AbuseIPDB isn't being checked" when really an exception upstream was killing everything quietly. Annoying to track down.
abuse.ch made auth mandatory. URLhaus required no key for years. Then in June 2025 they flipped a switch and every unauthenticated request gets a 401. The free key takes two minutes to get, but every existing integration broke overnight. Build graceful degradation in from day one.
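The two previous points, the sequential-await bug and the need for graceful degradation when a feed starts refusing unauthenticated requests, fit in one runnable example. This is added code, not TFII's: the three coroutines are constructed stubs for the enrichment calls (no HTTP is made), `urlhaus` simulates a feed answering 401, and `enrich_sequential` reproduces the broken shape from the post beside the `asyncio.gather(return_exceptions=True)` version that reports the failed source instead of losing the others.

```python
import asyncio
from typing import Any, Dict


class SourceUnavailable(Exception):
    """Raised by a stub when the upstream feed refuses the request (here: HTTP 401)."""


# Constructed stubs for the three enrichment sources; a real client would do HTTP here.
async def virustotal(ioc: str) -> Dict[str, Any]:
    await asyncio.sleep(0)
    return {"source": "virustotal", "malicious": 3}


async def urlhaus(ioc: str) -> Dict[str, Any]:
    await asyncio.sleep(0)
    # simulates the post's scenario: key now mandatory, unauthenticated call gets 401
    raise SourceUnavailable("URLhaus returned HTTP 401: API key required")


async def abuseipdb(ioc: str) -> Dict[str, Any]:
    await asyncio.sleep(0)
    return {"source": "abuseipdb", "abuse_confidence": 87}


SOURCES = (virustotal, urlhaus, abuseipdb)


async def enrich_sequential(ioc: str) -> Dict[str, Any]:
    """The buggy shape: awaits in series, then an isinstance(.., Exception) check that
    can never be true, because a plain await raises instead of returning the exception.
    The second call raises, and abuseipdb is never reached."""
    results: Dict[str, Any] = {}
    for fn in SOURCES:
        r = await fn(ioc)
        results[fn.__name__] = None if isinstance(r, Exception) else r
    return results


async def enrich_gathered(ioc: str) -> Dict[str, Any]:
    """Fixed shape: gather with return_exceptions=True turns each failure into a value,
    so one dead source is recorded as 'degraded' and the verdict is built from the rest."""
    outcomes = await asyncio.gather(*(fn(ioc) for fn in SOURCES), return_exceptions=True)
    enriched: Dict[str, Any] = {"ioc": ioc, "results": {}, "degraded": []}
    for fn, out in zip(SOURCES, outcomes):        # gather preserves input order
        if isinstance(out, Exception):
            enriched["degraded"].append({"source": fn.__name__, "error": str(out)})
        else:
            enriched["results"][fn.__name__] = out
    return enriched


def run_sequential(ioc: str) -> str:
    """Sync wrapper showing the observable symptom: the whole block aborts."""
    try:
        asyncio.run(enrich_sequential(ioc))
        return "completed"
    except SourceUnavailable:
        return "aborted"


def run_gathered(ioc: str) -> Dict[str, Any]:
    return asyncio.run(enrich_gathered(ioc))


if __name__ == "__main__":
    print("sequential:", run_sequential("203.0.113.9"))   # aborted, nothing returned
    print("gathered:  ", run_gathered("203.0.113.9"))     # two verdicts, urlhaus listed as degraded
```

The `degraded` list is what makes the 401 visible in the UI and the logs rather than looking like "AbuseIPDB isn't being checked"; it is also the natural place to hang a per-source alert when a feed goes dark.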
A chunk file appeared. Webpack decided to split the JS bundle during one build. The old index.html still referenced the old single bundle. The page went blank. Fifteen minutes of debugging before rm -rf build && npm run build fixed it. Sometimes it's that simple.
The infrastructure
Oracle Cloud free tier (4 OCPU, 24GB RAM ARM VM, permanent free). Docker Compose for the easy path, manual systemd+Nginx if you want more control. Every data source is a free API or public feed. Monthly cost is genuinely zero.
How to try it / run it
github.com/sherifrahim/TFII
You can also sign up on my instance at threatintel.mooo.com — you'll get demo/explorer access immediately (CVE lookup, query builder, OSINT, bulk IOC lookup all work). The personal IOC feed and CVE monitor are invite-only for now since the server is small, but there's a "request access" button if you want in and I'll review it.
If you self-host, it should take about an hour to get running with the Docker path. The README covers it.
I don't know if this will be useful to anyone outside my own workflow. That's genuinely the reason I'm posting — to find out. If you try it and find something broken or missing, open an issue. Also, my favourite part: if you have any interesting features you think might add value to the tool, open a PR or issue on GitHub and let's connect!