Building a Threat Intelligence Platform for Philippine companies
February 2026
I’ve been working on this for a while now: quietly, on the side, late nights, and the occasional rabbit hole that turned into a two-day deep dive. The first real, deployable version is ready, and I think it’s time to talk about what it is, why I built it, and where it’s going. This is the story of an open-source threat intelligence platform designed for the Philippine cybersecurity landscape and, probably, the broader Southeast Asian region.
The Problem
If you work in cybersecurity in the Philippines, you already know the gap and the story. Government talks a lot, but does nothing to protect the businesses that struggle. The major commercial threat intelligence platforms (your Recorded Futures, your Mandiant Advantages) are built for enterprise budgets and focus on Western threat contexts, with local relevance bolted on as patchwork. Customization costs you an arm and a leg in the best case, or the whole head if you chose the wrong one (you know who you are!). They are good products, in many cases, but they weren’t built with ph-gov-domain or ph-finance as a priority keyword. Southeast Asian threat actors, regional ransomware campaigns, and Filipino data leak markets on the dark web are an afterthought at best. And yet, as we all know, it is a huge market, and there are uncounted leaks to be found specifically of PH PII.
Meanwhile, the threats are very real. The Philippines consistently ranks among the most targeted nations in Asia for ransomware, credential theft, and data broker activity. Government agencies, financial institutions, and telecoms are hit regularly. And many, if not most, security teams in local companies, lacking the backing of large global teams, are operating without the visibility they need.
I wanted to build something that actually worked for this region, for the country I chose as my home and have lived in for 15 years now. Something that can be tuned to local targets, local threat actors, local language, and local infrastructure realities. Something that a solo analyst or a small team could deploy and actually use, in a matter of hours, not weeks or months.
So I built it.
And I made the core platform available as open source on Github.

What It Is
It is a self-hosted, open-source threat intelligence platform with a dark web scanner at its core. It runs over Tor, crawls .onion sites continuously, and alerts on configurable keywords: Philippine government domains, financial institution names, executive names, brand terms, or any indicator you care about.
But the scanner was just the beginning. Over the past months I kept realizing more features I wanted, so I kept adding, to the point where it is time to make it public so that others can contribute, others who are more professional in their coding skills than I am. It ended up including an intelligence dashboard, IP investigation tooling, DNS reconnaissance, ransomware tracking, threat actor profiling, and a curated daily email digest, all pulling from both proprietary scan data and open-source feeds. All of these can be customized to your needs. If anybody is interested in trying the version that is actually up and running, contact me; I will have a discussion with you and provide access to the pilot deployment, which is fully functional.
The entire stack is Dockerized. You can have it running on a VPS in about ten minutes. I have tested this multiple times, over and over, but do not expect perfection :D
The Stack
The platform is mainly built in Python, running behind a Flask dashboard with SQLite (PostgreSQL is an option for larger deployments). Tor proxying is handled via aiohttp-socks through a dedicated Tor container. Nginx sits in front with automatic Let’s Encrypt TLS certificates. The whole thing orchestrates cleanly with Docker Compose. I was surprised that I could get this to work. If I can, you can.
For intelligence feeds, this is where there is the most room for improvement. The core I have published now pulls from AlienVault OTX, CISA’s Known Exploited Vulnerabilities (KEV) catalog, URLhaus and Feodo Tracker from abuse.ch, and a curated set of cybersecurity RSS feeds.
Email delivery goes through Mailgun. PDF reports are generated with ReportLab.
Authentication is taken seriously: bcrypt password hashing, TOTP two-factor, optional Google and GitHub OAuth (I have not yet pushed those integrations; they are a little shaky, so I am doing some more testing), and role-based access control baked in from the start.
Feature Walkthrough
The Dark Web Scanner
The heart of the platform, more or less because this was what I actually wanted to build at first, and nothing more. At startup, it initializes a Tor circuit, loads your keyword rules, and begins crawling .onion sites from a configurable seed list. Obviously, the better your seed list, the better your outcome.
Every page it visits gets parsed for keyword hits. Matches are stored with full context — the surrounding text, the URL, the depth, the crawl session — so you can reconstruct exactly what was found and where. Telegram and webhook alerts fire in real time when high-priority keywords hit.

Keyword rules are organized by category and priority. You configure them in a simple YAML file: brand names in one category, executive names in another, credential patterns in a third. The crawler respects rate limits and rotates Tor circuits automatically to avoid fingerprinting. This took me a while to get right, but it seems to work just fine in this initial release.
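To make the rule-and-hit model concrete, here is an added example (my own illustration, not code from the darkweb-scanner repo) of how a page fetched by the crawler is matched against category/priority rules, how each hit is stored with its surrounding context, and how the priority threshold decides whether a real-time alert fires. The RULES dict stands in for the YAML file (its layout is an assumption of this example) and SAMPLE_PAGE is constructed text.

```python
"""Keyword-rule matching with stored context and priority alerting.

Added example, not code from the darkweb-scanner repo. RULES stands in
for the keyword YAML file (assumed layout: category -> priority + terms)
and SAMPLE_PAGE is a constructed page, so the block runs offline.
"""
import re
from dataclasses import dataclass, asdict

# Stand-in for the keyword YAML file. 'keywords' are literal strings,
# 'patterns' are regular expressions (e.g. for credential formats).
RULES = {
    "brand":       {"priority": "high",     "keywords": ["Example Bank PH", "examplebank.com.ph"]},
    "executives":  {"priority": "high",     "keywords": ["Juan Dela Cruz"]},
    "credentials": {"priority": "critical", "patterns": [r"[\w.+-]+@examplebank\.com\.ph"]},
    "generic":     {"priority": "low",      "keywords": ["gov.ph"]},
}
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
ALERT_THRESHOLD = "high"   # Telegram/webhook alert for this priority and above
CONTEXT_CHARS = 40         # text kept on each side of a match


@dataclass
class Hit:
    category: str
    priority: str
    rule: str       # the literal keyword or regex that fired
    matched: str    # exact text matched on the page
    context: str    # surrounding text, so triage does not require revisiting the page
    url: str
    depth: int
    session: str


def compile_rules(rules):
    """Flatten the rule tree into (category, priority, rule, compiled_regex).

    Literal keywords are regex-escaped and matched case-insensitively, so a
    shouty 'EXAMPLE BANK PH' still hits. Patterns are used as written.
    """
    compiled = []
    for category, spec in rules.items():
        prio = spec["priority"]
        for kw in spec.get("keywords", []):
            compiled.append((category, prio, kw, re.compile(re.escape(kw), re.IGNORECASE)))
        for pat in spec.get("patterns", []):
            compiled.append((category, prio, pat, re.compile(pat, re.IGNORECASE)))
    return compiled


def scan_page(text, url, depth, session, compiled):
    """Return every rule match on one page, each with its surrounding context."""
    hits = []
    for category, prio, rule, rx in compiled:
        for m in rx.finditer(text):
            lo = max(0, m.start() - CONTEXT_CHARS)
            hi = min(len(text), m.end() + CONTEXT_CHARS)
            snippet = " ".join(text[lo:hi].split())   # collapse newlines and runs of whitespace
            hits.append(Hit(category, prio, rule, m.group(0), snippet, url, depth, session))
    return hits


def needs_alert(hit, threshold=ALERT_THRESHOLD):
    """True when the hit's priority meets the real-time alert threshold."""
    return PRIORITY_RANK[hit.priority] >= PRIORITY_RANK[threshold]


def to_record(hit):
    """Dict form, ready to insert into the hits table or post to a webhook."""
    return asdict(hit)


# Constructed page text standing in for a crawled .onion listing.
SAMPLE_PAGE = (
    "[LEAK] Fresh dump from EXAMPLE BANK PH internal portal\n"
    "Contact: it.admin@examplebank.com.ph\n"
    "Sample row: juan.dela.cruz@examplebank.com.ph : Summer2024!\n"
    "Also includes gov.ph mailboxes, DM for price.\n"
)

if __name__ == "__main__":
    hits = scan_page(SAMPLE_PAGE, "http://example.onion/leak", 2, "sess-1", compile_rules(RULES))
    for h in hits:
        flag = "ALERT" if needs_alert(h) else "store"
        print(f"{flag:5} {h.priority:8} {h.category:11} {h.matched!r:40} ...{h.context}...")
```

Note what the sample shows: the executive rule does not fire because the page writes the name as "juan.dela.cruz", which is exactly why the credentials category uses a regex rather than a literal, and why the stored context is worth more than the match itself (the password sits right next to the address). Literal keywords that are too short or too generic ("gov.ph") will be noisy; keep them at low priority so they are stored but do not page anyone.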
The Intelligence Dashboard
Everything surfaces in a clean, dark-themed web dashboard accessible over HTTPS. Live stats, recent hits, crawl history, and quick-access tools for the entire investigative workflow.
Of course, let’s get this out of the way: yes, there is a light mode as well if that is what you prefer :D
Dark Mode:

Light Mode:

The hits feed shows each match in context — enough immediate information to understand what was found without having to go back to the source. Each hit links out to the original .onion URL if you need to investigate further. Of course, always maintain your OPSEC before visiting dark web sites, but then again, I don’t think I need to tell you that.
IP Investigation
When a suspicious IP turns up, in a hit, in a log, in an alert, you can feed it directly into the investigation module. I am quite happy with how this turned out. There are endless enrichment options; for this iteration I used VirusTotal and AbuseIPDB, but if you have other preferred sources you can easily modify the code and add them. As implemented now, it runs parallel lookups against AbuseIPDB and VirusTotal, pulls geolocation and ASN data, checks for known malicious indicators, and stores the result for your records.

All investigations are saved with history, so you can track IPs you’ve looked at before and spot patterns across incidents.
DNS Reconnaissance
The latest addition, which I just finished yesterday, is a full passive and active DNS recon module, similar in concept to dnsdumpster but integrated directly into the platform.

For any domain you want to investigate, it will:
- Query the main DNS record types (A, AAAA, MX, NS, TXT, CNAME, SOA, CAA)
- Attempt zone transfers (AXFR) against all nameservers; a nameserver that allows them is a critical misconfiguration that still appears more than it should
- Pull subdomains from crt.sh certificate transparency logs
- Resolve and geolocate every discovered subdomain in parallel
- Analyse SPF, DMARC, and DKIM email security records
- Flag issues and misconfigurations clearly
Results export to a full PDF report, branded if you want, ready to be shared with your boss.
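The "analyse SPF, DMARC, and DKIM" step above is the part of DNS recon where the logic, rather than the lookups, does the work, so here is an added example of that analysis (my own illustration, not the platform's DNS module). It takes TXT strings as input, so it runs offline on the constructed records below; in a real run the strings would come from a resolver library such as dnspython. DKIM is left out because checking it requires knowing a selector first, which is an extra step the page does not describe.

```python
"""SPF and DMARC checks over TXT records, as the DNS recon module's
'analyse email security records' step would do them.

Added example, not the platform's own code. SAMPLE_TXT is constructed;
a real run would fetch TXT records with a resolver. Findings are
(severity, message) tuples so the dashboard can colour them.
"""
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than 10 is a permerror


def analyse_spf(txt_records):
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "SPF: no v=spf1 record; receivers cannot reject spoofed envelope senders")]
    if len(spf) > 1:
        findings.append(("high", "SPF: more than one v=spf1 record, receivers treat this as permerror"))
    terms = spf[0].split()[1:]
    # mechanism/modifier name without qualifier, argument or CIDR: "+include:x" -> "include"
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(("high", f"SPF: {lookups} DNS-lookup terms, over the limit of {SPF_MAX_LOOKUPS} (permerror)"))
    if "ptr" in names:
        findings.append(("medium", "SPF: 'ptr' mechanism is deprecated and slow; replace with ip4/ip6/include"))
    alls = [t for t, n in zip(terms, names) if n == "all"]
    if not alls:
        if "redirect" not in names:
            findings.append(("medium", "SPF: no 'all' mechanism, record ends in neutral"))
    else:
        q = alls[-1][0] if alls[-1][0] in "+-~?" else "+"   # default qualifier is pass
        if q == "+":
            findings.append(("high", "SPF: '+all' authorises every host on the internet"))
        elif q == "?":
            findings.append(("medium", "SPF: '?all' is neutral, gives receivers nothing to enforce"))
        elif q == "~":
            findings.append(("low", "SPF: '~all' softfail; move to '-all' once all senders are listed"))
    return findings


def analyse_dmarc(txt_records):
    findings = []
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [("high", "DMARC: no record at _dmarc.<domain>; SPF/DKIM results are not enforced")]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    p = tags.get("p")
    if p is None:
        findings.append(("high", "DMARC: required p= tag missing, record is invalid"))
    elif p == "none":
        findings.append(("medium", "DMARC: p=none only monitors; spoofed mail is still delivered"))
    elif p == "quarantine":
        findings.append(("low", "DMARC: p=quarantine; consider p=reject once reports look clean"))
    if "rua" not in tags:
        findings.append(("low", "DMARC: no rua= address, aggregate reports are being discarded"))
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(("medium", f"DMARC: pct={pct}, policy applied to only part of the mail stream"))
    return findings


def analyse_domain(domain, txt_by_name):
    """Run both checks for one domain given a name -> [TXT strings] map.
    Assumes the caller already resolved TXT for `domain` and `_dmarc.domain`."""
    return {
        "spf": analyse_spf(txt_by_name.get(domain, [])),
        "dmarc": analyse_dmarc(txt_by_name.get(f"_dmarc.{domain}", [])),
    }


# Constructed TXT records for two hypothetical domains.
SAMPLE_TXT = {
    "example.com.ph": [
        "google-site-verification=abc123",
        "v=spf1 include:_spf.example.net a mx ptr ~all",
    ],
    "_dmarc.example.com.ph": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.ph"],
    "weak.example.com.ph": ["v=spf1 +all"],
    # no _dmarc.weak.example.com.ph entry on purpose
}

if __name__ == "__main__":
    for d in ("example.com.ph", "weak.example.com.ph"):
        for section, findings in analyse_domain(d, SAMPLE_TXT).items():
            for sev, msg in findings:
                print(f"{d:22} {sev:6} {msg}")
```

The two constructed domains cover the cases worth flagging clearly in a report: a record that is technically present but enforces nothing (p=none, ~all, a deprecated ptr), and one that is actively harmful (+all with no DMARC at all). The lookup counter matters in practice because a domain that accumulates include: terms past ten silently breaks its own SPF.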
Ransomware Tracker
A live tracker of active ransomware groups, with a regional focus on Southeast Asian victims. This has a lot of room for customization depending on what you want to look for; I populated the repo with some predefined groups so it won’t be empty, but read the documentation, it is very easy to customize.

Each group card shows the gang’s profile, known TTPs, primary targets, active status, and recent victim data. The tracker currently covers the major groups active in the Philippine and ASEAN threat landscape: LockBit, ALPHV/BlackCat, Play, RansomHub, Akira, and more. Future plans include ad hoc scanning of their respective leak blogs for the latest victims, and some other cool features.
Threat Actor Profiles
Structured intelligence profiles for the APT groups and cybercriminal organizations most relevant to Southeast Asia: China-nexus groups like APT41 and Mustang Panda, North Korean operators, and criminal groups targeting regional finance.

Each profile includes attribution confidence, target sectors, known malware and tooling, a recent activity summary, and links to public reporting. I built this as a reference you can actually use during an investigation without leaving the platform. As with everything in this project, it’s easily customizable.
Daily Threat Intelligence Digest
This is still under active improvement but works in general. I am planning to add a section in the user settings where you can fully customize the digest to your needs, so you get a custom digest instead of a generic one.
Every morning at 08:00 PHT, subscribers receive an email with the day’s most relevant threat intelligence. Out of the box, this may not be relevant to everybody, but feel free to contribute to the code for this.


The digest currently pulls from:
- CISA KEV — every newly added Known Exploited Vulnerability, with patch deadlines
- AlienVault OTX — threat pulses, prioritized for SEA-relevant content
- URLhaus & Feodo Tracker — active malicious URLs and botnet C2 IPs, filtered for regional relevance
- Curated RSS — Bleeping Computer, The Hacker News, Krebs, Recorded Future, CISA advisories
It also generates a full PDF version of the digest, attached to every email — formatted, branded, archivable.
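Of the digest sources listed above, the KEV section is the one with a simple, well-defined shape: everything added since the last digest, ordered by patch deadline. Here is an added example of that section builder (my own illustration, not the platform's digest code). It uses the real field names from CISA's KEV JSON, but the entries in SAMPLE_KEV are constructed with placeholder CVE IDs so the block runs offline; the live catalog is the known_exploited_vulnerabilities.json feed on cisa.gov.

```python
"""Building the 'new KEV entries' digest section.

Added example, not the platform's digest code. Field names (cveID,
vendorProject, product, vulnerabilityName, dateAdded, dueDate,
knownRansomwareCampaignUse) are those of CISA's KEV JSON; the entries
below are constructed placeholders, not real catalog rows.
"""
from datetime import date, timedelta

DIGEST_DATE = date(2026, 2, 21)   # the morning this digest goes out (08:00 PHT)

# Constructed catalog excerpt; IDs, vendors and products are placeholders.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-10001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
         "vulnerabilityName": "ExampleGateway Authentication Bypass",
         "dateAdded": "2026-02-20", "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-10002", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "vulnerabilityName": "ExampleVPN Command Injection",
         "dateAdded": "2026-02-21", "dueDate": "2026-02-28", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-10003", "vendorProject": "OtherVendor", "product": "OtherCMS",
         "vulnerabilityName": "OtherCMS Deserialization",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-10004", "vendorProject": "OtherVendor", "product": "OtherMail",
         "vulnerabilityName": "OtherMail Path Traversal",
         "dateAdded": "2026-02-21", "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


def new_since(catalog, since):
    """Entries whose dateAdded is on or after `since` (a datetime.date)."""
    return [v for v in catalog["vulnerabilities"] if date.fromisoformat(v["dateAdded"]) >= since]


def digest_entries(catalog, today, lookback_days=1):
    """Rows for the digest: added within `lookback_days`, earliest patch
    deadline first, ransomware-linked CVEs ahead of others on the same deadline."""
    rows = []
    for v in new_since(catalog, today - timedelta(days=lookback_days)):
        due = date.fromisoformat(v["dueDate"])
        rows.append({
            "cve": v["cveID"],
            "title": f'{v["vendorProject"]} {v["product"]}: {v["vulnerabilityName"]}',
            "due": v["dueDate"],
            "days_left": (due - today).days,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (r["due"], not r["ransomware"], r["cve"]))
    return rows


def render_section(rows):
    """Plain-text digest section, one line per CVE (the PDF would use the same rows)."""
    if not rows:
        return "CISA KEV: no new entries."
    lines = ["CISA KEV additions:"]
    for r in rows:
        tag = " [RANSOMWARE]" if r["ransomware"] else ""
        lines.append(f"  {r['cve']}  {r['title']}  (patch by {r['due']}, {r['days_left']}d){tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_section(digest_entries(SAMPLE_KEV, DIGEST_DATE)))
```

The one-day lookback matches a daily send; if the scheduler skips a run, widen lookback_days rather than letting entries fall through the gap. Note that dueDate in KEV is the deadline CISA sets for US federal agencies, so for a Philippine reader it is a prioritisation signal, not an obligation.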

Why Open Source — And What Comes Next
I think this part of the post matters a lot.
It is my strong belief that the Philippine and Southeast Asian security community is neglected by commercial tooling. The big platforms are priced for enterprise budgets in New York and London, not for an SME in Cebu, Davao, or Cagayan de Oro, and not even for a small regional SOC in Manila or a small consultancy in Jakarta. I’ve spent many years operating in this space and the gap is real.
Making the core platform open source isn’t just a nice gesture. I believe it’s the right model for this kind of tool. Threat intelligence is most valuable when the community around it is strong. More deployments mean more diverse keyword lists, more regional context, and more people finding and fixing issues. A closed-source scanner that only I run helps no one except my own clients.
So the full core engine (crawler, dashboard, DNS recon, digest, IP investigations, everything you’ve read about above) is AGPL v3 licensed and available to anyone. Self-host it, modify it, build on it. Contribute; I encourage you, and it will be appreciated by everybody. AGPL v3 is a license used by a number of open-source security projects. I may change this later on, but for now this is what I went for.
That said, there is a commercial layer coming.
I’m building a hosted, subscription-based version of this tool: managed infrastructure, no Docker knowledge required, pre-configured with regional keyword lists, curated seed URLs, and enhanced threat feeds that go beyond what’s in the open-source version.
Crucially: it will be hosted on infrastructure outside the usual paths, outside the big US tech bros’ turf. Not AWS. Not Azure. Not Oracle Cloud. Not any massive hyperscaler. For organizations operating in Southeast Asia where data sovereignty and jurisdictional independence matter, and they increasingly do, that’s a deliberate choice, not an afterthought.
The open-source version will always exist and always be free. The hosted product adds operational ease, managed feeds, and sovereignty guarantees for those who need or want them.
More on that when it’s ready. In the meantime — the repo is live, pull requests are open, and I’d really really love to collaborate with other Philippine and SEA security researchers on expanding the regional intelligence coverage.
Open Source
The full platform is open source and available on GitHub: https://github.com/osintph/darkweb-scanner
I first pushed it on Friday night (February 20).

The public repository includes the complete scanner engine, dashboard, all intelligence modules, Docker configuration, and a one-command deployment script. Everything you need to run your own instance is documented.
What’s not in the public repo: my keyword lists, seed URLs, subscriber data, and operational configuration. But the guide is clear on how to add those, and reach out to me if you need help, I will try to respond to every request for help.
What does it take? The magic is simple:
Start with a vanilla Linux installation (this was developed and tested on Ubuntu 24.04, but I see no reason why it would not run the same way on other distributions or versions), then run:
sudo bash <(curl -fsSL https://raw.githubusercontent.com/osintph/darkweb-scanner/main/deploy.sh)
That’s it. The script handles Docker installation, TLS certificates, Tor setup, and gets you to a running dashboard. Then you configure your keywords and seeds and start scanning. One caveat, since this is a security tool: that one-liner runs a script fetched over the network as root without you reading it first. On any box that matters, download deploy.sh, read it, and then run it.

Contributions, issue reports, and feature requests are welcome. There’s a contributing guide in the repo. If you’re a Philippine or Southeast Asian security researcher and want to collaborate on keyword lists, threat actor data, or regional intelligence, please do reach out.
What’s Next
A short caveat here: I am not a developer; I do not even like coding, but I figured I might as well give this a try. Do not expect this platform to be 100 percent perfect, it’s far from it; hence, you are all invited to take the code, deploy it, improve it, and contribute to the project.
The platform is functional and running in production, but there’s a lot more on the roadmap:
- Breach data search — HIBP integration is already scaffolded. Full breach lookup for domains and email addresses is next.
- Certificate monitoring — alerting when new TLS certificates are issued for your watched domains, using CT log streaming. An early warning system for phishing infrastructure.
- Mobile access — a proper mobile interface for checking alerts and investigations on the go.
- Shodan-style port scanning — banner grabbing and service fingerprinting for investigated IPs, integrated into the IP investigation workflow. This is next in line but tricky, as it needs some consideration to avoid getting blocked by the hosting provider :D
- Expanded SEA regional coverage — more Philippine and ASEAN-specific threat actor profiles, regional news sources, and Tagalog/Filipino-language keyword capabilities.
Final Note
This started as a personal tool — something I needed and couldn’t find off the shelf at a price point that made sense for independent work in this region.
It’s grown into something I’m really proud of. Don’t forget, I am not a programmer; I didn’t know what the hell I was doing when I started this and probably still don’t, but I think there’s real value in making it available to the broader Philippine and Southeast Asian security community.
If you’re running a SOC, doing threat intelligence work, or just trying to keep better tabs on the Philippine threat landscape — give it a try. It’s free, it’s self-hosted, and it’s built specifically for this context.
The dark web doesn’t stop crawling. Neither should your intelligence platform.
Questions, feedback, or collaboration inquiries:
