Threat Intelligence Blog — The Publication Endpoint
This blog is the publication endpoint of the HoneyLens Sensor pipeline. Threat advisories generated by the AI analysis pipeline, hunt writeups for public CVEs, methodology research, and project-status pages all live here. A single-binary FastAPI service with a Jinja2 template layer and a SQLite backend; fronted by nginx with TLS via Cloudflare.
Architecture
Three components and a workflow:
- Publisher (publishing/blog_publisher.py) runs on each sensor. Gathers AI analysis + OSINT data per source IP, generates a summary via the sensor's deep-analysis model (Claude or OpenAI), and packages it as a POST to the blog API. Triggered by the AI analyzer, the attacker profiler, the PCAP manager, or manually.
- Blog API (blog/threat_blog_api.py) runs on the production blog host. FastAPI app with three layers of auth on writes (source-IP allowlist + X-API-Key header + HTTP Basic Auth) and public GET routes for the homepage / IP feed / tag pages / RSS / JSON feed / research articles. SQLite backend for posts, threat-level overrides, and rate-limit state.
- Templates (blog/templates/*.html) inherit from a common base.html for the nav bar, dark theme, and footer. One template per article-type slug; the dispatch dicts (_RESEARCH_ARTICLES, _HONEYPOT_DATA_ARTICLES, _STATUS_ARTICLES, _BACKSTAGE_ARTICLES) map clean URLs to template files.
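As an added example (not HoneyLens code), a framework-neutral version of the three-layer write check described above; the same function could sit behind a FastAPI dependency on the POST route. The allowlist ranges, API key and Basic Auth credentials are constructed placeholders.

```python
import base64
import binascii
import hmac
import ipaddress
# Constructed sample configuration (assumed names and values, not HoneyLens's own).
WRITE_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("192.0.2.7")]
API_KEY = "example-api-key-not-a-real-secret"
BASIC_USERS = {"publisher": "example-password"}

def _ct_equal(a: str, b: str) -> bool:
    """Constant-time comparison so key/password checks don't leak via timing."""
    return hmac.compare_digest(a.encode(), b.encode())

def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a publisher would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _basic_credentials(header):
    """Parse 'Basic base64(user:pass)'; None when absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authorize_write(client_ip: str, headers: dict) -> str:
    """Return "ok" when all three layers pass, else the first failing layer's name
    (log it server-side; the client only gets a generic 401/403). client_ip must be
    the address nginx itself observed or a real-client header nginx sets from the
    trusted proxy range, never a raw client-supplied X-Forwarded-For value."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "ip"
    if not any(addr in net for net in WRITE_ALLOWLIST):
        return "ip"
    if not _ct_equal(headers.get("X-API-Key", ""), API_KEY):  # names assumed normalized
        return "api_key"
    creds = _basic_credentials(headers.get("Authorization"))
    if creds is None:
        return "basic"
    user, password = creds
    # Unknown users compare against "" so the timing matches a known user, then fail.
    if not _ct_equal(password, BASIC_USERS.get(user, "")) or user not in BASIC_USERS:
        return "basic"
    return "ok"
```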
Workflow
Every blog change goes through the same two-step workflow:
- DEV-BLOG first. Changes deploy to the staging instance (uvicorn on a LAN-internal host). The author reviews the rendered output before any public-facing change.
- PROD-BLOG on approval. Once the staging render looks right, the same files deploy to the production instance (gunicorn + nginx + Cloudflare). Backups of replaced files land alongside, dated .bak-YYYY-MM-DD.
Jinja2 templates are re-read per request, so template-only changes don't require a service restart. Python code changes (new routes, dispatch additions) need a systemctl restart threat-blog on PROD or systemctl restart blog-dev on DEV.
Sections
- /research — security research: fuzzing, model benchmarks, protocol recognition, router pentests.
- /honeypot-data — what the sensor network is seeing: CVE hunts, PAN-OS honeypot data, credential attacks, ICS/OT, K8s, LLM honeypot, attacks on this blog.
- /backstage — how the projects work under the hood: JA4 fingerprinting, autonomous fuzzing.
- /adhoc — one-off experiments.
- /status — live project status (this section).
What’s Next
- Dashboard publish button in the HoneyLens Sensor WebUI (currently most posts originate from CLI or automated triggers).
- Full-text search on the public side — right now it's tag-based + RSS only.
- Methodology writeup on how AI-pipeline-authored content is reviewed before it lands in public, including the “don't share our internal problems” editorial filter.