---
title: ShadowWatch v2
emoji: 🛡️
colorFrom: green
colorTo: gray
sdk: gradio
app_file: app.py
pinned: true
license: apache-2.0
tags:
  - mcp
  - security
  - threat-intelligence
  - osint
  - mcp-server
short_description: Open Source Threat Intelligence - No API Keys
sdk_version: 6.4.0
---

# 🛡️ SHADOWWATCH v2

**Open Source Threat Intelligence Platform | Cogensec ARGUS**

100% free threat intelligence using public feeds. No API keys required.

## ✨ Features

| Tool | Description |
|------|-------------|
| **Indicator Scanner** | Check IPs, domains, URLs against 7+ threat feeds |
| **IOC Extractor** | Extract & analyze IOCs from text, logs, reports |
| **Threat Feeds** | View loaded intelligence from all sources |

## 📡 Data Sources (All Free)

| Feed | Data Type | Provider |
|------|-----------|----------|
| **URLhaus** | Malicious URLs | abuse.ch |
| **ThreatFox** | IOCs (IPs, domains, hashes) | abuse.ch |
| **FeodoTracker** | Botnet C2 servers | abuse.ch |
| **MalwareBazaar** | Malware hashes | abuse.ch |
| **Spamhaus DROP** | Bad IP ranges | Spamhaus |
| **Emerging Threats** | Compromised IPs | ProofPoint |
| **OpenPhish** | Phishing URLs | OpenPhish |
| **HIBP Breaches** | Breach metadata | HIBP (public) |

## 🔗 MCP Integration

Connect to Claude, Cursor, or any MCP client:

```json
{
  "mcpServers": {
    "shadowwatch": {
      "url": "https://crypticallyrequie-shadowwatchv2.hf.space/gradio_api/mcp/sse"
    }
  }
}
```

## 🛠️ MCP Tools

```python
# Scan an indicator
scan_indicator("8.8.8.8", "ip")
scan_indicator("evil-domain.com", "domain")
scan_indicator("https://phishing.site/login", "url")

# Extract IOCs from text
extract_and_analyze_iocs("Found suspicious IP 192.168.1.1 connecting to malware.com...")

# Get feed statistics
get_threat_feed_stats()
```

## 📊 Capabilities

- **Visual Dashboards** - Risk gauges, threat source charts, IOC distributions
- **Real Threat Data** - Live feeds from major threat intel providers
- **IOC Extraction** - Extract IPs, domains, URLs, hashes, emails, CVEs, Bitcoin addresses
- **Automatic Refresh** - Feeds update hourly
- **No Setup Required** - Works immediately, no API keys needed

## 🔒 How It Works

1. **Threat Feed Manager** downloads and caches public threat feeds
2. **Indicators are checked** against all loaded feeds
3. **Risk scores calculated** based on detections across sources
4. **Visual reports** generated with Plotly charts

---

*Built by [Cogensec](https://cogensec.com) | AI Security Platform*
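
The feed check and scoring steps listed under "How It Works", sketched for IP indicators as an added example; this is not ShadowWatch's own code. The names `parse_feed` and `scan_ip`, the feed line formats, the sample feed rows and the 40-points-per-source score are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample feed bodies using documentation address ranges (not real feed data).
CIDR_FEED = """\
; constructed sample: one CIDR per line, ';' starts a comment
203.0.113.0/24 ; SBL000000
198.51.100.128/25 ; SBL000001
"""
IP_FEED = """\
# constructed sample: one address per line
203.0.113.7
192.0.2.55
not-an-ip
"""

def parse_feed(text):
    """Parse a cached feed body into networks; a bare IP becomes a /32 or /128."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";")[0].split("#")[0].strip()
        if not entry:
            continue  # blank line or comment
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip a malformed row instead of failing the whole refresh
    return nets

def scan_ip(indicator, feeds):
    """Return (risk_score, names_of_matching_feeds) for one IP indicator."""
    cleaned = indicator.strip().replace("[.]", ".")  # accept defanged input from reports
    try:
        addr = ipaddress.ip_address(cleaned)
    except ValueError:
        return None, []  # not an IP: a domain or URL needs a different lookup
    hits = [name for name, nets in feeds.items() if any(addr in n for n in nets)]
    # Assumed scoring: 40 points per independent source that lists the address, capped at 100.
    return min(100, 40 * len(hits)), hits

# Feed names are taken from the Data Sources table; the contents are the samples above.
FEEDS = {
    "Spamhaus DROP": parse_feed(CIDR_FEED),
    "FeodoTracker": parse_feed(IP_FEED),
}

if __name__ == "__main__":
    for ioc in ("203.0.113.7", "198.51.100.200", "8.8.8.8", "evil-domain.com"):
        print(ioc, scan_ip(ioc, FEEDS))
```

Matching against parsed networks rather than string sets is what lets a range-based list such as a DROP-style feed and a per-address list contribute to the same score.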