cyberbrief

Experimental

AI cyber threat-intel research and reporting.

GitHub repo · self-hosted · run from source
App: web app, not an MCP server
Research tiers: 3
License: MIT, open source

WHAT IT DOES

CyberBRIEF transforms raw threat data into executive-grade BLUF (Bottom-Line-Up-Front) reports with MITRE ATT&CK mapping, IOC extraction, and academic citations. Three research tiers span free open-source intelligence to deep AI-powered research, so an analyst can do a quick lookup or a comprehensive multi-source workup from the same tool. The frontend is React 18 + TypeScript + Vite with Zustand state; the backend is a FastAPI service on Python 3.10+ with SQLite for report persistence.

Status: experimental. CyberBRIEF is a self-hosted web app, not an MCP server, so there is no AI-client config block. It is not published to a package registry; you clone and run it from source, and AI / search features need their own API keys.

WHAT IT PRODUCES

Three research tiers: Free (Brave + Gemini Flash), Standard (Perplexity Sonar), and Deep (Perplexity Deep Research).
Flexible source input: Feed URLs, raw text, or PDFs directly into synthesis.
BLUF summaries: Bottom-Line-Up-Front executive summaries that lead with the conclusion.
MITRE ATT&CK mapping: Automatic technique identification with Navigator layer export.
IOC extraction: IPs, domains, file hashes, CVEs, and URLs parsed automatically.
Academic citations: Chicago Notes-Bibliography format on every source.
Threat-actor profiling: Rich actor profiles with confidence assessments.
Export options: Markdown and HTML report export.
TLP banners: Traffic Light Protocol classification on every report.

RUNNING IT

Prerequisites: Python 3.10+ for the FastAPI backend and Node.js with npm for the React frontend. Clone the repo, install both halves, then run the dev servers.

$ git clone https://github.com/solomonneas/cyberbrief.git
$ cd cyberbrief
 
# backend
$ pip install -r backend/requirements.txt
 
# frontend
$ cd frontend && npm install && npm run dev

The Vite dev server proxies API calls to the backend. The frontend runs on http://localhost:5188 and the backend on http://localhost:8000.

Configure API keys (Brave Search, Gemini, Perplexity) and ports per docs/CONFIGURATION.md. Deployment configs ship for Railway (railway.json), Fly.io (fly.toml), and Docker (Dockerfile).