The Hunter's Ledger
Behind the Reports
How the Intelligence Is Produced
From finding threats on adversary infrastructure to publishing finished intelligence — the systems, the design decisions, and why they were built.

The Pipeline

Every report published on this site follows the same path: something malicious is found on adversary infrastructure, analyzed in depth, and turned into a finished threat intelligence report with detection rules and machine-readable indicators ready for defenders to use.

That pipeline has two distinct parts: a collection platform that continuously discovers threats on known-malicious hosting infrastructure, and a production workflow that takes raw malware analysis and turns it into publication-ready intelligence. Both were built from scratch for the constraints of solo research, and both are documented here.


The Two Systems

How They Connect
The collection platform runs continuously. Every night it scans the IP space of 65 known bulletproof hosting providers — the infrastructure where malware is staged, served, and managed — across 28 ports. When it finds an open directory hosting suspicious files, it indexes everything, enriches files through VirusTotal, and surfaces the results in a triage dashboard sorted by threat signal.
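The indexing and triage step described above, as an added example that is not the site's own platform code: it recognises an Apache/nginx-style autoindex page, lists the files it exposes, and ranks them by a simple name-based threat signal so that the most suspicious entries surface first. The listing it parses is a constructed sample, and the scoring weights are an assumption for illustration; the real platform, per the text, also folds in VirusTotal enrichment, which this example leaves out.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample of an autoindex page, not a capture from any real host.
SAMPLE_LISTING = """<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="invoice%20Q3.pdf.exe">invoice Q3.pdf.exe</a>
<a href="readme.txt">readme.txt</a>
<a href="build/">build/</a>
<a href="loader.ps1">loader.ps1</a>
<a href="payload.zip">payload.zip</a>
</body></html>"""

# Assumed weights: executables and scripts score highest, archives and
# macro-enabled documents next, everything else zero until enrichment.
HIGH_RISK = {".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta", ".bat", ".sh", ".elf"}
MEDIUM_RISK = {".zip", ".rar", ".7z", ".iso", ".msi", ".jar", ".docm", ".xlsm"}
# Document-looking inner extensions used to disguise an executable (invoice.pdf.exe).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


class _HrefCollector(HTMLParser):
    """Collects every href on the page; autoindex pages link each entry once."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_open_directory(html):
    """Apache and nginx both title an autoindex page 'Index of /path'."""
    return re.search(r"<(title|h1)>\s*Index of\b", html, re.I) is not None


def list_entries(html):
    """Return the file names exposed by the listing, in page order.

    Sort links (?C=...), the parent link and subdirectories (trailing '/')
    are dropped; percent-encoded names are decoded.
    """
    collector = _HrefCollector()
    collector.feed(html)
    files = []
    for href in collector.hrefs:
        if href.startswith("?") or href.endswith("/"):
            continue
        files.append(unquote(href))
    return files


def threat_score(filename):
    """Name-based pre-enrichment signal: higher means review sooner."""
    ext = os.path.splitext(filename)[1].lower()
    score = 0
    if ext in HIGH_RISK:
        score += 3
    elif ext in MEDIUM_RISK:
        score += 2
    # Double extension such as 'invoice Q3.pdf.exe': the inner part is a decoy.
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and ext in HIGH_RISK:
        score += 1
    return score


def triage(html):
    """Index an open directory and return (name, score) pairs, most suspicious first."""
    if not is_open_directory(html):
        return []
    scored = [(name, threat_score(name)) for name in list_entries(html)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in triage(SAMPLE_LISTING):
        print(f"{score}  {name}")
```

The score is deliberately coarse: its only job is to order the triage queue before enrichment results arrive, and a file scoring zero here is not cleared, just not first in line.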

That's where my judgment takes over. I review what the platform found, select the samples worth investigating, and run them through hands-on analysis — sandbox execution, static analysis, behavioral observation, network capture. The raw output of that analysis becomes the input to the AI agent workflow, which handles the structured parts of intelligence production: organizing findings, researching context, writing detection rules, producing the report, and scoring it against publication-quality standards.

The collection platform finds what's out there. The analysis and workflow turn it into something defenders can act on.