Overview#
Intel Hub is a real-time intelligence aggregation platform that pulls cybersecurity, geopolitical, OSINT, dark web, social media, and Telegram chat-feed data into a single dashboard. It runs across 7 channels and 170+ feeds, with severity classification, 4-tier source credibility scoring, political bias tagging, and a webhook ingest API. No API keys are required to get started.
It’s built for security professionals who need situational awareness across multiple domains without manually checking dozens of sources throughout the day.
The Problem#
Security teams and analysts juggle too many sources. RSS feeds from threat intel providers, vendor advisories, CVE databases, Reddit threads, Telegram channels, news outlets, and social media all contain valuable signal, but it’s scattered across platforms and formats. Most teams either:
- Miss critical alerts because they can’t monitor everything manually
- Waste time checking the same sources repeatedly throughout the day
- Lack context on severity and credibility when something does surface
- Don’t have budget for enterprise threat intelligence platforms
How It Works#
Intel Hub runs as a self-hosted web application with a React frontend and Node.js backend connected via WebSocket for real-time updates. The application bundles frontend and backend in a single process and auto-launches a browser on start.
- The backend continuously polls 170+ configured sources on defined intervals
- Articles are deduplicated and classified by severity
- Sources are scored across a 4-tier credibility system and 7-category political bias classification
- Promotional and affiliate spam patterns are filtered out automatically
- Articles are routed to one of seven intelligence channels
- Tiered memory compaction with automatic eviction keeps the system running indefinitely
- The frontend displays a live dashboard with filtering, search, and drill-down
- High-severity items can trigger email alerts via configurable SMTP
Seven Intelligence Channels#
| Channel | Feeds | Focus Areas |
|---|---|---|
| Cybersecurity | 45+ | Threat research, advisories, supply chain, PCI compliance, IoC feeds |
| World News | 40+ | Wire services, politics, think tanks, independent journalism |
| Geopolitics & Defense | 20 | Foreign policy, defense publications, conflict monitoring |
| OSINT | 24+ | GDELT, Bellingcat, vendor intel, government advisories |
| Dark Web | 20+ | Ransomware tracking, breach journalism, malware analysis |
| Social Media | 16+ | Reddit, Mastodon, GitHub Advisories, NVD, optional X/Twitter |
| Chat Feeds | 11+ | Telegram channels with automated freshness verification |
Source Integration#
Intel Hub pulls from a wide range of source types, with zero required API keys for the core feeds:
RSS Feeds from established cybersecurity outlets, wire services, government advisories (CISA, NCSC), think tanks, and research blogs.
OSINT and Geopolitical:
- GDELT for global event tracking
- Bellingcat and other open-source investigation outlets
- Vendor threat intelligence reports
- Government advisories and conflict monitoring
Vulnerability and Threat Data:
- GitHub Security Advisories for open-source dependency vulnerabilities
- NVD (National Vulnerability Database) for CVE data
- IoC feeds and ransomware tracking sources
Social Platforms:
- Reddit security-related subreddits
- Mastodon security community
- Optional X/Twitter integration
Chat Feeds (Telegram):
- Curated Telegram channels for threat actor communications, leak announcements, and real-time incident chatter
- Automated freshness verification within a 7-day window
- Auto-rotation when channels become inactive
Universal Ingest API#
Intel Hub exposes a webhook endpoint that accepts messages from external sources. This lets you pipe data into the dashboard from automation tools without writing custom integrations:
- Tasker (Android automation)
- iOS Shortcuts
- Discord bots
- signal-cli (Signal messenger CLI)
- Any custom script that can POST JSON
This makes it straightforward to forward intelligence from private channels, automated workflows, or personal alerts into the same severity-classified feed as everything else.
Severity Classification#
Every article is automatically assigned a severity level based on content analysis:
| Level | Meaning |
|---|---|
| BREACH | Confirmed data breach or active exploitation |
| CRITICAL | Zero-day, widespread campaign, or critical infrastructure impact |
| HIGH | Significant vulnerability or threat with broad applicability |
| MEDIUM | Notable advisory or emerging threat worth tracking |
| INFO | General awareness, research, or background context |
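The deduplicate-then-classify step described under How It Works, mapped onto the five levels above, can be sketched as follows. This is an added example, not Intel Hub's code: the keyword rules, the article field names (`title`, `summary`, `url`) and the `ingest` helper are assumptions made for illustration, and the sample items are constructed.

```javascript
// Added illustration; not Intel Hub's code. Rules and field names are assumptions.
const LEVELS = ["INFO", "MEDIUM", "HIGH", "CRITICAL", "BREACH"]; // ascending severity

// Hypothetical keyword rules, checked from most to least severe.
const RULES = [
  ["BREACH", /\b(data breach|breached|actively exploited|exploited in the wild)\b/i],
  ["CRITICAL", /\b(zero-day|0-day|critical infrastructure|widespread campaign)\b/i],
  ["HIGH", /\b(remote code execution|privilege escalation|CVE-\d{4}-\d{4,})\b/i],
  ["MEDIUM", /\b(advisory|patch|emerging threat)\b/i],
];

function classify(article) {
  const text = `${article.title} ${article.summary || ""}`;
  for (const [level, pattern] of RULES) if (pattern.test(text)) return level;
  return "INFO"; // nothing matched: background context
}

// Dedup key: host + path with "www." and the query string dropped (assumes the
// path identifies the article); falls back to a normalized title without a URL.
function dedupKey(article) {
  try {
    const u = new URL(article.url);
    return `${u.hostname.replace(/^www\./, "")}${u.pathname.replace(/\/$/, "")}`.toLowerCase();
  } catch {
    return article.title.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
  }
}

// Drops duplicates, tags severity, and flags items at or above the alert threshold.
function ingest(articles, alertThreshold = "CRITICAL") {
  const seen = new Set();
  const out = [];
  for (const a of articles) {
    const key = dedupKey(a);
    if (seen.has(key)) continue;
    seen.add(key);
    const severity = classify(a);
    out.push({ ...a, severity, alert: LEVELS.indexOf(severity) >= LEVELS.indexOf(alertThreshold) });
  }
  return out;
}

const SAMPLE = [ // constructed sample items
  { title: "Vendor confirms data breach affecting customer records", url: "https://www.example.com/news/breach/?utm_source=rss" },
  { title: "Vendor confirms data breach affecting customer records", url: "https://example.com/news/breach" },
  { title: "Zero-day in VPN appliance under investigation", url: "https://example.org/a/1" },
  { title: "Security advisory: patch available for CMS plugin", url: "https://example.net/adv/7" },
  { title: "Conference talk recap", url: "https://example.net/blog/recap" },
];
```

Rule order matters: an item that mentions both a breach and an advisory is tagged BREACH because the most severe rule is tested first.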
Credibility Scoring & Bias Tagging#
Sources are evaluated across:
- 4-tier credibility scoring based on track record, editorial standards, and verification practices
- 7-category political bias classification for geopolitical and news content
- Misinformation flagging on sources with known accuracy concerns
This helps analysts quickly distinguish between confirmed reporting and unverified claims, especially important when monitoring social media, Telegram, and OSINT channels where signal-to-noise varies significantly.
Additional Features#
- Webhook ingest API for Tasker, iOS Shortcuts, Discord bots, signal-cli, and custom integrations
- Promotional and affiliate spam filtering out of the box
- Email alerts via SMTP for configurable severity thresholds
- 90-day data retention with automatic deduplication
- Tiered memory compaction with automatic eviction for indefinite operation
- WebSocket real-time updates so the dashboard stays current without refreshing
- Single-process architecture that bundles frontend and backend, with auto-launching browser on start
- No API keys required to run the core platform
Tech Stack#
| Component | Technology |
|---|---|
| Frontend | React + Vite |
| Backend | Node.js 18+ with Express |
| Real-time | WebSocket |
| Process Management | PM2 |
| Containerization | Docker + docker-compose |
| Notifications | SMTP (email) |
Deployment#
Three deployment paths are supported:
Docker (Recommended)#
Persists articles in named volumes across restarts. Upgrade with a single command:
```bash
git pull && docker compose up -d --build
```
Native Node.js#
Requires Node 18+. Uses PM2 for production process management with commands for logs, status, and restart.
Development#
Hot-reload environment with the backend on port 3001 and the Vite dev server on port 3000.
Quick Start#
```bash
# Clone the repository
git clone https://github.com/juancarlosmunera/intel-hub.git
cd intel-hub

# Optional: customize environment variables
cp .env.example .env

# Recommended: run with Docker
docker compose up -d --build
```
Refer to the README for detailed configuration, including Telegram channel setup, webhook configuration, and SMTP for alerting.
Contributing#
Contributions are welcome, especially for:
- Additional feed sources and integrations
- Improved classification, severity, and bias-tagging algorithms
- UI/UX enhancements
- Documentation improvements
See CONTRIBUTING.md for guidelines.
Report Issues#
Found a bug? Open an issue on GitHub.
Submit Pull Requests#
- Fork the repository
- Create a feature branch
- Commit your changes
- Open a Pull Request
License#
This project is licensed under the MIT License. See the LICENSE file for details.
Support#
- Email: jcmunera@cybersecpro.me
- LinkedIn: Connect with me
- Issues: GitHub Issues
Built for security professionals who need real-time situational awareness without the enterprise price tag.
