Cyber

Threat overview · last 24 h

Recent ransomware claims

When · Actor · Victim · Sector · Country

Newest CISA KEV

Added · CVE · Vendor / Product · Vulnerability

Live attacks · last 1 h · refreshes every 30 s
Live event ticker

Cyber incidents

When · Kind · Severity · Actor · Victim · Source

CISA Known Exploited Vulnerabilities

Enriched with NIST NVD: CPE classification, CWE refs, CVSS scores.
Filters: Platform · Vendor · Weakness (CWE) · CVSS band

Added · CVE · CVSS · Platform · Vendor / Product · Vulnerability · CWE

Indicators of Compromise

Atomic threat-intel data points (IPs, hashes, domains, URLs, CIDRs, ASNs) collected from feeds and enrichers. Use Network + File panels for triage, Stats for source/family overview, or Threat actors to roll up by campaign.

Network IoCs ip · cidr · asn · domain · url

Last seen · Type · Value · Tags / Family · Source

File hashes sha256 · sha1 · md5

Last seen · Type · Hash · Family · Source

Critical Alerts

Time-critical alerts curated from authoritative sources: KEV catalog additions, CISA Emergency Directives, critical-severity vendor advisories (CVSS ≥ 9), and incidents reported by national CERTs (CISA, NCSC-UK, CERT-FR, BSI, ENISA, JPCERT, CCCS, MS-ISAC, …). Treat each one as must-act if it applies to your environment.

Industry News

Curated cyber-security press: Krebs on Security, BleepingComputer, The Hacker News, Dark Reading, SecurityWeek, The Register, Wired, Schneier, Mandiant, CrowdStrike, ESET, Kaspersky and more. Distinct from atomic incidents and CVE advisories.

IoC Watchlist

Get notified when a new threat-intel indicator matches your watch (IP, CIDR, domain, URL, file hash, or malware family). Matches are scanned every 5 minutes against fresh indicators. Sign in to manage watches.

HyveGuard Operations

What am I looking at?
HyveGuard is the security sidecar that sits on each server in our fleet. Each card below is one server reporting its live defensive state.
  • Honey-port hits — connections to decoy listeners that no legitimate service talks to. Any hit is potentially hostile reconnaissance.
  • Honey-service hits — protocol-level interactive sessions on decoy services (a step beyond scanning).
  • Canary trips — filesystem or DNS canaries touched. High-signal post-compromise indicator.
  • REALITY probes — attempts to handshake the anti-correlation transport layer; signals targeted recon.
  • Quarantine events — automatic isolation triggered by accumulated bad signals.
This is the same software we deploy on a customer's box as the Sentinel agent. Every customer sees only their own servers; the fleet view is operator-only.

Brain · LLM Advisories

What am I looking at?
The Brain is the LLM that sits between sensors (HyveGuard, CTI feeds, IoC matches) and a human reviewer.
  • Every 5 min, the Brain scans the last window of fleet events (honey hits, canary trips, IoC matches, traffic anomalies).
  • If something's interesting, it calls the LLM (Phi-4 today) with a structured prompt and gets back a scored advisory: severity, confidence, reasoning, suggested action, relevant IoCs.
  • The advisory lands here for an operator to accept (confirm + carry out), override (write a corrected version), or ignore (mark as noise).
  • Every operator click is a labelled training example — that's the feedback loop that fine-tunes the model over time. Today: Phi-4 base. Soon: Frankenstein, a domain-specialised fork trained on this very corpus.
The advisory is decisional, not autonomous. The Brain never acts on its own — every action goes through a human.

Export & SIEM Integration

Pull IoCs into your SOC tooling: CSV/JSON for spreadsheets, STIX 2.1 over TAXII 2.1 for SIEM/SOAR (Splunk, Sentinel, Elastic Security, Anomali, OpenCTI, MISP).

CSV / JSON download

Append ?format=csv to any list endpoint, or use the buttons below.

TAXII 2.1 / STIX 2.1 feed

Server discovery: GET https://hyveheim.com/taxii2/
Collection: /taxii2/api/collections/ce1d1810-7411-4f96-8b2d-3e2ace150c01/objects/
Optional auth: Authorization: Bearer <TAXII_BEARER>

Connect from your SOC

OpenCTI / MISP: add a TAXII connector pointing to https://hyveheim.com/taxii2/, select collection HyveHeim IoCs.
Splunk ES (Threat Intel framework): use the TAXII2 modular input.
Microsoft Sentinel: use the Threat Intelligence — TAXII data connector.
Elastic Security: use the Threat Intel TAXII fleet integration.
Anomali ThreatStream: add HyveHeim as a TAXII 2.1 feed source.
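Added example of a minimal TAXII 2.1 consumer for the endpoints listed above (this is not HyveHeim's own client). It builds the GET with the TAXII media type and optional bearer header, supports the standard added_after filter for incremental pulls, and flattens single-comparison STIX indicator patterns into (id, observable type, value, valid_from) rows ready for a watchlist or SIEM lookup. The sample envelope is constructed for offline use and the bearer value is a placeholder.

```python
import json
import re
from urllib.request import Request, urlopen

# Endpoints as published on the page; the bearer token is a placeholder.
TAXII_ROOT = "https://hyveheim.com/taxii2/"
COLLECTION_OBJECTS = ("https://hyveheim.com/taxii2/api/collections/"
                      "ce1d1810-7411-4f96-8b2d-3e2ace150c01/objects/")
TAXII_MEDIA = "application/taxii+json;version=2.1"

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '203.0.113.5'].
# Compound patterns (AND/OR, several comparisons) deliberately do not match.
_SIMPLE_PATTERN = re.compile(r"^\[([^\]=\s]+)\s*=\s*'([^']*)'\]$")

def build_request(url, bearer=None, added_after=None):
    """TAXII 2.1 GET: correct Accept header, optional auth, optional added_after."""
    if added_after:
        url = f"{url}{'&' if '?' in url else '?'}added_after={added_after}"
    headers = {"Accept": TAXII_MEDIA}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    return Request(url, headers=headers)

def fetch_json(url, bearer=None, added_after=None):
    """Perform the request and decode the JSON body (discovery doc or envelope)."""
    with urlopen(build_request(url, bearer, added_after), timeout=30) as resp:
        return json.load(resp)

def indicators_from_envelope(envelope):
    """Flatten STIX indicators into (id, observable-type, value, valid_from) rows."""
    rows = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m:  # skip compound patterns rather than mis-parse them
            rows.append((obj["id"], m.group(1), m.group(2), obj.get("valid_from")))
    return rows

# Constructed sample in the shape of a TAXII 2.1 objects envelope (not real feed data).
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[ipv4-addr:value = '203.0.113.5']", "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[domain-name:value = 'bad.example' OR url:value = 'http://bad.example/x']",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000003",
     "name": "constructed-family"}]}

if __name__ == "__main__":
    for row in indicators_from_envelope(SAMPLE_ENVELOPE):
        print(row)
    # Live pull: fetch_json(COLLECTION_OBJECTS, bearer="<TAXII_BEARER>", added_after="2024-01-01T00:00:00Z")
```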

MITRE ATT&CK matrix · last 30 days

Heatmap of tactics observed across cyber incidents. Phi-4 tags each new incident with ATT&CK tactics + top-level techniques. Empty cells = no incidents seen in this window. Click a tactic to filter the Incidents tab.

Top techniques

Technique · Count

Search & Investigate

One box. Paste anything — keyword, threat-actor name, CVE, domain, IP, file hash, email, username, .onion link, or crypto wallet. We auto-route to the right tools: structured entities go through our pivot engine (DNS, WHOIS, cert transparency, enrichment fan-out, blockchain explorers…), and we always cross-reference our IoC/incident database, our 219k-page crawler (clearnet + Tor + I2P), plus an external web search. Not a breach lookup — for credential dumps, use haveibeenpwned.com.
Our database
Crawled web (news + Tor + I2P)
External web (SearXNG meta-search)