Where CyberGrind's data comes from, how it's used, and what its limitations are. No black boxes.
Intellectual honesty is a core principle of this site. Every data source is documented here with its origin, update frequency, and known limitations. If something is uncertain, we say so. If a source has caveats, we surface them. CyberGrind does not fabricate data, manufacture threat scores, or present third-party feeds as proprietary intelligence.
The authoritative catalog of vulnerabilities confirmed to have been actively exploited in the wild, maintained by the Cybersecurity and Infrastructure Security Agency. Federal agencies are mandated to remediate KEV entries within defined timelines under Binding Operational Directive 22-01. CyberGrind fetches this feed to power the CISA KEV Checker tool and the Blue Team Resources page.
A community-driven database of IP addresses reported for malicious activity including brute force attacks, port scanning, spam, and DDoS participation. Each IP carries a confidence-of-abuse score (0–100) based on report volume, recency, and reporter reputation. CyberGrind uses the AbuseIPDB API for the IP Reputation Check tool and as one of two data layers in the Global Threat Map.
An open source daily-updated blocklist aggregating malicious IPs from multiple threat intelligence sources. IPsum assigns a threat level (1–10) based on how many independent sources have flagged an IP. CyberGrind uses IPsum as one component of the OSINT Feeds layer in the Global Threat Map.
Proofpoint's open source threat intelligence feed providing IDS/IPS rules and IP blocklists for known malicious infrastructure. The compromised IPs feed covers hosts confirmed to be participating in attack campaigns. CyberGrind uses the open Emerging Threats blocklist as a component of the OSINT Feeds threat map layer.
Abuse.ch's tracker for botnet command-and-control infrastructure associated with banking trojans and ransomware families including Emotet, TrickBot, QakBot, and Dridex. Feodo Tracker provides a blocklist of active C2 IPs with malware family attribution. CyberGrind uses this feed as the third component of the OSINT Feeds threat map layer.
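The three feeds above are the components of the OSINT Feeds layer. As an added example (not CyberGrind's code), this parses a constructed excerpt of each export and merges them without deduplicating across sources, so an IP flagged by all three keeps three records; the line formats are assumed approximations of the public exports.

```python
# Added example, not CyberGrind's code: parse the three OSINT blocklists and merge them
# into one layer that keeps one record per (source, ip), so every feed that flags an IP
# contributes its own row. Line formats approximate the public exports (an assumption);
# the sample lines are constructed using documentation-range IPs.
import csv
from collections import defaultdict
IPSUM_SAMPLE = """# IPsum (constructed excerpt): <ip><TAB><number of blocklists>
203.0.113.10\t7
198.51.100.4\t2
"""
ET_SAMPLE = """# Emerging Threats compromised IPs (constructed excerpt): one IP per line
203.0.113.10
192.0.2.77
"""
# The Feodo CSV column header is itself a '#' comment in the export, so columns are read
# positionally in the assumed order shown on the second line.
FEODO_SAMPLE = """# Feodo Tracker C2 blocklist (constructed excerpt)
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2026-03-01 10:00:00,203.0.113.10,443,online,2026-04-01,QakBot
2026-03-05 12:30:00,192.0.2.9,8080,offline,2026-03-20,Dridex
"""

def _data_lines(text):
    """Drop blank lines and '#' comments, which all three feeds use."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def parse_ipsum(text):
    recs = []
    for ln in _data_lines(text):
        ip, count = ln.split()          # count = independent sources, the 1-10 threat level
        recs.append({"ip": ip, "source": "ipsum", "threat_level": int(count)})
    return recs

def parse_emerging_threats(text):
    return [{"ip": ln, "source": "emerging_threats"} for ln in _data_lines(text)]

def parse_feodo(text):
    recs = []
    for row in csv.reader(_data_lines(text)):
        if len(row) >= 6:               # skip malformed rows rather than failing the pull
            recs.append({"ip": row[1], "source": "feodo", "c2_port": int(row[2]),
                         "c2_status": row[3], "malware": row[5]})
    return recs

def build_osint_layer(ipsum_text, et_text, feodo_text):
    """Return (all records, {ip: sorted feeds that flagged it}); nothing is deduplicated."""
    records = parse_ipsum(ipsum_text) + parse_emerging_threats(et_text) + parse_feodo(feodo_text)
    flagged_by = defaultdict(set)
    for r in records:
        flagged_by[r["ip"]].add(r["source"])
    return records, {ip: sorted(s) for ip, s in flagged_by.items()}
```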
A MAC address OUI (Organizationally Unique Identifier) lookup service maintained by maclookup.app. OUI prefixes are registered with the IEEE and identify the hardware manufacturer associated with the first three octets of a MAC address. CyberGrind proxies lookup requests through a Cloudflare Worker to protect the API key and keep the key server-side. Results include vendor name, address, and block type (MA-L, MA-M, MA-S).
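As an added example (not CyberGrind's or maclookup.app's code), this normalises a MAC address to the prefix an OUI lookup is keyed on, picks the most specific registered block (MA-S over MA-M over MA-L), and reads the two flag bits of the first octet that reveal when a prefix was never vendor-assigned at all. The registry entries and vendor names are constructed placeholders.

```python
# Added example, not CyberGrind's or maclookup.app's code: normalise a MAC address to
# the prefix an OUI lookup is keyed on, pick the most specific registered block
# (MA-S 36-bit, then MA-M 28-bit, then MA-L 24-bit), and read the two flag bits in the
# first octet. Registry prefixes and vendor names below are constructed placeholders.
import re

# Placeholder registry: {block type: {hex prefix without separators: vendor}}.
REGISTRY = {
    "MA-L": {"001122": "Example Large-Block Vendor"},      # 24 bits = 6 hex digits
    "MA-M": {"A8BBCC1": "Example Medium-Block Vendor"},    # 28 bits = 7 hex digits
    "MA-S": {"D8EEFF123": "Example Small-Block Vendor"},   # 36 bits = 9 hex digits
}

def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def address_flags(mac):
    """Bit 1 of the first octet = locally administered, bit 0 = group/multicast.
    A locally administered address (randomised, privacy or software-set) was never
    assigned by a vendor, so an OUI match on it is meaningless. The converse does not
    hold: a MAC that copies a real vendor prefix leaves this bit clear."""
    first = int(normalize_mac(mac)[:2], 16)
    return {"locally_administered": bool(first & 0x02), "multicast": bool(first & 0x01)}

def lookup_vendor(mac):
    """Most specific block wins; None for unregistered or locally administered addresses."""
    if address_flags(mac)["locally_administered"]:
        return None
    digits = normalize_mac(mac)
    for block, width in (("MA-S", 9), ("MA-M", 7), ("MA-L", 6)):
        vendor = REGISTRY[block].get(digits[:width])
        if vendor:
            return {"block": block, "prefix": digits[:width], "vendor": vendor}
    return None
```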
A data-driven probability model maintained by FIRST (Forum of Incident Response and Security Teams) that estimates the likelihood a given CVE will be exploited in the wild within the next 30 days. EPSS scores range from 0.0 to 1.0 and are updated daily based on threat intelligence and exploitation telemetry. CyberGrind uses EPSS scores in the CVE Research tool and the dedicated EPSS Scanner to help practitioners prioritize remediation beyond CVSS severity alone.
The U.S. government repository of standards-based vulnerability management data. NVD enriches CVE records published by MITRE with CVSS scores, CWE classifications, CPE applicability statements, and remediation references. CyberGrind queries the NVD CVE API v2.0 through the EPSS Worker to provide full CVE detail in the CVE Research tool.
The globally recognized knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. CyberGrind loads both the Enterprise and ICS ATT&CK matrices from local STIX 2.1 JSON snapshots to power the ATT&CK Browser tool. Snapshots are refreshed manually using scripts/fetch_attck.py when MITRE publishes a new version; GitHub Actions automation is planned to handle this on build.
Update Freq.: Manual (on MITRE release)
Format: STIX 2.1 JSON (local snapshot)
Files: static/data/attck-enterprise.json, attck-ics.json
Used In: ATT&CK Browser
3 — CTI Pipeline (api.cybergrind.org)
About the pipeline: CyberGrind runs a self-hosted threat intelligence backend at api.cybergrind.org. Collectors are Python scripts running on a scheduled basis inside Docker, storing results in a local SQLite database served via FastAPI. The pipeline is exposed through a Cloudflare Tunnel. Current status is always available at /api/health.
A dedicated collector pulls the full CISA KEV catalog into the pipeline database on a 24-hour cycle, independently of the Cloudflare Worker used by the KEV Checker tool. This copy powers the Live CVEs tool, which provides filterable table views with overdue remediation highlighting.
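As an added example (not CyberGrind's code), this shows the two things the KEV copy and the EPSS integration are used for: flagging KEV entries past their BOD 22-01 due date, and ranking CVEs by KEV membership, then EPSS, then CVSS, so a CVSS 9.8 with no exploitation signal sorts below a lower-severity bug that is in KEV. The cveID and dueDate field names are those of the public KEV JSON; the CVE IDs, scores and dates are placeholders.

```python
# Added example, not CyberGrind's code: flag KEV entries past their BOD 22-01 due date
# and rank CVEs by KEV membership, then EPSS, then CVSS. KEV field names follow the
# public catalog JSON; the CVE IDs, scores and dates are constructed placeholders.
from datetime import date

# Constructed slice of the KEV catalog (placeholder CVE IDs, real field names).
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "dueDate": "2026-03-15"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "dueDate": "2026-05-01"},
]}

# Constructed enrichment rows, as the CVE Research tool would assemble them
# from NVD (cvss) and FIRST (epss, a 0.0-1.0 probability of exploitation in 30 days).
CVE_SAMPLE = [
    {"cve": "CVE-0000-0001", "cvss": 6.5, "epss": 0.12},
    {"cve": "CVE-0000-0002", "cvss": 9.8, "epss": 0.03},
    {"cve": "CVE-0000-0003", "cvss": 9.8, "epss": 0.01},
    {"cve": "CVE-0000-0004", "cvss": 5.3, "epss": 0.91},
]

def kev_ids(kev_json):
    return {v["cveID"] for v in kev_json["vulnerabilities"]}

def overdue_kev(kev_json, today_iso):
    """cveIDs whose dueDate is strictly before today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return sorted(v["cveID"] for v in kev_json["vulnerabilities"]
                  if date.fromisoformat(v["dueDate"]) < today)

def prioritize(cves, kev_json):
    """Descending sort key (in KEV, EPSS, CVSS): confirmed exploitation first,
    then exploitation probability; CVSS severity only breaks ties."""
    kev = kev_ids(kev_json)
    ranked = sorted(cves, key=lambda c: (c["cve"] in kev, c["epss"], c["cvss"]), reverse=True)
    return [c["cve"] for c in ranked]

def remediation_table(cves, kev_json, today_iso):
    """Rows for a filterable view: rank, cve, in_kev and the overdue highlight flag."""
    kev, overdue = kev_ids(kev_json), set(overdue_kev(kev_json, today_iso))
    return [{"rank": i + 1, "cve": cve, "in_kev": cve in kev, "overdue": cve in overdue}
            for i, cve in enumerate(prioritize(cves, kev_json))]
```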
URLhaus tracks malware distribution URLs reported by the security community. The collector fetches abuse.ch's public CSV export every hour and loads new IOC records into the pipeline database. Deduplication is applied before insert; inactive URLs are retained for historical reference.
Collector: app/collectors/abusech.py
Schedule: Every 1 hour
Endpoint: /api/iocs
Used In: Threat Intel Feeds (IOCs tab)
RSS Security News Feeds
Status: Live, Public
A news collector aggregates RSS/Atom feeds from five security-focused publications every two hours: Krebs on Security, Bleeping Computer, The Hacker News, CISA Advisories, and SANS Internet Storm Center. Article bodies are not stored — only the title, link, source, publication date, and feed-provided summary excerpt. Deduplication is performed by URL hash.
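The URLhaus and news collectors both deduplicate before insert. As an added example (not CyberGrind's code), this shows that step on an in-memory SQLite table keyed by the SHA-256 of the URL: a re-pull inserts only unseen URLs, and a record the source later marks offline is updated in place rather than deleted. The feed rows are constructed, and the column set is only loosely modelled on the URLhaus CSV export.

```python
# Added example, not CyberGrind's code: dedupe-before-insert on a SQLite table keyed by
# the SHA-256 of the URL. Re-pulls add only unseen URLs; known ones get their status
# refreshed and are never deleted, so inactive URLs remain for history. Rows are constructed.
import hashlib
import sqlite3

def url_hash(url):
    """Dedupe key. Only surrounding whitespace is normalised here; fuller URL
    normalisation (host case, default ports) is a separate concern."""
    return hashlib.sha256(url.strip().encode("utf-8")).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE iocs (
        url_sha256 TEXT PRIMARY KEY, url TEXT NOT NULL, source TEXT NOT NULL,
        status TEXT NOT NULL, first_seen TEXT NOT NULL)""")
    return db

def ingest(db, source, records):
    """Insert unseen URLs, refresh status of known ones; return the number of new rows."""
    before = db.execute("SELECT COUNT(*) FROM iocs").fetchone()[0]
    db.executemany(
        "INSERT INTO iocs VALUES (?, ?, ?, ?, ?) "
        "ON CONFLICT(url_sha256) DO UPDATE SET status = excluded.status",
        [(url_hash(r["url"]), r["url"].strip(), source, r["status"], r["first_seen"])
         for r in records])
    db.commit()
    return db.execute("SELECT COUNT(*) FROM iocs").fetchone()[0] - before

def status_of(db, url):
    row = db.execute("SELECT status FROM iocs WHERE url_sha256 = ?", (url_hash(url),)).fetchone()
    return row[0] if row else None

# Two constructed hourly pulls; the second repeats one URL (now offline) and adds one.
PULL_1 = [{"url": "http://drop.example/a.exe", "status": "online", "first_seen": "2026-04-01 10:00:00"},
          {"url": "http://loader.example/b.php", "status": "online", "first_seen": "2026-04-01 10:05:00"}]
PULL_2 = [{"url": " http://drop.example/a.exe ", "status": "offline", "first_seen": "2026-04-01 10:00:00"},
          {"url": "http://cdn.example/c.js", "status": "online", "first_seen": "2026-04-01 11:00:00"}]

def run_demo():
    """Returns (new rows from pull 1, new rows from pull 2, total rows, status of a.exe)."""
    db = open_db()
    n1 = ingest(db, "urlhaus", PULL_1)
    n2 = ingest(db, "urlhaus", PULL_2)
    total = db.execute("SELECT COUNT(*) FROM iocs").fetchone()[0]
    return n1, n2, total, status_of(db, "http://drop.example/a.exe")
```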
MalwareBazaar is abuse.ch's repository of malware samples contributed by the security community. The collector fetches recent sample metadata every six hours — SHA256, MD5, SHA1, filename, file type, tags, malware family signature, first seen date, and reporter. Binary files are not downloaded or stored; metadata only.
VirusTotal file reports are proxied on-demand through the pipeline API to protect the API key and enforce free-tier quota. When a user submits a hash in the VT Lookup tool, the request is forwarded to VirusTotal's v3 file report endpoint and the result is returned directly — no caching is currently applied, so each lookup consumes quota.
A self-hosted MISP instance running in Docker on a local Ubuntu environment, subscribed to four community threat intelligence feeds: CIRCL OSINT Feed, Botvrij.eu, abuse.ch URLhaus, and Feodo Tracker. The pipeline collector queries MISP every six hours for actionable indicators (to_ids=True), pulling attributes including IP addresses, domains, URLs, and file hashes. IOCs are stored in the pipeline database with a source column to distinguish MISP-sourced indicators from abuse.ch direct feeds. On startup, a 30-day historical backfill is performed.
Primary source publications from the National Institute of Standards and Technology used as the factual foundation for Orange Book educational content. This includes NIST Cybersecurity Framework 2.0 (NIST CSWP 29), Special Publication 800-53 Rev. 5, FIPS 197 (AES), and supporting documents. NIST publications are in the public domain. All Orange Book articles derived from NIST sources include full reference lists with direct links to the primary documents.
A news aggregation API used to fetch cybersecurity headlines for the daily news posts published in the News section. Headlines are pulled from a curated set of security-focused publications and processed locally using Ollama (Llama 3.2) to generate practitioner commentary. The AI commentary is clearly identified and is generated from the provided headlines only — the model is explicitly instructed not to reference events outside the provided input to reduce hallucination risk.
Update Freq.: Daily (11am CT, automated)
Commentary: Llama 3.2 (local, Ollama)
Format: REST API (JSON)
Used In: Daily News posts
5 — Methodology
No Proprietary Scoring
CyberGrind does not invent threat scores. All scoring displayed on the site — EPSS, AbuseIPDB confidence, CVSS — comes directly from the originating source and is presented as-is with full attribution.
Cloudflare Caching
Live feeds are proxied through Cloudflare Workers with defined cache TTLs to reduce API load and improve performance. Cached data may lag behind the source by up to the stated TTL window.
Primary Sources First
Orange Book educational content is built from primary sources — NIST PDFs, RFCs, and original research — not summaries of summaries. Secondary sources are used only to corroborate and are cited explicitly.
AI Use Disclosure
AI-generated content (daily news commentary) is produced locally using Llama 3.2 and constrained to provided headlines. AI is a writing aid, not a research source. Factual claims in Orange Book articles are human-verified.
Uncertainty Acknowledged
Where source data is incomplete, contested, or ambiguous, that uncertainty is surfaced explicitly rather than papered over. A confident-sounding wrong answer is worse than an honest acknowledgment of what we don't know.
Feed Aggregation
The OSINT Feeds threat map combines IPsum, Emerging Threats, and Feodo Tracker into a single enriched view. IPs appearing across multiple feeds are not deduplicated in the visual — each source contributes independently.
Pipeline Transparency
The self-hosted CTI pipeline at api.cybergrind.org stores collected data in a local SQLite database. No personally identifiable information is collected or stored. All collector schedules, endpoints, and source attributions are documented here and in the public GitHub repository.
Self-Hosted Intelligence
MISP IOC data is sourced from a self-hosted instance subscribed to public community feeds. Indicators are filtered to actionable attributes only (to_ids=True) and are attributed to their originating feed. No private or commercial threat intel feeds are used.
6 — Known Limitations
CyberGrind is not a commercial threat intelligence platform. Data depth and breadth are limited by free and public API tiers.
IP geolocation data is approximate. Country-level attribution is reliable; city-level is not. IPs can be misattributed due to VPNs, proxies, and Tor exit nodes.
AbuseIPDB scores reflect community reports and may include false positives. A high confidence score indicates reported abuse, not confirmed malicious activity. The AbuseIPDB tab on the Threat Map shows N/A when the daily quota is exhausted (resets midnight UTC).
EPSS scores are probabilistic estimates, not certainties. A low EPSS score does not mean a vulnerability is safe to deprioritize.
NVD CVE enrichment (CVSS scoring) can lag publication by days to weeks. NIST experienced a significant enrichment backlog in 2024; some older CVEs may still show incomplete scoring data.
The MITRE ATT&CK browser is driven by a static snapshot and may lag behind MITRE's latest release between manual refreshes.
Daily news commentary is AI-generated and has not been independently fact-checked beyond the provided headlines. Treat it as a starting point, not a final word.
Feed caching means displayed data may be up to several hours behind the source. For time-critical decisions, always verify directly with the originating source.
The CTI pipeline backend runs on a personal workstation. Brief outages may occur during maintenance windows or unexpected downtime. Current collector status is available at /api/health.
MISP IOC data reflects the quality and coverage of the subscribed community feeds. Indicators are not independently verified beyond what the originating feed provides. False positives are possible.
MAC address OUI lookup identifies the registered hardware manufacturer only. It does not identify the specific device, owner, or current user of a MAC address. OUI assignments can be spoofed.
CyberGrind content is informational only and does not constitute legal, compliance, or professional security advice.
This page was last reviewed April 2026. Sources and methodology are updated as the site evolves. If you identify an inaccuracy or have questions about data sourcing, the GitHub repository is publicly available.
7 — Licensing & Attribution
CISA KEV / NVD (NIST) — U.S. government public domain. No restrictions on use.
MITRE ATT&CK® — Used under the ATT&CK Terms of Use. ATT&CK® is a registered trademark of The MITRE Corporation.
abuse.ch (URLhaus, MalwareBazaar, Feodo Tracker) — Free for non-commercial use with attribution. See abuse.ch for full terms.
AbuseIPDB — Community-contributed data used under the AbuseIPDB Terms of Service. Attribution provided in tool UI.
VirusTotal — Accessed under the VirusTotal Terms of Service. Data is not stored, redistributed, or commercialized.
Emerging Threats — Open ruleset maintained by Proofpoint. Free for non-commercial use.
FIRST EPSS — Free to use with attribution. See first.org/epss.
NewsAPI — Used under the NewsAPI Terms for development use.
MISP — Open source platform under the AGPL-3.0 License. Community feeds used under their respective terms (CIRCL, Botvrij.eu, abuse.ch, Feodo Tracker).
maclookup.app — Used under the maclookup.app API Terms. OUI data sourced from the IEEE public registry.
CyberGrind is a non-commercial personal portfolio and educational resource. No data collected through these sources is sold, redistributed, or used for purposes outside of site functionality and security education.