Collective security intelligence for industries. Give data, get smarter.
Your industry should be smarter together than any single company is alone.
Every hospital buys security tools based on vendor marketing. Every bank figures out their detection gaps by getting hacked. Every energy company fights the same APT without knowing three other utilities already beat it.
nur fixes this. Two questions, one platform:
- What's compromising us? IOCs, attack patterns, campaigns hitting your sector
- What actually works? Which tools catch what, real practitioner scores from real incidents

Everything is anonymized on your machine. Nothing leaves without your approval. Math, not promises.

Try it live: nur.saramena.us (25+ contributions loaded, 37 data sources, API docs at /docs)
Three assumptions the security industry is built on, and why they're wrong:

| Assumption | Reality |
|---|---|
| "Sharing is altruistic" | Nobody shares out of goodness. nur makes it selfish: no contribution = no report. Give to get. |
| "Threat intel = IOCs" | IOCs are one piece. Practitioners need: what tools catch this? What scores are others giving their EDR? What techniques are being missed sector-wide? |
| "You need a dashboard" | You need a CLI that works in SOAR pipelines, that AI agents can call, that scripts automate. `nur report`: one command, JSON output, done. |

```bash
git clone https://github.com/manizzle/nur.git
cd nur
pip install -e ".[all,dev]"
nur up --vertical healthcare
```

That starts the platform, scrapes 19 real data sources, and you're ready.

```bash
nur report your_incident_data.json
```

Two commands. Full loop. No config files.

```bash
nur report incident_iocs.json
```

```
Campaign Match: Yes - 4 other healthcare orgs
Shared IOCs: 12
Threat Actor: LockBit
Actions:
  [CRITICAL] Block C2 domains at firewall
  [CRITICAL] Deploy T1490 detection - your tools miss it
  [HIGH] Hunt for RDP lateral movement
```

You gave IOCs. You got campaign correlation, detection gaps, and a prioritized to-do list.

```bash
nur market edr                                    # who leads?
nur search vendor crowdstrike                     # real scores
nur search compare crowdstrike sentinelone        # side-by-side
nur threat-map "ransomware" --tools crowdstrike   # coverage gaps
```

```
Market Map: edr
----------------------------------------
LEADERS:
  CrowdStrike Falcon       score=9.2  confidence=high
  SentinelOne Singularity  score=8.8  confidence=high
CONTENDERS:
  Microsoft Defender       score=7.5  confidence=medium
```

Real data from 19 sources. Not vendor marketing. Not analyst reports funded by vendors.

2:17 AM - Ohio Children's Hospital. LockBit. EHR encrypted. NICU monitors offline.

```bash
nur report lockbit_iocs.json        # Campaign Match: Yes. 12 shared IOCs.
nur report lockbit_attack_map.json  # 7 detection gaps. T1490 critical.
nur report our_crowdstrike.json     # 9.2 avg. 5 known gaps. Supplement.
```

4:30 AM - West Virginia gets the same ransom note. Their report is better, because Ohio contributed.

Next week - Ohio's CISO needs data for the board:

```bash
nur market edr
nur search compare crowdstrike sentinelone
nur threat-map "ransomware" --tools crowdstrike
```

Real data. Not vendor slides.

nur isn't an empty platform waiting for users. It scrapes real intelligence from public feeds, independent labs, review platforms, and community discussions. Day one, you have 658,000+ data points.

```bash
nur scrape --list     # see all sources
nur admin sources     # see all 45 with tier/status
```

| Source | Data | License |
|---|---|---|
| ThreatFox | Domains, IPs, hashes with malware tags | CC0 |
| Feodo Tracker | C2 server IPs (Emotet, QakBot, Pikabot) | CC0 |
| MalwareBazaar | Malware SHA-256 hashes | CC0 |
| URLhaus | Malicious URLs (malware distribution) | CC0 |
| SSL Blacklist | Malicious SSL certificate fingerprints | CC0 |
| CISA KEV | Actively exploited CVEs (ransomware-tagged) | Public Domain |
| NVD | CVE database with CVSS scores | Public Domain |
| FireHOL | High-confidence malicious IPs (30+ feeds aggregated) | Open Source |
| IPsum | Multi-blacklist scored IPs | Open Source |
| OpenPhish | Phishing URLs | Free |
| Emerging Threats | Compromised IPs | Free |
| Dataplane | SSH brute force attacker IPs | Free |
| Spamhaus DROP | Hijacked IP ranges | Free |
| DigitalSide | Malware-related IPs (STIX/MISP) | MIT |
| CINS Score | Poorly-rated suspicious IPs | Free |
| BruteForceBlocker | SSH brute force IPs | Free |
| AbuseIPDB | Reported malicious IPs (API key) | Free |
| AlienVault OTX | Community threat pulses (API key) | Free |
| Pulsedive | Community threat intel (API key) | Free |
| GreyNoise | Internet scanner classification (API key) | Free |

| Source | Data | Weight |
|---|---|---|
| MITRE ATT&CK Evals | EDR detection rates (8 vendors) | 3.0 |
| AV-TEST | Independent lab scores (8 vendors) | 2.5 |
| SE Labs | UK lab endpoint protection (10 vendors) | 2.5 |
| AV-Comparatives | Real-world protection test (8 vendors) | 2.5 |
| CISA KEV x Vendors | Security tools with exploited CVEs | 2.0 |
| | Practitioner discussions (30 vendors) | 1.0 |
| Hacker News | Security tool discussions (27 vendors) | 1.0 |
| Stack Exchange | Security Q&A (30 vendors) | 1.0 |
| G2 | Peer review scores (10 vendors) | 0.8 |
| Gartner Peer Insights | Enterprise practitioner reviews | 0.8 |
| PeerSpot | Verified enterprise reviews | 0.8 |
| Capterra | SMB/mid-market ratings | 0.8 |
| TrustRadius | Verified business reviews | 0.8 |
| GitHub | Open-source tool popularity signals | 0.5 |
| Vendor Metadata | Pricing, certs, insurance (36 vendors) | 0.3 |
Raw data snapshots available in data/feeds/ (658,000+ records, CDLA-Permissive-2.0).
Run a threat intel feed? Get listed on this page. Got access to a premium feed (Shodan, VirusTotal, Recorded Future)? See what we need.
nur is a stack. Deploy it for hospitals. Deploy it for banks. Build a company on it.

```bash
nur up --vertical healthcare   # LockBit, HIPAA, hospital playbooks
nur up --vertical financial    # APT28/Lazarus, PCI DSS, SWIFT isolation
nur up --vertical energy       # Sandworm, NERC CIP, ICS/OT focus
nur up --vertical government   # APT29, FISMA, supply chain
```

Docker (production):

```bash
cp .env.example .env
docker compose --profile production up -d
```

| Variable | Default | What it does |
|---|---|---|
| `NUR_API_KEY` | - | API key for write endpoints |
| `NUR_MIN_K` | 3 | Min contributors before showing aggregates |
| `NUR_AUTO_INGEST` | 0 | 1 = hourly feed scraping |
| `NUR_PORT` | 8000 | Port to expose |

Your users:

```bash
pip install nur && nur init && nur report incident.json
```

Python:

```python
from nur import load_file, anonymize, submit

data = load_file("incident.json")        # JSON, STIX, MISP, CSV, PDF
clean = [anonymize(d) for d in data]     # anonymize locally

# Submit each anonymized record to the nur server
for c in clean:
    submit(c, api_url="http://nur:8000")
```

CLI + JSON (AI agents, SOAR, scripts):

```bash
nur report incident.json --json | jq '.intelligence.actions'
nur market edr --json | jq '.tiers.leaders'
nur search vendor crowdstrike --json
```

API:

| Endpoint | Mode | What it does |
|---|---|---|
| `POST /analyze` | Attack | Give data, get intelligence report |
| `POST /contribute/*` | Attack | Submit IOCs, attack maps, evals |
| `GET /intelligence/market/{cat}` | Defense | Market map (leaders/contenders) |
| `POST /intelligence/threat-map` | Defense | MITRE coverage gap analysis |
| `GET /intelligence/danger-radar` | Defense | Hidden vendor risk signals |
| `GET /search/vendor/{name}` | Defense | Weighted vendor scores |
| `GET /search/category/{name}` | Defense | Category ranking |
| `GET /search/compare?a=X&b=Y` | Defense | Side-by-side comparison |
| `GET /query/techniques` | Both | Top MITRE techniques |
| `GET /docs` | Both | OpenAPI documentation |

Everything anonymized on your machine before anything touches the network.
| What you share | What leaves | How |
|---|---|---|
| Raw IOCs | Keyed fingerprints | HMAC-SHA256 with org secret, can't be reversed |
| Attack notes | Scrubbed text | 4-pass regex: no IPs, names, hostnames |
| Org context | Bucketed | healthcare, 1000-5000; never your name |
| Tool scores | Noised values | Differential privacy (Laplace) |
| All of the above | Attested | ADTC cryptographic proof chain |
Server returns aggregates only. Never individual contributions. Min-k enforcement (3+ contributors). Full analysis -> THREAT_MODEL.md
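
A minimal sketch of three of the controls in the table above (keyed fingerprints, Laplace noise on scores, min-k suppression of aggregates), added here as an illustration; it is not nur's own code. The function names, the epsilon of 1.0, the 0-10 score range and the sample data are assumptions; the default `min_k` of 3 follows `NUR_MIN_K`.

```python
import hashlib
import hmac
import random
from collections import defaultdict

def fingerprint(ioc: str, org_secret: bytes) -> str:
    """HMAC-SHA256 over a normalized IOC. A bare SHA-256 of an IPv4 address
    can be enumerated (2**32 inputs); the secret key is what prevents that."""
    normalized = ioc.strip().lower().encode("utf-8")
    return hmac.new(org_secret, normalized, hashlib.sha256).hexdigest()

def noised_score(score: float, epsilon: float, rng: random.Random,
                 lo: float = 0.0, hi: float = 10.0) -> float:
    """Laplace mechanism for one score in [lo, hi] (sensitivity = hi - lo).
    The difference of two exponential draws is Laplace(0, scale)."""
    scale = (hi - lo) / epsilon
    noise = rng.expovariate(1 / scale) - rng.expovariate(1 / scale)
    return min(hi, max(lo, score + noise))  # clamping is post-processing

def aggregate(contributions: list, min_k: int = 3) -> dict:
    """Mean score per vendor, released only if >= min_k distinct orgs reported."""
    by_vendor = defaultdict(dict)
    for c in contributions:
        by_vendor[c["vendor"]][c["org"]] = c["score"]  # one entry per org
    return {vendor: round(sum(s.values()) / len(s), 2)
            for vendor, s in by_vendor.items() if len(s) >= min_k}

def demo() -> dict:
    rng = random.Random(7)  # fixed seed so the run is reproducible
    # Constructed sample data: (org id, vendor, raw score out of 10).
    raw = [("org-1", "vendor-a", 9.0), ("org-2", "vendor-a", 8.5),
           ("org-3", "vendor-a", 9.5), ("org-1", "vendor-b", 7.0),
           ("org-2", "vendor-b", 6.0)]
    noisy = [{"org": o, "vendor": v, "score": noised_score(s, 1.0, rng)}
             for o, v, s in raw]
    return aggregate(noisy)  # vendor-b has only 2 contributors: suppressed

if __name__ == "__main__":
    secret = b"constructed-org-secret"  # assumption: a per-org random key
    print(fingerprint("198.51.100.7", secret))
    print(demo())
```

Fingerprints computed under different org secrets do not match each other, so the same IOC is only linkable between parties that hold the same key.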

```bash
nur admin status       # server health + feed freshness
nur admin sources      # all 45 data sources by tier
nur admin db-stats     # detailed database breakdown
nur admin export       # dump all aggregated data as JSON
nur admin rotate-key   # generate new API key
```

```bash
pytest      # 281 tests across 12 files
pytest -v   # verbose
```

| Component | License |
|---|---|
| Code | Apache 2.0 |
| Threat intel data | LGPL 3.0 (open data) |
| abuse.ch feeds | CC0 1.0 (public domain) |
| CISA KEV | US Government public domain |
| MITRE ATT&CK | Apache 2.0 |
