```
pip install red-specter-raven
```
Most threat intelligence tooling aggregates structured API feeds and presents them as a dashboard. That's not intelligence — that's collection. Real intelligence requires reaching into the dark web, correlating across sources, understanding context, and answering questions a human actually asks. RAVEN is a conversational engine built around that model.
By the time an IOC appears in a surface-web feed it's already been weaponised. The dark web had it first. Paste sites had it first. RAVEN reaches into those sources directly — not hours later through a normalised feed.
Breach databases, combo lists, credential markets — they don't submit to OSINT APIs. They live on Tor hidden services, dark forums, and paste sites that standard tooling never touches. RAVEN's DARK subsystem does.
Dark web forums, ransomware leak sites, and marketplace chatter are where adversaries operate. Organisations are named, targeted, and discussed long before any public disclosure. WHISPER watches continuously.
Every threat intel platform forces you into their schema. RAVEN's PARSER subsystem accepts natural language — ask about a domain, an IP, a threat actor, a breach, or an infrastructure cluster in plain English.
Surface feeds and dark web sources speak different languages. RAVEN's ORCHESTRATOR merges them — deduplication, confidence scoring, context enrichment — producing a unified picture from disparate sources.
Intelligence that stays in a dashboard generates no action. RAVEN's EXPORT subsystem feeds directly into ORION, IDRIS, NEMESIS, and enterprise SIEM via structured JSON and STIX/TAXII — intelligence becomes response.
RAVEN doesn't just aggregate feeds. It understands natural language queries, fuses intelligence from 8 API sources and 6 dark web sources, deduplicates and enriches context, and delivers results through a conversational terminal interface. Ask it anything. It knows where to look.
| # | Subsystem | Function | What It Does |
|---|---|---|---|
| 01 | PARSER | Natural Language Query | Interprets operator questions in natural language. 10 query intents — from breach lookups and IOC enrichment to threat actor profiling and dark web monitoring. No rigid syntax. Just ask. |
| 02 | INTEL | 8 API Sources | Shodan, Censys, VirusTotal, OTX, GreyNoise, AbuseIPDB, URLhaus, and Pulsedive. Structured threat intelligence from the surface web's best feeds, queried in parallel and correlated automatically. |
| 03 | DARK | 6 Dark Web Sources | Tor hidden services, paste sites, breach databases, dark web forums, ransomware leak sites, and marketplace monitoring. UNLEASHED-gated. Passive, dry run, or live Tor scraping. |
| 04 | ORCHESTRATOR | Fusion & Deduplication | Merges results from INTEL and DARK subsystems. Deduplicates findings, enriches context, scores confidence, and builds a unified intelligence picture from disparate sources. |
| 05 | TUI | Conversational Terminal | Rich terminal interface for interactive threat intelligence sessions. Conversational flow — ask follow-up questions, drill into results, pivot across indicators. History and session persistence. |
| 06 | EXPORT | ORION / IDRIS / NEMESIS / SIEM | Feeds intelligence directly into ORION for reconnaissance, IDRIS for governance discovery, NEMESIS for reasoning validation, or any SIEM via structured JSON and STIX/TAXII export. |
| 07 | WHISPER | Continuous Monitoring | Background watchdog. 6 alert types — new breaches, credential leaks, dark web mentions, IOC changes, threat actor activity, and infrastructure shifts. Runs silently until something matters. |
Cryptographic override. Private key controlled. One operator. Founder's machine only. The DARK subsystem — live Tor routing to 6 hidden sources — is gated behind an Ed25519 key. Passive API queries run without a key. Dark web access requires it.
Passive: API queries only. Surface web intelligence from 8 structured sources. No dark web access. No Tor traffic. No detection risk. Full PARSER + INTEL + ORCHESTRATOR + TUI.
Dry run: Simulates dark web collection. Shows what sources would be queried, what data would be retrieved — down to estimated breach counts and forum mention likelihood. Ed25519 key required. No Tor connections made.
Live: Active dark web intelligence. Tor-routed scraping across all 6 dark web sources. Real connections to hidden services. WHISPER monitoring engaged. Full DARK subsystem operational.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter RAVEN is intended for authorised security testing and threat intelligence operations only. Dark web collection features require UNLEASHED activation and must only be used against infrastructure you own or have explicit written permission to assess. Unauthorised use may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Apache License 2.0.