RAVEN is a conversational threat intelligence engine. It accepts natural language queries, fans out across 8 structured API sources and 6 dark web sources, fuses the results, and delivers intelligence through an interactive terminal interface.
Traditional threat intel platforms require rigid query syntax, manual pivoting, and separate tools for surface and dark web. RAVEN unifies everything into a single conversation. Ask a question. Get an answer. Drill deeper. Export to ORION, IDRIS, NEMESIS, or your SIEM.
RAVEN listens to the dark. It returns what matters.
```bash
pip install red-specter-raven
raven --help
```
| # | Subsystem | Function |
|---|---|---|
| 1 | PARSER | Natural language query engine — interprets operator questions, classifies into 10 intents, extracts indicators and context |
| 2 | INTEL | Surface web intelligence — queries 8 structured API sources in parallel, normalises and correlates results |
| 3 | DARK | Dark web intelligence — 6 dark web sources including Tor hidden services, paste sites, breach databases, forums, ransomware leak sites, and marketplaces. UNLEASHED-gated |
| 4 | ORCHESTRATOR | Fusion engine — merges INTEL and DARK results, deduplicates findings, enriches context, scores confidence |
| 5 | TUI | Conversational terminal — rich interactive interface with session persistence, follow-up questions, and indicator pivoting |
| 6 | EXPORT | Output pipeline — feeds intelligence to ORION, IDRIS, NEMESIS, or any SIEM via JSON, STIX/TAXII, and CSV export |
| 7 | WHISPER | Continuous monitoring — background watchdog with 6 alert types, runs silently until something matters |
| # | Source | Intelligence |
|---|---|---|
| 1 | Shodan | Internet-wide scan data, exposed services, banners, vulnerabilities, device metadata |
| 2 | Censys | Certificate transparency, host enumeration, protocol analysis, cloud asset discovery |
| 3 | VirusTotal | File/domain/IP reputation, malware associations, passive DNS, detection ratios |
| 4 | OTX (AlienVault) | Open threat exchange pulses, IOC feeds, community threat intelligence |
| 5 | GreyNoise | Internet noise vs. targeted activity, mass scanner identification, benign traffic filtering |
| 6 | AbuseIPDB | IP abuse reports, confidence scores, attack categories, ISP and geolocation data |
| 7 | URLhaus | Malware distribution URLs, payload tracking, campaign association, takedown status |
| 8 | Pulsedive | IOC enrichment, threat feeds, risk scoring, indicator relationships and pivoting |
| # | Source | Intelligence | UNLEASHED |
|---|---|---|---|
| 1 | Tor Hidden Services | Onion site monitoring, content indexing, service availability tracking | Live |
| 2 | Paste Sites | Credential dumps, data leaks, threat actor communications, code samples | Live |
| 3 | Breach Databases | Compromised credentials, email/password pairs, breach metadata and timelines | Live |
| 4 | Dark Web Forums | Threat actor discussions, exploit trading, target planning, vulnerability disclosure | Live |
| 5 | Ransomware Leak Sites | Victim listings, stolen data previews, negotiation timelines, gang attribution | Live |
| 6 | Marketplace Monitoring | Credential sales, access brokering, malware-as-a-service listings, pricing intelligence | Live |
| # | Intent | Example Query |
|---|---|---|
| 1 | Breach Lookup | "Has example.com been breached?" |
| 2 | IOC Enrichment | "What do we know about 185.220.101.1?" |
| 3 | Threat Actor Profile | "Tell me about LockBit 3.0" |
| 4 | Domain Intelligence | "What's the threat posture for evil-corp.com?" |
| 5 | Credential Exposure | "Are any @company.com credentials on the dark web?" |
| 6 | Malware Analysis | "What campaigns use this SHA256 hash?" |
| 7 | Infrastructure Mapping | "What infrastructure does this C2 IP connect to?" |
| 8 | Vulnerability Intel | "What's being actively exploited this week?" |
| 9 | Dark Web Monitoring | "Is our company name mentioned on any leak sites?" |
| 10 | Reputation Check | "Is this URL safe to visit?" |
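The intent table above describes what PARSER does (classify the question, extract the indicators) without showing how a classifier of that shape behaves. The following is an added example, not RAVEN's own PARSER code: the ten intent labels are the ones listed in the table, while the regexes, keyword rules and the fallback-to-IOC-Enrichment behaviour are constructed assumptions for illustration. Indicators are masked out before keyword matching so that a hash or domain can never accidentally trigger a keyword rule.

```python
"""Added example, not RAVEN's own PARSER: pull indicators out of a natural
language query and map the query to one of the ten intent labels from the
table above. The intent names come from the page; the regexes, keyword
rules and fallback behaviour are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Indicator patterns (constructed). Order matters: each match is masked out
# before the next pattern runs, so a URL's host is not re-extracted as a
# bare domain and an email's domain is not reported a second time.
INDICATOR_PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("ipv4", re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|onion)\b", re.I)),
]

# Keyword rules (constructed). First match wins, so the more specific
# intents sit above the generic "dark web" and "domain" ones.
INTENT_RULES = [
    ("Breach Lookup", r"\bbreach(?:ed|es)?\b"),
    ("Credential Exposure", r"\b(?:credentials?|passwords?)\b"),
    ("Malware Analysis", r"\b(?:malware|campaigns?|hash(?:es)?|sha256|md5)\b"),
    ("Infrastructure Mapping", r"\b(?:infrastructure|c2|command and control)\b"),
    ("Vulnerability Intel",
     r"\b(?:exploited|exploits?|vulnerabilit(?:y|ies)|cve-\d{4}-\d{4,})\b"),
    ("Dark Web Monitoring", r"\b(?:leak sites?|mentioned|dark web)\b"),
    ("Reputation Check", r"\b(?:safe|reputation|malicious)\b"),
    ("Domain Intelligence", r"\b(?:posture|domain)\b"),
    ("Threat Actor Profile", r"\b(?:tell me about|who is|actor|gang|group)\b"),
]


@dataclass
class QueryPlan:
    query: str
    intent: str
    indicators: list = field(default_factory=list)  # (kind, value) pairs


def extract_indicators(query: str):
    """Return (indicators, masked_query). Each matched span is replaced by
    spaces so later patterns and the keyword rules never see it."""
    found = []
    masked = query
    for kind, pattern in INDICATOR_PATTERNS:
        for m in pattern.finditer(masked):
            found.append((kind, m.group(0)))
        masked = pattern.sub(lambda m: " " * len(m.group(0)), masked)
    return found, masked


def classify(query: str) -> QueryPlan:
    """Map a query to an intent. Keyword rules run on the indicator-masked,
    lower-cased text. A query that carries indicators but hits no keyword
    rule is treated as plain IOC Enrichment; no indicators and no keyword
    means the query is left unclassified rather than guessed."""
    indicators, masked = extract_indicators(query)
    text = masked.lower()
    for intent, rule in INTENT_RULES:
        if re.search(rule, text):
            return QueryPlan(query, intent, indicators)
    if indicators:
        return QueryPlan(query, "IOC Enrichment", indicators)
    return QueryPlan(query, "Unclassified", indicators)


if __name__ == "__main__":
    for q in ["Has example.com been breached?",
              "What do we know about 185.220.101.1?",
              "Are any @company.com credentials on the dark web?"]:
        plan = classify(q)
        print(f"{plan.intent:22} {plan.indicators}  <- {q}")
```

Running the block against the example queries from the table gives the intent shown beside each of them; the email case shows why masking matters, since without it the address's domain would be reported twice and could feed a wrong pivot.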
| # | Alert Type | Trigger |
|---|---|---|
| 1 | New Breach | Monitored domain appears in new breach database entry |
| 2 | Credential Leak | Monitored email patterns appear on paste sites or dark web forums |
| 3 | Dark Web Mention | Organisation name, domain, or keywords appear in dark web sources |
| 4 | IOC Change | Tracked indicator changes risk score, gains new associations, or appears in new campaigns |
| 5 | Threat Actor Activity | Monitored threat actor posts new victims, tools, or communications |
| 6 | Infrastructure Shift | Tracked C2 infrastructure changes IP, domain, or hosting provider |
| Mode | Flags | What It Does |
|---|---|---|
| Standard | (none) | Passive API queries only. 8 surface web intel sources. No dark web access. No Tor traffic. |
| Dry Run | --override | Simulates dark web collection. Shows what would be retrieved from 6 dark web sources. Ed25519 required. No Tor connections. |
| Live | --override --confirm-active | Active dark web intelligence. Tor-routed scraping across all 6 dark web sources. Real connections to hidden services. |
| Command | Description |
|---|---|
| `raven ask "<query>"` | Natural language query — PARSER classifies intent and routes to appropriate sources |
| `raven watch <domain>` | Start WHISPER continuous monitoring for a domain or organisation |
| `raven breach <domain>` | Direct breach lookup — checks all breach databases and dark web sources |
| `raven sources` | List all configured intel sources with API key status and health |
| `raven ask "<query>" --override --confirm-active` | UNLEASHED live query — includes dark web sources via Tor |
| `raven watch <domain> --alerts email` | WHISPER monitoring with email alert delivery |
| `raven ask "<query>" --export json` | Query with structured JSON export |
| `raven ask "<query>" --export stix` | Query with STIX/TAXII export for SIEM integration |
| `raven tui` | Launch interactive conversational terminal session |
| `raven ask "<query>" --feed orion` | Query and pipe results directly to ORION for reconnaissance |
RAVEN feeds threat intelligence to ORION to enrich reconnaissance. When RAVEN identifies a threat actor's infrastructure, ORION can immediately scan and map the attack surface. Use `--feed orion` to pipe results directly.
RAVEN's breach and credential exposure data feeds into IDRIS for governance and compliance assessment. Discovered credential leaks trigger IDRIS identity governance workflows.
RAVEN intelligence provides real-world context for NEMESIS reasoning chains. Threat actor TTPs from RAVEN inform NEMESIS attack simulations and validation scenarios.
RAVEN exports to any SIEM via structured JSON and STIX/TAXII. IOCs, threat actor profiles, breach data, and dark web intelligence flow directly into your security operations platform.
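The SIEM path above names STIX/TAXII as the interchange format but does not show what a fused finding looks like once serialised. The block below is an added example and is not RAVEN's EXPORT subsystem: the finding layout (`kind`, `value`, `sources`, `confidence`) is an assumption, the sample findings are constructed (the hash is an all-zero placeholder), and the object fields and pattern syntax follow the STIX 2.1 specification. It also handles the two things that most often produce rejected bundles in practice: a quote inside an indicator value, and a confidence outside the 0..100 range STIX allows.

```python
"""Added example, not RAVEN's EXPORT subsystem: serialise fused findings as
a STIX 2.1 bundle that a SIEM or TAXII server can ingest. The finding layout
is an assumption; STIX field names and pattern syntax follow STIX 2.1."""
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 object paths for the indicator kinds the example queries mention.
STIX_OBJECT_PATHS = {
    "ipv4": "ipv4-addr:value",
    "domain": "domain-name:value",
    "url": "url:value",
    "email": "email-addr:value",
    "sha256": "file:hashes.'SHA-256'",
}

# Constructed sample findings. The IP and domain are the ones used in the
# example queries above; the hash is an all-zero placeholder, not a real IOC.
SAMPLE_FINDINGS = [
    {"kind": "ipv4", "value": "185.220.101.1",
     "sources": ["AbuseIPDB", "GreyNoise"], "confidence": 85},
    {"kind": "domain", "value": "evil-corp.com",
     "sources": ["VirusTotal", "URLhaus"], "confidence": 70},
    {"kind": "sha256", "value": "0" * 64,
     "sources": ["VirusTotal"], "confidence": 40},
]


def stix_timestamp(ts=None):
    """STIX timestamps are UTC, RFC 3339, with a trailing Z; millisecond
    precision is plenty for an intel export."""
    ts = ts or datetime.now(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def escape_pattern_value(value):
    """STIX patterns use single-quoted string literals, so a backslash or
    a quote inside the value must be escaped or the pattern will not parse."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_indicator(finding, ts=None):
    """Build one STIX 2.1 Indicator SDO from a fused finding. Rejects kinds
    without a known object path and confidences outside 0..100."""
    kind = finding["kind"]
    if kind not in STIX_OBJECT_PATHS:
        raise ValueError(f"no STIX object path for indicator kind {kind!r}")
    confidence = int(finding.get("confidence", 0))
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence must be in 0..100")
    ts = stix_timestamp(ts)
    value = escape_pattern_value(finding["value"])
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{kind} {finding['value']}",
        "description": "Corroborated by: " + ", ".join(finding["sources"]),
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{STIX_OBJECT_PATHS[kind]} = '{value}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": confidence,
    }


def build_bundle(findings, ts=None):
    """Wrap indicators in a STIX 2.1 Bundle (no spec_version on the bundle
    itself in 2.1; it lives on each contained object)."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(f, ts) for f in findings],
    }


def to_json(bundle):
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    print(to_json(build_bundle(SAMPLE_FINDINGS)))
```

The `description` carries the corroborating source names so an analyst reading the alert in the SIEM can see which of the eight surface sources agreed, and `confidence` maps the fusion score straight onto the STIX property most SIEM connectors use for severity.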
Tool 26 in the Red Specter offensive pipeline. RAVEN is the conversational threat intelligence layer — it gathers, fuses, and delivers intelligence from both the surface and dark web through natural language interaction.
RAVEN listens to the dark. It returns what matters.