Open-source security tools for analysts, researchers, and defenders.

Go Python Django React License

The Toolkit

Four Tools. One Security Toolkit.

Minos guards the network, Carapace renders the web safely, and the Vault1337 duo dissects what gets through. Self-hosted, privacy-respecting tools built on a shared design system for analysts, researchers, and defenders.

Minos

DNS Sinkhole · Pi-hole Alternative

A modern, user-friendly DNS sinkhole written in Go — a single static binary with an embedded web UI, light enough for a Raspberry Pi. Every DNS query is judged against your blocklists and sentenced; allowed queries are forwarded upstream over encrypted DoH or DoT.

  • Blocklist filtering (hosts, plain, AdBlock) with one-click pardons from the live log
  • Family controls — per-device groups, blocked services, schedules, Safe Search enforcement
  • Response cache, serve-stale (RFC 8767), and automatic upstream failover
  • Client-facing DoT/DoH with automatic ACME certificates — no telemetry, ever

Carapace

Visual Renderer for Insight

Optional sidecar service that renders each scanned URL using Chromium headless with JavaScript fully enabled but all network requests intercepted and blocked. This lets dynamic overlays — ClickFix, SocGholish, ClearFake, drainers — execute and render visibly in the screenshot, revealing the actual attack UI rather than a blank page. A verdict badge is composited onto every screenshot.

  • Safe Chromium render — JS enabled, network intercepted and blocked, dynamic overlays captured
  • Detects drive-by downloads, eval() chains, clipboard hijacks, and exfiltration at render time
  • Risk score (0–100) and structured threat flags fed directly into Insight findings
  • Browser-grade technology detection and mobile screenshot (375×844 iPhone viewport) support

Vault1337 Private

Malware Analysis Platform

Self-hosted platform for storing and statically analysing malware samples. Upload by file, URL, or SHA256 hash — Vault1337 pulls from VirusTotal or MalwareBazaar and runs 20+ analysis tools against the sample, with full JWT-secured API access.

  • 20+ static analysis tools — Strings, Hex, YARA, LIEF, Capstone, OleTools, dnfile, and more
  • IOC extraction, MITRE ATT&CK mapping, STIX 2.1 export, PDF report generation
  • IP & domain intelligence via VirusTotal, AbuseIPDB, Spur, and Shodan
  • Runs on a Raspberry Pi 5 — single Docker command deployment
Source temporarily private. The repository has been made private until further notice. Documentation and the Docker Hub image remain available — any interest in source access should be made directly.

Insight Private

Web Threat Scanner

Passive web threat scanner for analysing URLs for malicious behaviour. Entirely content-based — no reputation databases — so it detects zero-day campaigns, freshly registered phishing domains, and newly injected skimmers that reputation feeds haven't yet indexed.

  • 59 JavaScript threat checks — skimmers, keyloggers, ClickFix, wallet drainers, drainer configs, blockchain C2, JSFuck/JJEncode/XOR obfuscation
  • 33+ HTML checks — phishing forms, OTP relay, hidden iframes, fake CAPTCHA, tampered GTM, drainer injection
  • Domain intelligence — typosquats, homographs, DGA, newly registered domains
  • Context collapse engine — correlates signals into CRITICAL synthetic findings
Source temporarily private. The repository has been made private until further notice. The live scanner and documentation remain available — any interest in source access should be made directly.

Minos — DNS Sinkhole

Every Query Gets Judged.

Named for the judge of the underworld, Minos is a modern Pi-hole alternative written in Go — a single static binary with an embedded web UI, light enough for a Raspberry Pi Zero. Every DNS query that arrives is judged against your blocklists and sentenced; no exceptions, no appeals (well, except pardons).

Blocklist Filtering

Judges every query on :53 (UDP + TCP) against compiled hosts, plain, and AdBlock blocklists. Blocked queries show which list and rule condemned them — with a one-click pardon from the live log.

Family Controls

Per-device groups with extra rules, full bypass, or no DNS at all. One-click blocked services (TikTok, YouTube, Discord…) with schedules, plus provider-enforced Safe Search that can't be switched off.

Fast Resolver Core

Built-in response cache with request coalescing, serve-stale answers (RFC 8767), and automatic upstream failover — one dead resolver never slows the whole network.

Encrypted DNS

Forwards upstream over DoH or DoT, and serves encrypted DNS to clients — DoT for Android Private DNS, DoH at /dns-query. Bring a certificate or let Minos fetch and renew one automatically via ACME.

Network Features

Local DNS records for your LAN, conditional forwarding, and private reverse zones answered locally (RFC 6303) — internal lookups never leak to public resolvers.

Dashboard & API

Query charts, top blocked domains, and a live log over WebSocket. Prometheus /metrics with a Grafana dashboard, a documented REST API, Home Assistant recipes, and one-command Pi-hole/AdGuard import. No telemetry, ever.

Vault1337 — Malware Analysis Platform Private

Static Analysis, Your Way

Source temporarily private. The Vault1337 repository has been made private until further notice — the documentation below and the Docker Hub image stay available, and any interest in source access should be made directly.
Flexible Ingestion

Upload by file or URL, or pull directly from VirusTotal or MalwareBazaar by SHA256 hash. Stored by hash — original filenames never written to disk.

20+ Analysis Tools

Strings, Hex, IOC extractor, YARA, ExifTool, LIEF (PE+ELF), Capstone disassembler, Mach-O, APK, .NET, PDF parser, OLE tools, Email parser, Zip extractor, and more.

IOC Tracking

Extract and manage 13+ indicator types. Every IOC links back to its source sample and auto-enriches against VirusTotal and AbuseIPDB. STIX 2.1 export ready.

MITRE ATT&CK Mapping

Automatically maps analysis results and IOC types to ATT&CK techniques — 27 techniques across 10 tactics. Tactic-coloured badges with links to official technique pages.

IP & Domain Intelligence

Structured report cards for IPs and domains via VirusTotal, AbuseIPDB, Spur, and Shodan. Verdict banners derived from all sources combined.

Docker Ready

Single-command Docker run or a full Compose stack with PostgreSQL and persistent volumes. Runs comfortably on a Raspberry Pi 5 in production.

Insight — Web Threat Scanner Private

Content-Based Detection. No APIs Required.

Source temporarily private. The Insight repository has been made private until further notice. The live scanner and the documentation below stay available — any interest in source access should be made directly.
JavaScript Threat Engine

58 checks — Magecart skimmers, keyloggers, ClickFix payloads, wallet drainers, blockchain C2 loaders, JSFuck/JJEncode/XOR obfuscation, ChaCha20 payloads, NDSW injection, AppleScript infostealers, and more.

HTML Structural Analysis

33+ checks — phishing forms, OTP relay (AiTM), tampered GTM snippets, copyright impersonation, wallet extension injection, ClickFix CAPTCHA pages, WebDAV infrastructure, and more.

Domain Intelligence

Typosquats and homographs of 30+ brands, DGA probability scoring, high-risk TLD detection, newly registered domain age checks, and abuse-platform hosting detection.

Context Collapse Engine

7 correlation rules that combine individual MEDIUM signals into HIGH/CRITICAL synthetic findings when combinations indicate coordinated attack infrastructure.

Why content-based detection?

Zero-day coverage — detects freshly deployed phishing pages and newly injected skimmers before any reputation database knows they exist

Campaign recognition — names the attack: ClickFix, SocGholish, Magecart, wallet drainer. Analysts can cross-reference threat intel reports directly

Evidence-first findings — every finding includes the actual payload, decoded string, or header value so analysts can make their own judgment

No API dependencies — fully self-contained, no rate limits, no external calls during analysis

The Analyst Workflow

Better Together

Insight and Vault1337 are designed as a pipeline. A suspicious URL leads to a sample. A sample leads to IOCs. IOCs lead back to URLs. The tools close the loop.

Step 1

Scan the URL

A suspicious link arrives — in email, a chat message, or a threat report. Submit it to Insight.

  • Identifies ClickFix, phishing forms, skimmers
  • Flags typosquats of known brands
  • Detects malicious downloads referenced on the page
  • Verdict: MALICIOUS / SUSPICIOUS / CLEAN

Step 2

Analyse the Sample

Insight surfaces a malicious download. Pull it into Vault1337 by URL or SHA256.

  • Run PE/ELF/Mach-O/APK/document analysis
  • Extract IOCs — IPs, domains, persistence paths
  • Map to MITRE ATT&CK techniques
  • Auto-enrich IOCs via VirusTotal & AbuseIPDB

Step 3

Export & Act

With full context in hand, export findings in analyst and platform-ready formats.

  • STIX 2.1 bundle for threat intel platforms
  • PDF report for incident documentation
  • Feed domain IOCs back into Insight for pivot scanning
  • All data stays on your infrastructure

About

About the Projects

These tools started as hands-on learning exercises and grew into full-stack applications used in practice. Minos guards the home network as a DNS sinkhole on a Raspberry Pi, and Carapace renders suspicious pages safely — both open-source and on GitHub. Vault1337 runs on a Raspberry Pi 5 for personal malware research, and Insight is live at insight.vault1337.com for quick URL triage before visiting suspicious links.

Note: the Vault1337 and Insight repositories have been made Private until further notice. Their documentation, the live Insight scanner, and the Vault1337 Docker image remain available — any interest in source access should be made directly. Minos (Go, GPLv3) and Carapace (Rust) stay fully open-source.