CERT-FR Alertes
ransomware.live
BleepingComputer
Red Flag Domains
Microsoft Security
Krebs on Security
Google TAG
Cisco Talos
SANS ISC Diary
Dark Reading
Recorded Future
Palo Alto Unit 42
CERT-FR Alertes
ransomware.live
BleepingComputer
Red Flag Domains
Microsoft Security
Krebs on Security
Google TAG
Cisco Talos
SANS ISC Diary
Dark Reading
Recorded Future
Palo Alto Unit 42
Cyber Threat Intelligence · Open Source

Introducing Cassandra // Modular CTI Aggregator

She warned of the danger. Nobody listened.

CassandraCTI collects threat intelligence from 30+ sources and makes sure your team actually receives it — on Teams, Discord, or wherever they work.

→ Get Started View Source
LIVE INTEL FEED
32 SOURCES 0 DUPES EVENTS
DEDUP: ON · SQLITE
30+
Feeds pre-configured
3
Source types
SHA1
Event fingerprinting
0
Duplicate alerts sent
Architecture

Four steps.
Zero noise.

Every run fetches, deduplicates, routes, and delivers. No dashboard to check — events come to your team.

01 / FETCH
📡
Sources
RSS / Atom feeds
ransomware.live API
Red Flag Domains
02 / FILTER
🔇
Deduplicate
Regex deny / allow
Max items / source
SQLite event store
03 / ROUTE
🗺
Router
Source prefix
Tag match
Regex (title / source)
04 / SEND
📤
Transports
Teams MessageCard
Discord Embed
Retry + throttle
Sources

Three threat intel
sources, ready to go.

Add your own with a single command. 30+ feeds pre-configured.

📰
RSS / Atom Feeds
source_id → rss:{name}

Polls any RSS or Atom feed with custom User-Agent. HTML stripped via BeautifulSoup, dates normalized to UTC. Fine-grained routing per feed via rss:{name} identifiers.

CERT-FR AlertesCERT-FR Avis Microsoft SecurityMicrosoft SentinelMSRC Cisco TalosTrend MicroProofpoint Checkpoint ResearchSentinelOneRedCanary Palo Alto Unit 42Kaspersky Securelist Recorded FutureGoogle TAGATT LevelBlue Krebs on SecurityBleepingComputer Dark ReadingHacker NewsThreatpost SANS ISC DiarySchneier on Security Graham CluleyVirusBulletin InfoSecurity MagazineCyber-News.fr Adam Chester (XPN)ModexpJames Forshaw + custom feeds
🏴‍☠️
Ransomware Live
source_id → ransomware.live

Tracks ransomware group attacks from ransomware.live. Country flag emoji auto-detected from victim domain. Configurable lookback window.

group_name country 🇫🇷🇬🇧🇺🇸 activity post_url description lookback_days
🚩
Red Flag Domains
source_id → red.flag.domains

Downloads the daily malicious domain list. One event per run with a 50-domain preview and a direct link to the full list.

daily .txt file domain count 50 preview full list link
Transports

Reach your team
where they work.

Batching, throttling, emoji mapping, retry with backoff. Each transport is independently configurable.

TYPE: TEAMS
Microsoft Teams
💬
webhook_urlIncoming webhook · env var
theme_colorHex border color, e.g. 0078D7
throttle_msMin 1000ms between cards
emojisAuto emoji per source
batching.max_itemsGroup N events per card
retry3× · 2s fixed · 429-aware
TYPE: DISCORD
Discord
🎮
webhook_urlDiscord webhook · env var
usernameBot display name override
avatar_urlBot avatar image URL
throttle_msDefault 500ms
batching.max_itemsGroup N events per embed
retry5× · exponential · 60s max
connectors.yaml 
# No secrets in files — use environment variables
connectors:
  - id: "teams-cert"
    type: "teams"
    params:
      webhook_url: ${MSTEAMS_WEBHOOK_CERT}
      theme_color: "0078D7"
      emojis: true
      batching: { enabled: true, max_items: 5 }

  - id: "discord-alert"
    type: "discord"
    params:
      webhook_url: ${DISCORD_WEBHOOK_URL}
      username: "CassandraCTI"
      throttle_ms: 500
CLI Reference

One tool to rule
the full lifecycle.

Init, run, debug, repair — everything from a single cassandra command.

cassandra init
Create default config in ~/.config/cassandra-cti/. First step on any new machine.
cassandra run
Execute the aggregation cycle. --loop for daemon mode, --dry-run to test without sending.
cassandra add-source
Add an RSS feed or enable ransomware_live / redflag with one command.
cassandra import-feeds
Bulk import RSS feeds from CSV. Format: Name,URL,Tags.
cassandra add-connector
Register a Teams connector: webhook, color, batching, emoji config.
cassandra routes-add
Add or update a routing rule (source, tag, or regex) → transport(s).
cassandra doctor
Validate YAML schema or fire a test message through any connector.
cassandra list
Print all configured sources, routes, and connector IDs.
cassandra backfill
Replay historical events to a transport — recover from downtime.
cassandra db-reset
Delete the SQLite database. Clears all dedup history. Requires --force.
cassandra seen-clear
Surgically clear dedup history by source prefix, date range, or both.
Get Started

From zero to alerts
in five minutes.

01
Install

Clone and install. The cassandra CLI entry point is available globally after install.

$ git clone https://github.com/franckferman/CassandraCTI.git
$ cd CassandraCTI && pip install .
02
Initialize

Create default config files. Edit them — or use CLI commands to populate them.

$ cassandra init
# → ~/.config/cassandra-cti/config.yaml
# → ~/.config/cassandra-cti/connectors.yaml
03
Add connector & sources

Register your webhook. Add feeds. Enable trackers.

$ cassandra add-connector \
    --id "teams-soc" \
    --webhook-url "https://..."

$ cassandra add-source rss \
    --name "CERT-FR" \
    --url "https://cert.ssi.gouv.fr/alerte/feed/" \
    --tags "cert,fr"

$ cassandra add-source ransomware_live
04
Validate & run
$ cassandra doctor config
$ cassandra doctor connector --id teams-soc
$ cassandra run --dry-run --verbose

# Go live — loop every 5 minutes
$ cassandra run --loop --interval 300
config.yaml — minimal example 
schema_version: 1

sources:
  rss:
    enabled: true
    feeds:
      - name: "CERT-FR Alertes"
        url: "https://cert.ssi.gouv.fr/alerte/feed/"
        tags: ["cert", "fr"]
  ransomware_live:
    enabled: true
    lookback_days: 30

transports:
  use: ["teams-soc"]

routes:
  - name: "cert-alerts"
    include_tags: ["cert"]
    transports: ["teams-soc"]

  - name: "ransomware"
    include_sources: ["ransomware.live"]
    transports: ["teams-soc"]
    template: "templates/ransomware_card.j2"

store:
  sqlite_path: ".cassandra_cti.db"
  seen_ttl_days: 90
Docker Compose 
services:
  cassandra-cti:
    build: .
    volumes:
      - ./config:/config
    environment:
      - MSTEAMS_WEBHOOK_SOC=${MSTEAMS_WEBHOOK_SOC}
      - DISCORD_WEBHOOK_URL=${DISCORD_WEBHOOK_URL}
    command: >
      cassandra run
        --config /config/config.yaml
        --loop --interval 300
    restart: unless-stopped

The oracle warned you.
Will you listen this time?

CassandraCTI is free, open-source, AGPL-3.0.

GitHub → Documentation