Cyber Risk Assessment & Threat Intelligence Platform (CRATIP) is a Python-based security platform designed to identify, analyze, and prioritize cyber risks in an organization’s network environment. The platform integrates vulnerability scanning, threat intelligence data, and AI-driven risk analysis into a single unified system. It uses Nmap to scan networks and detect exposed services, then enriches the collected data with threat intelligence from sources such as Shodan, VirusTotal, NVD, Vulners, and CISA KEV. The system evaluates vulnerabilities using CVSS and EPSS scoring models to determine the likelihood of real-world exploitation. The platform presents results through an interactive dashboard built with Streamlit, where users can visualize risks, analyze threats, and receive simplified explanations through AI-based summarization. By combining scanning, intelligence, and risk prioritization, the platform helps organizations move from reactive security to proactive cyber risk management.
Introduction
The Cyber Risk Assessment & Threat Intelligence Platform (CRATIP) is a cybersecurity solution developed using Python to help organizations identify and manage potential cyber threats in their networks. With the increasing number of cyberattacks worldwide, organizations require tools that not only detect vulnerabilities but also help them understand and prioritize risks effectively.
Traditional security tools often provide fragmented results from different scanners and threat intelligence platforms. These outputs are highly technical and difficult to correlate, which forces security teams to spend significant time analyzing data manually. As a result, organizations often remain in a reactive security posture rather than proactively preventing cyber threats.
To address this issue, our platform integrates multiple cybersecurity technologies into a single system that performs network scanning, threat intelligence enrichment, risk scoring, and visualization.
System Architecture
The platform is designed as a multi-layer architecture consisting of four major components:
Vulnerability Scanning Engine
Threat Intelligence Engine
Risk Scoring and AI Summarization Engine
Dashboard and Visualization Layer
Each layer performs a specific function while communicating through REST APIs.
1. Vulnerability Scanning Engine
The first layer of the system is the Vulnerability Scanning Engine, which is responsible for identifying potential security weaknesses within a network.
This engine uses Nmap (Network Mapper) to scan:
IP addresses
Domains
CIDR network ranges
The scanning process identifies:
Live hosts in the network
Open ports
Running services
Service versions
Detecting the version of services is important because many vulnerabilities are linked to specific software versions.
All scan results are stored in JSON format, which allows easy processing by other modules of the platform.
2. Threat Intelligence Engine
Raw scan results alone are not sufficient to understand the real security risk. Therefore, the second layer of the system enriches scan data with threat intelligence information.
The platform implements a three-tier threat intelligence model:
1. Exposure Intelligence
This component uses Shodan to identify assets that are publicly exposed on the internet. It helps organizations understand which systems are visible to attackers.
2. Malware Intelligence
This module uses VirusTotal to analyze the reputation of IP addresses, domains, or files. It checks whether the asset has been previously associated with malware or suspicious activities.
3. Vulnerability Intelligence
This component gathers vulnerability information from trusted sources such as:
NVD (National Vulnerability Database)
Vulners Database
CISA Known Exploited Vulnerabilities (KEV)
These databases provide detailed information about CVE (Common Vulnerabilities and Exposures) entries and indicate whether those vulnerabilities are actively exploited.
3. Risk Scoring and AI Summarization Engine
The third layer acts as the core intelligence unit of the platform.
Traditional security tools usually rely on CVSS (Common Vulnerability Scoring System) scores to measure vulnerability severity. However, CVSS represents only theoretical severity; it does not indicate how likely a vulnerability is to be exploited.
To improve risk assessment, the platform also integrates the EPSS (Exploit Prediction Scoring System), which predicts the likelihood that a vulnerability will be exploited in the real world.
By combining:
CVSS severity
EPSS exploit probability
Threat intelligence context
the platform generates a prioritized list of vulnerabilities.
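One way to combine these three inputs into a ranked list, shown as an added example rather than the platform's own scoring formula. The weights, the KEV floor, the exposure multiplier and all names are assumptions, and the findings use placeholder identifiers with constructed scores.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                        # placeholder identifiers in this example
    cvss: float                     # CVSS base score, 0.0 to 10.0
    epss: float                     # EPSS probability, 0.0 to 1.0
    in_kev: bool = False            # listed in CISA KEV
    internet_exposed: bool = False  # asset visible from the internet (e.g. per Shodan)

def risk_score(f, w_cvss=0.4, w_epss=0.6):
    """Blend severity and exploit likelihood into a 0-100 score (assumed weights)."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"score out of range for {f.cve}")
    base = w_cvss * (f.cvss / 10.0) + w_epss * f.epss
    if f.in_kev:
        # Confirmed exploitation outranks any prediction: floor at 0.9 (assumed)
        base = max(base, 0.9)
    if f.internet_exposed:
        # Reachable assets get a 15% uplift, capped at 1.0 (assumed)
        base = min(1.0, base * 1.15)
    return round(base * 100, 1)

def prioritize(findings):
    """Return (cve, score) pairs, highest risk first."""
    return sorted(((f.cve, risk_score(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)

# Constructed sample findings
SAMPLE = [
    Finding("CVE-EXAMPLE-A", cvss=9.8, epss=0.02),
    Finding("CVE-EXAMPLE-B", cvss=7.5, epss=0.90, internet_exposed=True),
    Finding("CVE-EXAMPLE-C", cvss=6.5, epss=0.10, in_kev=True),
]

if __name__ == "__main__":
    for cve, score in prioritize(SAMPLE):
        print(f"{score:5.1f}  {cve}")
```

With these sample values, the finding with the highest CVSS score ranks last, which is the difference between severity-only sorting and exploit-aware prioritization.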
Additionally, this layer includes an AI-driven summarization module that converts complex technical findings into simple natural language explanations. This allows both technical and non-technical users to understand the risk.
Users can also interact with the system using a Natural Language Query Interface, which allows them to ask questions about vulnerabilities and threats.
4. Dashboard and Visualization Layer
The final layer is the Dashboard Engine, which provides the user interface for interacting with the system.
The dashboard is built using:
Streamlit for the frontend interface
Pandas for data processing
Plotly for interactive graphs and visualizations
FastAPI for backend REST API communication
The dashboard displays:
Scan results
Risk levels of vulnerabilities
Asset exposure information
Global distribution of detected assets
Users can submit a scan target (IP address, domain, or file), and the request is processed through the backend system. The results are then visualized in the dashboard.
Workflow of the Platform
User enters a scan target (IP, domain, or file).
The request is sent to the backend through a REST API.
The scanning engine performs network scanning using Nmap.
The threat intelligence engine enriches the scan results using multiple intelligence sources.
The risk scoring engine evaluates vulnerabilities using CVSS and EPSS.
AI generates simplified summaries and risk insights.
The results are displayed on the interactive dashboard.
Future Scope
The future development of this platform includes:
Personalized risk profiling for individual organizations
Real-time monitoring and alert systems
Automated threat detection and response
Integration with Security Information and Event Management (SIEM) systems
Machine learning models for improved threat prediction
These improvements will enhance the platform’s ability to provide proactive cybersecurity defense.