CyberThreat AI is an open-source Astro application that you can self-host. This guide covers everything you need to get a working instance running locally or on a server.

Prerequisites

  • Node.js >= 22.12.0
  • pnpm (recommended; npm also works)
  • API keys for the services you want to support (see Using your API keys)

Setup

1. Clone the repository

    git clone https://github.com/marcvspt/cyberthreat-ai.git
    cd cyberthreat-ai

2. Install dependencies

    pnpm install

3. Create a .env file

Create a .env file at the root of the project. All variables are optional, but at minimum you should set OPENROUTER_API_KEY if your users will not be supplying their own OpenRouter key.

    VIRUSTOTAL_API_KEY=your-virustotal-key
    ABUSEIPDB_API_KEY=your-abuseipdb-key
    POLYSWARM_API_KEY=your-polyswarm-key
    OPENROUTER_API_KEY=your-openrouter-key
    RATE_LIMIT_POINTS=5
    RATE_LIMIT_DURATION=60

See the environment variable reference below for details on each variable.

4. Start the server

    pnpm run dev

The development server starts at http://localhost:4321. It includes hot module replacement and detailed error output.

Environment variables

These keys are used as server-side fallbacks. When a user does not supply their own key via request headers or the UI settings modal, CyberThreat AI falls back to these values. If a key is absent from both the user’s request and the environment, that source is skipped or queried without authentication.

| Variable | Service | Required |
| --- | --- | --- |
| VIRUSTOTAL_API_KEY | VirusTotal — IP, domain, and hash lookups | No |
| ABUSEIPDB_API_KEY | AbuseIPDB — IP reputation | No |
| POLYSWARM_API_KEY | PolySwarm — hash analysis | No |

Robtex does not require an API key and has no corresponding environment variable.

| Variable | Description | Required |
| --- | --- | --- |
| OPENROUTER_API_KEY | Server-side fallback key for OpenRouter. Used when a user has not set their own OpenRouter key. | Required if users won’t supply their own |

If OPENROUTER_API_KEY is not set and users do not provide their own OpenRouter key, all analysis requests will fail at the AI stage.

CyberThreat AI enforces a per-IP rate limit on the /api/ctai endpoint. These variables control the window size and request allowance.

| Variable | Description | Default |
| --- | --- | --- |
| RATE_LIMIT_POINTS | Maximum number of requests allowed per IP within the duration window | 5 |
| RATE_LIMIT_DURATION | Duration of the rate limit window, in seconds | 60 |

With the defaults, each IP address can submit up to 5 analysis requests per 60-second window. Requests beyond this limit receive a 429 Too Many Requests response with a retryAfterSeconds field.
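
The window arithmetic behind these two variables, as an added example that is not CyberThreat AI's own code. It assumes a fixed window that opens at an IP's first request; `createLimiter`, `check`, `demo` and the sample IP addresses are hypothetical names and constructed values.

```javascript
// Added illustration of a fixed-window, per-IP limiter driven by
// RATE_LIMIT_POINTS and RATE_LIMIT_DURATION. Not the project's implementation.
// Assumption: a window opens at an IP's first request and resets once it expires.
function readPositiveInt(value, fallback) {
  const n = Number.parseInt(value ?? "", 10);
  return Number.isInteger(n) && n > 0 ? n : fallback;
}

function createLimiter(env = {}, now = () => Date.now()) {
  const points = readPositiveInt(env.RATE_LIMIT_POINTS, 5); // documented default
  const durationMs = readPositiveInt(env.RATE_LIMIT_DURATION, 60) * 1000;
  const windows = new Map(); // ip -> { used, resetAt }; idle entries are not evicted here

  return function check(ip) {
    const t = now();
    let w = windows.get(ip);
    if (!w || t >= w.resetAt) {
      // First request from this IP, or its previous window has expired.
      w = { used: 0, resetAt: t + durationMs };
      windows.set(ip, w);
    }
    if (w.used >= points) {
      // Over the allowance: report how long until the window resets.
      const retryAfterSeconds = Math.ceil((w.resetAt - t) / 1000);
      return { status: 429, body: { retryAfterSeconds } };
    }
    w.used += 1;
    return { status: 200, remaining: points - w.used };
  };
}

// Constructed scenario: one client sends six requests two seconds apart,
// a second client sends one, then the first client returns after the window.
function demo() {
  let clock = 0; // fake clock in milliseconds, so the run is deterministic
  const env = { RATE_LIMIT_POINTS: "5", RATE_LIMIT_DURATION: "60" };
  const check = createLimiter(env, () => clock);
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(check("203.0.113.7"));
    clock += 2000;
  }
  results.push(check("198.51.100.9")); // different IP, separate allowance
  clock = 60000;
  results.push(check("203.0.113.7")); // window expired, allowance restored
  return results;
}

console.log(demo());
```
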

Docker and Dokploy

The application builds to a standalone Node.js server (dist/server/entry.mjs), which makes it straightforward to containerize. You can wrap it in a standard Node.js Docker image, expose port 4321, and pass your environment variables at runtime. If you use Dokploy for deployment, point it at the repository and configure your environment variables in the Dokploy dashboard. The standalone Astro output requires no additional server configuration beyond a Node.js runtime.
