Vera5

Local-first IOC enrichment for analysts.

Vera5 brings indicator context directly into analyst workflows without requiring a Vera5 cloud service. Detect indicators on the page you are already on. Enrich them with the sources you choose. Keep the investigation in one place.

In active development

The friction

Investigations lose flow when context is scattered.

Analysts copy indicators between tabs, paste them into enrichment portals, switch back to the alert, re-orient, then repeat. Each lookup is small. The cumulative cost is not.

Context fragments across tools. Pivots interrupt focus. The original page — the alert, the report, the ticket — becomes one of many windows competing for attention.

What Vera5 does

Context where the analyst already works.

Detect indicators on webpages

Indicators of compromise — IPs, domains, URLs, hashes, CVEs — surfaced where they appear in alerts, tickets, dashboards, and reports.

Show contextual enrichment

Aggregate context from analyst-configured threat intelligence sources into a compact hover card. No tab-switching, no manual lookup loop.

Preserve source attribution

Every enrichment field shows the source that produced it. Disagreement between sources stays visible — never collapsed into a single opaque score.

Support local-first workflows

Enrichment runs from the browser using your own API keys. No required Vera5 backend, no maintainer-operated proxy, no shared quota pool.

Keep analysts in control

Toggle sources, IOC types, and automatic scanning. Manual-only mode is supported. Cache behavior is visible and clearable.

Trust model

Privacy is a product requirement, not a setting.

  • Bring your own keys

    API credentials for enrichment sources stay in browser local storage. Vera5 does not proxy or pool them.

  • No required Vera5 cloud

    The extension operates locally. There is no Vera5-managed account, no shared backend, and no required hosted service to run enrichment.

  • No default telemetry

    Vera5 does not collect usage metrics, error reports, browsing history, or analyst identity by default.

  • No silent page uploads

    Full page content is never transmitted. Only indicators an analyst chooses to enrich leave the machine.

  • Indicators only, by choice

    External APIs receive only the specific indicators selected for enrichment — nothing else from the page or session.

Built for

Analyst workflows, not demo environments.

  • SOC triage

    Faster context on alerts inside SIEM, EDR, and ticketing dashboards.

  • CTI research

    Inline pivots while reading threat reports, OSINT, and infrastructure write-ups.

  • DFIR review

    Enrichment for indicators in timelines, logs, CSV exports, and HTML reports.

  • Malware analysis

    Pivot extracted strings and infrastructure references without leaving the report.

  • Threat hunting

    Lightweight context layer for investigative browsing and pivot work.

Current status

In active development.

The current focus is the browser extension scaffold, indicator detection, and the first enrichment connectors. CLI support and an optional local backend are planned for later releases.

Initial integration targets — AbuseIPDB, AlienVault OTX, URLScan, GreyNoise Community, and RDAP — are in development. Additional sources, an optional self-hosted backend, and an opt-in local LLM summary layer are part of the longer-term direction outlined in the product vision.

Public documentation and source code are being prepared alongside the extension.

Design principles

Decisions that shape every part of the tool.

  1. Precision over spectacle.

    Readability and speed before visual gimmicks.

  2. Analyst control over automation.

    Decisions about what gets queried, cached, and shown stay with the operator.

  3. Attribution over black-box scoring.

    Sources are always visible. Disagreement is surfaced, not averaged away.

  4. Local-first over forced cloud.

    Cloud dependency is opt-in, never required.

  5. Open-source over hidden behavior.

    The code is auditable. The trust model is documented, not assumed.