everything you need to know to use nur
Install the CLI, register with your work email, start contributing.
```shell
# install
pip install nur

# initialize (saves server URL, generates keypair)
nur init

# register with your work email (gmail/yahoo blocked)
nur register you@yourorg.com
# check your email, click the magic link, get your API key

# then start reporting
nur report incident.json
```
That's it. Your data is anonymized locally before it leaves your machine. You get back collective intelligence from everyone who contributed.
You're under attack. Upload IOCs, get campaign matches, detection gaps, remediation actions.
```shell
nur report incident_iocs.json
# Response:
#   Campaign Match: Yes — 4 other healthcare orgs
#   Shared IOCs: 32 · Threat Actor: LockBit
#   Actions:
#     [CRITICAL] Block C2 domains at firewall
#     [CRITICAL] Deploy T1490 detection — your tools miss it
#     [HIGH]     Hunt for RDP lateral movement
#   What worked at other orgs:
#     - Isolated RDP across all subnets (stopped_attack)
#     - Deployed Sigma rule for vssadmin delete (stopped_attack)
```
```shell
nur report attack_map.json        # detection gap analysis
nur report eval.json              # benchmark your tools
nur report incident.json --json | jq '.intelligence.actions'
```
Build defenses. Market maps, vendor comparisons, threat modeling, attack simulations.
```shell
nur market edr                               # vendor rankings by category
nur search vendor crowdstrike                # real scores, not Gartner
nur search compare crowdstrike sentinelone   # side-by-side comparison
```
```shell
nur threat-model --stack crowdstrike,splunk,okta --vertical healthcare
# Response:
#   Coverage: 75% (6/8 priority techniques)
#   Gaps:
#     T1566 Spearphishing → add email security
#     T1048 Exfiltration  → add NDR or DLP
#   Compliance: HIPAA ✓ · NIST CSF ✓ · HITECH ✗

# Export as HCL (threatcl-compatible)
nur threat-model --stack crowdstrike,splunk --hcl --output model.hcl
```
```shell
nur patterns healthcare   # attack methodology patterns for a vertical
nur patterns financial    # what APT groups target finance
```
```shell
nur simulate --stack crowdstrike,splunk,okta --vertical healthcare
# Simulates the most common attack chain against your stack
# Shows exactly where your defenses break, step by step
```
Plug nur into your existing security stack. 10 integration points.
```shell
nur integrate splunk        # forward alerts from Splunk
nur integrate sentinel      # forward incidents from Microsoft Sentinel
nur integrate crowdstrike   # forward detections from CrowdStrike
```
```shell
nur integrate syslog --port 1514   # listen for CEF/syslog events
# or POST to /ingest/webhook with any supported format
```
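To see what the syslog path has to do with a CEF record before it becomes an IOC request, here is an added example written for this page (it is not nur's own ingest code). It parses a CEF line into its seven header fields plus the key=value extension, picks the extension keys that carry indicators, drops internal destination addresses, and builds the `{"iocs": [...]}` body that `POST /analyze` takes. The sample event, the vendor and product names, and the key-to-`ioc_type` mapping are all constructed for the example; the page only documents `ip` as an `ioc_type`.

```python
import ipaddress
import json
import re

# Constructed sample event: vendor, product and every field value are made up.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleEDR|1.0|100|Outbound C2 beacon|8|"
    "src=10.1.2.3 dst=203.0.113.42 dhost=c2.example "
    "request=http://c2.example/gate.php "
    "fileHash=d41d8cd98f00b204e9800998ecf8427e shost=WS01"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Extension keys that carry indicators and the ioc_type assigned to each.
# Assumption for this example: only "ip" is documented on the page.
IOC_KEYS = {"dst": "ip", "dhost": "domain", "request": "url", "fileHash": "hash"}

# key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Address ranges treated as internal and therefore not shareable indicators.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_cef(line: str) -> dict:
    """Split a CEF record into its 7 header fields plus an extension dict.

    Header fields may contain an escaped pipe (\\|) and extension values an
    escaped equals sign (\\=); both are unescaped here.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    event = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    event["extension"] = {k: v.replace("\\=", "=")
                          for k, v in _EXT_RE.findall(parts[7])}
    return event


def is_internal_ip(value: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses, and for non-IP strings."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True
    return any(addr in net for net in _INTERNAL)


def cef_to_analyze_body(line: str) -> dict:
    """Build the {"iocs": [...]} request body shown for POST /analyze."""
    ext = parse_cef(line)["extension"]
    iocs = []
    for key, ioc_type in IOC_KEYS.items():
        value = ext.get(key)
        if not value:
            continue
        if ioc_type == "ip" and is_internal_ip(value):
            continue  # an internal destination is not an indicator worth sharing
        iocs.append({"ioc_type": ioc_type, "value": value})
    return {"iocs": iocs}


if __name__ == "__main__":
    print(json.dumps(cef_to_analyze_body(SAMPLE_CEF), indent=2))
```

The regex-based extension parser is the usual compromise for CEF: values may contain spaces, so a value is taken to run until the next ` key=` token. A value that itself contains ` word=` text (a command line, say) will be cut short; if your source emits those, escape them at the sender or switch to a tokenizer that honours `\=`.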
```shell
nur import navigator layer.json     # import MITRE ATT&CK Navigator layers
nur import stack inventory.csv      # import your tool inventory
nur import compliance soc2.json     # import compliance framework mappings
nur import rfp responses.json       # import vendor RFP responses
```
```shell
nur export stix   # export intelligence as STIX 2.1
nur export misp   # export as MISP events
```
```python
from nur import load_file, anonymize, submit

# Load the raw incident records, scrub them locally, then submit each one.
# anonymize() runs on your machine, so nothing raw reaches the server.
data = load_file("incident.json")
clean = [anonymize(d) for d in data]
for record in clean:
    submit(record, api_url="https://nur.saramena.us")
```
All endpoints. Full API documentation with examples.
| Method | Path | Description |
|---|---|---|
| POST | /analyze | Give data, get intelligence report |
| POST | /contribute/submit | Submit tool evaluation |
| POST | /contribute/attack-map | Submit attack map with techniques |
| POST | /contribute/ioc-bundle | Submit IOC bundle |
| POST | /ingest/webhook | Universal webhook (Splunk, Sentinel, CrowdStrike, CEF, generic) |
| POST | /register | Register with work email + public key |
| POST | /threat-model | Generate MITRE-mapped threat model for your stack |
| GET | /intelligence/market/{category} | Vendor market map by category |
| POST | /intelligence/threat-map | Map threat to MITRE techniques, show coverage gaps |
| GET | /intelligence/danger-radar | Vendors with hidden risk signals |
| GET | /intelligence/patterns/{vertical} | Attack methodology patterns for an industry |
| POST | /intelligence/simulate | Simulate attack chain against your stack |
| GET | /search/vendor/{name} | Vendor scores and details |
| GET | /search/compare?a=X&b=Y | Side-by-side vendor comparison |
| GET | /dashboard | Visual dashboard with charts |
| GET | /guide | This documentation page |
| GET | /health | Liveness check |
| GET | /stats | Contribution counts (anonymized) |
```shell
curl -X POST https://nur.saramena.us/analyze \
  -H "Content-Type: application/json" \
  -H "X-API-Key: nur_yourkey" \
  -d '{"iocs": [{"ioc_type": "ip", "value": "203.0.113.42"}]}'
```

```shell
curl -X POST https://nur.saramena.us/threat-model \
  -H "Content-Type: application/json" \
  -H "X-API-Key: nur_yourkey" \
  -d '{"stack": ["crowdstrike", "splunk"], "vertical": "healthcare"}'
```

```shell
curl -X POST https://nur.saramena.us/intelligence/simulate \
  -H "Content-Type: application/json" \
  -d '{"stack": ["crowdstrike", "splunk", "okta"], "vertical": "healthcare"}'
```
Everything is anonymized on your machine before submission. Three privacy levels:

1. All IOC values are SHA-256 hashed, IPs are truncated to /24, and domains are hashed. No org name, no analyst name and no raw indicator leaves your machine. One caveat a defender should keep in mind: an unkeyed SHA-256 of a low-entropy value is reversible by enumeration (there are only 2^24, about 16.7 million, IPv4 /24 prefixes, and common domains appear in public lists), so treat hashing as pseudonymization rather than as irreversible.
2. Only MITRE technique IDs, detection/miss booleans and category scores are submitted. Zero IOCs, zero raw data, just structure.
3. Laplace noise is added to all numeric values. Secure aggregation ensures the server only sees aggregate totals, never individual contributions. Minimum-k enforcement: no aggregates with fewer than 3 contributors.
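As an added illustration of what levels 1 and 3 mean in code, the block below is example code written for this page, not nur's `anonymize()` or its server-side aggregation. It truncates IPs to their /24 and hashes every value with a keyed SHA-256, then shows the aggregator side: per-technique detection counts, minimum-k suppression, and Laplace noise. The community key, the output field names, the IPv6 prefix length, and the epsilon value are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import random
from collections import defaultdict

# Assumption for this example: a key handed to every contributor at
# registration. Hashes must be deterministic across orgs or campaign
# matching could not work, so the key defends the values against anyone
# who does not hold it, but not against enumeration by a party who does.
COMMUNITY_KEY = b"example-key-issued-at-registration"


def truncate_ip(value: str) -> str:
    """Drop the host part: 203.0.113.42 -> 203.0.113.0/24.

    IPv6 is cut to /48; that prefix length is this example's choice.
    """
    addr = ipaddress.ip_address(value)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def hash_value(value: str) -> str:
    """Keyed SHA-256 (HMAC) of the already-normalized value."""
    return hmac.new(COMMUNITY_KEY, value.encode(), hashlib.sha256).hexdigest()


def anonymize_ioc(ioc: dict) -> dict:
    """Level 1: normalize, truncate IPs to /24, then hash every value.

    The output field name value_sha256 is this example's choice.
    """
    ioc_type = ioc["ioc_type"]
    value = ioc["value"].strip()
    if ioc_type == "ip":
        value = truncate_ip(value)
    elif ioc_type == "domain":
        value = value.lower().rstrip(".")  # so Evil.Example. and evil.example match
    return {"ioc_type": ioc_type, "value_sha256": hash_value(value)}


def laplace(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) sampled as the difference of two exponentials."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def aggregate(contributions, epsilon: float = 1.0, min_k: int = 3, rng=None) -> dict:
    """Level 3 on the aggregator side.

    contributions: iterable of (org_id, technique_id, detected: bool).
    Counts distinct orgs per technique, suppresses techniques reported by
    fewer than min_k orgs, and adds Laplace noise with scale 1/epsilon
    (one org can change any count by at most 1, so sensitivity is 1).
    """
    rng = rng or random.SystemRandom()
    reported = defaultdict(set)
    detected = defaultdict(set)
    for org_id, technique, hit in contributions:
        reported[technique].add(org_id)
        if hit:
            detected[technique].add(org_id)
    result = {}
    for technique, orgs in reported.items():
        if len(orgs) < min_k:
            continue  # minimum-k: too few contributors to release anything
        result[technique] = {
            "contributors_noisy": len(orgs) + laplace(1 / epsilon, rng),
            "detected_noisy": len(detected[technique]) + laplace(1 / epsilon, rng),
        }
    return result


if __name__ == "__main__":
    # Constructed sample input.
    print(anonymize_ioc({"ioc_type": "ip", "value": "203.0.113.42"}))
    sample = [("org1", "T1490", True), ("org2", "T1490", True),
              ("org3", "T1490", False), ("org4", "T1490", True),
              ("org1", "T1566", True), ("org2", "T1566", False)]
    print(aggregate(sample))  # T1566 is suppressed: only 2 contributors
```

Two points the code makes explicit: the minimum-k test runs on the true contributor set before any noise is added, and the noise scale follows from a sensitivity of 1, which only holds because each org is counted once per technique (the sets deduplicate repeated submissions). Whether the real server uses these exact parameters is not something this page states.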
Run your own nur instance for your industry or organization.
```shell
nur up --vertical healthcare   # LockBit, HIPAA focus
nur up --vertical financial    # APT28, PCI DSS focus
nur up --vertical energy       # Sandworm, NERC CIP focus
nur up --vertical government   # APT29, FISMA focus
```
```shell
git clone https://github.com/manizzle/nur.git && cd nur
docker compose up -d

# or with the install script
curl -sSL https://raw.githubusercontent.com/manizzle/nur/main/install.sh | bash
```

If you use the install script, download it first and read it before running it; it executes with whatever privileges the invoking shell has.
```env
# .env file
NUR_DB_URL=postgresql+asyncpg://user:pass@db:5432/nur
NUR_API_KEY=your_master_api_key
# auto-scrape public feeds every hour
NUR_AUTO_INGEST=1
# for magic link emails
NUR_DOMAIN=nur.yourorg.com
# email verification
NUR_SMTP_HOST=smtp.yourorg.com
NUR_SMTP_PORT=587
NUR_SMTP_USER=nur@yourorg.com
NUR_SMTP_PASS=your_smtp_password
```

NUR_API_KEY is the master key for the instance and NUR_SMTP_PASS is a live credential: generate the key from a cryptographic random source rather than choosing a memorable string, and keep the .env file out of version control and out of container images.
```shell
pip install nur && nur init && nur register you@org.com
```