Global Threat Intercept — Real-Time Geospatial Intelligence Platform
ShadowBroker is a decentralized intelligence platform that aggregates real-time, multi-domain OSINT telemetry from 60+ live intelligence feeds into a single dark-ops map interface. Aircraft, ships, satellites, conflict zones, CCTV networks, GPS jamming, internet-connected devices, police scanners, mesh radio nodes, and breaking geopolitical events — all updating in real time on one screen as well as an obfuscated communications protocol and information exchange infrastructure.
Built with Next.js, MapLibre GL, FastAPI, and Python. 40+ toggleable data layers, including SAR ground-change detection, Telegram OSINT (public channel previews geoparsed onto the map), a server-side recon toolkit (DNS, WHOIS, sanctions, BGP, IP sweep, and more), supply-chain risk overlays, and malware/C2 + CISA KEV cyber threat feeds. Multiple visual modes (DEFAULT / SATELLITE / FLIR / NVG / CRT). Right-click any point on Earth for a country dossier, head-of-state lookup, entity-graph expansion, and the latest Sentinel-2 satellite photo. ShadowBroker has no accounts, product telemetry, or analytics; the dashboard talks to your self-hosted backend. Sensitive recon and Shodan queries never hit third-party APIs from the browser — they are proxied through the backend with SSRF guards and local-operator auth. The OpenClaw / agent command channel exposes the same recon backends plus full telemetry search — no separate API integration required.
Designed for analysts, researchers, radio operators, and anyone who wants to see what the world looks like when every public signal is on the same map.
A surprising amount of global telemetry is already public — aircraft ADS-B broadcasts, maritime AIS signals, satellite orbital data, earthquake sensors, mesh radio networks, police scanner feeds, environmental monitoring stations, internet infrastructure telemetry, and more. This data is scattered across dozens of tools and APIs. ShadowBroker combines all of it into a single interface.
The project does not introduce new surveillance capabilities — it aggregates and visualizes existing public datasets. It is fully open-source so anyone can audit exactly what data is accessed and how. ShadowBroker does not include product telemetry, analytics, or accounts. Operator-supplied keys stay in your local deployment, but live OSINT features necessarily make outbound requests to the public data providers you enable or query.
ShadowBroker includes an optional Shodan connector for operator-supplied API access (SHODAN_API_KEY) and a Recon Toolkit panel for keyless OSINT lookups. Both run server-side only: the browser calls your self-hosted /api/osint/* and /api/tools/shodan/* routes; outbound requests are made by the backend after SSRF validation. Recon requires local-operator access (same trust model as layer toggles and admin routes). Shodan results render as a separate map overlay and remain subject to Shodan’s terms of service.
Not included: embedded live-news YouTube grids or a built-in Gemini AI analyst panel — use the OpenClaw / agent channel for AI-assisted analysis instead.
search_telemetry, search_news), the full recon toolkit (osint_lookup for IP/DNS/WHOIS/sanctions/CVE/etc.), entity-graph expansion, pin placement, map control, SAR ground-change, mesh networking, and alert delivery. It sees everything the operator sees and can take actions on the map in real time.t.me/s war/conflict feeds (OSINTdefender, NEXTA, etc.) scraped hourly, risk-scored, geoparsed to metro anchors, and plotted as clickable map pins with inline mediagit clone https://github.com/bigbodycobain/Shadowbroker.git
cd Shadowbroker
docker compose pull
docker compose up -d
git clone https://gitlab.com/bigbodycobain/Shadowbroker.git
cd Shadowbroker
docker compose -f docker-compose.yml -f docker-compose.gitlab.yml pull
docker compose -f docker-compose.yml -f docker-compose.gitlab.yml up -d
Both paths produce identical containers — same source, same CI, same images byte-for-byte. Pick whichever ecosystem you already use.
Open http://localhost:3000 to view the dashboard! (Requires Docker Desktop or Docker Engine)
Join the private InfoNet swarm (sb-testnet-0): Click NODE in the dashboard, or run
./meshnode.shfor a headless participant. No manual peer list — fleet defaults discover the seed and pull the signed manifest automatically. SetMESH_INFONET_FLEET_JOIN=falsein.envfor a private solo node.Backend port already in use? The browser only needs port
3000, but the backend API is also published on host port8000for local diagnostics. If another app already uses8000, create or edit.envnext todocker-compose.ymland setBACKEND_PORT=8001, then rundocker compose up -d.Blank news/UAP/bases/wastewater after several minutes? Check for backend OOM restarts with
docker events --since 30m --filter container=shadowbroker-backend --filter event=oom. The default compose file gives the backend 4GB; if your host has less memory, reduce enabled feeds or setBACKEND_MEMORY_LIMIT=3Gand expect slower/heavier layers to warm more gradually.Podman users: Podman works, but
podman composeis a wrapper and still needs a Compose provider installed. On Windows/WSL, if you seelooking up compose provider failed, installpodman-composeand runpodman-compose pullfollowed bypodman-compose up -dfrom inside the clonedShadowbrokerfolder. On Linux/macOS/WSL shells you can also use./compose.sh --engine podman pulland./compose.sh --engine podman up -d.
ShadowBroker uses pre-built Docker images — no local building required. Updating takes seconds:
docker compose pull
docker compose up -d
That's it. pull grabs the latest images, up -d restarts the containers.
Coming from an older version? Pull the latest repo code first, then pull images:
bash git pull origin main docker compose down docker compose pull docker compose up -dPodman users should run the equivalent provider command, for example
podman-compose pullandpodman-compose up -d, or use./compose.sh --engine podman pulland./compose.sh --engine podman up -dfrom a bash-compatible shell.
Docker updates are delivered through signed container registries. The legacy ZIP self-updater verifies release archives through this chain, in order:
MESH_UPDATE_SHA256 when an operator pins a digest explicitly.backend/data/release_digests.json for bundled release pins.SHA256SUMS.txt asset on GitHub when a bundled pin is not present.Release maintainers should run python backend/scripts/release_helper.py hash <ShadowBroker_vX.Y.Z.zip> before publishing, then publish SHA256SUMS.txt and update backend/data/release_digests.json when shipping a ZIP updater target. The updater keeps the operator override path intact instead of failing closed on missing bundled digests, so existing installs do not get stranded by a release-process mistake.
The production frontend ships with a hydration-compatible CSP and a strict nonce-only CSP in Content-Security-Policy-Report-Only. Set SHADOWBROKER_STRICT_CSP=1 only after verifying the exact build hydrates correctly in your deployment. Runtime Google Fonts are not required; the bundled Next font pipeline serves the dashboard font from the app build.
If git pull fails or docker compose up keeps building from source instead of pulling images, your clone predates a March 2026 repository migration that rewrote commit history. A normal git pull cannot fix this. Run:
# Back up any local config you want to keep (.env, etc.)
cd ..
rm -rf Shadowbroker
git clone https://github.com/bigbodycobain/Shadowbroker.git
cd Shadowbroker
docker compose pull
docker compose up -d
How to tell if you're affected: If docker compose up shows RUN apt-get, RUN npm ci, or RUN pip install — it's building from source instead of pulling pre-built images. You need a fresh clone.
Other troubleshooting:
docker compose pull --no-cachedocker image prune -fdocker compose logs -f backendFor high-availability deployments or home-lab clusters, ShadowBroker supports deployment via Helm. This chart is based on the bjw-s-labs template and provides a robust, modular setup for both the backend and frontend.
1. Add the Repository:
helm repo add bjw-s-labs https://bjw-s-labs.github.io/helm-charts/
helm repo update
2. Install the Chart:
# Default — pulls images from GHCR
helm install shadowbroker ./helm/chart --create-namespace --namespace shadowbroker
# GitLab registry variant
helm install shadowbroker ./helm/chart --create-namespace --namespace shadowbroker \
-f helm/chart/values.yaml \
-f helm/chart/values-gitlab.yaml
3. Key Features: * Modular Architecture: Individually scale the intelligence backend and the HUD frontend. * Security Context: Runs with restricted UIDs (1001) for container hardening. * Ingress Ready: Compatible with Traefik, Cert-Manager, and Gateway API for secure, external access to your intelligence node.
Special thanks to @chr0n1x for contributing the initial Kubernetes architecture.
Shad
$ claude mcp add Shadowbroker \
-- python -m otcore.mcp_server <graph>