Taranis AI: Open-Source AI-Powered OSINT Platform for Threat Intelligence Teams

By Prahlad Menon

We’ve covered the raw OSINT layer before — tools like Shadowbroker and Crucix that pull geospatial, maritime, and economic signals into real-time dashboards. Those tools are excellent at showing you what’s happening right now.

But raw signals aren’t intelligence. Intelligence is what happens after you collect, enrich, analyze, and report. That’s the gap Taranis AI fills.

What Taranis AI Does

Taranis AI is an open-source OSINT platform that automates the full intelligence cycle: collection → enrichment → analysis → reporting → publishing.

It scours data sources — websites, RSS feeds, email inboxes, Slack channels, and more — for unstructured articles and signals. Then it uses Natural Language Processing and AI to enhance and enrich that content automatically. Analysts refine the AI-augmented articles into structured reports, which get published as PDFs or shared via MISP for collaborative threat intelligence.

The key distinction: Taranis AI isn’t a dashboard that shows you blinking dots on a map. It’s a workflow platform that turns noise into structured, publishable intelligence products.

The Architecture

Taranis AI runs as a set of Docker services:

Service | Technology | Role
Ingress | Nginx | Reverse proxy and entrypoint
Frontend | Flask + HTMX + Tailwind | Web interface
Core | Python REST API | Central backend, database, API endpoints
Worker | RQ workers | Collectors, bots, presenters, publishers
Database | PostgreSQL (primary) or SQLite | Data storage
Redis | Message broker | Job queue for workers
SSE Broker | Custom | Server-sent events for real-time updates

The architecture is clean — a standard microservices pattern that separates collection (workers), processing (core), and presentation (frontend). Each component scales independently.

Hardware requirements:

  • With NLP: 16 GB RAM, 4 CPU cores, 50 GB storage
  • Without NLP: 2 GB RAM, 2 CPU cores, 20 GB storage

The NLP features are what set Taranis apart from simpler RSS aggregators, so the 16 GB requirement is the realistic baseline for production use.

The Intelligence Workflow

1. Collection

Workers crawl configured data sources on schedule — websites, RSS feeds, email, Slack, and custom connectors. They pull in raw, unstructured content: news articles, advisories, social media posts, mailing list messages.

This is the firehose. Hundreds or thousands of items per day depending on how many sources you configure.

2. AI Enrichment

Here’s where Taranis earns the “AI” in its name. NLP models process the raw articles to:

  • Extract entities (organizations, people, locations, IOCs)
  • Classify content by topic, threat type, and relevance
  • Summarize long articles into actionable briefs
  • Identify relationships between entities across articles
  • Score content quality and relevance

The AI doesn’t replace analysts — it pre-processes the firehose so analysts see enriched, classified content instead of raw HTML scraped from news sites.

3. Analyst Review

Analysts work with AI-augmented articles in the web interface. They can:

  • Accept, reject, or modify AI classifications
  • Group related articles into stories
  • Add analyst notes and assessments
  • Convert articles into structured report items

This human-in-the-loop step is critical. AI enrichment gets you 80% of the way; analyst judgment handles the nuance, context, and “so what?” that machines still miss.

4. Report Generation

Structured report items feed into report templates. Taranis generates formatted outputs — PDF reports, structured data exports, or whatever template you configure. These are the actual intelligence products: daily briefs, weekly summaries, incident reports, threat assessments.

5. Publishing & Sharing

Finished products publish through configured channels. The most interesting integration is MISP — the open-source Malware Information Sharing Platform. Taranis can share threat intelligence at the story level between Taranis instances or between Taranis and MISP, enabling collaborative threat intel across organizations.

This is experimental but significant. It means a network of Taranis instances can function as a distributed threat intelligence community — each contributing and consuming enriched intelligence.
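The workflow above, from enrichment through story-level sharing, as an added example that is not Taranis AI's own code: plain regex extraction stands in for the platform's NLP models, and the output follows MISP's Event/Attribute JSON layout with MISP attribute type names. The function names and the sample story are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample story: two collected articles on one campaign. The hash is
# the SHA-256 of empty input; the CVE id is a placeholder.
STORY = [
    "Advisory: beacons to 203.0.113[.]45 and hxxps://updates.example[.]net/a.php "
    "after exploitation of CVE-0000-0000.",
    "Follow-up: dropper e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "contacts 203.0.113.45; agent version 10.2.300.4 is affected.",
]
PATTERNS = {  # keys are MISP attribute type names
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ip-dst": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "vulnerability": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
}

def refang(text):
    """Undo common defanging (hxxp, [.]) so indicators parse as real values."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def extract(text):
    """Return the set of (misp_type, value) pairs found in one article."""
    found, clean = set(), refang(text)
    for kind, rx in PATTERNS.items():
        for value in rx.findall(clean):
            value = value.rstrip(".,;)")
            if kind == "ip-dst" and not is_ip(value):
                continue  # dotted quad that is not an address, e.g. 10.2.300.4
            if kind == "url" and (host := urlsplit(value).hostname):
                found.add(("ip-dst" if is_ip(host) else "domain", host))
            found.add((kind, value.lower() if kind == "sha256" else value))
    return found

def story_to_event(title, articles):
    """Merge indicators from all articles of a story into one MISP-style event."""
    merged = set().union(*(extract(a) for a in articles))
    attrs = [{"type": t, "value": v} for t, v in sorted(merged)]
    return {"Event": {"info": title, "Attribute": attrs}}
```
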

How It Compares to What We’ve Covered

Tool | Focus | Output
Shadowbroker | Geospatial OSINT (ADS-B, AIS, satellites) | Real-time map dashboard
Crucix | Multi-source signal aggregation (27 feeds) | Live signal terminal
ThinkCreate Intel | AI-scored threat classification | Scored alerts + trade signals
Taranis AI | Full intelligence cycle (collect → report) | Structured reports + PDFs

These tools aren’t competitors — they’re different layers of the same stack:

  • Shadowbroker/Crucix = raw signal collection
  • ThinkCreate Intel = AI classification and scoring
  • Taranis AI = analyst workflow and report production

A mature OSINT operation would use signals from tools like Shadowbroker and Crucix as inputs to a platform like Taranis, where analysts turn those signals into structured intelligence products.

Who This Is Built For

Threat intelligence teams at organizations that need structured reporting on cyber threats, geopolitical risk, or industry-specific developments.

OSINT researchers who need to move beyond ad-hoc browsing and build repeatable collection-analysis-reporting workflows.

Government and military analysts (the project’s lineage traces back to CERT/CSIRT use cases) who need to produce formatted intelligence products on schedule.

Security Operations Centers (SOCs) that want automated collection of open-source threat data feeding into their analysis pipeline.

NGOs and journalists monitoring conflict zones, human rights situations, or environmental events who need to produce regular situation reports.

Getting Started

# Clone the repository
git clone https://github.com/taranis-ai/taranis-ai.git
cd taranis-ai

# Deploy with Docker Compose
docker compose up -d

The deployment guide covers production configuration, including setting up collectors, NLP models, and MISP integration.

The project includes an OpenAPI spec for the REST API, making it straightforward to integrate with existing tooling or build custom frontends.

The Open-Source OSINT Stack Is Maturing

A year ago, open-source OSINT meant manually checking RSS feeds and Twitter lists. Today, you can build a complete intelligence pipeline — from automated collection through AI enrichment to formatted report publishing — using entirely free, self-hosted tools.

Taranis AI represents the most mature piece of that puzzle: the analyst workbench where raw signals become actionable intelligence. Combined with the collection layers we’ve covered previously, the full stack now rivals what commercial platforms like Recorded Future or Flashpoint offer — at zero licensing cost.

The tradeoff is setup complexity and self-hosting responsibility. But for organizations with the technical capability, the gap between open-source and commercial OSINT platforms has never been smaller.

