One input. 15 sources. One structured report. Zero infrastructure costs.
The Problem
Every security engineer knows the workflow. You get an IP, a domain, or an ASN you need to investigate. You open Shodan in one tab, BGPView in another, crt.sh in a third. You paste the same value into VirusTotal, then into a passive DNS provider, then into two or three threat feeds. Twenty minutes later you have seven browser tabs, a notes file full of copy-pasted snippets, and you're manually trying to reconcile whether the cert history matches the passive DNS timeline.
It's not a hard problem. It's just a tedious one that nobody had solved cleanly for the open-source side of the house.
So I built SeekYou.
What SeekYou Does
SeekYou takes any IP, domain, or ASN as input and returns a single structured intelligence report by querying 15 sources in parallel:
- Open ports and service banners
- Known CVEs mapped to running services
- BGP and routing data
- RDAP / WHOIS enrichment
- Certificate history via crt.sh
- Passive DNS records
- 5 threat feed lookups — malicious classification, abuse scoring, blocklist status
- Exposed cloud buckets
- Wayback Machine snapshots — useful for infrastructure history and phishing page archaeology
The key word is parallel. All 15 sources are queried simultaneously, so your total response time is roughly equal to the slowest single source — not the sum of all 15.
Architecture: Why Cloudflare Workers
I had a few hard requirements going in:
- No self-hosted infrastructure — I wanted this to run for free and be instantly deployable by anyone
- True parallel execution across 15 external sources
- Caching granular enough to be actually useful
- Rate limiting and circuit breaking without an external service
Cloudflare Workers satisfied all four cleanly.
The V8 Isolate Advantage
On traditional serverless platforms, cold starts can add hundreds of milliseconds per invocation. When you're fanning out to 15 sources simultaneously, that compounds fast. Workers' V8 isolate model eliminates that problem — isolates start in microseconds, making the fan-out pattern genuinely viable.
4-Layer Parallel Execution Model
Layer 1 — Input parsing and normalization
Layer 2 — Source fan-out (all 15 queries fire simultaneously)
Layer 3 — Per-source response parsing and normalization
Layer 4 — Report assembly and diff comparison
Each layer is non-blocking. Layers 3 and 4 begin processing as soon as individual sources return — you're not waiting for all 15 to complete before starting assembly.
Per-Source KV Caching
Each source response is cached independently with a TTL tuned to that source's data freshness:
const SOURCE_TTLS = {
ports: 3600,
certs: 86400,
threatFeeds: 1800,
bgp: 43200,
passiveDns: 7200,
};
Partial cache hits work. If 12 of 15 sources are cached, only 3 cold fetches happen. Per-source caching gives proportional speedups on repeat queries — critical for monitoring workflows.
Circuit Breakers
Each source is wrapped in a circuit breaker implemented directly in the Worker:
async function fetchWithCircuitBreaker(source, fetcher) {
const state = await kv.get(`circuit:${source}`);
if (state === 'open') {
return { source, status: 'circuit_open', data: null };
}
try {
const result = await fetcher();
await kv.put(`circuit:${source}`, 'closed');
return { source, status: 'ok', data: result };
} catch (err) {
await incrementFailureCount(source);
return { source, status: 'error', data: null };
}
}
A source failing doesn't kill the report — it returns a graceful null and the rest assembles normally.
Per-IP Rate Limiting
Rate limiting is handled natively in the Worker using KV as the backing store. No external Redis, no rate limiting service. Each client IP gets a sliding window counter, and requests over the threshold get a clean 429 before touching any upstream source.
The Diff Engine
SeekYou can monitor a host over time and alert you when its observable state changes. The diff engine is typed — it tells you specifically what category of change occurred:
- A port opened or closed
- A new CVE appeared against a running service
- A certificate rotated or is approaching expiry
- The host appeared on a new threat feed
- A new subdomain appeared in passive DNS
{
host: "example.com",
timestamp: "2026-05-19T10:00:00Z",
changes: [
{ type: "port_opened", detail: { port: 8443, service: "HTTPS" } },
{ type: "cve_added", detail: { id: "CVE-2024-XXXX", severity: "HIGH" } },
{ type: "cert_expiry_warning", detail: { daysRemaining: 14 } }
]
}
This turns SeekYou from a one-off lookup tool into something you can build alerting workflows around.
Free Tier Math
| Resource | Free Limit | Usage at 5k lookups/day |
|---|---|---|
| Worker requests | 100,000/day | ~80,000 (orchestration + source fetches) |
| KV reads | 100,000/day | Proportional to cache hit rate |
| KV writes | 1,000/day | One write per cache miss per source |
| CPU time | 10ms/request | Well within limit |
At 5k full lookups per day you're comfortably within the free tier on every dimension.
Deployment
git clone https://github.com/Teycir/SeekYou
cd SeekYou
npm install
wrangler deploy
Cloudflare account and Wrangler CLI required. No paid plan needed.
What I'd Build Next
- Webhook support for the diff engine — push changes to Slack, Discord, or a SIEM
- Bulk input — accept a list of IOCs via Workers Cron Triggers
- STIX export format for formal TI workflows
- Additional sources — Censys, Fofa, and more threat feeds
Wrapping Up
The core insight behind SeekYou is simple: the data is publicly available, the sources all have free tiers, and the only missing piece was an orchestration layer that queries them simultaneously and returns one coherent report. Cloudflare Workers was the right substrate — the isolate model, KV, and native rate limiting covered everything without adding infrastructure complexity.
Top comments (0)