Open-source self-hosted malware analysis platform for security researchers, educators, and enthusiasts.
About the project
Vault1337 is a self-hosted malware analysis platform built for security researchers and analysts. It provides a secure repository for storing malware samples along with a suite of static analysis tools, all accessible through a modern React-based web interface backed by a Django REST API.
The project started as a hands-on learning exercise and has grown into a full-stack application with JWT authentication, a documented REST API, and a full container deployment stack. It runs comfortably on a Raspberry Pi 5 in production.
All sample files are stored by SHA256 hash — original filenames are never written to disk. Analysis tools run in isolated temporary contexts so file paths are never exposed to users.
What you get
Upload by file or URL, or pull directly from VirusTotal or MalwareBazaar by SHA256 hash.
Strings, LIEF PE parser, Hex viewer, PDF parser, OLE tools, ExifTool, IOC extractor, YARA, Email parser, Zip extractor, QR decode.
Create, edit, and run YARA rules against samples using the built-in web editor.
Extract and manage indicators of compromise. Every IOC is linked back to its source sample.
Query AbuseIPDB, Spur, and Shodan from a single interface. Private/reserved IPs are rejected.
JWT-secured API with staff/user role separation. Full OpenAPI docs at /api/v1/docs/.
Tag samples with freeform labels. Full-text search across the vault with pagination.
Add titled notes to any sample for team collaboration or personal analysis records.
Single-command Docker run or a full Compose stack with PostgreSQL, persistent volumes, and Gunicorn.
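The IP reputation feature above rejects private and reserved addresses before anything is sent to AbuseIPDB, Spur, or Shodan. A check of that kind is sketched below as an added example; it is not Vault1337's own code, and the function name `enrichment_target` and the sample inputs are constructed for illustration. It covers cases a bare `is_private` test misses: carrier-grade NAT space, multicast, and IPv4-mapped IPv6 literals that wrap an internal address.

```python
import ipaddress
from typing import Optional


def enrichment_target(value: str) -> Optional[str]:
    """Return the normalised address if it may be sent to an external
    reputation API, or None if it must be rejected (hypothetical helper)."""
    try:
        # Only bare IP literals parse; hostnames, CIDR ranges and
        # "ip:port" strings raise ValueError and are rejected.
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None

    # "::ffff:10.0.0.1" is an IPv6 literal wrapping an internal IPv4
    # address, so evaluate the embedded address instead of the wrapper.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped

    # is_global is False for RFC 1918, loopback, link-local, documentation
    # ranges and 100.64.0.0/10 (CGNAT). Multicast is not covered by
    # is_global on IPv4, so it is checked explicitly with the other flags.
    if (not ip.is_global or ip.is_multicast or ip.is_reserved
            or ip.is_loopback or ip.is_link_local or ip.is_unspecified):
        return None
    return str(ip)


if __name__ == "__main__":
    # Constructed sample inputs, such as an IOC extractor might produce.
    samples = ["8.8.8.8", "10.0.0.1", "169.254.169.254", "100.64.0.1",
               "224.0.0.1", "::ffff:192.168.1.1", "2001:4860:4860::8888",
               "example.com"]
    for s in samples:
        verdict = enrichment_target(s)
        print(f"{s:24} -> {'query ' + verdict if verdict else 'rejected'}")
```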
Under the hood
| Layer | Technology |
|---|---|
| Backend | Python 3.12 / Django 5.2 / Django REST Framework |
| Authentication | JWT — djangorestframework-simplejwt |
| API docs | drf-spectacular (Swagger UI at /api/v1/docs/) |
| Frontend | React 19 / TypeScript / Vite 6 / Tailwind CSS 4 |
| Database | PostgreSQL (production) / SQLite (development) |
| Production | Gunicorn + NGINX + WhiteNoise (Raspberry Pi 5) |
| Container | Docker — vault1337/vault1337:latest |
Up and running in seconds
Pull and run the Docker image. Uses SQLite by default — data is not persisted when the container stops. For persistent storage with PostgreSQL see the Docker Compose guide.
```bash
docker run -p 8000:8000 \
  -e SECRET_KEY=change-me-to-a-long-random-string \
  -e DEBUG=True \
  vault1337/vault1337:latest
```
Open http://localhost:8000 and log in with admin / changeme123. Change the password immediately via the Django admin at /admin/.
Built on the shoulders of giants
Vault1337 is made possible by a number of outstanding open-source projects and APIs.
Backend & Analysis
Frontend
Intelligence APIs
Infrastructure