Docker (Quick Start)
The fastest way to run Vault1337. Uses SQLite — data is not persisted after the container stops.
Pull the image
docker pull vault1337/vault1337:latest
Run the container
```bash
docker run -p 8000:8000 \
  -e SECRET_KEY=change-me-to-a-long-random-string \
  -e DEBUG=True \
  vault1337/vault1337:latest
```
Log in
Open http://localhost:8000 and log in with the default credentials:
Username: admin
Password: changeme123
http://localhost:8000/admin/
Add API keys (optional)
Navigate to Admin → API Keys to add keys for the intelligence integrations. See the API Keys section below.
Docker Compose
Recommended for persistent deployments. Spins up Vault1337 with a PostgreSQL database and named volumes for samples and YARA rules.
Clone the repository
```bash
git clone https://github.com/DanDreadless/Vault1337.git
cd Vault1337/Docker
```
Configure the environment
All settings live in Docker/.env. Open it and set at minimum:
| Variable | Description |
|---|---|
| SECRET_KEY | Long random string — generate with openssl rand -hex 50 |
| POSTGRES_PASSWORD | Password for the PostgreSQL database |
| DJANGO_SUPERUSER_PASSWORD | Initial admin account password |
| ALLOWED_HOSTS | Comma-separated hostnames or IPs, e.g. localhost,192.168.1.10 |
Start the stack
docker compose up -d
This builds the image (if not already built), starts PostgreSQL, waits for a health check, then starts Gunicorn. Migrations and superuser creation happen automatically on first run.
Open Vault1337
Navigate to http://localhost:8000 (or your configured HOST_PORT) and log in.
```bash
# View logs
docker compose logs -f

# Stop the stack (data preserved)
docker compose down

# Stop and wipe all data
docker compose down -v
```
Local Development
Requires Python 3.12+, Node.js 22+, and (optionally) PostgreSQL.
Clone and set up a Python virtual environment
```bash
git clone https://github.com/DanDreadless/Vault1337.git
cd Vault1337
python3 -m venv env
source env/bin/activate  # Windows: env\Scripts\activate
pip install -r requirements.txt
```
Install system dependencies
```bash
# Ubuntu / Debian
sudo apt install -y libimage-exiftool-perl libmpc-dev libgl1 libglib2.0-0
```
Configure the environment
Copy the Docker env template and edit it for local use:
```bash
cp Docker/.env .env
# Edit .env — set SECRET_KEY and DEBUG=True
# Leave DATABASE_URL empty to use SQLite
```
Run migrations and create a superuser
```bash
python manage.py migrate
python manage.py createsuperuser
```
Start the Django API
python manage.py runserver
Start the React frontend (second terminal)
```bash
cd frontend
npm install
npm run dev
```
Open http://localhost:5173. The Vite dev server proxies /api/ requests to Django on port 8000.
Environment Variables
All configuration is handled via environment variables loaded from a .env file (or passed directly to the container).
| Variable | Default | Description |
|---|---|---|
| SECRET_KEY | required | Django secret key — use a long random string |
| DEBUG | False | Set True for local development only |
| ALLOWED_HOSTS | 127.0.0.1 | Comma-separated list of allowed hostnames/IPs |
| DATABASE_URL | SQLite | PostgreSQL connection string, e.g. postgres://user:pass@host:5432/db |
| CORS_ALLOWED_ORIGINS | http://localhost:5173 | Comma-separated origins allowed for CORS requests |
| MAX_UPLOAD_SIZE_MB | 200 | Maximum file upload size in megabytes |
| POSTGRES_DB | vault1337 | PostgreSQL database name (Compose only) |
| POSTGRES_USER | vault | PostgreSQL username (Compose only) |
| POSTGRES_PASSWORD | required | PostgreSQL password (Compose only) |
| DJANGO_SUPERUSER_USERNAME | admin | Superuser created on first container startup |
| DJANGO_SUPERUSER_EMAIL | admin@localhost | Superuser email |
| DJANGO_SUPERUSER_PASSWORD | changeme123 | Superuser initial password — change this |
| HOST_PORT | 8000 | Host port mapped to container port 8000 |
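A pre-deployment check for the variables above, as an added example that is not part of the Vault1337 code base. It flags the placeholder and default values this page shows (`change-me-to-a-long-random-string`, `changeme123`, `DEBUG=True`); the function names, the 50-character threshold (borrowed from Django's deploy check) and the sample file are assumptions made for illustration.

```python
# Weak values are the defaults/placeholders shown on this page.
KNOWN_WEAK = {
    "SECRET_KEY": {"change-me-to-a-long-random-string"},
    "DJANGO_SUPERUSER_PASSWORD": {"changeme123"},
}
# The four variables the Compose section says to set at minimum.
REQUIRED = ("SECRET_KEY", "POSTGRES_PASSWORD",
            "DJANGO_SUPERUSER_PASSWORD", "ALLOWED_HOSTS")

# Constructed sample: quick-start values carried into a Compose .env.
SAMPLE_ENV = """\
SECRET_KEY=change-me-to-a-long-random-string
DEBUG=True
POSTGRES_PASSWORD=
DJANGO_SUPERUSER_PASSWORD=changeme123
ALLOWED_HOSTS=localhost,192.168.1.10
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def audit_env(env):
    """Return findings for settings that are unsafe outside local development."""
    findings = [f"{name}: not set" for name in REQUIRED if not env.get(name)]
    for name, weak in KNOWN_WEAK.items():
        if env.get(name) in weak:
            findings.append(f"{name}: documented default still in use")
    secret = env.get("SECRET_KEY", "")
    # Django's deploy check (security.W009) flags keys under 50 characters.
    if secret and len(secret) < 50:
        findings.append("SECRET_KEY: shorter than 50 characters")
    if env.get("DEBUG", "False").lower() == "true":
        findings.append("DEBUG: enabled")
    if "*" in env.get("ALLOWED_HOSTS", ""):
        findings.append("ALLOWED_HOSTS: wildcard present")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_env(parse_env(SAMPLE_ENV))))
```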
API Keys
Third-party intelligence features require API keys. Add them via the web UI at Admin → API Keys (staff account required), or set them in your .env file before starting the container.
| Key | Service | Used for |
|---|---|---|
| VT_KEY | VirusTotal | Download samples by SHA256 hash |
| MALWARE_BAZAAR_KEY | MalwareBazaar | Download samples by SHA256 hash |
| ABUSEIPDB_KEY | AbuseIPDB | IP reputation lookups |
| SPUR_KEY | Spur | VPN / proxy / residential IP context |
| SHODAN_KEY | Shodan | Open ports and banner data for an IP |
Uploading Samples
Navigate to Upload in the navigation bar. Four ingestion methods are available:
| Method | Description |
|---|---|
| Upload File | Direct file upload (max 200 MB). Optionally extract a ZIP or 7z archive with a password. |
| Fetch URL | Download a sample from an external URL. Private/internal IP ranges are blocked (SSRF protection). |
| VirusTotal | Download a sample by SHA256 hash using your VT API key. |
| MalwareBazaar | Download a sample by SHA256 hash using your MB API key. |
All samples are stored by SHA256 hash. Original filenames are preserved in the database but never used as file paths on disk. Add comma-separated tags during upload for easier organisation.
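The storage rule above, sketched as an added example (not Vault1337's own code): the file is streamed to a temporary name, hashed as it is written, and renamed to its SHA256 digest, while the uploaded filename is returned only as metadata. `store_sample`, its parameters and the sample bytes are hypothetical names and constructed input.

```python
import hashlib
import io
import os
import tempfile
from pathlib import Path


def store_sample(stream, original_name, vault_dir, chunk_size=1 << 20):
    """Stream a sample into vault_dir/<sha256> and return its metadata record.

    original_name is untrusted input: it is returned for the database row
    only and never becomes part of a filesystem path.
    """
    vault = Path(vault_dir)
    vault.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256()
    size = 0
    # Write to a temp file first: the final name is unknown until EOF.
    fd, tmp_path = tempfile.mkstemp(dir=vault, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in iter(lambda: stream.read(chunk_size), b""):
                digest.update(chunk)
                out.write(chunk)
                size += len(chunk)
        sha256 = digest.hexdigest()
        final_path = vault / sha256        # 64 hex characters, no separators
        os.replace(tmp_path, final_path)   # atomic; identical uploads collapse
    finally:
        if os.path.exists(tmp_path):       # only left behind on failure
            os.unlink(tmp_path)
    return {"sha256": sha256, "size": size,
            "original_name": original_name, "path": str(final_path)}


if __name__ == "__main__":
    # Constructed input: harmless bytes with a path-like file name.
    with tempfile.TemporaryDirectory() as vault:
        rec = store_sample(io.BytesIO(b"constructed sample bytes"),
                           "../../outside/evil.bin", vault)
        print(rec["path"], "<-", rec["original_name"])
```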
Analysis Tools
Open a sample from the vault and select a tool from the Analysis tab. Results are displayed inline and cached for the session.
| Tool | Sub-options | Description |
|---|---|---|
| Strings | UTF-8, Latin-1, UTF-16, UTF-32, ASCII | Extracts printable strings from a sample across multiple encodings. |
| LIEF Parser | DOS Header, Rich Header, PE Header, Entrypoint, Sections, Imports, Signature, Entropy | PE binary analysis via the LIEF project. Shows headers, imported functions, section entropy, and signature validity. |
| Hex Viewer | — | Renders a hex dump of the sample with ASCII sidebar. |
| PDF Parser | — | Extracts metadata, embedded URLs, and text content from PDFs using PyMuPDF. |
| OLE Tools | OLEID, OLEMETA, OLEDUMP, OLEVBA, RTFOBJ, OLEOBJ | Analyses Microsoft OLE2 compound files (Office documents, RTF) via Oletools. Detects macros, embedded objects, and suspicious indicators. |
| ExifTool | — | Reads all metadata tags from a file using ExifTool by Phil Harvey. |
| IOC Extractor | — | Parses the sample for indicators of compromise (IPs, domains, URLs, hashes, emails) and stores them in the IOC database linked to this sample. |
| YARA | — | Runs all saved YARA rules against the sample and reports any matches. Rules are managed from the YARA page. |
| Email Parser | Headers, Body, Attachments | Parses .eml files. Downloads email attachments directly into the vault for further analysis. |
| Zip Extractor | With password, Without password | Extracts .zip and .7z archives. All extracted files are added to the vault as individual samples. |
| QR Decode | — | Decodes QR codes from image samples using OpenCV. Returns the decoded payload as text. |
YARA Rules
Navigate to YARA in the navigation bar to manage rules.
- Create new rules using the built-in editor — paste or write YARA syntax directly.
- Edit existing rules at any time.
- Run all rules against a specific sample from the sample detail page using the YARA tool.
- Rules are stored as .yar files in vault/yara-rules/ on the server.
IOC Management
Navigate to IOCs to view all extracted indicators of compromise across all samples.
- Run the IOC Extractor tool on a sample to populate its IOCs.
- Each IOC is linked back to the sample it came from.
- Mark IOCs as true positive or false positive using the toggle on the IOC page.
- Filter the list by classification (true / false / unreviewed) and search by value.
IP Intelligence
Navigate to IP Check to query an IP address against multiple threat intelligence sources simultaneously.
- Aggregates results from AbuseIPDB, Spur, and Shodan in a single request.
- Private, loopback, and reserved IP ranges are rejected before any external query is made.
- Requires at least one API key to be configured for results to be returned.
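The rejection of private, loopback and reserved ranges described here and for Fetch URL under Uploading Samples, as an added example that is not Vault1337's implementation. It extends the IP check to URLs by validating every address a host name resolves to; `is_public_ip`, `check_fetch_url` and the resolver table are hypothetical names, and the DNS answers are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_public_ip(value):
    """True only for globally routable unicast addresses (fails closed)."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    # Unwrap ::ffff:a.b.c.d so an internal IPv4 cannot hide in an IPv6 literal.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_host(host):
    """Default resolver: every address the name maps to (needs DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url, resolve=resolve_host):
    """Return (allowed, reason) for a URL submitted to a fetch feature."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "only http(s) URLs with a host are accepted"
    try:
        ipaddress.ip_address(host)
        addresses = [host]               # literal IP: nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve"
    blocked = [a for a in addresses if not is_public_ip(a)]  # all must pass
    if blocked:
        return False, f"non-public address: {blocked[0]}"
    return True, "ok"

# Constructed resolver table so the example runs offline.
FAKE_DNS = {"files.example.test": ["93.184.216.34"],
            "intranet.example.test": ["93.184.216.34", "10.0.0.8"]}
```

A check like this only holds if the download then connects to the address that was validated and repeats the check on every redirect, because a second DNS lookup can return a different answer.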
Tags & Search
- Add comma-separated tags when uploading a sample.
- Add or remove tags from any sample on the sample detail page.
- All tags are stored in lowercase automatically.
- Use the search bar on the Vault page to filter samples by filename, hash, or tag.
- Results are paginated — use the page controls at the bottom of the vault list.
Tech Stack
| Layer | Technology |
|---|---|
| Backend | Python 3.12 / Django 5.2 / Django REST Framework |
| Authentication | JWT — djangorestframework-simplejwt with token blacklisting |
| API docs | drf-spectacular — Swagger UI at /api/v1/docs/ |
| Frontend | React 19 / TypeScript / Vite 6 / Tailwind CSS 4 |
| Database | PostgreSQL (production) / SQLite (development) |
| Static files | WhiteNoise (serves React SPA + Django admin assets) |
| Production server | Gunicorn (4 workers) + NGINX |
| Container | Docker — vault1337/vault1337:latest |
REST API
All endpoints are under /api/v1/. JWT Bearer token authentication is required on all endpoints except registration and token endpoints.
| Endpoint | Description |
|---|---|
| POST /api/v1/auth/register/ | Register a new user account |
| POST /api/v1/auth/token/ | Obtain JWT access + refresh token |
| POST /api/v1/auth/token/refresh/ | Refresh an access token |
| POST /api/v1/auth/logout/ | Blacklist a refresh token |
| GET/PATCH /api/v1/auth/user/ | Current user profile |
| GET/POST /api/v1/files/ | List vault / upload a sample |
| GET/DELETE /api/v1/files/{id}/ | Sample detail / delete |
| GET /api/v1/files/{id}/download/ | Download sample file |
| POST /api/v1/files/{id}/run_tool/ | Run an analysis tool |
| POST /api/v1/files/{id}/add_tag/ | Add a tag to a sample |
| POST /api/v1/files/{id}/remove_tag/ | Remove a tag from a sample |
| GET/POST /api/v1/files/{id}/comments/ | List / add comments on a sample |
| POST /api/v1/files/fetch_url/ | Fetch a sample from a URL |
| POST /api/v1/files/vt-download/ | Download from VirusTotal by SHA256 |
| POST /api/v1/files/mb-download/ | Download from MalwareBazaar by SHA256 |
| GET/PATCH /api/v1/iocs/ | List and update IOCs |
| GET/POST/PUT/DELETE /api/v1/yara/ | YARA rule management |
| POST /api/v1/intel/ip/ | IP intelligence lookup |
| GET/POST /api/v1/admin/keys/ | API key management (staff only) |
| POST /api/v1/tools/qr-decode/ | Stateless QR code decode |
Interactive API documentation (Swagger UI) is available at /api/v1/docs/ on any running instance.