Architecture
Nethound is built around a simple, automated pipeline:
- Raw notes are dropped into raw/ as Markdown files.
- A file watcher (watch.sh) detects new files and triggers the pipeline.
- nethound (Go) sends each note to Claude via OpenRouter, which transforms it into structured CTI documentation with MITRE ATT&CK mappings, proper frontmatter, and defanged IOCs.
- Quartz builds the static site from the processed content, including a knowledge graph of connections between every note.
- The site is served from a machine that accepts no inbound connections from the internet and whose address is never published.
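The transformation step above trusts a model to emit frontmatter, ATT&CK IDs and defanged indicators; a practitioner would gate the output on a check before it enters the Quartz content tree. The following is an added example, not Nethound's own code: it parses a note's frontmatter, rejects malformed technique IDs, flags any live URL, IPv4 address or hostname left in the body, and defangs them. The frontmatter field names (`title`, `attack`), the TLD list and the sample note are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Technique IDs look like T1071 or T1071.001; tactic IDs (TA0011) are not techniques.
	techniqueRe = regexp.MustCompile(`^T\d{4}(\.\d{3})?$`)
	// Live indicators that must never reach the published site undefanged.
	liveSchemeRe = regexp.MustCompile(`(?i)\bhttps?://`)
	liveIPv4Re   = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`) // version strings get flagged too; defanging them is harmless
	// Hostnames with an undefanged dot before a TLD; the TLD list is illustrative (assumption).
	liveHostRe = regexp.MustCompile(`(?i)\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|cn|top|xyz)\b`)
)

// Constructed sample of what a model might return: frontmatter is well-formed,
// but one URL and one IP address in the body were never defanged.
const sampleNote = `---
title: Example loader campaign
attack: T1071.001, T1566.002
---
The loader beacons to http://evil-cdn.example.com/gate.php and 45.33.32.156.
A second host was already defanged: hxxp://drop[.]example[.]net/x.
`

// ParseFrontmatter splits a note into its "key: value" header and the Markdown
// body. ok is false when the leading --- block is missing or unterminated.
func ParseFrontmatter(note string) (fields map[string]string, body string, ok bool) {
	if !strings.HasPrefix(note, "---\n") {
		return nil, note, false
	}
	rest := note[len("---\n"):]
	end := strings.Index(rest, "\n---\n")
	if end < 0 {
		return nil, note, false
	}
	fields = map[string]string{}
	for _, line := range strings.Split(rest[:end], "\n") {
		if k, v, found := strings.Cut(line, ":"); found {
			fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return fields, rest[end+len("\n---\n"):], true
}

// Defang rewrites live indicators so they neither resolve nor render as links:
// http -> hxxp, and every dot in an IPv4 address or hostname -> "[.]".
// Text that is already defanged does not match and is left unchanged.
func Defang(s string) string {
	s = liveSchemeRe.ReplaceAllStringFunc(s, func(m string) string {
		return "hxx" + m[len("htt"):] // http:// -> hxxp://, https:// -> hxxps://
	})
	bracket := func(m string) string { return strings.ReplaceAll(m, ".", "[.]") }
	s = liveIPv4Re.ReplaceAllStringFunc(s, bracket)
	s = liveHostRe.ReplaceAllStringFunc(s, bracket)
	return s
}

// DefangNote defangs the body only; frontmatter is left as generated.
func DefangNote(note string) string {
	_, body, ok := ParseFrontmatter(note)
	if !ok {
		return Defang(note)
	}
	return note[:len(note)-len(body)] + Defang(body)
}

// Validate returns the reasons a generated note must not be published;
// an empty result means it passes the gate.
func Validate(note string) []string {
	var problems []string
	fields, body, ok := ParseFrontmatter(note)
	if !ok {
		return []string{"missing frontmatter"}
	}
	if fields["title"] == "" {
		problems = append(problems, "frontmatter lacks title")
	}
	for _, t := range strings.Split(fields["attack"], ",") {
		if t = strings.TrimSpace(t); t != "" && !techniqueRe.MatchString(t) {
			problems = append(problems, "malformed ATT&CK technique ID: "+t)
		}
	}
	for _, re := range []*regexp.Regexp{liveSchemeRe, liveIPv4Re, liveHostRe} {
		for _, m := range re.FindAllString(body, -1) {
			problems = append(problems, "live indicator in body: "+m)
		}
	}
	return problems
}

func main() {
	for _, p := range Validate(sampleNote) {
		fmt.Println("reject:", p)
	}
	fmt.Print(DefangNote(sampleNote))
}
```

Run the gate after the model call and before the file is written into the content directory; a note that fails is held back rather than fixed silently, so a model that starts emitting raw indicators is noticed instead of being papered over by the defang pass.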
The Dark Server
The server hosting this site has no ports open to the internet, and its IP address is never published. The full implementation is documented in the Sovereign Dark Server guide.
Rather than binding to a public port and waiting for inbound connections, the server initiates an outbound connection to Cloudflare using a Cloudflare Tunnel. Every connection is opened from the server's side: the server calls out to Cloudflare, and Cloudflare routes visitor requests back through that persistent tunnel to a listener bound to localhost.
Visitor → Cloudflare Edge → Tunnel (outbound-only) → localhost:8080
The consequences of this design:
- No origin network attack surface. The host has no listening ports on any externally reachable interface (the site's HTTP server binds only to loopback), no banners to fingerprint, and no IP address that resolves from DNS. An attacker cannot reach the machine directly, so a vulnerability in the OS or a local service is not remotely exploitable from the internet.
- IP anonymity. The server's real IP address is unknown to visitors. A full port scan of the Cloudflare-owned IP that the hostname resolves to reveals nothing about the origin.
- No ingress firewall rules required. Because the server never accepts inbound connections, the host firewall can stay at default-deny inbound with no exceptions, so there is no allow rule to misconfigure and no gap that could expose the host.
- Resilience. cloudflared reconnects automatically if the tunnel drops. Nothing on the origin listens for internet traffic, so there is no exposed daemon for malformed packets to crash; anything that reaches the local HTTP server has already passed through Cloudflare's edge and the tunnel.
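The claims above are checkable from the origin itself: the only LISTEN sockets should be on loopback, and the tunnel should appear only as established connections the host opened toward Cloudflare. The following is an added example, not part of Nethound or the Dark Server guide: it parses `ss -ltnH` (listening TCP sockets) and `ss -tnH` (established TCP sockets) output and reports anything that contradicts the outbound-only model. The sample outputs are constructed; the remote port 7844 is the port cloudflared uses to reach Cloudflare's edge, and the edge addresses shown are illustrative.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample of `ss -ltnH`: the site listener is correctly confined
// to loopback, but an sshd is still bound to every interface.
const sampleListeners = `LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
`

// Constructed sample of `ss -tnH`: two tunnel connections the origin opened
// toward Cloudflare's edge on 7844, plus one unrelated outbound HTTPS session.
const sampleConns = `ESTAB 0 0 10.0.0.5:51234 198.41.192.7:7844
ESTAB 0 0 10.0.0.5:51235 198.41.200.13:7844
ESTAB 0 0 10.0.0.5:40002 93.184.216.34:443
`

// isLoopback reports whether an ss local address is confined to the host.
// Wildcards (0.0.0.0, ::, *) are reachable from every interface and count
// as exposed.
func isLoopback(host string) bool {
	host = strings.Trim(host, "[]")
	if host == "*" {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// ExposedListeners returns the local address:port of every LISTEN socket in
// `ss -ltnH` output that is not bound to a loopback address. On a dark
// server the result is empty.
func ExposedListeners(ss string) []string {
	var exposed []string
	for _, line := range strings.Split(ss, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "LISTEN" {
			continue
		}
		local := f[3]
		i := strings.LastIndex(local, ":")
		if i < 0 || isLoopback(local[:i]) {
			continue
		}
		exposed = append(exposed, local)
	}
	return exposed
}

// TunnelConnections returns the peer address of each ESTAB socket in
// `ss -tnH` output whose remote port is 7844. These are the outbound
// connections cloudflared holds open; visitor traffic arrives only inside them.
func TunnelConnections(ss string) []string {
	var peers []string
	for _, line := range strings.Split(ss, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[0] != "ESTAB" {
			continue
		}
		if strings.HasSuffix(f[4], ":7844") {
			peers = append(peers, f[4])
		}
	}
	return peers
}

// OriginIsDark is the one-line verdict: nothing listening off loopback and at
// least one live tunnel connection.
func OriginIsDark(listeners, conns string) bool {
	return len(ExposedListeners(listeners)) == 0 && len(TunnelConnections(conns)) > 0
}

func main() {
	for _, l := range ExposedListeners(sampleListeners) {
		fmt.Println("exposed listener:", l)
	}
	for _, p := range TunnelConnections(sampleConns) {
		fmt.Println("tunnel connection to:", p)
	}
	fmt.Println("dark:", OriginIsDark(sampleListeners, sampleConns))
}
```

Running this against real `ss` output on a schedule turns the "no open ports" property from a design intent into a monitored invariant: a package that starts a new network service, or an administrator who reopens SSH, shows up as an exposed listener rather than going unnoticed.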
What this does not protect
The web application is still reachable through Cloudflare and remains a valid attack surface. An attacker can interact with anything Cloudflare forwards to the tunnel — in practice, whatever the HTTP server is serving.
Nethound's exposure here is narrow because Quartz produces a fully static site: pre-rendered HTML, CSS, and JavaScript with no server-side execution, no database, and no authenticated endpoints. There is no code path that accepts user input and acts on it server-side. The realistic web application risks are limited to client-side issues in the browser (XSS via injected content, malicious wikilinks) rather than server compromise. Because the published content is produced by the LLM step from raw notes, that pipeline is the realistic injection point: anything that survives into the processed Markdown, raw HTML included, is rendered in every visitor's browser unless the build strips it.
The Dark Server pattern eliminates the infrastructure attack surface — the host OS, open ports, and network identity. It does not eliminate the application attack surface. For Nethound those are acceptably small by design, but they are not zero.
This architecture is particularly appropriate for a CTI platform. A server that tracks threat actors should not itself be trivially discoverable or targetable. The tunnel ensures that an adversary who identifies the site has no network path from the public URL to the origin machine; the origin stays hidden as long as its address is never linked to the site through another channel, such as a direct DNS record, an IP shared with another service, or an outbound connection that reveals it.
Contact
| Channel | Address |
| --- | --- |
| Email | [email protected] |
| GitHub | github.com/nethoundsh |
