MARD-HAT // Hybrid Activity Telemetry by MOwlSINT
MARD-HAT is a public, lightweight OSINT telemetry layer for cyber/exploit, IOC, botnet/C2 and FIMI-lite pressure. It is designed as contextual side input for maritime and hybrid-activity assessment, especially for downstream use in Magic Paws / MARD-Eu.
MARD-HAT does not attribute activity to a state actor. It does not prove sabotage, disinformation, or hybrid activity by itself. A high score should be treated as a prompt for further analysis, not as a conclusion.
Positioning
MARD-HAT does not compete with professional influence-operation platforms, government counter-FIMI units, large commercial narrative-intelligence systems, or full cyber threat-intelligence platforms. Their data breadth, platform access, analyst teams and commercial tooling are much larger.
The specific value of MARD-HAT is different:
- small and transparent,
- public and community-readable,
- cost-neutral or low-cost by design,
- maritime-focus capable,
- machine-readable,
- compatible with Magic Paws / MARD-Eu,
- able to combine cyber/IOC pressure, botnet/C2 indicators and FIMI-lite signals as contextual telemetry.
Most existing systems focus primarily on either:
Disinformation / narratives / influence networks
or:
Cyber threat intelligence / botnet / IOC telemetry
MARD-HAT is intended to connect both layers in a cautious way:
Cyber / botnet pressure
+ Narrative / disinformation signals
+ Maritime and critical-infrastructure context
+ Conservative hybrid-activity side indicator
Current scope
The current MARD-HAT build uses open and low-cost sources to estimate public cyber and botnet-related pressure.
Enabled or prepared in the current line:
- **CISA Known Exploited Vulnerabilities (KEV)** for recently added, publicly known exploited vulnerabilities.
- **FIRST EPSS** for exploitation-probability enrichment and global exploit-pressure context.
- **ThreatFox / abuse.ch** for IOC and botnet/C2-like telemetry when `ABUSECH_AUTH_KEY` is configured as a GitHub Actions secret.
- Static public JSON outputs for downstream ingestion.
- Static HTML dashboard under `public/index.html`.
The current bot-state model adds lightweight operational labels:
- **BIL — Bots in Lurking Position**: no clear elevated bot/IOC state.
- **BWB — Bots were busy**: elevated activity is visible or suspected in the recent trailing window.
- **BAB — Bots are busy**: elevated activity appears current.
The Disinformation Alert Level is currently a proxy indicator derived from bot/IOC telemetry. It is not yet a direct narrative or disinformation measurement.
Roadmap
v0.1.x — Cyber / IOC / botnet telemetry
The current line focuses on:
- exploit-pressure telemetry,
- IOC pressure,
- botnet/C2-like indicators,
- short-window bot-state labels,
- conservative confidence and claim limits,
- historical approximation where possible.
v0.1.4 — FIMI-lite
The active FIMI-lite layer uses:
GDELT = fast narrative and media-spike sensor
EUvsDisinfo = curated and validated disinformation case source
DISARM = structured FIMI taxonomy and tagging model
This makes the Disinformation Alert Level more meaningful, but it remains a contextual early-warning indicator. GDELT measures narrative/media volume; EUvsDisinfo provides curated case exposure; DISARM-aligned tags structure observations. None of these alone prove coordination or attribution.
Later phases
Later candidates include additional social-media or web intelligence sources, such as Open Measures or comparable platforms, depending on access, cost, legality, licensing and operational usefulness.
Outputs
Primary downstream file:
public/hat_latest.json
Additional public outputs:
public/hat_history.json
public/hat_source_health.json
public/evidence_cards/*.json
Internal / repository history:
data/history/hat_history.jsonl
data/raw/*.json
Suggested downstream use
Recommended initial use in Magic Paws / MARD-Eu:
Magic Paws Dashboard: show as Cyber / IOC / Botnet Pressure side indicator
Morning Summary: one cautious context paragraph
Hybrid Index: no automatic weighting until a sufficient baseline exists
After a baseline period, MARD-HAT may be mixed into a broader Hybrid Index only with low weighting and only when corroborated by maritime, FIMI, RF, AIS, ADS-B, KRITIS or incident evidence.
Claim limit
Use this language in downstream products:
MARD-HAT is a contextual digital-pressure indicator. It is not attribution-grade and is not sufficient to prove sabotage, state activity, disinformation or a hybrid operation on its own.
Operational notes
Secrets should never be committed to the repository. For ThreatFox, store the abuse.ch key as a GitHub Actions repository secret:
ABUSECH_AUTH_KEY
If Cloudflare Pages automatic deployment is unreliable, use a Cloudflare Pages Deploy Hook stored as:
CLOUDFLARE_DEPLOY_HOOK
The static site should be served from:
public/
For Cloudflare Pages, the recommended static mirror setup is:
Build command: empty
Build output dir: public
Root directory: empty
Production branch: main