Rinjani Analytics
Roadmap

What's planned, and when

Six phases distilled from the source-of-truth ROADMAP.md. Status: aspirational, not contractual — dates are targets, and phases re-order when real-world usage tells us what matters.

  1. Enrichment & Detection-as-Code
     Status: Shipped, 2026-06 → 2026-07

    Closed 2026-06-09 — 10 of 10 items shipped. PhishTank dropped because registrations have been paused indefinitely upstream since 2024; OpenPhish + URLhaus + urlscan.io already cover the same surface. CVSS v4 moved to the non-goal list — v3 + EPSS + KEV is the strict-superset prioritisation signal today.

    • IOC enrichers shipped: urlscan.io, GreyNoise Community, AbuseIPDB, Shodan InternetDB, VirusTotal v3
    • Confirmed-phishing coverage via OpenPhish (free feed, no API key needed) + URLhaus + urlscan.io verdict cross-check
    • Vulnerability scoring shipped: EPSS (exploit-prediction score) + inKev surfaced on every vuln panel
    • Sigma rule library shipped — ingester + MITRE ATT&CK tag mapping with dotted-key technique queries
    • YARA rule storage + binary scan-sample upload endpoint (multipart, ≤ 25 MiB) shipped
  2. STIX 2.1 first-class & Federation
     Status: Shipped, 2026-08 → 2026-09

    Closed 2026-06-08 — all 5 items shipped. We now speak STIX 2.1 fluently on both legs (pull + push) and Rinjani instances federate cleanly with MISP / OpenCTI / vendor stacks.

    • STIX 2.1 entity coverage shipped: campaigns, courses_of_action, infrastructure tables alongside the existing intrusion-set/malware/tool/attack-pattern/vulnerability/indicator coverage
    • Typed relationships + Neo4j auto-hydration on INSERT, with relationship_type constrained to the STIX 2.1 vocab
    • JSON bundle import/export round-trip with full ref-resolution (the .tar packaging is a small follow-on, not a federation blocker)
    • Outbound TAXII 2.1 push to remote api_roots with per-target filters and HMAC-signed feeds
    • Confidence + TLP marking propagation: every exported indicator/threat-actor/vulnerability carries created_by_ref, object_marking_refs, and a custom provenance extension
  3. LLM analyst features
     Status: In flight, 2026-10 → 2026-11

    3 of 5 shipped (2026-06-08). The remaining two — full report ingestion and hypothesis tracking — are larger pushes scheduled into the autumn window.

    • Actor activity auto-summarisation shipped — `GET /v1/threat-actors/:id/summary` with a RAG block of recent relationships, IOCs, campaigns, and a strict no-hallucination prompt
    • Embedding similarity shipped (backend) — k-NN vector search via OpenSearch knn_vector + similar-docs endpoint; dashboard sidebar UI follows
    • Natural-language → Cypher shipped — `POST /v1/graph/nl-query` with a three-layer safety guard (system prompt + word-boundary regex blocklist + Neo4j READ mode)
    • Report ingestion: paste a URL/PDF → extract IOCs + TTPs + actors into STIX entities for analyst review
    • Hypothesis tracking: LLM grades evidence as it accumulates from feeds
  4. Outbound integrations
     Status: In flight, 2026-12 → 2027-02

    5 of 6 shipped (2026-06-08). Only ticketing — JIRA + GitHub Issues two-way sync — remains for this phase to close.

    • Notification routing shipped: Slack + Email + generic webhook joined by Teams (MessageCard), Discord (embed), and PagerDuty (Events API v2 with dedup_key), all gated by a small rule DSL
    • SIEM exporters shipped: CEF, LEEF, and ECS NDJSON codecs alongside the existing JSON / CSV / MISP / STIX / Suricata-Snort exports
    • SOAR-style playbook DSL shipped: condition operators ($and / $or / $gte / $regex / dotted-key traversal) and per-step guards (if, continueOnError, label)
    • Blocklist exports shipped: Fortinet / Palo Alto / Cisco text feeds at stable URLs with ETag + 5-min Cache-Control + HMAC-signed bodies
    • Sandbox triggers shipped: ANY.RUN, Joe Sandbox, and Hybrid Analysis vendor clients + scheduled BullMQ poller; new sandbox_trigger playbook action auto-detonates on rule match
    • Ticketing: JIRA + GitHub Issues two-way sync for investigation tracking
  5. Surface monitoring
     Status: Considering, 2027-03 → 2027-05

    Where we stop being a feed aggregator and start being a sensor network. Ethics and scope matter — each item is deliberately framed narrowly.

    • Brand / typo-squat monitoring via CertStream + Levenshtein / DNS-twist
    • Leaked credentials via HIBP, scoped to monitored domains
    • Paste-site monitoring: public Telegram channels, GitHub Gist firehose, pastebin replacements
    • Dark web: Ahmia indexed search only — no direct .onion crawling
    • Threat-actor TTP changelog: diff MITRE updates per group, alert when a tracked actor adopts a new technique
  6. Platform & multi-tenancy
     Status: Considering, 2027-06+

    Deferred deliberately. We add this when a second tenant asks — not before — otherwise it's over-engineering for a phantom requirement.

    • Hard tenant isolation: Postgres RLS + per-tenant OpenSearch index pattern + Neo4j label namespacing
    • Granular RBAC: per-source, per-TLP, per-actor visibility
    • SCIM provisioning + Keycloak federation
    • Audit-log streaming to S3 / ClickHouse
    • API-key scoping (per-resource scope on top of existing admin/analyst roles)
    • Per-tenant data-residency hooks
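An added example (not Rinjani's own code) of the middle layer of the Phase 3 `POST /v1/graph/nl-query` guard: a word-boundary regex blocklist over LLM-generated Cypher, with the Neo4j READ-mode session shown as the backstop it relies on. The clause list, function names and length cap are assumptions, not taken from the project.

```typescript
// Cypher clauses that mutate data or schema, or that can reach writing
// procedures (CALL). Matched as whole words (\b), so a property such as
// `deleted_at` does not trip the DELETE rule.
const WRITE_CLAUSES = [
  "CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE", "DROP",
  "FOREACH", "LOAD", "CALL", "ALTER", "GRANT", "DENY", "REVOKE",
];
const BLOCKLIST = new RegExp(`\\b(?:${WRITE_CLAUSES.join("|")})\\b`, "i");

// Read-only Cypher produced for an analyst should open with a read clause.
const READ_OPENERS = /^\s*(?:MATCH|OPTIONAL\s+MATCH|UNWIND|WITH|RETURN)\b/i;

interface GuardVerdict {
  allowed: boolean;
  reason: string;
}

// Layer 2 of the guard: cheap and deterministic, runs before any DB round-trip.
// It is a filter, not a proof of safety; layer 3 below is what actually
// prevents writes when the regex is fooled or out of date.
function guardCypher(query: string, maxLen = 2000): GuardVerdict {
  if (query.length > maxLen) {
    return { allowed: false, reason: "query exceeds length cap" };
  }
  if (!READ_OPENERS.test(query)) {
    return { allowed: false, reason: "query must start with a read clause" };
  }
  const hit = BLOCKLIST.exec(query);
  if (hit) {
    return { allowed: false, reason: `blocked clause: ${hit[0].toUpperCase()}` };
  }
  return { allowed: true, reason: "ok" };
}

// Layer 3: session options for the official Neo4j JavaScript driver.
// With defaultAccessMode "READ" the server itself rejects write queries,
// regardless of what the regex let through.
function readOnlySession(database = "neo4j") {
  return { database, defaultAccessMode: "READ" as const };
}
```

A false positive (a string literal containing "set") fails closed and is simply reported back to the analyst, which is the acceptable direction for this layer.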
Deliberate non-goals

What we won't build

Saying "no" early is how an independent project stays shippable. These six are the questions we get asked most, and the answer for each is: this is what we're not building, and what we'd recommend instead.

Built-in SIEM
    Excellent ones exist; we integrate, not compete
Generic OSINT web crawler
    A year of work to compete with theHarvester / Maltego; we narrow to cert streams + paste sites instead
Visual workflow editor on top of Workbench
    Workbench's existing UI is good enough; the DSL approach in Phase 4 is leaner
Native mobile app
    Dashboard is responsive; a separate React Native app is a tar pit for an independent dev
Built-in case management
    JIRA / GitHub two-way sync covers 95% of this for 5% of the effort
Authoritative malware analysis
    Sandbox triggers yes (Phase 4); building a sandbox no
CVSS v4 alongside v3
    v3 + EPSS + KEV is the strict-superset prioritisation signal today; v4 adoption among publishers remains sparse, so schema + UI churn doesn't repay itself. Will reconsider when ≥ 20% of newly-published CVEs carry a v4 vector.
PhishTank integration
    Registrations paused indefinitely upstream since 2024 with no reopening signal. OpenPhish + URLhaus + urlscan.io already cover what the free feed surfaced.
Doubling down

What we have that vendor stacks don't

Four properties where the roadmap above is investing deliberately. Each is a structural advantage of the architecture choices already in main, not a wishlist.

Graph-native attribution

Neo4j as a first-class store, not a bolt-on. Most indie CTI tools fake graph queries with SQL self-joins; we model the graph as the graph.

Embedded pipeline visibility

Vendored Workbench fork at /admin/workbench lets analysts debug ingestion themselves, in the same tab they log in to. Rare even in vendor products.

LLM as analyst, not as chatbot

Narrow surfaces (summarisation, IOC extraction, similarity) with golden-output evals — never a generic chat-with-your-data widget.

Vector search ready

OpenSearch already configured with vector support. Phase 3 ships the wiring; we're 80% there infrastructurally.

The full roadmap lives in the repo

This page is the visitor view. The line-by-line source of truth — including the cross-cutting always-on items, the contribution path, and the per-item status — is the ROADMAP.md in the backend repo.

Read ROADMAP.md on GitHub