# ThreatHunter

ThreatHunter is a **SIEM‑lite security visibility tool** built for small and mid‑sized businesses. It focuses on one simple question:

> *“What suspicious outbound connections are my computers making?”*

Without:

- Heavy agents
- Constant data streaming
- Enterprise SIEM complexity

---

## What ThreatHunter Does

- Collects Windows Firewall / WFP connection events
- Detects connections to known‑bad IPs using reputation data
- Processes data **locally on the endpoint**
- Uploads only confirmed security hits
- Automatically creates **Security alerts in Syncro**
- Provides a clean web UI for technicians and customers

---

## Why It Exists

Most SMBs:

- Have no visibility into outbound traffic
- Can’t justify a full SIEM or EDR
- Still want to *see the crazy stuff* touching their machines

ThreatHunter is designed to be:

- Free or low‑cost
- Easy to deploy via Syncro
- Useful as both a security tool and an educational aid

---

## Architecture Overview

**Endpoint**

- PowerShell script
- Runs on a schedule via Syncro
- Buffers and correlates locally
- Hashes executables only on suspicious hits

**Server**

- VPS‑hosted API + database
- Receives hit data
- Creates Syncro Security tickets
- Hosts ThreatHunter web portal

---

## Status

🚧 Early development / v1 build phase

See `project.md` for full technical and architectural details.

---

## Disclaimer

ThreatHunter is **not** a replacement for:

- EDR
- Full SIEM
- IDS/IPS

It is a **visibility and awareness tool** designed to surface suspicious behavior early and guide next steps.
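The endpoint side of the architecture above (collect WFP connection events, correlate locally, match destinations against reputation data, hash the executable only on a hit, ship only the hits) can be sketched in PowerShell. The block below is an added example written for this README, not ThreatHunter's own script: it parses Windows Filtering Platform "permitted connection" audit events (Security log, Event ID 5156, which only exist when the "Audit Filtering Platform Connection" subcategory is enabled), converts the NT device path WFP reports into a drive-letter path, and applies the pipeline to a constructed sample event. The reputation list, the sample event and the final JSON "upload" are placeholders; the real ThreatHunter API and its payload format are not described on this page.

```powershell
# Added example, not ThreatHunter's own code. Assumes: Event ID 5156 auditing is
# on, the session is elevated, and a reputation list keyed by destination IP.

# Constructed reputation list: destination IP -> feed name. 203.0.113.0/24 is
# RFC 5737 documentation space, so the sample never points at a real host.
$BadIps = @{ '203.0.113.10' = 'constructed-feed' }

# WFP logs the image as an NT device path (\device\harddiskvolumeN\...). Map it
# back to a drive letter with QueryDosDevice so Get-FileHash can open the file.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Convert-DevicePath {
    param([string]$DevicePath)
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
        $sb = New-Object System.Text.StringBuilder 512
        if ([Win32.Native]::QueryDosDevice("$($drive.Name):", $sb, $sb.Capacity) -gt 0) {
            $nt = $sb.ToString()
            if ($DevicePath.StartsWith($nt, [StringComparison]::OrdinalIgnoreCase)) {
                return "$($drive.Name):" + $DevicePath.Substring($nt.Length)
            }
        }
    }
    return $DevicePath   # unmapped (e.g. a network redirector); keep the raw path
}

# Pull the named <Data> fields out of one 5156 event. Takes the XML string so the
# same parser runs on live events ($event.ToXml()) and on the sample below.
function ConvertFrom-WfpEvent {
    param([string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        ProcessId   = [int]$d['ProcessID']
        Application = Convert-DevicePath $d['Application']
        Outbound    = ($d['Direction'] -eq '%%14593')   # %%14592 = inbound
        DestAddress = $d['DestAddress']
        DestPort    = [int]$d['DestPort']
        Protocol    = [int]$d['Protocol']                # 6 = TCP, 17 = UDP
    }
}

# Local correlation: keep outbound records whose destination is on the list,
# collapse repeats of the same (process, destination) into one record with a
# count, and hash the executable only for those hits.
function Find-SuspiciousConnections {
    param([object[]]$Records)
    $Records |
        Where-Object { $_.Outbound -and $BadIps.ContainsKey($_.DestAddress) } |
        Group-Object Application, DestAddress, DestPort |
        ForEach-Object {
            $first = $_.Group[0]
            $hash  = if (Test-Path -LiteralPath $first.Application) {
                (Get-FileHash -LiteralPath $first.Application -Algorithm SHA256).Hash
            } else { $null }   # file gone or path unmapped; report the hit without a hash
            [pscustomobject]@{
                FirstSeen   = ($_.Group | Sort-Object Time)[0].Time
                Count       = $_.Count
                Application = $first.Application
                Sha256      = $hash
                Destination = "$($first.DestAddress):$($first.DestPort)"
                Feed        = $BadIps[$first.DestAddress]
                Host        = $env:COMPUTERNAME
            }
        }
}

# Live collection for the last N hours. Get-WinEvent reports "No events were
# found" when the audit subcategory is off, the usual deployment mistake.
function Get-WfpRecords {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ConvertFrom-WfpEvent $_.ToXml() }
}

# Constructed sample 5156 event, trimmed to the fields the parser reads.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5156</EventID><TimeCreated SystemTime="2024-05-01T10:15:00.000Z"/></System>
  <EventData>
    <Data Name="ProcessID">4242</Data>
    <Data Name="Application">\device\harddiskvolume3\windows\system32\svchost.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">10.0.0.5</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestAddress">203.0.113.10</Data>
    <Data Name="DestPort">443</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>
'@

$records = @(ConvertFrom-WfpEvent $SampleEvent)   # on a real endpoint: @(Get-WfpRecords -Hours 24)
$hits = @(Find-SuspiciousConnections $records)
$hits | Format-List
# Only hits leave the machine; the raw event stream never does. The JSON below is
# a hypothetical payload shape, not the ThreatHunter API's.
if ($hits) { $hits | ConvertTo-Json -Depth 3 }
```

Two points worth checking before scheduling something like this via Syncro: enable the audit subcategory with `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable`, and expect the Security log to grow quickly once it is on, so size the log and the collection window together.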