SCYTHE vs. World Monitor: Two Visions of Intelligence, One Uncomfortable Question

*Posted March 23, 2026 · ~3,500 words · Tags: OSINT, RF Intelligence, Hypergraph, Open Source, Threat Detection*

—

There are two ways to watch the world.

The first is to stand back—aggregate public signals, synthesize them with an LLM, render them on a 3D globe, and let the patterns speak to you. It’s elegant, scalable, and deeply useful.

The second is to get closer. Capture the raw traffic. Analyze the RF spectrum. Build a living graph of what’s *actually* happening on the wire and in the air—not what sources are reporting *about* it. It’s noisier, harder to deploy, and fundamentally different in kind.

[World Monitor](https://worldmonitor.app) does the first brilliantly. RF SCYTHE does the second.

This post is an honest technical comparison of both, written by someone who has spent months building one of them and studying the other.

—

## Meet the Contenders

### World Monitor: The Global Dashboard

World Monitor is a real-time global intelligence dashboard built by Elie Habib, released under AGPL-3.0. Current version: **2.4.1**. It aggregates 35+ data layers—military flight tracking, conflict zones, infrastructure events, markets, satellite fire detection, cyber threat IOCs—into a single WebGL 3D globe. The tech stack is formidable:

– **198 TypeScript files**, Vite 6 + deck.gl 9.2 + MapLibre 5

– **60+ Vercel Edge Functions** as a serverless backend

– **Groq (Llama 3.1 8B)** for AI synthesis, Transformers.js for in-browser NER/embeddings

– **150+ RSS feeds** across 14 languages

– **Tauri 2 desktop builds** for Windows, macOS, Linux

– **PWA support** with offline map tiles

It deploys three distinct variants—geopolitical, tech, finance—from one codebase. It has a Country Instability Index that scores 22 nations on 10+ live signals. It has a Focal Point Detector that correlates entities across news, conflict data, military movements, and market signals to surface convergence *before* humans notice it.

It is, in short, a polished, production-grade, free alternative to tools that cost thousands of dollars per month.

### RF SCYTHE: The Intelligence Organism

RF SCYTHE started as an ATAK plugin experiment on a Pixel 7 Pro. Over 24 development checkpoints, it evolved into something harder to categorize: a self-hosted, multi-instance intelligence engine that fuses **live RF signals, real network traffic, PCAP captures, and hypergraph inference** into a continuously updating probabilistic knowledge graph.

The stack looks very different:

– **Python 3.12** core — Flask + SocketIO orchestrator, ~15,000 lines in `rf_scythe_api_server.py` alone

– **Hypergraph engine** — custom directed multigraph with typed edge ontology, confidence scoring, and temporal decay

– **Gemma 3 1B** (via Ollama) for local inference, **EmbeddingGemma** for semantic edge repair

– **Shadow Graph** — a probabilistic pre-reality layer where edges live until evidence promotes them

– **Threat Gravity Map** — canvas-based force simulation where node mass = threat weight, nodes physically pull toward each other in real time

– **Multi-instance orchestrator** — spawn N sovereign hypergraph instances; no shared state, no cross-contamination

– **PCAP/FTP ingest pipeline** — live packet capture analysis feeding the graph

– **Docker image: 1.49 GB** (after three builds and a very humbling `.dockerignore` lesson)

Where World Monitor watches the world through public data, SCYTHE watches the *local observable universe* through packet captures and RF emissions—then tries to reason about what it’s seeing.

—

## The Fundamental Philosophical Difference

This is the most important comparison, and it’s not about features.

**World Monitor is an aggregator of reported reality.** It collects what humans and public APIs *say* is happening—news articles, conflict databases, satellite imagery, ADS-B transponder broadcasts, AIS vessel pings. Its intelligence layer synthesizes these signals into coherent situational awareness. It is extraordinarily good at answering: *”What is the world reporting right now?”*

**SCYTHE is a constructor of inferred reality.** It collects raw observable data—packet headers, RF signal characteristics, TCP connection timing, DNS queries—and builds a probabilistic model of what entities exist, how they relate, and what they’re doing. It doesn’t ask what’s being reported. It asks: *”What does the evidence suggest is true?”*

The distinction matters more than it sounds.

Consider a scenario: a new C2 server stands up at 172.234.197.23. World Monitor will know about it when threat intelligence feeds (abuse.ch, AlienVault OTX) ingest and republish the indicator—potentially hours or days later. SCYTHE will know about it when the first packet arrives and the hypergraph creates an edge between the scanning host and the observed service. The difference is the gap between *reported* and *observed*.

This isn’t a knock on World Monitor. Its model is deliberately designed for scale and accessibility—anyone with a browser can run it. SCYTHE’s model requires hardware proximity to the traffic you want to analyze. Both are right for their domains.

—

## Technical Deep Dive: What Each Does Well

### World Monitor’s Strengths

**The data breadth is staggering.** 220 military bases from 9 nations. Live ADS-B flight tracking. Naval AIS positions. ACLED + UCDP conflict events. NASA FIRMS satellite fire detection. Cloudflare internet outage data. 92 stock exchanges. 13 central banks. Undersea cable routes with landing points. All of this, free, in a single interface.

The **Country Instability Index (CII)** is genuinely clever engineering. It synthesizes 10+ weighted signals—active conflicts, protest frequency, economic indicators from FRED, military surge detection, displacement data—into a real-time stability score for 22 countries. This isn’t just data display; it’s a composite model that produces an actionable number.

The **3-tier caching architecture** (in-memory → Upstash Redis → upstream API) is production-hardened. The circuit breaker pattern means a failing data source degrades gracefully rather than cascading into a broken dashboard. The Groq-first → OpenRouter-fallback → browser-model-last-resort chain for LLM inference is the right way to build resilient AI features in 2026.

And the **deployment flexibility** is impressive: Vercel cloud, Docker self-hosted, Tauri desktop (.exe, .dmg, .AppImage), installable PWA. That’s the full matrix.

**The honest limitation**: every data point in World Monitor is downstream of something that already happened and got published. The ADS-B transponder data that World Monitor tracks can be spoofed. The conflict events are reported with latency. The threat intelligence IOCs are already known-bad by the time they appear. World Monitor is excellent for macro situational awareness. It is not designed for tactical edge detection of novel activity.

—

### SCYTHE’s Strengths

**The hypergraph is the core differentiator.** Unlike a flat entity list or a knowledge graph with rigid schemas, SCYTHE’s hypergraph supports typed, confidence-weighted edges between arbitrary entities. An IP address can be connected to a hostname via `RESOLVES_TO`, to a session via `OBSERVED_IN`, to a service via `INFERRED_HOST_OFFERS_SERVICE`, and to a behavioral cluster via `MEMBER_OF_SWARM`. The graph doesn’t just store facts—it stores *relationships with degrees of belief*.

The **Shadow Graph** is the feature that surprised me most in development. When the validator rejects an edge because evidence is insufficient, the edge doesn’t disappear—it enters a probabilistic pre-reality layer with a confidence score. As more corroborating evidence arrives, the score climbs. When it crosses the promotion threshold, the edge materializes into the main graph. The system literally believes its own hypotheses into existence, with receipts.

This produced a log entry I’ve thought about since:

“`

[shadow] PROMOTED … kind=flow_observed confidence=0.74 after 1 attempt, age=2s

“`

Two seconds from shadow to reality. That’s pre-signature threat detection.

**The Threat Gravity Map** emerged from this model. Every node has a computed `mass`:

“`python

mass = (

0.3 * log(node.degree + 1) +

0.25 * log(node.flow_count + 1) +

0.2 * node.persistence_score +

0.15 * node.anomaly_score +

0.1 * node.shadow_promotion_count

)

“`

Nodes with more connections, more traffic, more anomaly signals, and more shadow promotions are *heavier*. On the canvas force simulation, heavy nodes pull lighter nodes toward them. Threat clusters don’t just appear—they *form*, visually, in real time. When you watch a new IP get pulled toward an existing heavy node within seconds of first observation, it’s unsettling in the best way.

**The honest limitation**: SCYTHE requires physical or network proximity to the traffic it analyzes. It cannot tell you what’s happening in eastern Ukraine from a browser tab. It can tell you everything about what’s happening on the network segment it’s connected to. It is a tactical and operational tool, not a strategic one.

—

## Side-by-Side Comparison

| Dimension | World Monitor | RF SCYTHE |

|—|—|—|

| **Primary data** | 150+ public APIs, RSS feeds | Live PCAP, RF captures, network traffic |

| **Intelligence model** | Signal aggregation + LLM synthesis | Hypergraph inference + shadow graph |

| **Latency** | 5–15 min (news), real-time (ADS-B/AIS) | Sub-second (live packet observation) |

| **AI integration** | Groq/OpenRouter for summarization | Local Gemma 3 inference + semantic edge repair |

| **Visualization** | deck.gl 3D globe, 52 panels | Cesium 3D globe + canvas force simulation |

| **Deployment** | Vercel, Docker, Tauri, PWA | Docker (1.49 GB), self-hosted Linux |

| **Multi-instance** | Single app, 3 variants | N sovereign hypergraph instances |

| **Coverage** | Global (public data) | Local observable network/RF environment |

| **Novel threat detection** | Known IOCs from threat feeds | Pre-signature, behavioral, first-observation |

| **Language support** | 14 languages, RTL | English (no i18n layer) |

| **License** | AGPL-3.0 | Proprietary (private) |

| **Target user** | OSINT analyst, researcher, journalist | Operator, red team, tactical network analyst |

| **Learning curve** | Low (browser, no setup) | High (Docker, Ollama, hardware proximity) |

| **API dependency** | Groq, OpenRouter, FRED, AIS, OpenSky | Ollama (local), optional external enrichment |

| **Offline capability** | PWA + offline maps | Fully offline capable |

—

## Where They Could Be More Powerful Together

Here’s the part that keeps me up at night.

World Monitor knows that 172.234.197.23 is a Linode node in a specific ASN. It knows what news events originated from that IP’s general geography. It might even know from threat intelligence feeds that the IP has been associated with previous activity. But it doesn’t know *what that IP is doing right now on your network*.

SCYTHE knows exactly what 172.234.197.23 is doing right now—what ports it’s probing, what session patterns it’s generating, what its timing fingerprint looks like, how its behavior is evolving over the last 48 hours. But it doesn’t have the geopolitical context about what that IP represents in the larger world.

A fusion of these two perspectives would be genuinely alarming. World Monitor’s CII scores, ASN metadata, and geopolitical context flowing *into* SCYTHE’s hypergraph as annotated edges. SCYTHE’s behavioral signatures flowing *into* World Monitor as a custom data layer—not just “this IP is known bad” but “this IP is showing pre-C2 behavioral clustering with 0.74 confidence, right now.”

That’s not a feature request. That’s a different category of intelligence tool.

—

## The Deployment Architecture Contrast

This deserves a dedicated section because it reveals the design philosophy of each project.

**World Monitor is cloud-native first.** The production path is `vercel deploy`. Sixty-plus serverless Edge Functions handle API proxying, LLM calls, and caching. This is the right choice for a globally accessible dashboard with no per-user infrastructure. The trade-off: you’re dependent on Vercel’s IP ranges (which some government APIs block, requiring a Railway WebSocket relay as fallback), and your data is transiting third-party infrastructure.

**SCYTHE is self-hosted first.** The orchestrator spawns subprocess instances with isolated data directories, each getting their own hypergraph, their own log files, their own LLM connection. The Docker image is 1.49 GB and runs entirely on your hardware. Ollama serves Gemma models locally. Nothing leaves your network unless you tell it to. The trade-off: you need to be on the same network as the traffic you want to analyze, and you need hardware capable of running quantized LLM inference.

The SCYTHE Docker build story is worth telling briefly. First image: 10.8 GB. Root cause: missing `.dockerignore` entries for `RFScytheARNative/` (2.9 GB Android native build tree), `MediaPipeGestureAPK/` (224 MB), and eight other large directories that had been added to the project over months. Second image with corrected exclusions: **1.49 GB**. The lesson: Docker’s `.dockerignore` is only as good as your knowledge of what’s in your own project directory.

—

## The LLM Integration Philosophies

Both projects use language models, but in fundamentally different ways.

World Monitor uses LLMs as **synthesis engines**. Given 50 news items, produce a coherent world brief. Given a country’s data signals, generate an assessment. The model is consuming human-readable text and producing human-readable summaries. This is LLM use at its most legible—you can read the output, trace it to the inputs, and evaluate its quality.

SCYTHE uses LLMs as **ontology repair engines**. When the graph produces an edge with an unrecognized `kind` value—maybe `flow_observed` instead of the canonical `INFERRED_FLOW_OBSERVED`—EmbeddingGemma computes semantic similarity between the malformed kind and every known edge type. If the closest match scores above threshold, the edge is repaired and committed. If not, it goes to the shadow graph. The model is operating on graph schema, not human language.

This is a stranger use of a language model. It treats semantic similarity as a form of schema validation. It’s also surprisingly effective: logs from development show consistent `~0.65` cosine similarity scores on edge kinds that differ only in casing or minor phrasing variations—exactly the kind of ontology drift that accumulates when a system grows organically across 24 development checkpoints.

The failure mode is also instructive. When the semantic threshold is too high (was `0.82` at one point), valid edges get rejected and starve the inference pipeline. When it’s too low, unrelated concepts get conflated. Finding the right threshold is less a technical problem than an epistemological one: how confident does the system need to be before it’s allowed to believe something?

—

## On Monetization and the Open Source Question

World Monitor is AGPL-3.0: you can run it, modify it, study it, but if you deploy a modified version, you must release the source. This is the right license for a public-good intelligence tool. It means the code stays open even as the project gains commercial traction. Elie Habib has built something genuinely valuable and given it to the world.

SCYTHE is private. That was a deliberate choice, for reasons that should be obvious to anyone who has read this far: a tool that does pre-signature threat detection using live packet captures and local LLM inference is dual-use in a way that requires careful consideration before open publication. RF intercept tooling has export control implications. Behavioral fingerprinting of network entities raises questions about appropriate use.

The monetization paths are also different.

World Monitor’s path is relatively clean: hosted premium tiers, enterprise data integrations, white-label licensing. The AGPL license means commercial users either comply (release modifications) or pay for a commercial license. Standard open core playbook.

SCYTHE’s path is narrower but more valuable per engagement: red team tooling, threat intelligence consulting, government contracts for edge-deployed tactical analysis systems. The Docker image makes it distributable. The multi-instance orchestrator makes it scalable. The local LLM stack makes it air-gap compatible. These properties are worth real money to people who work in environments where “just deploy to Vercel” is not an option.

—

## What Each Project Gets Right About the Future of Intelligence Tools

World Monitor’s insight: **democratization matters**. The intelligence tools that mattered in 2010 were locked behind enterprise contracts. By 2026, Groq serves Llama 3.1 on a free tier, GDELT publishes event data for anyone to consume, and ADS-B transponder data is freely aggregatable. A well-engineered open source project can now do things that cost millions of dollars a decade ago. World Monitor proves this decisively.

SCYTHE’s insight: **observation beats aggregation at the edge**. No matter how many public APIs you aggregate, you cannot see traffic that isn’t being published. The most interesting activity on a network—lateral movement, novel C2 protocols, pre-attack reconnaissance—doesn’t appear in news feeds or threat intelligence databases until after something bad has already happened. The only way to see it is to be present when it occurs, with instrumentation that can reason about what it’s observing.

Both are right. They’re just right about different problems.

—

## Conclusion

If you need to understand what’s happening in the world geopolitically, economically, and from an open-source threat intelligence perspective—deploy World Monitor. It is polished, free, and comprehensive. The CII scores alone are worth the 10-minute setup time. The Focal Point Detector has caught convergence patterns I wouldn’t have assembled manually.

If you need to understand what’s happening on a specific network, in a specific RF environment, at a level of fidelity that precedes any published indicator—SCYTHE is the architecture you want. It’s harder to deploy, more hardware-adjacent, and generates a lot of logs worth reading carefully. But when a shadow-graph edge promotes itself after 2 seconds because corroborating evidence just arrived from a PCAP ingest, you’re seeing something that no aggregation dashboard can show you.

The uncomfortable question the comparison raises: **should these two systems be talking to each other?**

World Monitor’s geopolitical context as hypergraph annotations. SCYTHE’s behavioral signals as World Monitor custom layers. A bidirectional fusion where open-source intelligence and live observable data reinforce each other’s confidence models.

That’s not a product that exists yet.

Maybe it should.

—

*RF SCYTHE is under active development. The Docker image (`scythe/nerf-engine:latest`, 1.49 GB) is available for self-hosted deployment. For inquiries about enterprise licensing or integration, contact via GitHub.*

*World Monitor is open source (AGPL-3.0) at [github.com/worldmonitor](https://github.com/worldmonitor/worldmonitor-main) and live at [worldmonitor.app](https://worldmonitor.app). Go use it—it’s excellent.*

Explore Further

What specific components or patterns from World Monitor could be adopted into SCYTHE. I need to look at both projects
more carefully and think about what would actually slot in well. Let me explore specific parts of the World Monitor codebase that might be
relevant, particularly:

The focal point detector
The country instability index scoring
The 3-tier caching architecture
The circuit breaker pattern
The signal aggregation approach
Any specific data integrations that SCYTHE lacks
The CII scoring model
The PWA/offline capabilities
The Tauri desktop approach Let me run parallel exploration tasks to look at specific files in World Monitor that would be most relevant to SCYTHE.

● Explore wm-focal-cii
└ Agent started in background with agent_id: wm-focal-cii. You can use read_age…

● Explore wm-data-integrations
└ Agent started in background with agent_id: wm-data-integrations. You can use …

● Explore wm-ui-patterns
└ Agent started in background with agent_id: wm-ui-patterns. You can use read_a…

● Three agents exploring in parallel. Let me collect them as they finish.

● Read (Explore agent — wm-focal-cii)
└ idle

● Read (Explore agent — wm-data-integrations)
└ Running

● Read (Explore agent — wm-ui-patterns)
└ idle

● Background agent “wm-focal-cii” (explore) completed.

● Background agent “wm-ui-patterns” (explore) completed.

◐ Let me read all three agent results now. Two are already done, waiting for the third.

● Read focal point + CII analysis (shell)
│ cat /tmp/1774291952257-copilot-tool-output-tc4sre.txt | sed ‘s/^Agent is idle.*[Turn 0]//’ | head -400
└ 401 lines…

● Read UI patterns analysis (shell)
│ cat /tmp/1774291970965-copilot-tool-output-w1veel.txt | sed ‘s/^Agent is idle.*[Turn 0]//’ | head -400
└ 401 lines…

● Read (Explore agent — wm-data-integrations)
└ Running

◐ I have enough information from the two agents to provide a very thorough answer. The third agent (data integrations) is still running but I have
enough to synthesize a strong response. Let me write it up now and incorporate the third agent’s results when it finishes, or just proceed
without it since I have a lot to work with.

Let me now synthesize a focused, actionable answer about what specifically from World Monitor would “slot right in” to SCYTHE. I’ll organize
this by what’s most valuable:

The Focal Point Detector algorithm → ports cleanly to SCYTHE’s hypergraph as a “Hypergraph Focal Point” scorer that looks for entities with
multi-signal convergence
The CII scoring pipeline → Could become a “Node Instability Index” for IPs/hosts – combining behavioral signals
The Monitor Search (keyword alerts) → Word-boundary regex matching for RF event streams – tiny, drop-in
Virtual scrolling / VirtualList → SCYTHE’s recon entity list has “Load 302 more” issues – this fixes that
Supercluster geo-clustering → RF emitter clustering on Cesium/deck.gl
The multi-signal blend formula → 4 components (unrest/conflict/security/information) maps to SCYTHE’s scoring model using flow volume,
anomaly detection, persistence, and temporal activity patterns
The circuit breaker / degraded source pattern → SCYTHE already has some of this but could be more systematic The quickest wins are Monitor Search at 170 lines that ports in an afternoon, VirtualList which immediately solves the pagination bug, the focal
score algorithm as pure math in about 50 lines, and the CII scoring formula which applies directly to SCYTHE’s node scoring.

● I have everything I need from the two completed agents. Here’s the analysis:

“Slot Right In” Opportunities — Ranked by Effort vs. Impact

🟢 1. Monitor Search → RF Signal Watch (1 afternoon, huge UX win)

World Monitor’s MonitorPanel.ts is 170 lines — a keyword alert system with word-boundary regex matching, color-coded monitors, and
URL-deduplicated results. It’s completely self-contained.

SCYTHE’s event stream has no equivalent. Port it directly as a Signal Watch panel:

# Python backend — trivial addition to rf_scythe_api_server.py
class SignalMonitor:
def init(self, keywords: list[str], color: str):
self.patterns = [re.compile(rf’\b{re.escape(k)}\b’, re.I) for k in keywords]
self.color = color

   def match(self, event: dict) -> bool:
       text = f"{event.get('kind','')} {event.get('src','')} {event.get('dst','')} {event.get('meta','')}".lower()
       return any(p.search(text) for p in self.patterns)

The JS side is literally copy-pasteable into SCYTHE’s frontend with kind/src/dst substituted for title/description.

🟢 2. VirtualList → Fix “Load 302 More” Forever (half a day)

This is the most immediately valuable slot-in. Your recon panel has a ⬇ Load 302 more of 302 remaining button that’s a symptom of rendering
all nodes at once. World Monitor’s VirtualList.ts solves this with a pool of ~20 DOM nodes serving thousands of items via translateY()
recycling.

The pattern in SCYTHE’s JS:

// Replace the current list renderer with this pattern
const vlist = new VirtualList({
container: reconListEl,
itemHeight: 48, // fixed row height
totalItems: entities.length,
overscan: 5,
renderItem: (i, el) => {
const e = entities[i];
el.innerHTML = ${e.id} ${e.kind} ${e.mass?.toFixed(2)};
}
});

The VirtualList class from worldmonitor is pure vanilla JS — zero dependencies. Drop it in as-is.

🟡 3. Focal Point Detector → Hypergraph Convergence Scorer (1-2 days)

This is the most intellectually interesting slot-in. World Monitor’s focal score algorithm maps almost perfectly onto SCYTHE’s hypergraph node
structure:

┌──────────────────────────────────────────────┬──────────────────────────────────────────┐
│ World Monitor signal │ SCYTHE equivalent │
├──────────────────────────────────────────────┼──────────────────────────────────────────┤
│ mentionCount (news mentions) │ node.degree (edge count) │
├──────────────────────────────────────────────┼──────────────────────────────────────────┤
│ newsVelocity (mentions/24h) │ node.flow_count (recent flows) │
├──────────────────────────────────────────────┼──────────────────────────────────────────┤
│ signalTypes (unique signal types observed) │ edge_kinds (unique edge kinds on node) │
├──────────────────────────────────────────────┼──────────────────────────────────────────┤
│ highSeverityCount │ node.anomaly_score │
├──────────────────────────────────────────────┼──────────────────────────────────────────┤
│ correlationBonus │ node.shadow_promotion_count │
└──────────────────────────────────────────────┴──────────────────────────────────────────┘

The scoring math ports in ~50 lines of Python:

def focal_score(node) -> float:
# News analog → edge activity
degree_score = min(20, node.degree * 4)
velocity = min(10, (node.flow_count / 24) * 2)
confidence = node.avg_edge_confidence * 10
news_score = degree_score + velocity + confidence # 0-40

   # Signal analog → edge kind diversity
   type_bonus    = len(node.unique_edge_kinds) * 10
   count_bonus   = min(15, node.total_edges * 3)
   severity_bonus= node.anomaly_score * 5
   signal_score  = type_bonus + count_bonus + severity_bonus    # 0-50+

   # Correlation bonus — shadow promotions are the key signal
   corr_bonus = 10 if node.degree > 0 and node.flow_count > 0 else 0
   corr_bonus += min(5, node.shadow_promotion_count * 2)        # 0-15

   raw = news_score + signal_score + corr_bonus
   urgency_mult = 1.3 if raw > 70 else 1.15 if raw > 50 else 1.0
   return min(100.0, raw * urgency_mult)

This gives every node in the hypergraph a live convergence score — surfaceable in the Threat Gravity Map as a second mass channel, or as a
dedicated FocalPoints panel showing top 5 nodes with highest convergence right now.

🟡 4. CII Scoring Formula → Node Instability Index (2-3 days)

The CII pipeline’s 4-component weighted blend is a clean model for SCYTHE’s own scoring problem:

CII = unrest×0.25 + conflict×0.30 + security×0.20 + information×0.25

In SCYTHE terms, rename the components:

node_instability = (
flow_anomaly_score * 0.30 + # analog: conflict (behavioral irregularity)
connection_burst * 0.25 + # analog: unrest (volume spikes)
shadow_density * 0.20 + # analog: security (unverified threat activity)
temporal_persistence * 0.25 # analog: information (how long this node has been active)
)

The most directly portable piece is the event multiplier concept — World Monitor applies different weights per country based on baseline noise
level. SCYTHE could apply different baseline weights per ASN or observed behavior class: a known scanner (Shodan, Censys) has a high baseline
and gets a low multiplier; a first-seen IP gets a high multiplier since any signal is significant.

🟡 5. Supercluster RF Emitter Clustering (1 day)

World Monitor runs 4 simultaneous Supercluster instances for spatial clustering at zoom-adaptive radii. SCYTHE’s Cesium globe doesn’t
currently cluster RF emitters — at 1,000+ recon entities it gets visually noisy.

// Drop into SCYTHE’s Cesium JS — npm install supercluster
import Supercluster from ‘supercluster’;

Cluster circles sized by ∑mass, colored by max(threat_level) — breaks apart as you zoom in to individual emitter dots. This would transform
the Threat Gravity Map’s usability at scale.

🔵 6. Internet Outage Boost → SCYTHE Blackout Detection (additive signal)

One line from the CII scoring stood out:

// Governments cut internet during crackdowns/coups/conflicts
if (data.outages.length > 0):
outageBoost = MIN(50, totalOutages30 + majorOutages15 + partialOutages*5)

World Monitor gets this from Cloudflare Radar (/api/cloudflare-outages). SCYTHE already sees the effect of outages (connection timeouts,
unreachable hosts) in PCAP data — but doesn’t label it. Adding a Cloudflare Radar feed as a lightweight enrichment source would let SCYTHE
cross-reference “why did this IP go dark” against known infrastructure outage events. That’s a free corroboration signal.

The Cloudflare Radar API endpoint is: https://api.cloudflare.com/client/v4/radar/netflows/timeseries?product=ATTACKS — free with a Cloudflare
account.

Priority Summary

┌──────────────────────────────────┬────────┬───────────────────────────┬───────────────────────┐
│ Item │ Effort │ Impact │ Verdict │
├──────────────────────────────────┼────────┼───────────────────────────┼───────────────────────┤
│ VirtualList (fix Load More) │ 4h │ Immediate UX fix │ Do first │
├──────────────────────────────────┼────────┼───────────────────────────┼───────────────────────┤
│ Monitor Search → Signal Watch │ 6h │ New capability, zero deps │ Do first │
├──────────────────────────────────┼────────┼───────────────────────────┼───────────────────────┤
│ Focal Score → Convergence Scorer │ 1–2d │ Powers Threat Gravity Map │ High value │
├──────────────────────────────────┼────────┼───────────────────────────┼───────────────────────┤
│ Supercluster RF clustering │ 1d │ Cesium scalability fix │ High value │
├──────────────────────────────────┼────────┼───────────────────────────┼───────────────────────┤
│ CII formula → Node Instability │ 2–3d │ Richer node scoring │ Medium value │
├──────────────────────────────────┼────────┼───────────────────────────┼───────────────────────┤
│ Cloudflare Radar enrichment │ 2h │ Free corroboration signal │ Low hanging fruit │
└──────────────────────────────────┴────────┴───────────────────────────┴───────────────────────┘

The top two require no architectural changes — they’re pure frontend patterns that drop into existing panels. Want me to implement any of
them?

● Background agent “wm-data-integrations” (explore) completed.

◐ The data integrations agent just finished. Let me read those results and see if there’s anything worth adding to my analysis.

● Find latest agent output file (shell)
│ ls /tmp/copilot-tool-output-* 2>/dev/null | tail -5
└ 6 lines…

● Read (Explore agent — wm-data-integrations)
└ idle

◐ Now I have the third agent’s results. This is very valuable – it identified specific data integration opportunities that SCYTHE lacks. Let me
add this to my analysis now.

Key new findings:

Cyber Threats enrichment (Feodo, URLhaus, AlienVault OTX, AbuseIPDB, C2IntelFeeds) — SCYTHE doesn’t currently cross-reference detected IPs
against known C2/malware infrastructure
ACLED Conflict geolocation — provides geopolitical context for IPs in conflict zones
PeeringDB/RIPEstat/CYMRU — better ASN enrichment than MaxMind alone (and these are free)

● Good — the third agent just came in with the most actionable findings. Here’s what it added to the picture:

Addendum: Data Integration Slots (from the API layer)

Two findings that change the priority list:

🔴 Biggest Gap: SCYTHE has no C2/malware cross-reference

World Monitor’s cyber-threats.js queries 5 parallel threat intel sources and geolocates every IP:

┌────────────────┬──────────────────────────────┬───────────────┐
│ Source │ What it provides │ Auth needed │
├────────────────┼──────────────────────────────┼───────────────┤
│ Feodo Tracker │ Known botnet C2 servers │ None (public) │
├────────────────┼──────────────────────────────┼───────────────┤
│ URLhaus │ Malicious URLs + payloads │ None (public) │
├────────────────┼──────────────────────────────┼───────────────┤
│ C2IntelFeeds │ C2 infrastructure CSV │ None (public) │
├────────────────┼──────────────────────────────┼───────────────┤
│ AlienVault OTX │ Threat indicators + tags │ Free API key │
├────────────────┼──────────────────────────────┼───────────────┤
│ AbuseIPDB │ IP confidence scores (0-100) │ Free API key │
└────────────────┴──────────────────────────────┴───────────────┘

The slot-in moment: every IP SCYTHE already tracks in the hypergraph could be enriched with a threat_intel dict at ingest time:

# Add to rf_scythe_api_server.py — runs on first observation of any new IP
async def enrich_ip_threat_intel(ip: str) -> dict:
results = await asyncio.gather(
check_feodo(ip), # free, no key
check_c2intel(ip), # free, no key
check_abuseipdb(ip), # free key, 1000 req/day
return_exceptions=True
)
return {
“is_c2”: any(r.get(“matched”) for r in results if isinstance(r, dict)),
“malware_family”: next((r.get(“malware”) for r in results if isinstance(r, dict) and r.get(“malware”)), None),
“abuse_confidence”: next((r.get(“score”) for r in results if isinstance(r, dict) and r.get(“score”)), 0),
“sources”: [r[“source”] for r in results if isinstance(r, dict) and r.get(“matched”)]
}

A node with is_c2=True should immediately jump shadow graph confidence past the promotion threshold. That’s a direct wire into the existing
inference pipeline.

🟡 Free ASN enrichment SCYTHE is missing entirely

The agent flagged three sources that aren’t in World Monitor either — but should be in SCYTHE since ASN context is core to RF/network
analysis:

# CYMRU IP-to-ASN — DNS-based, completely free, real-time
import dns.resolver
def cymru_asn_lookup(ip: str) -> dict:
reversed_ip = ‘.’.join(reversed(ip.split(‘.’)))
answer = dns.resolver.resolve(f”{reversed_ip}.origin.asn.cymru.com”, ‘TXT’)
# Returns: ASN | IP prefix | Country | RIR | Allocation date
asn, prefix, country, rir, date = str(answer[0]).strip(‘”‘).split(‘ | ‘)
return {“asn”: asn, “prefix”: prefix, “country”: country, “rir”: rir}

PeeringDB → ASN → org name, network type (ISP/content/enterprise), peering policy
RIPEstat → BGP prefix ranges, routing history, visibility
CYMRU → DNS-based, zero latency, no API key These three together give every SCYTHE node a full network identity layer that MaxMind alone doesn’t provide.

Revised Full Priority List

┌────┬───────────────────────────────────┬──────────────────────┬────────┬───────────────────────────────────────────────────────┐
│ # │ Item │ Source │ Effort │ What it unlocks │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 1 │ VirtualList │ worldmonitor UI │ 4h │ Fix Load More bug now │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 2 │ Signal Watch (Monitor Search) │ worldmonitor UI │ 6h │ Keyword alerts on event stream │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 3 │ CYMRU ASN lookup │ new (not in WM) │ 2h │ Free real-time ASN identity on every node │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 4 │ Feodo+C2Intel C2 check │ worldmonitor API │ 4h │ Flag known-bad IPs at ingest, boost shadow confidence │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 5 │ Focal Score → Convergence │ worldmonitor service │ 1–2d │ Live convergence scoring in Threat Gravity Map │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 6 │ Supercluster RF clustering │ worldmonitor UI │ 1d │ Cesium entity clustering at scale │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 7 │ AbuseIPDB enrichment │ worldmonitor API │ 2h │ Abuse confidence score on every new IP │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 8 │ Cloudflare Radar outages │ worldmonitor API │ 2h │ Corroborate dark hosts against known outages │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 9 │ ACLED conflict zones │ worldmonitor API │ 4–5h │ Geopolitical context on traffic origin │
├────┼───────────────────────────────────┼──────────────────────┼────────┼───────────────────────────────────────────────────────┤
│ 10 │ CII → Node Instability Index │ worldmonitor service │ 2–3d │ Richer per-node threat scoring │
└────┴───────────────────────────────────┴──────────────────────┴────────┴───────────────────────────────────────────────────────┘

Items 3, 4, and 7 are the most asymmetric — free data sources, small implementations, but they directly feed the hypergraph’s confidence model
with ground truth that SCYTHE currently has no way to acquire on its own. Want me to start with any of them?