It has been almost 60 days since launching BreachNews.
The original goal was simple: build a cybersecurity news platform focused on breach activity, ransomware claims, leaked datasets, threat actor chatter, and ongoing incidents while documenting events as they develop in real time.
A lot of cybersecurity news moves through Telegram channels, underground forums, leak sites, Discord servers, and X long before official disclosures happen. BreachNews was built around tracking those conversations, archiving evidence, monitoring incidents as they evolve, and publishing coverage quickly while still making it clear when something is unverified versus confirmed.
So far, the project has been one of the most enjoyable things I have built.
Infrastructure and Hosting
The site itself runs on WordPress, but much of the surrounding infrastructure is custom built.
Current infrastructure includes:
- Linode servers
- Cloudflare
- Self hosted tooling
- Docker based services
- Internal monitoring
- Elasticsearch experimentation
- Local infrastructure running inside my homelab
The site receives significantly more automated traffic than a normal blog because of the subject matter. There is constant scraping from bots, feed aggregators, AI crawlers, archive systems, and monitoring services.
A large amount of time has gone into performance optimization, caching, Cloudflare configuration, indexing, and making sure the infrastructure can handle traffic spikes when larger stories start circulating.
Publishing and Workflow
Most of my time goes directly into publishing and monitoring stories.
The workflow itself has become pretty natural at this point. Most stories involve monitoring multiple sources simultaneously, archiving evidence, validating screenshots or sample data where possible, and continuously updating posts as new information becomes available.
A lot of incidents now evolve over multiple days instead of being a single article and done. Threat actors delete posts, victims issue statements, datasets leak further, infrastructure gets taken offline, or additional victims appear later.
That constant movement is part of what makes cybersecurity reporting so interesting.
Recognition and Mentions
One of the coolest parts of the first two months has been seeing BreachNews start getting referenced by other researchers, communities, and security platforms.
The biggest milestone so far was being cited by Have I Been Pwned during reporting related to Pitney Bowes. Seeing BreachNews referenced by a platform that has been such a major part of the cybersecurity community for years was a huge moment for the project.
Beyond HIBP, articles from BreachNews have also been mentioned in quite a few other cybersecurity publications, social media, substack newsletters, and more.
The site is still relatively new, but it has already been interesting watching stories spread through the cybersecurity ecosystem.
Threat Map and Internal Projects
One of the more fun side projects has been building a live cyber threat map and intelligence feed tied into the site.
The map currently pulls from several sources including:
- RSS feeds
- CISA KEV data
- Threat intelligence feeds
- Public attack and scanning data
The goal is to create something that is actually useful rather than just visual noise. I also plan to eventually add data from my own honeypot infrastructure as the project grows.
A lot of the development around BreachNews has naturally expanded into infrastructure, automation, monitoring, and threat intelligence tooling simply because those systems become useful when you are tracking incidents constantly.
Self Hosting and Homelab Integration
Another interesting part of the project has been how much it overlaps with my homelab and self hosted infrastructure.
A lot of the tooling, monitoring, testing, and experimentation tied to BreachNews now runs through systems inside my homelab environment. Building the site has pushed me deeper into Linux administration, networking, Docker, Elasticsearch, monitoring, reverse proxies, and infrastructure management in general.
The more the project grows, the more valuable self hosted infrastructure becomes.
Traffic and Growth
Traffic grew significantly faster than I expected during the first two months.
Some stories gained traction very quickly, especially when incidents were still actively developing. One thing I learned almost immediately is how fast cybersecurity discussions move online. Stories can spread through forums, Telegram channels, X, Discord servers, and news sites within minutes.
That speed is part of what makes the space exciting.
There is always another incident developing, another threat actor posting, another leak site update, or another dataset being discussed somewhere.
What Is Next
The next phase of BreachNews will focus on expanding both the editorial side and the infrastructure behind it.
Some current priorities include:
- Expanding the threat map
- Improving monitoring pipelines
- Building additional automation
- Expanding infrastructure inside the homelab
- Improving internal tooling
- Publishing more long form research and guides
- Adding additional threat intelligence integrations
The first 60 days made one thing very clear: cybersecurity reporting is an incredibly fast moving space, and building infrastructure around tracking it has been just as interesting as the reporting itself.