DEV.co
Open-Source Observability · thalesgroup-cert

Watcher

Watcher is an open-source, Django and React-based threat intelligence platform that combines AI-powered analysis with automated monitoring of CVEs, ransomware, data leaks, and suspicious domains. It integrates with security tools like TheHive and MISP, and offers certificate transparency monitoring and domain surveillance capabilities.

Source: GitHub — github.com/thalesgroup-cert/Watcher
1.3k
GitHub stars
195
Forks
JavaScript
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorythalesgroup-cert/Watcher
Ownerthalesgroup-cert
Primary languageJavaScript
LicenseAGPL-3.0 — OSI-approved
Stars1.3k
Forks195
Open issues13
Latest releasev3.5.0 (2026-06-30)
Last updated2026-07-01
Sourcehttps://github.com/thalesgroup-cert/Watcher

What Watcher is

Built on Django REST Framework with React frontend, Watcher leverages Hugging Face Transformers (FLAN-T5, BERT-NER) for threat summarization and IOC extraction. It monitors certificate transparency streams via certstream, performs fuzzy hashing with TLSH, domain enumeration via dnstwist, and integrates OIDC/LDAP authentication. Deployment via Docker is supported.

Quickstart

Get the Watcher source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/thalesgroup-cert/Watcher.gitcd Watcher# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Continuous CVE and Ransomware Tracking

Automated collection and correlation of CVEs from cve.circl.lu and ransomware data from ransomware.live/ransomlook.io with keyword-based alerting. Ideal for security teams needing real-time emerging threat visibility.

Typosquatting and Phishing Domain Detection

Uses certificate transparency monitoring and domain generation algorithm detection (dnstwist) to catch malicious domains targeting your organization. Reduces time-to-detection for brand abuse and phishing campaigns.

Data Leak and Information Exposure Monitoring

Scans Pastebin, GitHub, GitLab, StackOverflow, npm registries and similar platforms for leaked credentials and sensitive data. Critical for incident response teams managing credential compromise incidents.

Implementation considerations

  • Plan GPU/CPU allocation for Hugging Face Transformers inference; FLAN-T5 and BERT models have non-trivial memory footprint.
  • Configure external data sources carefully: CVE APIs, RSS feeds, certstream connections, and external WHOIS/RDAP queries. Validate rate limits and API access.
  • Audit OIDC/LDAP integration if using SSO; ensure compliance with your authentication provider's configuration and token policies.
  • Set up persistent storage for threat logs and alerts; database sizing depends on monitoring scope (number of domains, keywords, and data sources monitored).
  • Plan for regular model updates from Hugging Face if leveraging pre-trained models; document any fine-tuning or custom model paths.

When to avoid it — and what to weigh

  • Proprietary or Closed-Source Deployment Requirements — AGPL-3.0 license requires source code distribution to users of networked versions. If your organization prohibits AGPL or copyleft licenses, this is not suitable without legal review.
  • Minimal AI/ML Infrastructure Available — Watcher requires Hugging Face Transformers and model loading (FLAN-T5-base, BERT-NER). Depends on GPU or sufficient CPU for inference. Not suitable for resource-constrained environments without separate ML infrastructure.
  • Need for Commercial SLA or Enterprise Support — This is community-maintained open source. No formal SLA, vendor support, or guaranteed response times. If you require commercial guarantees, investigate commercial alternatives.
  • Fully Isolated Air-Gapped Networks — Watcher relies on external data sources (RSS feeds, CVE APIs, ransomware feeds, certificate transparency streams). Air-gapped environments would require manual data ingestion or proxy setup.

License & commercial use

Licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license requiring that any modified versions distributed over a network must provide source code to users. Use as-is or internal modifications are permissible; external distribution or SaaS use triggers source code disclosure obligations.

AGPL-3.0 permits commercial use, but with significant restrictions. Internal use for commercial threat intelligence is allowed. However, if you modify Watcher and offer it as a service or distribute it externally, you must provide source code to recipients. Consult legal counsel before deploying in revenue-generating SaaS or licensed software contexts. No commercial support, warranties, or indemnification from the maintainers is provided.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Watcher handles sensitive threat data and external integrations. Key areas to review: (1) OIDC/LDAP credential handling and token expiry; (2) API key storage for CVE, ransomware, and MISP/TheHive integrations; (3) data sanitization in information leak monitoring to prevent SQL injection or XSS; (4) rate limiting and DDoS protection for external feed ingestion; (5) TLS/certificate validation for certstream and RDAP/WHOIS connections. Security audit of custom integrations and model inference pipelines is recommended. No explicit security audit results or CVE history provided.

Alternatives to consider

Splunk Enterprise Security or Splunk Cloud Threat Intelligence

Commercial SIEM with built-in threat intelligence, advanced analytics, and enterprise support. Higher cost but vendor-backed and fully managed. No AGPL or copyleft concerns.

Anomali ThreatStream or Mandiant Advantage

Mature commercial platforms with threat intelligence feeds, API integrations, and SLA support. Require subscription but offer professional threat research and 24/7 support.

TheHive with Cortex Community or Shuffler SOAR

Open-source SOAR/case management platforms with community-driven threat intelligence. Different licensing (AGPL for TheHive) and workflow model; lighter on AI/ML but flexible.

Software development agency

Build on Watcher with DEV.co software developers

Review the full documentation, test the Docker deployment, and assess AGPL licensing implications with your legal team. If AGPL compatibility and open-source hosting fit your security operations, Watcher offers flexible, community-backed threat intelligence capabilities.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

Watcher FAQ

Can I use Watcher commercially without releasing my modifications as open source?
Internal commercial use is allowed. However, if you modify Watcher and distribute it (including as a SaaS offering), AGPL-3.0 requires you to provide source code to users. Commercial services for unmodified Watcher or integration consulting are generally permissible; consult legal counsel for your specific use case.
What AI models does Watcher use, and can I swap them?
Watcher uses google/flan-t5-base for threat summarization and dslim/bert-base-NER for named entity recognition (IOC extraction). Both are open-source Hugging Face models. You can typically swap them by updating model configuration, but performance and output format may differ; test before production.
Is GPU required for Watcher to function?
No, but strongly recommended for acceptable inference latency. Hugging Face Transformers can run on CPU, but FLAN-T5 and BERT inference will be slow (seconds to minutes per query). GPU (NVIDIA/AMD/Apple Silicon) reduces inference time to sub-second. Plan infrastructure accordingly.
Does Watcher include a security audit or penetration test report?
Not documented in the provided README or GitHub repo. No explicit security audit, CVE history, or third-party security assessment is mentioned. Perform your own security review or engage a security firm before production deployment, especially for sensitive threat data.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If Watcher is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate Watcher for Your Threat Intelligence Stack

Review the full documentation, test the Docker deployment, and assess AGPL licensing implications with your legal team. If AGPL compatibility and open-source hosting fit your security operations, Watcher offers flexible, community-backed threat intelligence capabilities.