Watcher
Watcher is an open-source, Django and React-based threat intelligence platform that combines AI-powered analysis with automated monitoring of CVEs, ransomware, data leaks, and suspicious domains. It integrates with security tools like TheHive and MISP, and offers certificate transparency monitoring and domain surveillance capabilities.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | thalesgroup-cert/Watcher |
| Owner | thalesgroup-cert |
| Primary language | JavaScript |
| License | AGPL-3.0 — OSI-approved |
| Stars | 1.3k |
| Forks | 195 |
| Open issues | 13 |
| Latest release | v3.5.0 (2026-06-30) |
| Last updated | 2026-07-01 |
| Source | https://github.com/thalesgroup-cert/Watcher |
What Watcher is
Built on Django REST Framework with React frontend, Watcher leverages Hugging Face Transformers (FLAN-T5, BERT-NER) for threat summarization and IOC extraction. It monitors certificate transparency streams via certstream, performs fuzzy hashing with TLSH, domain enumeration via dnstwist, and integrates OIDC/LDAP authentication. Deployment via Docker is supported.
Get the Watcher source
Clone the repository and explore it locally.
git clone https://github.com/thalesgroup-cert/Watcher.gitcd Watcher# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Plan GPU/CPU allocation for Hugging Face Transformers inference; FLAN-T5 and BERT models have non-trivial memory footprint.
- Configure external data sources carefully: CVE APIs, RSS feeds, certstream connections, and external WHOIS/RDAP queries. Validate rate limits and API access.
- Audit OIDC/LDAP integration if using SSO; ensure compliance with your authentication provider's configuration and token policies.
- Set up persistent storage for threat logs and alerts; database sizing depends on monitoring scope (number of domains, keywords, and data sources monitored).
- Plan for regular model updates from Hugging Face if leveraging pre-trained models; document any fine-tuning or custom model paths.
When to avoid it — and what to weigh
- Proprietary or Closed-Source Deployment Requirements — AGPL-3.0 license requires source code distribution to users of networked versions. If your organization prohibits AGPL or copyleft licenses, this is not suitable without legal review.
- Minimal AI/ML Infrastructure Available — Watcher requires Hugging Face Transformers and model loading (FLAN-T5-base, BERT-NER). Depends on GPU or sufficient CPU for inference. Not suitable for resource-constrained environments without separate ML infrastructure.
- Need for Commercial SLA or Enterprise Support — This is community-maintained open source. No formal SLA, vendor support, or guaranteed response times. If you require commercial guarantees, investigate commercial alternatives.
- Fully Isolated Air-Gapped Networks — Watcher relies on external data sources (RSS feeds, CVE APIs, ransomware feeds, certificate transparency streams). Air-gapped environments would require manual data ingestion or proxy setup.
License & commercial use
Licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license requiring that any modified versions distributed over a network must provide source code to users. Use as-is or internal modifications are permissible; external distribution or SaaS use triggers source code disclosure obligations.
AGPL-3.0 permits commercial use, but with significant restrictions. Internal use for commercial threat intelligence is allowed. However, if you modify Watcher and offer it as a service or distribute it externally, you must provide source code to recipients. Consult legal counsel before deploying in revenue-generating SaaS or licensed software contexts. No commercial support, warranties, or indemnification from the maintainers is provided.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Watcher handles sensitive threat data and external integrations. Key areas to review: (1) OIDC/LDAP credential handling and token expiry; (2) API key storage for CVE, ransomware, and MISP/TheHive integrations; (3) data sanitization in information leak monitoring to prevent SQL injection or XSS; (4) rate limiting and DDoS protection for external feed ingestion; (5) TLS/certificate validation for certstream and RDAP/WHOIS connections. Security audit of custom integrations and model inference pipelines is recommended. No explicit security audit results or CVE history provided.
Alternatives to consider
Splunk Enterprise Security or Splunk Cloud Threat Intelligence
Commercial SIEM with built-in threat intelligence, advanced analytics, and enterprise support. Higher cost but vendor-backed and fully managed. No AGPL or copyleft concerns.
Anomali ThreatStream or Mandiant Advantage
Mature commercial platforms with threat intelligence feeds, API integrations, and SLA support. Require subscription but offer professional threat research and 24/7 support.
TheHive with Cortex Community or Shuffler SOAR
Open-source SOAR/case management platforms with community-driven threat intelligence. Different licensing (AGPL for TheHive) and workflow model; lighter on AI/ML but flexible.
Build on Watcher with DEV.co software developers
Review the full documentation, test the Docker deployment, and assess AGPL licensing implications with your legal team. If AGPL compatibility and open-source hosting fit your security operations, Watcher offers flexible, community-backed threat intelligence capabilities.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
Watcher FAQ
Can I use Watcher commercially without releasing my modifications as open source?
What AI models does Watcher use, and can I swap them?
Is GPU required for Watcher to function?
Does Watcher include a security audit or penetration test report?
Software development & web development with DEV.co
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If Watcher is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate Watcher for Your Threat Intelligence Stack
Review the full documentation, test the Docker deployment, and assess AGPL licensing implications with your legal team. If AGPL compatibility and open-source hosting fit your security operations, Watcher offers flexible, community-backed threat intelligence capabilities.