ThreatIngestor
ThreatIngestor is an open-source Python tool that extracts and aggregates indicators of compromise (IOCs) from multiple threat feeds—Twitter, RSS, GitHub, web pages—and routes them to downstream systems like MISP or ThreatKB. It enables security teams to centralize threat intelligence collection and distribution through a modular plugin architecture.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | InQuest/ThreatIngestor |
| Owner | InQuest |
| Primary language | Python |
| License | GPL-2.0 — OSI-approved |
| Stars | 921 |
| Forks | 136 |
| Open issues | 15 |
| Latest release | v1.4.0 (2023-11-02) |
| Last updated | 2026-05-26 |
| Source | https://github.com/InQuest/ThreatIngestor |
What ThreatIngestor is
A Python 3.6+ application using a source/operator plugin pattern to poll threat feeds at configurable intervals, parse IOCs (IPs, domains, YARA signatures, hashes), and output to CSV, databases, SQS, or APIs. Supports image extraction via OpenCV/pytesseract, integrates natively with MISP and ThreatKB, and runs standalone or containerized.
Get the ThreatIngestor source
Clone the repository and explore it locally.
git clone https://github.com/InQuest/ThreatIngestor.gitcd ThreatIngestor# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Configure threat sources (Twitter, RSS, GitHub, web) in config.yml; Twitter source requires developer account and API credentials; some sources may have rate limits.
- Plan operator destinations (MISP, ThreatKB, SQS, MySQL, SQLite, CSV) and validate connectivity and authentication before production polling.
- Optional dependencies (opencv-python, pytesseract, numpy) required only for image extraction; full install via pip install threatingestor[all] may introduce unnecessary bloat.
- Default 15-minute polling interval is configurable; balance freshness against source rate limits and downstream system capacity.
- Containerized deployment via Docker is available; use Dockerfile for production or Dockerfile.dev for development; ensure volume mounts for config.yml and persistent storage for operators.
When to avoid it — and what to weigh
- Real-Time Threat Response Required — ThreatIngestor polls feeds on fixed 15-minute intervals by default; if sub-minute latency is critical for incident response, consider streaming-based alternatives.
- Strict Proprietary License Requirement — GPL-2.0 requires derivative works and modifications to remain open-source; if your organization cannot publish modifications, evaluate proprietary threat intelligence platforms.
- No External Threat Intelligence Platform — ThreatIngestor is primarily an aggregator and does not perform threat analysis, correlation, or enrichment natively; it requires integration with MISP, ThreatKB, or custom operators downstream.
- Windows-First or Non-Python Environment — Requires Python 3.6+ with development headers and optional system dependencies (tesseract, OpenCV); deployment in Windows-only or non-Python stacks adds friction.
License & commercial use
GPL-2.0 (GNU General Public License v2.0). Any modifications, forks, or derivative works must be released under the same GPL-2.0 license and source code must be made publicly available.
Commercial use of the unmodified binary is permitted under GPL-2.0. However, any custom modifications, operator plugins, or integrated forks created for internal or commercial purposes must be open-sourced under GPL-2.0 and distributed with source code. Internal corporate use without modification is allowed; consult legal counsel if your deployment involves substantial modifications or plugin development.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Source integrations (Twitter, GitHub, web scraping) consume external data; validate and sanitize parsed IOCs to prevent injection attacks. Credentials for MISP, ThreatKB, database operators, and cloud APIs must be protected; use environment variables and avoid hardcoding in config. Database operators expose IOC data; ensure backend databases are access-controlled and encrypted. Dependency vulnerabilities in Python packages should be monitored; no built-in vulnerability scanning or SBOM provided. No explicit mention of TLS enforcement, input validation, or rate-limiting protections.
Alternatives to consider
MISP (Malware Information Sharing Platform)
Full-featured threat intelligence platform with built-in feed ingestion, analysis, and correlation; better if you need threat enrichment and community sharing, but heavier to deploy than ThreatIngestor alone.
Splunk Add-on for Threat Intelligence or native Splunk ingestion
If threat data is already flowing into Splunk, native ingestion and correlation within Splunk may eliminate the need for a separate aggregation layer; better for Splunk-centric SOCs.
Anomali ThreatStream or similar commercial platforms
Managed, proprietary threat intelligence platforms with real-time feeds, reputation scoring, and API integrations; better for organizations seeking vendor support and SaaS simplicity over open-source flexibility.
Build on ThreatIngestor with DEV.co software developers
Evaluate ThreatIngestor's architecture, plugin ecosystem, and integration points. Our team can help design a threat feed aggregation pipeline tailored to your SOC and SIEM stack.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
ThreatIngestor FAQ
Can I use ThreatIngestor in a commercial product or SaaS offering?
What threat sources can ThreatIngestor ingest?
How frequently does ThreatIngestor poll threat feeds?
Does ThreatIngestor perform threat analysis or correlation?
Software developers & web developers for hire
Need help beyond evaluating ThreatIngestor? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Ready to Centralize Your Threat Intelligence?
Evaluate ThreatIngestor's architecture, plugin ecosystem, and integration points. Our team can help design a threat feed aggregation pipeline tailored to your SOC and SIEM stack.