DEV.co
Open-Source Security · InQuest

ThreatIngestor

ThreatIngestor is an open-source Python tool that extracts and aggregates indicators of compromise (IOCs) from multiple threat feeds—Twitter, RSS, GitHub, web pages—and routes them to downstream systems like MISP or ThreatKB. It enables security teams to centralize threat intelligence collection and distribution through a modular plugin architecture.

Source: GitHub — github.com/InQuest/ThreatIngestor
921
GitHub stars
136
Forks
Python
Primary language
GPL-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryInQuest/ThreatIngestor
OwnerInQuest
Primary languagePython
LicenseGPL-2.0 — OSI-approved
Stars921
Forks136
Open issues15
Latest releasev1.4.0 (2023-11-02)
Last updated2026-05-26
Sourcehttps://github.com/InQuest/ThreatIngestor

What ThreatIngestor is

A Python 3.6+ application using a source/operator plugin pattern to poll threat feeds at configurable intervals, parse IOCs (IPs, domains, YARA signatures, hashes), and output to CSV, databases, SQS, or APIs. Supports image extraction via OpenCV/pytesseract, integrates natively with MISP and ThreatKB, and runs standalone or containerized.

Quickstart

Get the ThreatIngestor source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/InQuest/ThreatIngestor.gitcd ThreatIngestor# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Centralized Threat Feed Aggregation

Consolidate IOCs from disparate sources (Twitter, RSS, GitHub, web pages) into a single ingestion pipeline, reducing manual data collection and enabling consistent parsing.

MISP/ThreatKB Integration

Automate enrichment and synchronization of threat intelligence from public feeds directly into MISP or ThreatKB platforms, keeping threat databases current with minimal manual overhead.

Custom Threat Intelligence Workflows

Build bespoke IOC pipelines for security teams using the plugin architecture to connect in-house data sources, custom operators, or SQS/Beanstalk queues in existing SOC infrastructure.

Implementation considerations

  • Configure threat sources (Twitter, RSS, GitHub, web) in config.yml; Twitter source requires developer account and API credentials; some sources may have rate limits.
  • Plan operator destinations (MISP, ThreatKB, SQS, MySQL, SQLite, CSV) and validate connectivity and authentication before production polling.
  • Optional dependencies (opencv-python, pytesseract, numpy) required only for image extraction; full install via pip install threatingestor[all] may introduce unnecessary bloat.
  • Default 15-minute polling interval is configurable; balance freshness against source rate limits and downstream system capacity.
  • Containerized deployment via Docker is available; use Dockerfile for production or Dockerfile.dev for development; ensure volume mounts for config.yml and persistent storage for operators.

When to avoid it — and what to weigh

  • Real-Time Threat Response Required — ThreatIngestor polls feeds on fixed 15-minute intervals by default; if sub-minute latency is critical for incident response, consider streaming-based alternatives.
  • Strict Proprietary License Requirement — GPL-2.0 requires derivative works and modifications to remain open-source; if your organization cannot publish modifications, evaluate proprietary threat intelligence platforms.
  • No External Threat Intelligence Platform — ThreatIngestor is primarily an aggregator and does not perform threat analysis, correlation, or enrichment natively; it requires integration with MISP, ThreatKB, or custom operators downstream.
  • Windows-First or Non-Python Environment — Requires Python 3.6+ with development headers and optional system dependencies (tesseract, OpenCV); deployment in Windows-only or non-Python stacks adds friction.

License & commercial use

GPL-2.0 (GNU General Public License v2.0). Any modifications, forks, or derivative works must be released under the same GPL-2.0 license and source code must be made publicly available.

Commercial use of the unmodified binary is permitted under GPL-2.0. However, any custom modifications, operator plugins, or integrated forks created for internal or commercial purposes must be open-sourced under GPL-2.0 and distributed with source code. Internal corporate use without modification is allowed; consult legal counsel if your deployment involves substantial modifications or plugin development.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Source integrations (Twitter, GitHub, web scraping) consume external data; validate and sanitize parsed IOCs to prevent injection attacks. Credentials for MISP, ThreatKB, database operators, and cloud APIs must be protected; use environment variables and avoid hardcoding in config. Database operators expose IOC data; ensure backend databases are access-controlled and encrypted. Dependency vulnerabilities in Python packages should be monitored; no built-in vulnerability scanning or SBOM provided. No explicit mention of TLS enforcement, input validation, or rate-limiting protections.

Alternatives to consider

MISP (Malware Information Sharing Platform)

Full-featured threat intelligence platform with built-in feed ingestion, analysis, and correlation; better if you need threat enrichment and community sharing, but heavier to deploy than ThreatIngestor alone.

Splunk Add-on for Threat Intelligence or native Splunk ingestion

If threat data is already flowing into Splunk, native ingestion and correlation within Splunk may eliminate the need for a separate aggregation layer; better for Splunk-centric SOCs.

Anomali ThreatStream or similar commercial platforms

Managed, proprietary threat intelligence platforms with real-time feeds, reputation scoring, and API integrations; better for organizations seeking vendor support and SaaS simplicity over open-source flexibility.

Software development agency

Build on ThreatIngestor with DEV.co software developers

Evaluate ThreatIngestor's architecture, plugin ecosystem, and integration points. Our team can help design a threat feed aggregation pipeline tailored to your SOC and SIEM stack.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

ThreatIngestor FAQ

Can I use ThreatIngestor in a commercial product or SaaS offering?
Using the unmodified software is allowed for commercial purposes under GPL-2.0. However, any modifications, custom operators, or derivative works must be open-sourced and distributed under GPL-2.0. Consult legal counsel if your deployment involves significant customization.
What threat sources can ThreatIngestor ingest?
Built-in sources include Twitter, RSS feeds, sitemaps, GitHub repositories/gists, Git repositories, generic web pages, Amazon SQS, and image extraction from URLs. Custom sources can be developed via the plugin architecture.
How frequently does ThreatIngestor poll threat feeds?
Default is every 15 minutes; this is configurable per source in config.yml. Rate limits imposed by external sources (Twitter, GitHub) may constrain actual polling frequency.
Does ThreatIngestor perform threat analysis or correlation?
No. ThreatIngestor extracts and parses IOCs; analysis, enrichment, and correlation must be performed by downstream systems such as MISP, ThreatKB, or custom operator plugins.

Software developers & web developers for hire

Need help beyond evaluating ThreatIngestor? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Ready to Centralize Your Threat Intelligence?

Evaluate ThreatIngestor's architecture, plugin ecosystem, and integration points. Our team can help design a threat feed aggregation pipeline tailored to your SOC and SIEM stack.