Odysafe/ODYSAFE-CTI

ODYSAFE CTI Platform

Open-source, on-premise Cyber Threat Intelligence platform. Extract IOCs, manage indicators, run investigations, visualize threats with STIX 2.1, and export to your security tools. Fully offline after install. No admin rights needed to run. No licensing costs.

Built for SOC analysts, DFIR teams, CERT/CSIRT, and small security teams who need a lightweight, privacy-first CTI workspace.


What it does

  • Extract 50+ IOC types from files, text, or URLs automatically
  • Browse, filter, tag, and manage all your indicators from one view
  • Manage and organize your CTI sources with groups
  • Export to TXT, CSV, JSON, XLSX or Firewall Rules
  • Visualize STIX 2.1 bundles in an interactive graph
  • Access DeepDarkCTI, MITRE ATT&CK, and Ransomware Tool Matrix directly
  • Analyze security logs and map events to MITRE ATT&CK techniques automatically
  • Generate structured CTI Flash Reports in Excel format
  • Everything stays on your machine. No cloud. No telemetry.

Screenshots

(Images not reproduced here: IOC Management, STIX Graph Analyzer, MITRE ATT&CK Browser)

Requirements

Compatible OS: Debian / Ubuntu

Dependency    Details
Python        3.8 or higher
git           any recent version
pip           included with Python
openssl       any recent version
Disk space    < ~500 MB

Installation and startup

The only step that requires sudo is the initial system package install. Everything after that runs as a normal user, no root, no admin rights needed.

Step 1 - Install system packages (one time, requires sudo)

sudo apt update
sudo apt install -y python3 python3-venv python3-pip git openssl

Step 2 - Clone and install

git clone https://github.com/Odysafe/ODYSAFE-CTI.git
cd ODYSAFE-CTI
./install.sh

./install.sh sets up the Python virtual environment, installs all dependencies, generates the SSL certificate locally, and optionally downloads the DeepDarkCTI repository. No sudo needed.

Step 3 - Start the application

./start.sh

Then open https://localhost:5001 in your browser.

The HTTPS certificate is self-signed and generated locally with openssl; no external certificate authority is contacted. Because it is self-signed, your browser will show a certificate warning on the first visit to https://localhost:5001. That warning is expected for a local install and is not a sign that the connection is being intercepted.

To uninstall (removes venv, database, uploads, and cache):

./uninstall.sh

Manual DeepDarkCTI setup if you skipped it during install (the target path is relative, so run this from the directory that contains the ODYSAFE-CTI checkout):

git clone https://github.com/fastfire/deepdarkCTI.git ODYSAFE-CTI/cti-platform/modules/deepdarkCTI-main

Where your data is stored

Everything stays inside the installation directory.

Type                Location
Uploaded files      cti-platform/uploads/
IOC exports         cti-platform/outputs/iocs/
Reports             cti-platform/outputs/reports/
SQLite database     cti-platform/database/
Cache               cti-platform/modules/cache/
SSL certificates    cti-platform/ssl/

Features

IOC Extraction

Collect IOCs from four input methods:

  • File upload - drag and drop or select a file: .txt, .html, .htm, .docx, .doc, .csv, .json, .log, .xml, .md (up to 100 MB)
  • Paste text - paste any content directly, IOCs are extracted instantly
  • URL import - provide a URL, the platform fetches the page and extracts IOCs
  • Manual entry - add a single IOC with type, value, source name, and context

Defanged indicators like hxxp://example[DOT]com are detected and normalized automatically.

Each import creates a named source with a configurable source name and optional context.

Powered by iocsearcher.

50+ IOC types detected automatically:

Category               Types
Network Indicators     URL, FQDN (Domain), IPv4, IPv6, IPv4 Subnet, Tor v3 Address
File Hashes            MD5, SHA1, SHA256
Communication          Email Address, Phone Number
Blockchain             Bitcoin, Bitcoin Cash, Cardano, Dashcoin, Dogecoin, Ethereum, Litecoin, Monero, Ripple, Solana, Stellar, Tezos, Tron, Zcash
Social Media           Facebook, GitHub, Instagram, LinkedIn, Pinterest, Telegram, Twitter, WhatsApp, YouTube, YouTube Channel
Identifiers            CVE, MITRE ATT&CK TTP, UUID, Android Package Name, Amazon ARN
Financial              IBAN, WebMoney
Legal and Compliance   Copyright, Trademark, Chinese ICP License, Spanish NIF
Other                  TOX Identifier
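The two steps the extraction section describes, refanging and then typing indicators, are easy to get subtly wrong: a loose pattern run before a strict one will re-match the inside of an earlier hit (an MD5 inside a SHA256, a domain inside a URL). The block below is an added example written for this page, not the platform's code and not iocsearcher; it uses a constructed sample text, a small refang table, a deliberately short TLD list for the FQDN pattern, and a priority order in which each match is blanked out before the next pattern runs.

```python
import re
from typing import Dict, List, Tuple

# Refang rules for the defanging conventions seen in reports:
# hxxp://, [.], [dot], (dot), {.}, [:], [://], [@] and [at].
_HXXP = re.compile(r"hxxp", re.I)
_DOT = re.compile(r"[\[\(\{](?:\.|dot)[\]\)\}]", re.I)
_BRACKET_SEP = re.compile(r"\[(://|:|@|at)\]", re.I)


def refang(text: str) -> str:
    """Turn defanged indicators back into their real, matchable form."""
    text = _HXXP.sub("http", text)
    text = _DOT.sub(".", text)
    return _BRACKET_SEP.sub(lambda m: "@" if m.group(1).lower() == "at" else m.group(1), text)


# Priority-ordered patterns. Strict/long patterns come first; the TLD list for FQDN
# is an illustrative subset (assumption), a real extractor uses the public suffix list.
IOC_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("URL", re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)),
    ("Email Address", re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)),
    ("SHA256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("SHA1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("MD5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    ("IPv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("CVE", re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I)),
    ("MITRE ATT&CK TTP", re.compile(r"\bT\d{4}(?:\.\d{3})?\b")),
    ("FQDN", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|info|xyz|top|onion)\b", re.I)),
]


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Refang, then extract in priority order. Every match is blanked out (same length,
    so offsets stay stable) before the next pattern runs, which stops a looser pattern
    from re-matching part of an earlier hit. Values are de-duplicated per type."""
    text = refang(text)
    found: Dict[str, List[str]] = {}
    for ioc_type, pattern in IOC_PATTERNS:
        for m in pattern.finditer(text):
            values = found.setdefault(ioc_type, [])
            if m.group(0) not in values:
                values.append(m.group(0))
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


# Constructed sample report text (defanged the way analysts usually paste it).
SAMPLE_TEXT = """Phishing wave observed 2024-03-12. Lure hosted at hxxps://login[.]example-payroll[.]com/auth?id=1
Payload SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 fetched from 198[.]51[.]100[.]23
Sender: billing[at]example-payroll[.]com ; exploits CVE-2023-4863, mapped to T1566.002 and T1059.001
C2 domain evil-update[DOT]xyz"""

if __name__ == "__main__":
    for ioc_type, values in extract_iocs(SAMPLE_TEXT).items():
        print(f"{ioc_type}: {values}")
```

Note what the ordering buys you: the SHA256 is never also reported as an MD5, and `example-payroll.com` is not reported as a separate FQDN because it was consumed by the URL and e-mail matches first. Whether you want the host of a URL surfaced as its own FQDN is a policy choice; the platform's own extractor may make it differently.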

IOC Management

Browse and manage all extracted indicators from one view.

All IOCs are automatically tagged with their type, source, and extraction date.

Filtering and search:

  • Full-text search across all IOC values
  • Filter by type, source, group, date range, or duplicates
  • Interactive hashtag filtering by type, source, date, and group
  • Smart pagination for large lists

Per IOC:

  • Mark as True Positive or False Positive
  • Assign TLP level (CLEAR, GREEN, AMBER, RED)
  • Set confidence level
  • View first seen and last seen dates
  • Add to a group

Bulk actions:

  • Select multiple IOCs and apply bulk deletion or group assignment

Manual addition:

  • Add individual IOCs with type, value, and context directly from the IOC list

One-click enrichment links per IOC:


Sources

Every import creates a source. Sources are the origin records tied to your IOCs.

  • Organize sources into custom drag-and-drop groups
  • View detailed statistics per source: IOC count, detected types, creation date
  • Bulk selection and deletion
  • Trash system with reversible deletion and configurable auto-cleanup
  • Filter and sort sources by name, date, or IOC count
  • View context and metadata for each source

Data-Shield IPv4 Blocklist is accessible directly from the Sources page. Refresh the blocklist or export it as firewall rules in one click.


Export

Export your IOC data in multiple formats. All exports respect active filters and can be scoped by IOC type, source, tag, group, or date range.

Format              Use case
TXT (with types)    General purpose with IOC type labels
TXT Simple          Firewalls, EDR, proxies, blocklists - one value per line
CSV                 Excel, reporting, data analysis
CSV Firewall        Palo Alto, Cisco, Fortinet, Check Point
JSON                APIs, automation, custom integrations
JSON Simple         Lightweight scripts, grouped by IOC type
XLSX                Formatted Excel report for documentation
Firewall Rules      Ready-to-use blocking rules

Scope options: All IOCs, by Sources, by Tags, or by Groups.

The last 5 exports are listed with direct download links.
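The export table above and the Data-Shield blocklist export in the Sources section both end in the same place: a list of indicators turned into a file another tool consumes. The one format where a mistake has immediate consequences is Firewall Rules, since a malformed or internal address becomes a live block. The block below is an added example (not the platform's exporter) using constructed IOC records shaped like the rows described on this page; it shows scoping by type, source and tag, the TXT Simple, JSON Simple and CSV shapes, and an iptables rule export that validates every address with `ipaddress` and refuses RFC 1918 and loopback space before emitting a rule. The iptables syntax is standard; the record field names are an assumption.

```python
import csv
import io
import ipaddress
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample rows. They include a duplicate value from two sources,
# an internal host and a malformed address on purpose.
SAMPLE_IOCS = [
    {"type": "IPv4", "value": "198.51.100.23", "source": "phish-report", "tags": ["phishing", "c2"], "tlp": "AMBER"},
    {"type": "FQDN", "value": "evil-update.xyz", "source": "phish-report", "tags": ["phishing", "c2"], "tlp": "AMBER"},
    {"type": "SHA256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "phish-report", "tags": ["phishing"], "tlp": "GREEN"},
    {"type": "IPv4 Subnet", "value": "203.0.113.0/24", "source": "data-shield", "tags": ["blocklist"], "tlp": "CLEAR"},
    {"type": "IPv4", "value": "198.51.100.23", "source": "data-shield", "tags": ["blocklist"], "tlp": "CLEAR"},
    {"type": "IPv4", "value": "10.0.0.5", "source": "manual", "tags": [], "tlp": "RED"},
    {"type": "IPv4", "value": "198.51.100.999", "source": "manual", "tags": [], "tlp": "CLEAR"},
]


def filter_iocs(iocs: Iterable[dict], types: Optional[List[str]] = None,
                sources: Optional[List[str]] = None, tags: Optional[List[str]] = None) -> List[dict]:
    """Scope an export: keep rows matching every given criterion (tags: any overlap)."""
    out = []
    for i in iocs:
        if types and i["type"] not in types:
            continue
        if sources and i["source"] not in sources:
            continue
        if tags and not set(tags) & set(i["tags"]):
            continue
        out.append(i)
    return out


def export_txt_simple(iocs: Iterable[dict]) -> str:
    """One value per line, de-duplicated, order preserved: what blocklists and proxies read."""
    return "\n".join(dict.fromkeys(i["value"] for i in iocs)) + "\n"


def group_by_type(iocs: Iterable[dict]) -> Dict[str, List[str]]:
    grouped: Dict[str, List[str]] = {}
    for i in iocs:
        bucket = grouped.setdefault(i["type"], [])
        if i["value"] not in bucket:
            bucket.append(i["value"])
    return grouped


def export_json_simple(iocs: Iterable[dict]) -> str:
    """Values grouped by IOC type, the 'JSON Simple' shape."""
    return json.dumps(group_by_type(iocs), indent=2)


def export_csv(iocs: Iterable[dict]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value", "source", "tlp", "tags"], lineterminator="\n")
    writer.writeheader()
    for i in iocs:
        writer.writerow({"type": i["type"], "value": i["value"], "source": i["source"],
                         "tlp": i["tlp"], "tags": ";".join(i["tags"])})
    return buf.getvalue()


_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def export_iptables_rules(iocs: Iterable[dict], chain: str = "INPUT") -> List[str]:
    """Firewall-rule export for IPv4 indicators only. Each value is parsed before it
    becomes a rule: malformed values are dropped instead of shipped, RFC 1918 and
    loopback space are refused so a mistagged internal host is never blocked at the
    perimeter, and duplicates collapse to one rule."""
    rules: List[str] = []
    seen = set()
    for i in iocs:
        if i["type"] not in ("IPv4", "IPv4 Subnet"):
            continue
        try:
            net = ipaddress.ip_network(i["value"], strict=False)
        except ValueError:
            continue  # "198.51.100.999" and friends end here
        if net.version != 4 or net.is_loopback or any(net.subnet_of(r) for r in _RFC1918):
            continue
        if net in seen:
            continue
        seen.add(net)
        rules.append(f"iptables -A {chain} -s {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    print(export_txt_simple(filter_iocs(SAMPLE_IOCS, sources=["phish-report"])))
    print(export_json_simple(SAMPLE_IOCS))
    print(export_csv(filter_iocs(SAMPLE_IOCS, tags=["blocklist"])))
    print("\n".join(export_iptables_rules(SAMPLE_IOCS)))
```

Two of the seven sample rows never reach the firewall export (the internal 10.0.0.5 and the malformed address) and the duplicate 198.51.100.23 produces one rule, not two. The same validation belongs in front of any vendor-specific CSV Firewall format as well.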


STIX Graph Analyzer

Import and visualize any STIX 2.x bundle in an interactive graph.

Import options:

  • Upload a STIX JSON file
  • Paste raw JSON
  • Load from existing exports
  • Load a previously saved model

Graph features:

  • Interactive network graph with zoom, pan, and click-to-inspect
  • Filter visible nodes by STIX object type (Indicator, Malware, Threat Actor, Campaign, Attack Pattern...)
  • Full-text search across nodes and relationships
  • Temporal filtering with a slider to explore threat evolution over time
  • Side panel with full object properties and connections on node click
  • Save models for later analysis
  • Export graph and data to various formats

100% client-side. All STIX data is processed locally in your browser. No data is sent to any server.

Based on cti-stix-visualization by OASIS TC Open Repository. All assets including vis-network are bundled locally with no CDN calls.
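Turning a STIX bundle into the node/edge model the graph features above describe is mostly bookkeeping, but two details matter: relationship objects that reference an id missing from the bundle must not become dangling edges, and cyber observables (ipv4-addr and similar) carry no `created` timestamp, so a temporal slider has to decide what to do with them. The block below is an added example, not code from the platform or from cti-stix-visualization; it uses a constructed STIX 2.1 bundle (the UUIDs are made up) and builds the same kind of structure vis-network would draw, with type and time filtering applied to both nodes and edges.

```python
import json
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed STIX 2.1 bundle: a threat actor, a malware family, an indicator, one
# observable, and four relationships, the last of which points at an object that is
# not in the bundle. All ids are made up for this example.
SAMPLE_BUNDLE_JSON = """{
  "type": "bundle", "id": "bundle--4b7d8f3a-0e6a-4c1e-9a1b-7c2d3e4f5a6b",
  "objects": [
    {"type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--5f8c2b7a-1e3d-4c9a-8b6f-2d4e6a8c0b1d",
     "created": "2024-01-05T00:00:00.000Z", "modified": "2024-01-05T00:00:00.000Z", "name": "Example Crew"},
    {"type": "malware", "spec_version": "2.1", "id": "malware--9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d",
     "created": "2024-02-10T00:00:00.000Z", "modified": "2024-02-10T00:00:00.000Z", "name": "Example Loader", "is_family": true},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--7c6d5e4f-3a2b-4c1d-9e8f-6a5b4c3d2e1f",
     "created": "2024-03-12T10:00:00.000Z", "modified": "2024-03-12T10:00:00.000Z", "name": "C2 domain",
     "pattern": "[domain-name:value = 'evil-update.xyz']", "pattern_type": "stix", "valid_from": "2024-03-12T10:00:00Z"},
    {"type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--2b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d6e", "value": "198.51.100.23"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--a1a1a1a1-1111-4111-8111-111111111111",
     "created": "2024-02-11T00:00:00.000Z", "modified": "2024-02-11T00:00:00.000Z", "relationship_type": "uses",
     "source_ref": "threat-actor--5f8c2b7a-1e3d-4c9a-8b6f-2d4e6a8c0b1d", "target_ref": "malware--9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--b2b2b2b2-2222-4222-8222-222222222222",
     "created": "2024-03-12T11:00:00.000Z", "modified": "2024-03-12T11:00:00.000Z", "relationship_type": "indicates",
     "source_ref": "indicator--7c6d5e4f-3a2b-4c1d-9e8f-6a5b4c3d2e1f", "target_ref": "malware--9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--c3c3c3c3-3333-4333-8333-333333333333",
     "created": "2024-03-12T11:00:00.000Z", "modified": "2024-03-12T11:00:00.000Z", "relationship_type": "based-on",
     "source_ref": "indicator--7c6d5e4f-3a2b-4c1d-9e8f-6a5b4c3d2e1f", "target_ref": "ipv4-addr--2b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d6e"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--d4d4d4d4-4444-4444-8444-444444444444",
     "created": "2024-03-13T00:00:00.000Z", "modified": "2024-03-13T00:00:00.000Z", "relationship_type": "uses",
     "source_ref": "threat-actor--5f8c2b7a-1e3d-4c9a-8b6f-2d4e6a8c0b1d", "target_ref": "tool--00000000-0000-4000-8000-000000000000"}
  ]
}"""


def parse_ts(ts: str) -> datetime:
    """STIX timestamps are RFC 3339 in UTC with a trailing Z, optionally with millisecond precision."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def bundle_to_graph(bundle_json: str) -> Tuple[Dict[str, dict], List[dict]]:
    """Parse a bundle into {id: node} and [edge]. SDOs and SCOs become nodes; relationship
    and sighting objects become edges. Edges whose endpoints are absent are dropped."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    nodes: Dict[str, dict] = {}
    edges: List[dict] = []
    for obj in bundle.get("objects", []):
        created = parse_ts(obj["created"]) if "created" in obj else None  # SCOs have no created
        if obj["type"] == "relationship":
            edges.append({"id": obj["id"], "source": obj["source_ref"], "target": obj["target_ref"],
                          "label": obj["relationship_type"], "created": created})
        elif obj["type"] == "sighting":
            for where in obj.get("where_sighted_refs", []):
                edges.append({"id": obj["id"], "source": obj["sighting_of_ref"], "target": where,
                              "label": "sighted-at", "created": created})
        else:
            nodes[obj["id"]] = {"id": obj["id"], "type": obj["type"], "created": created,
                                "label": obj.get("name") or obj.get("value") or obj["id"]}
    edges = [e for e in edges if e["source"] in nodes and e["target"] in nodes]
    return nodes, edges


def filter_graph(nodes: Dict[str, dict], edges: List[dict], types: Optional[Set[str]] = None,
                 until: Optional[datetime] = None) -> Tuple[Dict[str, dict], List[dict]]:
    """Type filter and temporal slider. Nodes without a created time (observables) are
    always kept; their edges are still subject to the time filter."""
    keep = {nid: n for nid, n in nodes.items()
            if (types is None or n["type"] in types)
            and (until is None or n["created"] is None or n["created"] <= until)}
    kept_edges = [e for e in edges if e["source"] in keep and e["target"] in keep
                  and (until is None or e["created"] is None or e["created"] <= until)]
    return keep, kept_edges


if __name__ == "__main__":
    nodes, edges = bundle_to_graph(SAMPLE_BUNDLE_JSON)
    print(len(nodes), "nodes,", len(edges), "edges")
    for e in edges:
        print(nodes[e["source"]]["label"], "--", e["label"], "->", nodes[e["target"]]["label"])
```

The dangling `uses` edge to the missing `tool--` object is silently dropped; a viewer that kept it would either crash on lookup or draw an edge to nowhere. Sliding the time filter back to February removes the indicator and both edges created in March while keeping the observable, which is the behaviour to expect from a slider keyed on `created`.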


CTI Resources

Access external threat intelligence resources integrated directly into the platform.

DeepDarkCTI

2518 CTI sources organized in 19 categories:

Category                  Sources
Telegram Threat Actors    964
Ransomware Gang           624
Forum                     316
Telegram Infostealer      125
Markets                   159
Search Engines            63
Others                    54
Exploits                  24
Twitter Threat Actors     39
Twitter                   22
Phishing                  19
MaaS                      10
Discord                   7
Counterfeit Goods         8
CVE Most Exploited        74
Malware Samples           3
Methods                   3
Defacement                3
RAT                       1

Search and filter sources by name or category. Add sources manually with URL, name, and description. Mark sources as favorites. Refresh the repository on demand.

MITRE ATT&CK Enterprise

Full ATT&CK enterprise matrix available locally:

Stat              Value
Tactics           15
Techniques        365
Sub-techniques    493
Groups            189
Software          824
Mitigations       268

Browse the full ATT&CK matrix by tactic column. Filter by group, by platform, or search by technique name or ID (e.g. T1059, PowerShell). Click any technique to expand sub-techniques and view details. Browse the 189 threat groups. Link IOCs to specific techniques. Update the local ATT&CK data file from MITRE at any time.

Ransomware Tool Matrix

Tools, groups, and community reports on ransomware gangs. Search and filter by tool or group name. Download the repository on demand.

Data-Shield IPv4 Blocklist

Community-maintained malicious IPv4 list for firewall and WAF protection. Import to the platform in one click, refresh on demand, or export directly as firewall rules.


Flash Report (FLINT)

Generate structured CTI reports and export them in Excel format.

The report follows a 13-step structure:

  1. Header and metadata: reference number (FLINT-YYYY-XXX), TLP (RED / AMBER / GREEN / CLEAR), PAP (RED / AMBER / GREEN / WHITE), priority (Critical / High / Medium / Low), status (Draft / Review / Final), author, created and updated dates
  2. Subject
  3. Summary
  4. Key takeaways
  5. Timeline
  6. Analysis
  7. IOCs
  8. Detection rules
  9. Actions
  10. Gaps
  11. Assessment
  12. Sources
  13. Distribution

Save reports as drafts, browse saved report history, and export to .xlsx at any time.


Log Analyzer

Upload security logs and automatically map events to MITRE ATT&CK techniques.

Supported log formats:

  • CSV: SIEM exports, Windows Event exports, spreadsheet logs with headers
  • JSON: AWS CloudTrail, Azure Activity Logs, API logs, structured SIEM events
  • TXT / LOG: Syslog (RFC 3164/5424), Windows application logs, Apache/Nginx/IIS access logs, firewall logs, plain text
  • XML: Windows Event Log exports

How it works:

Each log event is scanned against 200+ regex patterns covering all 14 MITRE ATT&CK tactics. Coverage includes endpoint activity (Windows, Linux), network events (firewall, proxy, DNS), web application logs (Apache, Nginx, IIS), Active Directory events, and cloud logs (AWS CloudTrail, Azure Activity). Keywords include powershell, mimikatz, lsass, registry run key, lateral movement, dns tunneling, vssadmin, wbadmin.

From each log line the system extracts:

  • timestamp - parsed from the line itself (ISO 8601, Syslog, Windows Event format), falls back to upload time
  • source - originating system or log type (firewall, sysmon, webserver, AD, cloud...)
  • description - the full raw log message used for pattern matching
  • host - hostname or IP of the machine involved, when present

Signal strength per match:

  • 🔴 High (>= 80%) - strong multi-keyword match on a high-severity tactic
  • 🟠 Medium (50-79%) - partial match or lower-severity tactic
  • 🟡 Low (< 50%) - weak single-keyword match

Signal strength reflects pattern confidence only, not the actual severity of the incident.

Output:

  • Cyber Kill Chain visualization showing which phases had detected events and which are Blind Zones
  • Detected technique cards with technique ID, name, tactic, and event count
  • Chronological attack timeline grouped by MITRE tactic in Kill Chain order: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Impact
  • All Events table with timestamp, source, description, matched technique, and signal strength
  • Export results to JSON or CSV
  • Past analyses saved and accessible from the Past Incidents tab

Tactics with no detected events are marked as Blind Zones. Their absence does not confirm the attack skipped that phase.

A match signals an area requiring investigation. It does not confirm a compromise. Manual analyst review is always required.
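The "How it works" section above describes a keyword-regex engine with a confidence score, not a behavioural detector, and the caveats that follow it (blind zones, mandatory analyst review) are the direct consequence. The block below is an added example, not the platform's engine: a five-rule miniature of the same design, run over constructed Sysmon, syslog and firewall lines. Timestamp parsing, the host/source extraction, the tactic list and the scoring (fraction of a rule's keywords matched, capped below High for tactics outside a constructed "high-severity" set) are all assumptions made for this example; the technique IDs are real ATT&CK identifiers. Since RFC 3164 syslog lines carry no year, the year of the upload time is assumed for them.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Kill-chain order as the Log Analyzer presents it.
KILL_CHAIN = ["Initial Access", "Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
              "Credential Access", "Discovery", "Lateral Movement", "Collection", "Exfiltration",
              "Command and Control", "Impact"]
# Assumption for this example: tactics whose strong matches may reach "High".
HIGH_SEVERITY_TACTICS = {"Credential Access", "Lateral Movement", "Exfiltration", "Command and Control", "Impact"}

# Constructed rule set: (technique id, name, tactic, keyword regexes). Five rules stand in
# for the platform's 200+; they are illustrative and far from complete.
RULES = [
    ("T1059.001", "PowerShell", "Execution",
     [r"powershell", r"-enc(?:odedcommand)?\b", r"-w(?:indowstyle)?\s+hidden", r"-nop\b"]),
    ("T1003.001", "LSASS Memory", "Credential Access",
     [r"lsass\.exe", r"mimikatz|procdump|sekurlsa", r"grantedaccess=0x1[04]10"]),
    ("T1547.001", "Registry Run Keys", "Persistence",
     [r"currentversion\\run\\", r"eventid=13|reg(?:\.exe)?\s+add"]),
    ("T1071.004", "DNS", "Command and Control",
     [r"dport=53\b", r"bytes=\d{5,}", r"txt query|dns tunnel"]),
    ("T1490", "Inhibit System Recovery", "Impact",
     [r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", r"/quiet"]),
]
COMPILED = [(tid, name, tactic, [re.compile(k, re.I) for k in kws]) for tid, name, tactic, kws in RULES]

ISO_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z?")
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) ([^:\s\[]+)")


def parse_line(line: str, upload_time: datetime) -> Tuple[datetime, Optional[str], str]:
    """Timestamp (ISO 8601 or RFC 3164 syslog, else upload time), host and source."""
    ts, host, source = upload_time, None, "unknown"
    m = ISO_TS.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    else:
        m = SYSLOG_TS.match(line)
        if m:  # syslog has no year: assume the upload year
            ts = datetime.strptime(f"{upload_time.year} {m.group(1)} {m.group(2)} {m.group(3)}",
                                   "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
            host, source = m.group(4), m.group(5)
    kv_host, kv_src = re.search(r"\bhost=(\S+)", line), re.search(r"\bsrc=(\S+)", line)
    return ts, (kv_host.group(1) if kv_host else host), (kv_src.group(1) if kv_src else source)


def analyze(lines: List[str], upload_time: Optional[datetime] = None) -> dict:
    """Match every line against every rule; score = matched keywords / rule keywords."""
    upload_time = upload_time or datetime.now(timezone.utc)
    events = []
    for line in lines:
        ts, host, source = parse_line(line, upload_time)
        for tid, name, tactic, kws in COMPILED:
            hits = [k.pattern for k in kws if k.search(line)]
            if not hits:
                continue
            confidence = len(hits) / len(kws)
            if tactic not in HIGH_SEVERITY_TACTICS:
                confidence = min(confidence, 0.79)  # lower-severity tactic tops out at Medium
            signal = "High" if confidence >= 0.8 else "Medium" if confidence >= 0.5 else "Low"
            events.append({"timestamp": ts.isoformat(), "host": host, "source": source, "technique": tid,
                           "name": name, "tactic": tactic, "confidence": round(confidence, 2),
                           "signal": signal, "matched": hits, "description": line})
    events.sort(key=lambda e: e["timestamp"])
    seen = {e["tactic"] for e in events}
    return {"events": events, "blind_zones": [t for t in KILL_CHAIN if t not in seen]}


# Constructed log lines: ISO key=value events, RFC 3164 syslog from a Sysmon forwarder, one benign line.
SAMPLE_LOGS = [
    "2024-03-12T10:14:02Z host=WS-042 src=sysmon EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=\"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\"",
    "Mar 12 10:15:30 WS-042 sysmon: EventID=10 TargetImage=C:\\Windows\\system32\\lsass.exe "
    "SourceImage=C:\\Users\\bob\\mimikatz.exe GrantedAccess=0x1010",
    "Mar 12 10:20:00 WS-042 sysmon: EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=\"vssadmin delete shadows /all /quiet\"",
    "2024-03-12T10:25:11Z host=fw-edge src=firewall action=allow proto=udp dport=53 bytes=48210 msg=\"long query\"",
    "Mar 12 10:30:00 WS-042 sysmon: EventID=13 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater "
    "Details=C:\\Users\\bob\\AppData\\update.exe",
    "Mar 12 10:31:00 WS-042 kernel: routine message with nothing interesting",
    "Mar 12 10:32:00 WS-042 sysmon: EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=\"powershell Get-ChildItem C:\\Reports\"",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS, upload_time=datetime(2024, 3, 13, tzinfo=timezone.utc))
    for e in result["events"]:
        print(e["timestamp"], e["host"], e["technique"], e["tactic"], e["signal"], e["confidence"])
    print("Blind zones:", ", ".join(result["blind_zones"]))
```

Two things the output makes concrete. The last line (an admin listing a directory with PowerShell) matches one keyword and lands as Low, which is exactly the "weak single-keyword match" the page warns needs a human look. And seven of the twelve tactics come back as blind zones even though the sample clearly shows an intrusion: nothing in these logs was shaped like initial access or lateral movement, which says as much about log coverage and rule coverage as it does about the attacker.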


Settings

Authentication Enable or disable login. When enabled, users must authenticate to access the platform. Default credentials are configured during installation.

Auto-tagging Automatically tag extracted IOCs based on their type, source, date, and other metadata. Manual tags remain available regardless of this setting.

Source management

  • Enable automatic source rotation: when the maximum source count is reached, the oldest sources are deleted automatically
  • Set the maximum number of sources to keep (default: 20)
  • Set the number of recent sources shown on the dashboard (default: 20)
  • Configure trash auto-cleanup delay in days (default: 5)
  • Manually trigger trash cleanup at any time

Storage monitoring

  • View total disk usage and free space with live refresh
  • View space used by uploads, database, and outputs separately
  • Manual cleanup controls:
    • Clean uploads (files, paste, URLs)
    • Clean outputs (TXT, JSON, CSV, STIX exports)
    • Delete all sources and their associated IOCs
    • Delete all IOCs from the database
    • Delete all STIX uploaded files
    • Full reset: deletes all uploads, outputs, IOCs, sources, groups, STIX files, incidents, and cache

Backup and restore

  • Create a full ZIP backup containing all IOCs with tags and groups, all sources and metadata, custom groups and settings, and CTI favorites
  • Restore from a backup ZIP file: existing data is preserved, backup data is merged, duplicate IOCs are skipped

Settings are saved and applied immediately.


Dashboard overview

The home page shows a live summary of your CTI workspace:

  • Total sources and active IOC count
  • True Positive / False Positive / unvalidated counts
  • Temporal trends: IOCs and sources added in the last 24h / 7d / 30d
  • Top 5 IOC types and distribution by category
  • Quality and validation ratios
  • TLP classification breakdown
  • Operational metrics: IOCs with notes, IOCs with query URLs
  • Alerts: critical IOCs (TLP:RED + True Positive), recent unvalidated, sources in error
  • Most productive sources
  • Recent sources list
  • CTI Resources status (DeepDarkCTI last update, MITRE ATT&CK import status, Ransomware Matrix status, Data-Shield blocklist last update and IP count)

Privacy and offline operation

After installation, the platform makes zero network connections by default.

Action                             Connection    Destination
Normal usage                       None          Everything is local
URL import                         On demand     URL you provide
DeepDarkCTI download or refresh    On demand     github.com/fastfire/deepdarkCTI
Ransomware Matrix download         On demand     github.com/BushidoUK/Ransomware-Tool-Matrix
Data-Shield blocklist refresh      On demand     github.com/duggytuxy/Data-Shield_IPv4_Blocklist
MITRE ATT&CK update                On demand     raw.githubusercontent.com/mitre-attack/attack-stix-data

All frontend assets including vis.js, CSS, and JavaScript are bundled locally. No CDN calls at runtime.

To run fully air-gapped:

  • Skip CTI resource downloads during installation
  • Do not use URL import, use file upload or paste text instead
  • Do not click Download or Refresh in CTI Resources

Data privacy:

  • All IOC data, sources, tags, and exports stay on your server
  • No telemetry or analytics
  • No automatic updates or background connections
  • IOC extraction runs locally via iocsearcher
  • The SQLite database and all files stay within your infrastructure

Compliance

Standard          Control                               How ODYSAFE-CTI helps
ISO 27001:2022    Control 5.7 - Threat Intelligence     Centralized IOC management, STIX 2.1 export for standardized sharing
NIS2              Art. 21 - Risk Management             Centralized IOC view for threat assessment, STIX visualization
NIS2              Art. 23 - Incident Management         IOC lifecycle tracking, tagging system, full audit history
NIS2              Art. 23 - Information Sharing         STIX 2.1 bundles shareable with CERT/CSIRT and other tools
ISO 27001:2022    A.8.16 - Monitoring                   Application logs to stdout, full audit trail in SQLite

Architecture

Browser (Jinja2 templates, vanilla JS, vis-network bundled locally)
                    |
              HTTPS localhost:5001
                    |
         Flask backend (Python)
         runs as normal user, no root needed
                    |
         SQLite database (single local file)
                    |
    IOCs / Sources / Investigations / Exports
                    |
    Security tools (Firewalls, SIEM, EDR, CERT/CSIRT, MISP, OpenCTI)

Key components:

  • Flask - lightweight Python web framework, runs as a normal user
  • SQLite - single-file database, no database server required
  • iocsearcher - open-source IOC extraction library
  • vis.js - interactive graph visualization, bundled locally

Open-source tools used

ODYSAFE CTI Platform thanks all developers and maintainers of these open-source projects.


Contributing

  1. Fork the repository
  2. Create a branch: git checkout -b feature/your-feature
  3. Make your changes and test thoroughly
  4. Commit with clear messages: git commit -m 'Add your feature'
  5. Push and open a Pull Request

For bugs: open an issue with steps to reproduce. For security vulnerabilities: report privately, not in a public issue.

Code style: PEP 8 for Python, comments for complex logic, updated docs for user-facing changes.


License

GNU Affero General Public License v3.0 (AGPL-3.0)

Free to use, modify, and distribute under the terms of the AGPL-3.0. See the LICENSE file for details.


Developed by Odysafe

About

A comprehensive Cyber Threat Intelligence platform featuring IOC management, STIX integration, automatic threat extraction, secure web interface, and integration for threat intelligence sources.
