Local threat intelligence database. Aggregates data from MISP feeds, vendor security blogs, open threat actor catalogs, dark web intel, and exploited CVEs into a local MongoDB instance. Everything runs locally — no cloud services, no API keys, no accounts needed.
- MISP feeds — syncs events from 5 free MISP-native feeds (abuse.ch, CIRCL, Botvrij.eu)
- Threat reports — fetches RSS from 12 vendor blogs (Mandiant, CrowdStrike, Talos, etc.), extracts structured threat intel via a local LLM (Ollama)
- Threat actors — merges actor data from 5 open sources (MISP Galaxy, MITRE ATT&CK, Malpedia, ThaiCERT, GapMATRIX) using union-find on overlapping aliases
- Dark web intel — parses deepdarkCTI for ransomware gangs, forums, markets, Telegram/Twitter actors
- Exploited CVEs — tracks commonly exploited vulnerabilities with PoC links and actor cross-references
All data lands in MongoDB with full-text indexes for fast querying.
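The alias-overlap merge described above for threat actors, as an added illustration (not watchpost's own code): records from several catalogs are unioned whenever they share a normalized alias, so transitive chains (catalog A lists X, B lists X and Y, C lists Y) collapse into one actor. Catalog names and records are constructed.

```python
# Added example (not watchpost's own code): merge actor records from several
# catalogs into one entity per actor using union-find over shared aliases.
from collections import defaultdict

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:  # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def normalize(name):
    """Alias key: case-insensitive, ignoring spaces/hyphens ('APT 28' == 'apt-28')."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def merge_actors(records):
    """Group records whose alias sets overlap (transitively); record = {source, name, aliases}."""
    uf = UnionFind()
    for rec in records:
        keys = [normalize(n) for n in [rec["name"], *rec["aliases"]]]
        for k in keys[1:]:
            uf.union(keys[0], k)
    groups = defaultdict(lambda: {"aliases": set(), "sources": set()})
    for rec in records:
        g = groups[uf.find(normalize(rec["name"]))]
        g["aliases"].update([rec["name"], *rec["aliases"]])
        g["sources"].add(rec["source"])
    merged = [{"aliases": sorted(g["aliases"], key=str.lower),
               "sources": sorted(g["sources"])} for g in groups.values()]
    return sorted(merged, key=lambda g: g["aliases"][0].lower())

# Constructed sample records (not real catalog data): three catalogs, two actors.
SAMPLE_RECORDS = [
    {"source": "catalog-a", "name": "APT28", "aliases": ["Fancy Bear", "Sofacy"]},
    {"source": "catalog-b", "name": "Sofacy", "aliases": ["Pawn Storm"]},
    {"source": "catalog-c", "name": "Pawn Storm", "aliases": ["APT 28"]},
    {"source": "catalog-a", "name": "APT29", "aliases": ["Cozy Bear"]},
]
```

Original spellings of every alias are kept in the merged record, while the normalized key decides membership; a real pipeline would add a manual blocklist for aliases that are known to be reused across distinct groups.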
```sh
git clone https://github.com/JonasColmsjo/watchpost.git
cd watchpost
just setup      # install MongoDB, Python, tools (no root needed)
just db start   # start local MongoDB
just sync       # pull everything (skip threat reports if no Ollama)
just status     # dashboard
```

Requirements:

- Linux (Debian 12 / Kali tested, other distros should work)
- `just` command runner (installed by `just setup`)
- ~2 GB disk for the database
- Optional: Ollama with a ~8B parameter model for threat report extraction
| Command | Description |
|---|---|
| `just setup` | Install all prerequisites via Ansible |
| `just status` | Dashboard: processes, DB stats, sync progress |
| `just sync` | Sync all data sources |
| `just db start` | Start local MongoDB |
| `just db stop` | Stop MongoDB |
| `just db status` | Show all databases with sizes |
| `just db shell misp` | Open mongosh on the misp database |
| `just db export` | Full database dump (gzip compressed) |
| `just db restore <dir>` | Restore from a previous export |
| `just misp sync` | Sync MISP feed events |
| `just misp status` | Per-feed stats: event counts, date range |
| `just misp recent 7d` | Events published in the last 7 days |
| `just misp query "APT28"` | Search events by keyword |
| `just reports sync` | Fetch vendor blog RSS, extract intel via LLM |
| `just reports status` | Report collection stats + top actors |
| `just reports search "APT28"` | Search by actor, TTP, malware, CVE |
| `just reports list` | List the 20 most recent reports |
| `just actors sync` | Download & merge actor catalogs |
| `just actors search "APT28"` | Search by name, alias, country, MITRE ID |
| `just actors show "APT28"` | Full detail view for one actor |
| `just actors profile SE` | Full threat profile for a region |
| `just darkweb sync` | Clone deepdarkCTI, parse all, update DB |
| `just darkweb gangs --online` | List online ransomware gangs |
| `just darkweb forums --online` | List online forums/markets |
| `just cves status` | Exploited CVE stats |
| `just cves show CVE-2024-21762` | Full CVE detail with cross-refs |
The `just reports sync` command fetches articles from vendor security blogs and uses a local LLM (via Ollama) to extract structured threat intelligence: actors, TTPs, targeted industries/regions, malware, tools, and CVEs.
By default, Ollama is expected to be running locally on port 11434. If Ollama runs on a remote host accessible via SSH:
```sh
export OLLAMA_SSH_HOST=myserver   # SSH hostname where Ollama runs
just reports sync
```

| Source | Type | What you get |
|---|---|---|
| abuse.ch (3 feeds) | MISP events | Malware IOCs, distribution URLs, sample hashes |
| CIRCL OSINT | MISP events | Curated APT/campaign analysis |
| Botvrij.eu | MISP events | European threat intel |
| 12 vendor blogs | RSS + LLM | Structured threat reports with actor attribution |
| MISP Galaxy | Actor catalog | 940+ actors with aliases, motivation, targets |
| MITRE ATT&CK | Actor catalog | 170+ actors with techniques, software |
| Malpedia | Actor catalog | 940+ actors with country attribution |
| ThaiCERT ETDA | Actor catalog | 500+ actors, independent attribution |
| GapMATRIX | Actor catalog | 470+ actors with techniques, CVEs |
| deepdarkCTI | Dark web intel | Ransomware gangs, forums, markets, Telegram |
License: MIT