Skip to content
An open source framework for enterprise level automated analysis.
Python Dockerfile
Branch: master
Clone or download

Latest commit

mlaferrera Merge pull request #150 from malvidin/ioc_update
Fix Docker IOC Extract Issues
Latest commit 6fea9c8 May 11, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/ISSUE_TEMPLATE Update issue templates Dec 21, 2018
docs Fixed typo, and added space before code (in so that it gets … Mar 25, 2020
extras Set provider_consumers to a more reasonable setting for most uses cases Dec 31, 2019
stoq Ensure `always_dispatch` is parsed as list (#149) May 7, 2020
.coveragerc Add more unit tests Dec 13, 2018
.gitignore Add mypy to gitignore Nov 9, 2018
.pyre_configuration Cleanup in prep for v3 release Dec 4, 2019
.travis.yml Cleanup in prep for v3 release Dec 4, 2019 Ensure `always_dispatch` is parsed as list (#149) May 7, 2020 Add Code of conduct and contributing guidelines Dec 14, 2018 Update contact information Jan 25, 2019 Add another thank you for contributing. Nov 6, 2019
Dockerfile Move to 3.0.0 from 3.0.0b3 May 7, 2020
LICENSE Update: Prevent logo from displaying at every start Feb 6, 2017 Bump exiftool and stoq versions. Fix triddef install path. Cleanup MA… Feb 5, 2020 Fix documentation for installiing v3 beta Dec 4, 2019
readthedocs.yaml Add readthedocs config to pass docs build Nov 20, 2018
requirements.txt Update bs4 version to >= 4.5.1 Jan 8, 2019 Cleanup in prep for v3 release Dec 4, 2019

Join the community on Spectrum

Build Status Coverage Status Documentation Status Docker Build pypi License

Get Started


stoQ is an automation framework that helps to simplify the mundane and repetitive tasks an analyst is required to do. It enables analysts and DevSecOps teams to quickly transition between different data sources, databases, decoders/encoders, and numerous other tasks using enriched and consistent data structures. stoQ was designed to be enterprise ready and scalable, while also being lean enough for individual security researchers.

Why use stoQ?

  • Extremely lightweight and designed with simplicity in mind.
  • Fully supports AsyncIO.
  • A wide range of publicly available plugins.
  • stoQ makes no assumptions about your workflow. Analysts decide everything, from where data originates, how it is scanned/decoded/processed, to where it is saved.
  • Scalable in not only native/bare metal environments, but also using solutions such as Kubernetes, AWS Lambda, Google Cloud Functions, Azure Functions, and many more.
  • Written to be easily and quickly extended. All you need is a plugin.
  • Can be used in an enterprise environment or by individuals without the need for client/server infrastructure
  • Over 95% of code is covered by unittests.
  • All core functions and plugins leverage typing and are type-checked at commit.
  • Actively developed since 2011, open source since 2015.
  • Extensive up-to-date documentation.


stoQ was initially a collection of scripts that helped us solve problems we encountered daily. These tasks, such as parsing an SMTP session, extracting attachments, scanning them with a multitude of custom and open source tools, saving the results, and then finally analyzing them took up an increasing amount of our team's resources. We spent an ever increasing amount of time simply attempting to collect and extract data. This took valuable resources away from our ability to actually find and analyze adversaries targeting our networks.

We grew tired of being the hamster in a wheel and decided to do something about it. In 2011, we began development of a framework that would not only tackle the problem above, but also allow us to quickly change the flow of data and automated analytics, quickly pivot to new databases to house the results, and simply be able to respond to the adversaries changing their tactics, techniques, and procedures (TTPs).

Most importantly, our focus was to build a tool that would allow us to do what we love to do -- defend networks from adversaries that are determined, focused, and relentless.

In 2015, after stoQ had been matured in multiple large scale operational networks, we decided to open source our work in hopes of helping the wider Network Defense community. Since then, we've been constantly enhancing stoQ thanks to the feedback and contributions from the community of stoQ users.

You can’t perform that action at this time.