InQuest/ThreatIngestor

★ 920 · Python · GPL-2.0 · updated May 2026

Extract and aggregate threat intelligence.

ThreatIngestor is a pipeline daemon that polls threat intel sources (RSS, Twitter, GitHub, SQS, web pages) and extracts IOCs—IPs, domains, URLs, YARA rules—then routes them to destinations like MISP, SQLite, or SQS queues. It's for SOC analysts and threat hunters who want to automate the grunt work of monitoring security blogs and feeds without building the plumbing themselves.

The plugin architecture is clean: sources and operators are separate abstractions, so you can wire arbitrary inputs to arbitrary outputs in YAML without touching code. MISP integration is first-class, which matters since MISP is where most serious threat sharing actually happens. The image extraction source (OCR via tesseract) is a genuine differentiator—malware researchers regularly screenshot IOCs to defeat automated scraping, and this handles that. Test coverage is thorough with per-module test files, and the state management for tracking what's already been processed is properly abstracted rather than scattered.

Twitter source is effectively dead—the API changes in 2023 killed free access, and the README still points you toward a Twitter developer account as if that's a reasonable suggestion. The Docker instructions are outdated enough that they include a note to comment out lines in the Dockerfile to make it work, which is a bad sign for production use. Last meaningful activity appears to be years ago; the May 2026 push likely reflects dependency bumps rather than active development. No built-in deduplication of extracted IOCs across sources—if the same domain appears in five RSS feeds, you'll write it five times to your operator unless you handle that yourself downstream.
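A sketch of the downstream deduplication mentioned above, added here as an example; it is not ThreatIngestor code and does not use its API. `SeenStore`, `normalize` and `forward_unique` are hypothetical names, and the example assumes IOCs arrive as `(type, value, source)` tuples and that defanged or differently cased spellings should count as the same indicator.

```python
import ipaddress
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: one domain reported by three feeds in different spellings.
SAMPLE = [("domain", "Evil.Example[.]com", "feed-a"),
          ("domain", "evil.example.com.", "feed-b"),
          ("url", "hxxps://Evil.example[.]com/a", "feed-b"),
          ("domain", "EVIL.example.com", "feed-c")]


def normalize(ioc_type, value):
    """Canonical form, so defanged or differently cased spellings compare equal."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    if ioc_type == "ip":
        return str(ipaddress.ip_address(v))
    if ioc_type == "domain":
        return v.lower().rstrip(".")
    if ioc_type == "url":
        if v.lower().startswith("hxxp"):
            v = "http" + v[4:]
        p = urlsplit(v)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))
    return v


class SeenStore:
    """Hypothetical helper: remembers each (type, value) already forwarded."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS seen (ioc_type TEXT, value TEXT, "
            "first_source TEXT, hits INTEGER, PRIMARY KEY (ioc_type, value))")

    def add(self, ioc_type, value, source):
        """Return True if the IOC is new and should go to the destination."""
        key = (ioc_type, normalize(ioc_type, value))
        cur = self.db.execute(
            "UPDATE seen SET hits = hits + 1 WHERE ioc_type = ? AND value = ?", key)
        is_new = cur.rowcount == 0
        if is_new:
            self.db.execute("INSERT INTO seen VALUES (?, ?, ?, 1)", key + (source,))
        self.db.commit()
        return is_new


def forward_unique(items, store):
    return [item for item in items if store.add(*item)]
```

Pointing `SeenStore` at a file path instead of `:memory:` keeps the seen set across restarts, and the `hits` column shows how many feeds repeated each indicator.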
