Threat Bus is a real-time pub/sub broker for security content. Indicators of compromise (IoCs) can be distributed to detection tools (e.g., NIDS) and sightings can be reported back to intelligence databases. Threat Bus features a modular plugin architecture and is easily extendable. Currently, plugins exist to connect Zeek, MISP, and VAST to the bus.



  • Connect Open-Source Security Tools: Threat Bus is a pub/sub broker for security content. With Threat Bus, you can seamlessly integrate threat intelligence platforms like OpenCTI or MISP with detection tools and databases like Zeek or VAST.

  • Native STIX-2: Threat Bus transports indicators and sightings encoded as per the STIX-2 open format specification.

  • Plugin-based Architecture: The project is plugin-based and can be extended easily. Read about the different plugin types and how to write your own. We welcome contributions that add support for new open-source tools!

  • Official Plugins: We maintain many plugins right in the official Threat Bus repository. Check out our integrations for MISP, Zeek, and CIFv3, and, more generally, for apps that connect via ZeroMQ, like VAST Threat Bus and our OpenCTI connector.

  • Snapshotting: The snapshot feature allows subscribers to directly request historic security content for a certain time range from other applications. Threat Bus handles the point-to-point communication of all involved apps.
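
The indicator-out, sighting-back flow described above, sketched as an added Python example; it is not Threat Bus code and does not use its API or plugins. The function names, the sample domain and the DNS queries are constructed for illustration, and STIX 2.1 is assumed as the concrete STIX-2 version.

```python
import json
import re
import uuid
from datetime import datetime, timezone

def _now():
    # STIX timestamps are RFC 3339 in UTC; millisecond precision is used here.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_indicator(domain):
    """Intelligence side: STIX 2.1 Indicator for one domain (required properties only)."""
    ts = _now()
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts,
            "pattern_type": "stix",
            "pattern": f"[domain-name:value = '{domain}']"}

def make_sighting(indicator, count):
    """STIX 2.1 Sighting that points back at the indicator via sighting_of_ref."""
    ts = _now()
    return {"type": "sighting", "spec_version": "2.1",
            "id": f"sighting--{uuid.uuid4()}",
            "created": ts, "modified": ts,
            "sighting_of_ref": indicator["id"], "count": count}

# Only the simplest pattern form (one domain equality test) is understood here.
DOMAIN_PATTERN = re.compile(r"^\[domain-name:value = '([^']+)'\]$")

def detect(indicator_json, dns_queries):
    """Detection side: match observed DNS queries against a received indicator.
    Returns the sighting as a JSON string, or None if nothing matched."""
    indicator = json.loads(indicator_json)
    if indicator.get("type") != "indicator" or indicator.get("pattern_type") != "stix":
        return None
    m = DOMAIN_PATTERN.match(indicator.get("pattern", ""))
    if not m:
        return None  # unsupported pattern: skip rather than guess
    wanted = m.group(1).lower()
    hits = sum(1 for q in dns_queries if q.lower().rstrip(".") == wanted)
    return json.dumps(make_sighting(indicator, hits)) if hits else None

# Constructed sample data, not real traffic or real indicators.
SAMPLE_QUERIES = ["example.org", "evil.example.", "EVIL.example", "cdn.example.net"]

if __name__ == "__main__":
    wire = json.dumps(make_indicator("evil.example"))  # what a publisher would send
    print(detect(wire, SAMPLE_QUERIES))                # what a subscriber reports back
```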