Threat Bus is a real-time pub/sub broker for threat intelligence. Indicators of compromise (IoCs) can be distributed to detection tools (e.g., NIDS) and sightings can be reported back to intelligence databases. Threat Bus features a modular plugin architecture and is easily extendable. Currently, plugins exist to connect Zeek, MISP, and VAST to the bus.



  • Connect Open-Source Security Tools: Threat Bus is a pub-sub broker for threat intelligence data. With Threat Bus you can seamlessly integrate MISP threat data with the Zeek intel framework or report sightings - to MISP or your custom intel database.

  • Plugin-based Architecture: The project is plugin-based and can be extended easily. We welcome contributions to adopt new open-source tools!

  • Snapshotting: The snapshot feature allows subscribers to directly request threat intelligence data for a certain time range from other applications. Threat Bus handles the point-to-point communication of all involved apps.