Skip to main content


Threat Bus is a real-time pub/sub broker for security content. Indicators of compromise (IoCs) can be distributed to detection tools (e.g., NIDS) and sightings can be reported back to intelligence databases. Threat Bus features a modular plugin architecture and is easily extendable. Currently, plugins exist to connect Zeek, MISP, and VAST to the bus.



  • Connect Open-Source Security Tools: Threat Bus is a pub-sub broker for security content. With Threat Bus you can seamlessly integrate threat intelligence platforms like OpenCTI or MISP with detection tools and databases like Zeek or VAST.

  • Native STIX-2: Threat Bus transports indicators and sightings encoded as per the STIX-2 open format specification.

  • Plugin-based Architecture: The project is plugin-based and can be extended easily. Read about the different plugin types and how to write your own. We welcome contributions to adopt new open source tools!

  • Official Plugins: We maintain many plugins right in the official Threat Bus repository. Check out our integrations for MISP, Zeek, CIFv3, and generally apps that connect via ZeroMQ, like pyvast-threatbus and our OpenCTI connector.

  • Snapshotting: The snapshot feature allows subscribers to directly request historic security content for a certain time range from other applications. Threat Bus handles the point-to-point communication of all involved apps.