๐Ÿ”’SecurityRepoIndex

ThreatGPT

NLP pipeline that turns unstructured threat reports into structured IOCs and ATT&CK-mapped TTPs

4.0/ 52,500 GitHub starsPythonMIT

โšก TL;DR

What
NLP pipeline that turns unstructured threat reports into structured IOCs and ATT&CK-mapped TTPs
Who
Threat Intel Analysts, SOC Analysts, Malware Analysts, CTI teams
Catch
Accuracy tracks source-report quality (garbage in, garbage out)
Verdict
โญโญโญโญ Essential

๐ŸŽฏ The Problem It Solves

CTI teams drown in PDF reports, blog posts, and dark-web writeups. Manually reading each one to pull IOCs and map TTPs takes hours per report. ThreatGPT automates the extraction: feed it raw text or a PDF, and it returns structured observables (IPs, domains, hashes), named threat actors, and ATT&CK technique mappings โ€” ready to push into OpenCTI or MISP.

๐Ÿ”ง How It Works

ThreatGPT is a Python NLP pipeline built on spaCy and a fine-tuned transformer. It segments a report, runs entity recognition to pull observables (IP, domain, hash, CVE), classifies the threat actor, and maps described behaviors to MITRE ATT&CK techniques. Output is structured JSON you can pipe directly into your TIP. The model was fine-tuned on a curated corpus of APT reports and blog writeups, so it understands threat-intel jargon out of the box.

๐Ÿš€ Installation & Quick Start

Installation

git clone https://github.com/ZeroMemoryEx/ThreatGPT.git
cd ThreatGPT
pip install -r requirements.txt
# The first run downloads the fine-tuned model (~500MB)

Quick Start

  1. git clone https://github.com/ZeroMemoryEx/ThreatGPT && cd ThreatGPT
  2. pip install -r requirements.txt
  3. python -m threatgpt analyze --file apt_report.pdf
  4. python -m threatgpt extract-iocs --text "traffic to 1.2.3.4 on port 443"
  5. python -m threatgpt export --format misp # push to your TIP

โœ… Pros

  • โ€ขTurns a 30-minute manual report-read into 30 seconds
  • โ€ขStructured JSON output plugs straight into your TIP
  • โ€ขFree, MIT-licensed, fine-tuned on real APT reports
  • โ€ขLocal processing โ€” no data leaves your network

โŒ Cons

  • โ€ขAccuracy tracks source-report quality (garbage in, garbage out)
  • โ€ขStruggles with heavily redacted or scanned PDFs
  • โ€ขNovel IOCs outside training distribution get misclassified
  • โ€ขNo built-in dashboard โ€” you pipe output elsewhere

๐Ÿ’ฌ Practitioner Verdict

"ThreatGPT is the rare AI tool that actually earns its place in a CTI workflow. It won't write your finished intelligence, but for ingesting a queue of PDFs and pulling structured observables + ATT&CK mappings, it's a genuine 10x. Connect it to OpenCTI and you've just automated the most boring part of intel work."
โ€” Emmanuel, Security Reviewer

๐Ÿ“Š Specifications

Language
Python
License
MIT
Platform
Linux, macOS, Windows
Kill Chain
Intelligence / Detection
MITRE ATT&CK
T1595, T1592

๐Ÿ’ฐ Pricing Reality

ThreatGPT is free (MIT). No API calls, no cloud. Your only cost is the compute to run the NLP model (takes ~5s/report on CPU, <1s on GPU).

๐Ÿ‘ฅ Community Health

Stars2,500
Forks312
Contributors50
Health Score5.7/10

๐Ÿท๏ธ Tags

AgentsLLM

๐ŸŽฌ Video Tutorials

ThreatGPT IOC Extraction Demo

ZeroMemoryEx ยท 56K views ยท 25:30