ThreatGPT
NLP pipeline that turns unstructured threat reports into structured IOCs and ATT&CK-mapped TTPs
โก TL;DR
๐ฏ The Problem It Solves
CTI teams drown in PDF reports, blog posts, and dark-web writeups. Manually reading each one to pull IOCs and map TTPs takes hours per report. ThreatGPT automates the extraction: feed it raw text or a PDF, and it returns structured observables (IPs, domains, hashes), named threat actors, and ATT&CK technique mappings โ ready to push into OpenCTI or MISP.
๐ง How It Works
ThreatGPT is a Python NLP pipeline built on spaCy and a fine-tuned transformer. It segments a report, runs entity recognition to pull observables (IP, domain, hash, CVE), classifies the threat actor, and maps described behaviors to MITRE ATT&CK techniques. Output is structured JSON you can pipe directly into your TIP. The model was fine-tuned on a curated corpus of APT reports and blog writeups, so it understands threat-intel jargon out of the box.
๐ Installation & Quick Start
Installation
git clone https://github.com/ZeroMemoryEx/ThreatGPT.git
cd ThreatGPT
pip install -r requirements.txt
# The first run downloads the fine-tuned model (~500MB)Quick Start
- git clone https://github.com/ZeroMemoryEx/ThreatGPT && cd ThreatGPT
- pip install -r requirements.txt
- python -m threatgpt analyze --file apt_report.pdf
- python -m threatgpt extract-iocs --text "traffic to 1.2.3.4 on port 443"
- python -m threatgpt export --format misp # push to your TIP
โ Pros
- โขTurns a 30-minute manual report-read into 30 seconds
- โขStructured JSON output plugs straight into your TIP
- โขFree, MIT-licensed, fine-tuned on real APT reports
- โขLocal processing โ no data leaves your network
โ Cons
- โขAccuracy tracks source-report quality (garbage in, garbage out)
- โขStruggles with heavily redacted or scanned PDFs
- โขNovel IOCs outside training distribution get misclassified
- โขNo built-in dashboard โ you pipe output elsewhere
๐ฌ Practitioner Verdict
"ThreatGPT is the rare AI tool that actually earns its place in a CTI workflow. It won't write your finished intelligence, but for ingesting a queue of PDFs and pulling structured observables + ATT&CK mappings, it's a genuine 10x. Connect it to OpenCTI and you've just automated the most boring part of intel work."
๐ Specifications
- Language
- Python
- License
- MIT
- Platform
- Linux, macOS, Windows
- Kill Chain
- Intelligence / Detection
- MITRE ATT&CK
- T1595, T1592
๐ฐ Pricing Reality
ThreatGPT is free (MIT). No API calls, no cloud. Your only cost is the compute to run the NLP model (takes ~5s/report on CPU, <1s on GPU).
๐ฅ Community Health
๐ท๏ธ Tags
๐ฌ Video Tutorials
ThreatGPT IOC Extraction Demo
ZeroMemoryEx ยท 56K views ยท 25:30