Open source tools to integrate threat intelligence into your existing security workflows, log pipelines, and analysis tools.
Most organizations have access to threat intelligence feeds but struggle to use them effectively. The data sits unused while security teams manually hunt through logs.
We build tools that change that. Our software plugs into the data pipelines you already run, automatically matching indicators of compromise against your logs, network traffic, and security data.
Our flagship project, matchy, is a fast IoC matching engine that builds memory-mapped databases from threat intel feeds.
- Sub-millisecond lookups on 100K+ indicators
- Unified database for IPs, CIDRs, domains, hashes, and glob patterns
- CLI, Rust library, and C API for integration anywhere
- MaxMind MMDB compatible - works with existing tooling
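To make concrete what a unified indicator database does, here is an added Python sketch (not matchy's code; matchy's memory-mapped format and feed layout are not reproduced) that indexes IPs, CIDRs, domains, a hash and a glob pattern in one lookup table and runs it over constructed log lines. The feed rows, log lines and hash value are all constructed for the example.

```python
"""Minimal IoC matcher sketch: one lookup table for IPs, CIDRs, domains,
hashes and glob patterns, scanned over sample log lines (added example)."""
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed sample feed: (indicator, type). The hash is a placeholder, not a real IoC.
FEED = [
    ("203.0.113.7", "ip"),
    ("198.51.100.0/24", "cidr"),
    ("bad.example", "domain"),
    ("*.evil.example", "glob"),
    ("0123456789abcdef0123456789abcdef", "md5"),
]

# Constructed log lines in a web-server style; line 3 is clean on purpose.
LOGS = [
    '10.0.0.5 - - "GET /login" 200 referer=http://c2.evil.example/x',
    '198.51.100.23 - - "POST /upload" 201 md5=0123456789abcdef0123456789abcdef',
    '192.0.2.9 - - "GET /index.html" 200',
]

# Candidate tokens: runs of letters, digits, dots and dashes (IPs, hosts, hashes).
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*[A-Za-z0-9]")

def build_db(feed):
    """Exact indicators (ip, domain, hash) go in a dict; CIDRs and globs are scanned."""
    db = {"exact": {}, "cidr": [], "glob": []}
    for ind, kind in feed:
        if kind == "cidr":
            db["cidr"].append((ipaddress.ip_network(ind, strict=False), ind))
        elif kind == "glob":
            db["glob"].append(ind.lower())
        else:
            db["exact"][ind.lower()] = kind
    return db

def lookup(db, token):
    """Return (matched_indicator, type) for a single token, or None."""
    t = token.lower()
    if t in db["exact"]:
        return t, db["exact"][t]
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None
    if addr is not None:  # only IP-shaped tokens are tested against CIDRs
        for net, ind in db["cidr"]:
            if addr in net:
                return ind, "cidr"
    for pat in db["glob"]:  # glob patterns cover wildcard domains like *.evil.example
        if fnmatchcase(t, pat):
            return pat, "glob"
    return None

def scan(db, lines):
    """Return a list of (line_no, token, indicator, type) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            m = lookup(db, tok)
            if m:
                hits.append((n, tok, m[0], m[1]))
    return hits

if __name__ == "__main__":
    for hit in scan(build_db(FEED), LOGS):
        print(hit)
```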
```bash
# Build a threat database
matchy build threats.csv -o threats.mxy
# Scan logs for matches
matchy match threats.mxy access.log
# Query individual indicators
matchy query threats.mxy 1.2.3.4
```

| Project | Description |
|---|---|
| elasticsearch-matchy-ingest-plugin | Elasticsearch ingest processor |
| fluent-bit-matchy | Fluent Bit WASM filter plugin |
| zeek-matchy-plugin | High-performance Zeek plugin (7M+ queries/sec) |
| matchy-wireshark-plugin | Real-time threat matching in Wireshark |
| Binding | Description |
|---|---|
| matchy-wasm | JavaScript/TypeScript via WebAssembly |
| matchy-java | Java wrapper for JVM integration |
We're open to contributions. Check out CONTRIBUTING.md in any repo to get started.