ZettelForge: The AI-Powered CTI Analyst That Never Forgets – And It Runs Entirely Offline + Video

Listen to this Post

Featured Image

Introduction:

In modern Security Operations Centers (SOCs), analysts are drowning in an endless tide of cyber threat intelligence (CTI) reports—hundreds of PDFs, detection rules, and incident notes that pile up faster than anyone can read【1†L3-L5】. The critical intelligence buried within these documents is often lost in the noise, forcing teams to reread the same reports repeatedly when hunting for threats. ZettelForge emerges as a paradigm-shifting solution: a local-first AI engine that ingests, organizes, and interconnects threat data automatically, allowing analysts to query complex relationships in plain English and receive answers in milliseconds—all without a single byte of sensitive data leaving the machine【1†L12-L15】.

Learning Objectives:

  • Understand how ZettelForge automates the extraction and correlation of cyber threat intelligence (CTI) from unstructured reports.
  • Learn to leverage local AI models for secure, offline threat research and IOC (Indicator of Compromise) management.
  • Master the integration of MITRE ATT&CK frameworks, APT group aliasing, and automated CVE mapping into daily SOC workflows.

You Should Know:

  1. Automated Intelligence Extraction: From Raw PDFs to Actionable Data

ZettelForge functions as an intelligent parser that transforms static documents into a dynamic, queryable knowledge graph. When you feed it a threat report, it doesn’t just store the text; it performs deep semantic analysis to extract structured data. The tool automatically identifies and tags Common Vulnerabilities and Exposures (CVEs), hacker group aliases (e.g., APT28, Fancy Bear, Sofacy, STRONTIUM), malicious IP addresses, domains, file hashes, and maps techniques directly to the MITRE ATT&CK framework【1†L6-L9】.

But the real power lies in its relational understanding. For instance, if a report mentions “Fancy Bear,” ZettelForge recognizes this as an alias for APT28 and STRONTIUM. A query for “Fancy Bear” will automatically return all intelligence associated with APT28, eliminating the manual cross-referencing that typically consumes hours of an analyst’s day【1†L10-L11】.

Step‑by‑step guide: How to process a CTI report with ZettelForge

  1. Installation: Clone the repository from the official project link (https://lnkd.in/e5dx5itj)【1†L14】. Ensure your system meets the dependencies (typically Python 3.8+ and relevant ML libraries).
  2. Ingestion: Place your CTI PDFs, text files, or detection rules into the designated input folder. ZettelForge supports batch processing for bulk historical analysis.
  3. Processing: Run the ingestion engine. The tool will parse the documents, extract entities, and build internal vector embeddings for semantic search.
  4. Verification: Check the generated output logs to confirm that CVEs, IPs, and MITRE techniques have been correctly identified and linked.
  5. Querying: Use the natural language interface. Ask questions like “What tools does APT28 use?” or “Show me recent CVE-2024-XXXX mitigations.”
  6. Export: Extract the structured data (e.g., JSON or CSV) for integration into your SIEM or ticketing systems.

If you want to build a similar lightweight parser for Linux (using open-source tools), consider this Python snippet using the `yara-python` and `stix2` libraries to extract IOCs:

import re
import yara
from stix2 import TTP, Indicator

Example: Regex patterns for IOC extraction (simplified)
ip_pattern = re.compile(r'\b(?:[0-9]{1,3}.){3}[0-9]{1,3}\b')
domain_pattern = re.compile(r'\b(?:[a-zA-Z0-9-]+.)+[a-zA-Z]{2,}\b')

def extract_iocs(text):
ips = ip_pattern.findall(text)
domains = domain_pattern.findall(text)
 Further logic to check against YARA rules or STIX patterns
return {"ips": ips, "domains": domains}

For Windows environments, you can utilize PowerShell to parse CSV exports from ZettelForge and feed them directly into Defender for Endpoint via the `Add-MpPreference` cmdlet for custom indicators.

  1. Mastering the MITRE ATT&CK Mapping and APG Alias Resolution

One of the most challenging aspects of threat intelligence is the fragmentation of data regarding threat actors. Different vendors assign different names to the same group—APT28, Fancy Bear, Sofacy, STRONTIUM, and Sednit all refer to the same Russian state-sponsored actor【1†L10】. ZettelForge solves this by maintaining an internal alias database that cross-references these names.

When a report is ingested, the tool not only tags the group name mentioned but also links it to all known aliases. This ensures that when you search for “Sofacy,” the system returns intelligence from reports that used “APT28” or “STRONTIUM.” This is achieved through a combination of Named Entity Recognition (NER) models and a curated knowledge base of threat actor profiles.

Step‑by‑step guide: Leveraging ATT&CK mappings for proactive defense

  1. Identify Techniques: Run a query in ZettelForge for a specific group (e.g., “Lazarus Group”). The tool returns a list of MITRE ATT&CK techniques (e.g., T1059 – Command and Scripting Interpreter, T1566 – Phishing).
  2. Analyze Procedure: Click on a specific technique to see how it was used in the context of the reports (e.g., specific PowerShell commands or file names).
  3. Deploy Detections: Use the extracted techniques to create or update Sigma rules. For example, if T1059.001 (PowerShell) is prevalent, create a rule to monitor for suspicious PowerShell execution.

Example Sigma Rule for PowerShell abuse (T1059.001):

title: Suspicious PowerShell Command Line
status: experimental
description: Detects suspicious PowerShell invocation patterns
logsource:
product: windows
service: powershell
detection:
selection:
CommandLine|contains|all:
- '-ExecutionPolicy'
- 'Bypass'
- '-EncodedCommand'
condition: selection

3. Local-First Architecture: The Zero-Trust Approach to CTI

Data sovereignty and privacy are paramount in cybersecurity. ZettelForge’s architecture ensures that all processing occurs locally on your machine【1†L12-L13】. No sensitive indicators, internal network data, or proprietary intelligence is ever transmitted to the cloud. This is crucial for government agencies, financial institutions, and critical infrastructure providers where data leakage is not an option.

By running locally, ZettelForge also offers performance benefits. The tool responds to queries in approximately 50 milliseconds, as it doesn’t suffer from network latency or API rate limiting【1†L11】. This speed allows analysts to conduct iterative, real-time investigations without interruption.

Step‑by‑step guide: Securing your local AI environment

  1. Isolation: Run ZettelForge in a dedicated virtual machine or container (e.g., Docker) to isolate it from your production environment.
  2. Access Control: Implement strict file system permissions. Only allow the ZettelForge service account to read the input directories and write to the output directories.
  3. Encryption: Ensure that the local database (likely SQLite or similar) is encrypted at rest using tools like `sqlcipher` or BitLocker (Windows) / LUKS (Linux).
  4. Audit Logging: Enable detailed logging for all queries made to the system to maintain an audit trail of what intelligence was accessed and when.

Linux Command to encrypt the ZettelForge database directory using LUKS:

 Create a encrypted container
dd if=/dev/zero of=zettelforge_volume.img bs=1M count=1024
sudo cryptsetup luksFormat zettelforge_volume.img
sudo cryptsetup open zettelforge_volume.img zettelforge_encrypted
sudo mkfs.ext4 /dev/mapper/zettelforge_encrypted
sudo mount /dev/mapper/zettelforge_encrypted /mnt/zettelforge_data

Windows Command to enable BitLocker on the drive containing ZettelForge data:

Manage-bde -on C: -RecoveryPassword -SkipHardwareTest

4. Semantic Search and Natural Language Querying

Traditional CTI platforms often require precise keyword searches or complex query languages (e.g., STIX, TAXII). ZettelForge disrupts this by allowing analysts to ask questions in plain French or English【1†L11】. This is powered by a locally hosted Large Language Model (LLM) or a robust sentence-transformer that converts your question into a vector and performs a similarity search against the ingested documents.

This capability drastically reduces the learning curve for new analysts and speeds up investigations for veterans. Instead of guessing the exact terminology used in a report, an analyst can ask, “What are the latest phishing techniques used against the finance sector?” and receive a synthesized answer drawn from multiple reports.

Step‑by‑step guide: Optimizing semantic search queries

  1. Be Specific: While the tool understands natural language, specific queries yield better results. Instead of “hackers,” use “APT29 techniques.”
  2. Use Context: Combine entities. “Lazarus Group + macOS malware” will filter results more effectively than a broad search.
  3. Verify Sources: Always cross-check the AI-generated answer with the original source documents (which ZettelForge links back to).
  4. Feedback Loop: If the search returns irrelevant results, refine your query or check if the ingested reports contain the necessary information.

If you are interested in building a local semantic search engine, you can use the `sentence-transformers` library in Python:

from sentence_transformers import SentenceTransformer
import numpy as np

Load a local model (e.g., all-MiniLM-L6-v2)
model = SentenceTransformer('all-MiniLM-L6-v2')

Example: Encode your documents and queries
documents = ["APT28 uses spear-phishing", "Lazarus Group targets cryptocurrency"]
doc_embeddings = model.encode(documents)
query = "Which group uses phishing?"
query_embedding = model.encode(query)

Compute similarities
similarities = np.dot(doc_embeddings, query_embedding)

5. Automating IOC Enrichment and Threat Hunting

Once ZettelForge has extracted IPs, domains, and file hashes, these IOCs can be automatically enriched. While the tool itself focuses on organization and retrieval, it can be integrated with external (or other local) enrichment tools like MISP, VirusTotal (via API, though this would break the local-only principle if used), or Shodan.

For a truly local workflow, you can set up a local instance of MISP and use ZettelForge’s export function to feed IOCs directly into your threat intelligence platform. This creates a closed-loop system where intelligence is ingested, processed, and operationalized without ever touching the internet.

Step‑by‑step guide: Setting up a local IOC enrichment pipeline

  1. Export IOCs: From ZettelForge, export the list of extracted IPs and domains in a structured format (e.g., JSON).
  2. Local Enrichment: Use a local threat intelligence feed (e.g., a daily dump of known malicious IPs) to cross-reference the IOCs.
  3. Blocking: Automatically push confirmed malicious IPs to your firewall or proxy using scripts.
  4. SIEM Integration: Forward the enriched IOCs to your SIEM (e.g., Splunk or Elastic) for correlation with network logs.

Linux script to check IOCs against a local threat feed (using `grep` and `curl` for a public blocklist):

!/bin/bash
 Check IPs against a local blocklist
while read ip; do
if grep -q "^$ip$" /path/to/blocklist.txt; then
echo "Malicious IP found: $ip"
 Add to iptables
sudo iptables -A INPUT -s $ip -j DROP
fi
done < iocs.txt

PowerShell script to add malicious IPs to Windows Firewall:

$ips = Get-Content -Path "C:\iocs.txt"
foreach ($ip in $ips) {
New-1etFirewallRule -DisplayName "Block $ip" -Direction Inbound -LocalAddress $ip -Action Block
}

6. The Human Element: Training and Upskilling Analysts

ZettelForge is not a replacement for human analysts; it is a force multiplier. By handling the tedious work of reading and memorizing reports, it frees up analysts to focus on higher-order thinking—strategic threat hunting, incident response, and vulnerability analysis.

However, to maximize the tool’s potential, teams need to be trained on how to formulate effective queries and how to interpret the AI’s responses critically. The tool provides the “what” and “where,” but the analyst still provides the “why” and “how.”

Step‑by‑step guide: Integrating ZettelForge into SOC training

  1. Onboarding: New analysts should be trained on the tool’s interface and query language (even though it’s natural language, understanding the underlying data model helps).
  2. Scenario-Based Training: Create mock incident scenarios. Ask trainees to use ZettelForge to research a specific threat actor and produce a brief on their TTPs (Tactics, Techniques, and Procedures).
  3. Continuous Learning: Encourage analysts to use the tool to stay updated on the latest threats. Set up a daily “threat briefing” generated by querying the tool for reports published in the last 24 hours.

What Undercode Say:

  • Key Takeaway 1: ZettelForge addresses the critical bottleneck of information overload in SOCs by automating the extraction and correlation of threat intelligence, effectively acting as a “digital colleague” with perfect memory【1†L2-L3】.
  • Key Takeaway 2: The local-first, offline architecture ensures that sensitive data remains secure, making it an ideal solution for highly regulated industries where cloud-based AI tools are often prohibited【1†L12-L13】.

Analysis:

The emergence of tools like ZettelForge signals a significant shift in the cybersecurity landscape. For years, the industry has focused on collecting massive amounts of data, but the ability to operationalize that data has lagged behind. ZettelForge bridges this gap by leveraging AI not just for detection, but for intelligence synthesis. This allows smaller SOC teams to operate with the efficiency of much larger ones. However, the reliance on AI also introduces risks—namely, the potential for hallucinations or incorrect correlations. Analysts must maintain a healthy skepticism and always verify AI-generated insights against original sources. Furthermore, the tool’s effectiveness is entirely dependent on the quality and relevance of the ingested reports. Garbage in, garbage out remains a fundamental truth.

Prediction:

  • +1 The adoption of local AI tools like ZettelForge will accelerate, democratizing access to advanced threat intelligence for small and medium-sized businesses (SMBs) that cannot afford large analyst teams.
  • +1 We will see a rise in “AI-assisted threat hunting” as a standard certification or skill requirement for SOC analysts within the next 2-3 years.
  • -1 The convenience of natural language queries may lead to a degradation in analysts’ traditional research skills (e.g., STIX/TAXII mastery, complex regex writing), creating a dependency on the tool.
  • -1 Without rigorous validation, the automated extraction and alias resolution could propagate false positives or incorrect attributions, potentially leading to misinformed defensive strategies or even geopolitical incidents if the AI misidentifies a threat actor.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Laurent Biagiotti – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky