ZettelForge documentation¶
Your SOC's hardest-won context walks out the door when a senior analyst leaves. Two or three years of customer environments, prior investigations, actor TTPs, and false-positive patterns leave with them. ZettelForge keeps that context with the team.
ZettelForge extracts CVEs, threat actors, IOCs, and ATT&CK techniques from analyst notes and threat reports, resolves aliases (APT28 = Fancy Bear = STRONTIUM), and indexes vector-embedded notes for natural-language recall by analysts and by agents over MCP. It runs local-first with no external API keys required.
Two products, one core¶
ZettelForge ships in two forms. This site documents the open-source core.
- ZettelForge (open source). The self-hosted Apache-2.0-licensed engine you install with
pip install zettelforge. You run it on your own hardware, fully offline if you choose. Everything on this site applies to it. - ThreatRecall.ai (hosted SaaS). The managed, multi-tenant service built on the ZettelForge core for SOC teams that want recall, a tenant-scoped knowledge graph, structured ingest, and STIX 2.1 export without running infrastructure. Plans run Individual Researcher ($49/mo), Pro ($199/mo), and Enterprise (contact sales).
Get started¶
Install the core and store your first memory in about five minutes.
pip install zettelforge
Then follow the Quickstart to store, recall, and synthesize your first threat intelligence. Prefer a browser dashboard over the API? The web management interface gives you search, knowledge-graph exploration, live logs, and bulk ingestion.
Documentation map¶
This documentation follows the Diataxis framework, split into four quadrants.
- Tutorials (learning). Start here if you are new. Quickstart (5 min), then Ingest your first CTI report (10 min).
- How-to guides (tasks). Recipes for specific goals, such as Store a threat actor with automatic entity extraction.
- Reference (lookup). Exact specifications, including the full Configuration reference and the Memory Manager API.
- Concepts (understanding). Design rationale, including why the hybrid TypeDB plus LanceDB architecture.
At a glance¶
Every value below is verified against the v2.7.0 source.
| Property | Value |
|---|---|
| Version | 2.7.0 |
| License | Apache-2.0 |
| Python | 3.10 or newer |
| Default storage | SQLite plus LanceDB (vector index) |
| Optional graph store | TypeDB 3.x (Docker, port 1729) |
| Embeddings | fastembed nomic-embed-text-v1.5-Q, 768-dim, in-process ONNX |
| LLM generation | Configurable. The v2.7.0 reference config selects Ollama at http://localhost:11434; the offline local provider defaults to Qwen/Qwen2.5-3B-Instruct-GGUF through llama-cpp-python. |
| Other LLM providers | local (GGUF via llama-cpp-python, or ONNX via onnxruntime-genai) and litellm (100+ cloud backends) |
ZettelForge selects its LLM backend through llm.provider and llm.model in config.yaml. Use an Ollama tag you have pulled, switch to local for fully offline GGUF inference, or use litellm for OpenAI, Anthropic, Google, Groq, NVIDIA, and other hosted backends. See the Configuration reference for every key, default, and environment override.