Skip to content

ZettelForge documentation

Your SOC's hardest-won context walks out the door when a senior analyst leaves. Two or three years of customer environments, prior investigations, actor TTPs, and false-positive patterns leave with them. ZettelForge keeps that context with the team.

ZettelForge extracts CVEs, threat actors, IOCs, and ATT&CK techniques from analyst notes and threat reports, resolves aliases (APT28 = Fancy Bear = STRONTIUM), and indexes vector-embedded notes for natural-language recall by analysts and by agents over MCP. It runs local-first with no external API keys required.

Two products, one core

ZettelForge ships in two forms. This site documents the open-source core.

  • ZettelForge (open source). The self-hosted Apache-2.0-licensed engine you install with pip install zettelforge. You run it on your own hardware, fully offline if you choose. Everything on this site applies to it.
  • ThreatRecall.ai (hosted SaaS). The managed, multi-tenant service built on the ZettelForge core for SOC teams that want recall, a tenant-scoped knowledge graph, structured ingest, and STIX 2.1 export without running infrastructure. Plans run Individual Researcher ($49/mo), Pro ($199/mo), and Enterprise (contact sales).

Get started

Install the core and store your first memory in about five minutes.

pip install zettelforge

Then follow the Quickstart to store, recall, and synthesize your first threat intelligence. Prefer a browser dashboard over the API? The web management interface gives you search, knowledge-graph exploration, live logs, and bulk ingestion.

Documentation map

This documentation follows the Diataxis framework, split into four quadrants.

At a glance

Every value below is verified against the v2.7.0 source.

Property Value
Version 2.7.0
License Apache-2.0
Python 3.10 or newer
Default storage SQLite plus LanceDB (vector index)
Optional graph store TypeDB 3.x (Docker, port 1729)
Embeddings fastembed nomic-embed-text-v1.5-Q, 768-dim, in-process ONNX
LLM generation Configurable. The v2.7.0 reference config selects Ollama at http://localhost:11434; the offline local provider defaults to Qwen/Qwen2.5-3B-Instruct-GGUF through llama-cpp-python.
Other LLM providers local (GGUF via llama-cpp-python, or ONNX via onnxruntime-genai) and litellm (100+ cloud backends)

ZettelForge selects its LLM backend through llm.provider and llm.model in config.yaml. Use an Ollama tag you have pulled, switch to local for fully offline GGUF inference, or use litellm for OpenAI, Anthropic, Google, Groq, NVIDIA, and other hosted backends. See the Configuration reference for every key, default, and environment override.