Open source · Built on MISP

Run threat intelligence as an operational capability.

zsazsa is a CTI program management and production platform built around MISP. It links collection, triage, analyst workflows, requirement management, publishing and stakeholder delivery in one place, rather than as loose documents and disconnected scripts.

Built on: MISP events & objects · Licence: open source · Workflows: PIR · GIR · RFI · Products
One workflow, end to end

From source events to validated intelligence products

Analysts move from collection to published output, align their work to PIR and GIR priorities, distribute with channel and TLP controls, and use stakeholder feedback to track how the program matures over time.

Live program dashboard

Active PIRs and GIRs, stakeholder counts, analyser pipeline freshness, 24-hour processing outcomes and pending scraper events awaiting analysis.

Stakeholder management

Roles, organisations, TLP clearance, per-product subscription modes and notification channel preferences, so distribution matches real organisational needs.

Requirement management

Full PIR and GIR lifecycle editing with decision context, priority, scope and ownership. Scope fields sync with focus points and MISP galaxies.

Data collection

A cached view of scraper and additional MISP servers. Browse events, refresh, flag for follow-up, import newsletters and generate LLM summaries back into MISP.

Intelligence products

Flash Intel Alerts, vulnerability advisories, daily threat briefings and threat landscape reports, each with draft, review, approval and publish flows.

Statistics & CTI-CMM

Pipeline and program metrics plus a CTI-CMM maturity signal panel across five domains, mapping observable indicators to CTI0 to CTI3 levels.

Notification & distribution

The right product reaches the right stakeholder

Distribution is built around stakeholders, roles, product subscriptions, audiences and notification channels. A stakeholder receives a product only when their role is in the audience, they're subscribed to that product type, and their TLP clearance is high enough.

  • Audience, subscription and TLP checks applied in one place
  • Delivery over Mattermost and Flowintel notification channels, with more to come
  • A recipient preview before publishing that shows who will receive each product and who is blocked
  • Requirements notify an explicit stakeholder distribution list
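
The three-part delivery rule and the recipient preview described above, as an added sketch that is not zsazsa's own code. The record shapes, role and product-type names, and the ranking of TLP 2.0 labels as clearance levels are assumptions of this example; unknown TLP labels are treated as blocked.

```python
from dataclasses import dataclass

# TLP 2.0 labels ranked from least to most restrictive. Treating "clearance"
# as a position in this ranking is an assumption of this example.
TLP_RANK = {"clear": 0, "green": 1, "amber": 2, "amber+strict": 3, "red": 4}

@dataclass(frozen=True)
class Stakeholder:  # hypothetical record, not zsazsa's schema
    name: str
    role: str
    subscriptions: frozenset
    clearance: str

@dataclass(frozen=True)
class Product:  # hypothetical record, not zsazsa's schema
    kind: str
    tlp: str
    audience: frozenset

def block_reasons(s, p):
    """Return every reason s must not receive p; an empty list means deliver."""
    reasons = []
    if s.role not in p.audience:
        reasons.append("role not in audience")
    if p.kind not in s.subscriptions:
        reasons.append("not subscribed to product type")
    have, need = TLP_RANK.get(s.clearance.lower()), TLP_RANK.get(p.tlp.lower())
    if have is None or need is None:
        reasons.append("unknown TLP label")  # fail closed on labels we cannot rank
    elif have < need:
        reasons.append("TLP clearance too low")
    return reasons

def recipient_preview(stakeholders, product):
    """Split stakeholders into recipients and blocked names with reasons."""
    blocked = {s.name: r for s in stakeholders if (r := block_reasons(s, product))}
    recipients = [s.name for s in stakeholders if s.name not in blocked]
    return recipients, blocked

# Constructed sample data.
STAKEHOLDERS = [
    Stakeholder("alice", "soc-analyst", frozenset({"flash-intel-alert"}), "amber"),
    Stakeholder("bob", "ciso", frozenset({"flash-intel-alert"}), "red"),
    Stakeholder("carol", "soc-analyst", frozenset({"daily-briefing"}), "green"),
    Stakeholder("dave", "soc-analyst", frozenset({"flash-intel-alert"}), "orange"),
]
ALERT = Product("flash-intel-alert", "amber", frozenset({"soc-analyst"}))
```

Calling `recipient_preview(STAKEHOLDERS, ALERT)` returns the recipient names and a per-stakeholder list of block reasons, so a stakeholder who fails more than one check shows all of them.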
Stored in MISP

Easy to audit

zsazsa keeps its data in MISP, using events, object templates, attributes and event reports. Each record is one MISP event, with its data held inside a custom object, so teams can open and check the raw records directly in MISP whenever they need to.

All zsazsa: tags are applied as local tags, so they never sync to connected MISP instances. Your program data stays in your own MISP and every record stays easy to trace.

Ready to run your CTI program in one place?

zsazsa is open source and runs on top of your existing MISP servers. Clone it, point it at your servers, and start producing intelligence.
