ThreatDeck provides a terminal interface for monitoring threat intelligence feeds and generating alerts. Developed in Rust and hosted on GitHub under gripebomb/ThreatDeck, it has 64 stars. The tool targets security operations centers (SOCs), security researchers, and threat intelligence analysts who need to track threats from multiple sources without relying on web-based dashboards. It pulls data from APIs, RSS/Atom feeds, website scraping, and even .onion sites through Tor, then applies keyword matching to flag relevant items.

Users interact entirely in the terminal, with screens for dashboards, feeds, alerts, articles, keywords, and tags. A demo GIF shows navigation between these views, while static previews display the dashboard with statistics and trends, feeds lists, alert details, article caches, keyword configurations, and tag overviews. This setup suits environments where graphical tools are unavailable or undesirable, such as servers or remote sessions.

Core features

ThreatDeck handles threat data aggregation and alerting through these capabilities:

  • Multi-source feed management: Supports APIs, RSS/Atom, website scraping, and .onion sites via Tor. API feeds use JSONPath templates to parse fields like title, description, date, URL, and source.
  • Keyword matching and alerts: Matches text or regex patterns across four criticality levels—Low, Medium, High, Critical. Alerts include deduplication via content hashing, snippet extraction, and metadata.
  • Tagging and organization: Applies color-coded tags to feeds, keywords, and alerts.
  • Notifications and monitoring: Sends alerts through Email (SMTP), Webhook, or Discord, with per-channel criticality thresholds. Tracks feed health with status (Healthy/Warning/Error/Disabled) and failure logs.
  • Terminal UI elements: Offers a dashboard with stats, 7-day trends, recent alerts; cached article browsing; five themes (dark, light, solarized, dracula, monokai); and configurable settings like alert retention.

The tool runs on Linux or macOS and requires Rust 1.75 or higher to build.

Getting it running

Installation relies on Cargo, Rust's package manager. For a quick setup:

cargo install ThreatDeck

This places the ThreatDeck binary in ~/.cargo/bin/, which is usually already on your PATH.

To build from source:

git clone https://github.com/gripebomb/ThreatDeck.git
cd ThreatDeck
cargo build --release

The optimized binary lands at target/release/ThreatDeck.

Run ThreatDeck once; on first launch it creates its configuration and database files automatically:

  • Config: ~/.config/ThreatDeck/config.toml
  • Database: ~/.local/share/ThreatDeck/ThreatDeck.db

Run ThreatDeck --config-paths to confirm paths on your system.

From there, add feeds: launch ThreatDeck, press 2 to open the Feeds screen, then press a to add a feed. Enter the name, URL, type (API, RSS, Website, Onion), and polling interval (minimum 60 seconds). For API feeds, pick a template and add an API key if the provider needs one. Tab cycles through fields; Enter saves.

The tool polls feeds at set intervals, processes matches, generates alerts, and updates the dashboard. Configure notifications in settings, such as SMTP for email or Discord webhooks. Themes switch via settings, and tags apply through dedicated screens.

Who this is for

Security teams in SOCs use ThreatDeck to centralize threat feeds without browser dependencies. Analysts monitor indicators from diverse sources—public APIs, RSS blogs, scraped sites, or dark web .onion pages—directly in a terminal. Researchers benefit from cached articles for quick reading and keyword-based filtering at varying criticality levels.

Real-world use includes daily polling of threat intel sources, like Abuse.ch or AlienVault OTX via API templates. Health monitoring flags failing feeds early. For shift workers, Discord alerts with snippets notify on High/Critical matches only. Tagging helps segment alerts by topic, such as "ransomware" or "APT groups." If your workflow involves tmux or SSH sessions, the terminal focus avoids context-switching to GUIs.

It's less ideal for beginners unfamiliar with terminals or Rust dependencies. Teams needing mobile access or collaborative web views might look elsewhere.

How it compares

ThreatDeck stands out for its terminal-only design and Rust efficiency, contrasting with web-heavy tools like MISP or TheHive, which require servers and browsers. Lighter CLI alternatives, such as rss2email for feeds or custom scripts with jq for JSON parsing, lack built-in alerting, deduplication, and multi-source support. Tools like OSINT Framework aggregate links but don't poll or alert automatically.

For .onion access, it integrates Tor natively, unlike basic curl-based scrapers. At 64 GitHub stars, it's niche but focused, with lower resource use than Electron-based apps. If you prefer GUIs, Threat Dragon or Maltego offer visual threat modeling, though they demand more setup.

Feed management in practice

Once feeds are added, the Feeds screen lists them with health status, last poll time, and failure counts. Press r to refresh manually or e for health logs. API templates handle common providers; JSONPath extracts data reliably from irregular JSON responses.

Keyword setup happens on the Keywords screen: add patterns (plain text or regex) and assign each a criticality level. Matches trigger alerts that are stored in the database and can be filtered by tag or level. The Articles screen loads the full cached text of an article, cleaned for terminal display.
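To make the alerting pipeline described above (keyword matching across the four criticality levels, content-hash deduplication, snippet extraction, and per-channel notification thresholds) concrete, here is an added, self-contained sketch of that logic in Rust. It is not ThreatDeck's own code: it uses only the standard library, matches plain-text patterns case-insensitively rather than full regex, and the keyword list and article text are constructed samples.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashSet;
use std::hash::{Hash, Hasher};

// Same four levels the tool uses; declaration order gives Low < Medium < High < Critical.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Criticality { Low, Medium, High, Critical }

pub struct Keyword { pub pattern: &'static str, pub level: Criticality }

#[derive(Debug, PartialEq)]
pub struct Alert { pub level: Criticality, pub snippet: String, pub hash: u64 }

/// Hash of the article body, used to suppress repeat alerts on identical content.
pub fn content_hash(text: &str) -> u64 {
    let mut h = DefaultHasher::new();
    text.hash(&mut h);
    h.finish()
}

/// Returns an alert for the highest-criticality keyword found in `text`, or None when
/// nothing matches or when this exact content has already been seen (deduplication).
pub fn match_keywords(text: &str, keywords: &[Keyword], seen: &mut HashSet<u64>) -> Option<Alert> {
    let hash = content_hash(text);
    if !seen.insert(hash) { return None; }
    let lower = text.to_lowercase();            // case-insensitive plain-text matching
    let mut best: Option<(Criticality, usize, usize)> = None;
    for kw in keywords {
        if let Some(pos) = lower.find(&kw.pattern.to_lowercase()) {
            if best.map_or(true, |(l, _, _)| kw.level > l) {
                best = Some((kw.level, pos, kw.pattern.len()));
            }
        }
    }
    best.map(|(level, pos, len)| {
        // Snippet: ~20 bytes of context either side, snapped to char boundaries
        // (byte offsets match the original text exactly for ASCII input).
        let (mut start, mut end) = (pos.saturating_sub(20), (pos + len + 20).min(text.len()));
        while !text.is_char_boundary(start) { start -= 1; }
        while !text.is_char_boundary(end) { end += 1; }
        Alert { level, snippet: text[start..end].to_string(), hash }
    })
}

/// Per-channel threshold: e.g. a Discord channel configured for High delivers High and Critical only.
pub fn should_notify(alert: &Alert, channel_threshold: Criticality) -> bool {
    alert.level >= channel_threshold
}
```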

The dashboard aggregates criticality pie charts, alert counts, and 7-day line charts drawn as terminal graphs. Settings cover alert retention (e.g., delete alerts older than 30 days) and theme selection.

ThreatDeck fits analysts prioritizing control and speed in text environments. Source code and full README at https://github.com/gripebomb/ThreatDeck.