TL;DR, What is Yeti (Your Everyday Threat Intelligence)?
Yeti (Your Everyday Threat Intelligence) is an open-source forensics intelligence platform that bridges the critical gap between cyber threat intelligence (CTI) and digital forensics and incident response (DFIR) teams.
CTI analysts and DFIR teams struggle with disconnected workflows when correlating threat intelligence with forensic artifacts, often wasting valuable time on manual “Google the artifact” searches and lacking a unified repository to track IOCs, TTPs, and threat knowledge across investigations. Yeti addresses these pain points by providing a centralized platform for organizing observables, indicators of compromise, TTPs, and threat knowledge. For DFIR teams, Yeti eliminates the tedious process of tracking artifact origins and finding related IOCs, while CTI analysts can focus on adding intelligence value without worrying about export formats.
The platform was born out of real-world frustration with answering questions like “Where have I seen this artifact before?” and serves as an essential bridge between strategic threat intelligence and tactical forensic investigation.
Detect active cloud threats
Learn how Wiz Defend detects active threats using runtime signals and cloud context—so you can respond faster and with precision.
Common use cases
1. Incident Response Acceleration: DFIR teams query artifacts found during investigations to immediately understand if they've been observed before, their threat context, and relevant detection rules. Instead of manual research, analysts can instantly access correlated intelligence, associated forensic procedures, and related IOCs to guide their investigation strategy. The platform proves particularly valuable during active incidents where time is critical and analysts need immediate context about observed indicators. Yeti's ability to correlate new observables against historical intelligence enables rapid threat attribution and helps determine investigation priorities based on known threat actor behaviors and campaign patterns.
2. Proactive Threat Hunting: Security teams leverage Yeti's intelligence repository to search for indicators of specific threat actors or campaigns across their environment. Hunters can focus on a particular threat group and quickly retrieve all associated IOCs, TTPs, and forensic artifacts to build hunting queries for their SIEM or endpoint detection tools. This proactive approach enables organizations to identify potential compromises before they escalate into full incidents, using Yeti's correlation capabilities to develop targeted hunting hypotheses based on current threat landscapes and emerging campaign intelligence.
3. Security Tool Integration: Yeti serves as an intelligence backend for malware sandboxes, SIEM enrichment, and incident management platforms. Through its REST API, external systems can automatically query observables for threat context, submit new artifacts for analysis, and retrieve intelligence in formats suitable for immediate defensive action. Its integration capabilities make Yeti an attractive choice when comparing Yeti vs MISP: In other words, Yeti is great for organizations requiring deep API integration with existing security infrastructure and automated intelligence sharing workflows.
4. Intelligence Analyst Workflow Enhancement: CTI teams use Yeti to maintain and correlate threat intelligence from multiple sources, create threat actor profiles, and export intelligence in standardized formats for sharing with partners or feeding into security controls. The platform enables analysts to focus on high-value analysis rather than data formatting and correlation tasks, while maintaining threat landscapes that automatically evolve as new intelligence arrives, supporting both tactical and strategic intelligence requirements.
5. Forensic Investigation Support: Digital forensics teams utilize Yeti's artifact database to quickly identify relevant detection rules, investigation procedures, and forensic techniques based on observed indicators during examinations. Yeti's forensic intelligence management capabilities enable investigators to leverage proven methodologies and detection logic specific to the threats they're analyzing, reducing investigation time while ensuring evidence collection and analysis approaches are applied consistently across different incident types.
How does Yeti work?
Yeti operates through a sophisticated containerized architecture that automatically ingests, processes, and correlates threat intelligence from multiple sources. The system begins by collecting data from various feeds including MISP instances, malware trackers, XML/JSON feeds, and the MITRE ATT&CK framework. Incoming observables are automatically enriched with contextual information and stored in ArangoDB with comprehensive relationship mappings, enabling continuous correlation with existing intelligence to update threat contexts and entity relationships.
API Server: Acts as the central processing hub, handling core functionality including data processing, intelligence correlation, and automated observable enrichment
Graph Database (ArangoDB): Stores complex relationships between observables, entities, TTPs, and threat actors, enabling sophisticated relationship queries and graph visualizations essential for threat intelligence analysis
Task Scheduler (Celery): Manages background processes including automated feed ingestion, observable enrichment (domain resolution, IP geolocation), and scheduled analytics tasks
Caching Layer (Redis): Serves dual purposes as a message broker for Celery and performance-optimizing cache layer
Web Interface: Provides VueJS-based frontend served by nginx for intuitive visualization and analyst management capabilities
How to Prepare for a Cloud Cyberattack: An Actionable Incident Response Plan Template
A quickstart guide to creating a robust incident response plan - designed specifically for companies with cloud-based deployments.
Core Capabilities
1. Automated Observable Enrichment and Correlation: Yeti automatically enriches observables such as IP addresses, domains, URLs, and file hashes without manual intervention. The system performs DNS resolution, geolocation lookup, reputation scoring, and correlates new observables against existing threat intelligence.
The enrichment feature eliminates the tedious manual research phase of incident response, automatically providing context about whether an artifact has been seen before and relationships to known threats, campaigns, or malware families. Automation significantly reduces the time analysts spend on routine enrichment tasks while ensuring comprehensive threat context is available for every observable encountered during investigations.
2. Forensics Intelligence Management: Yeti stores and manages comprehensive forensic intelligence including DFIQ (Digital Forensics Investigation Questions) objects, forensic artifact definitions, Sigma detection rules, and Yara malware signatures. The platform creates a centralized knowledge base that DFIR teams can query to quickly identify relevant detection rules, investigation procedures, and forensic techniques based on observed indicators or suspected threats.
Yeti significantly accelerates incident response workflows by providing immediate access to proven investigation methodologies and detection logic, enabling analysts to apply the most effective forensic approaches based on the specific threat context they're investigating.
3. Threat Actor and Campaign Tracking: The platform maintains detailed profiles of threat actors, intrusion sets, and campaigns with their associated TTPs, tools, and IOCs. Integration with the MITRE ATT&CK framework provides standardized TTP mapping, and the graph database enables visualization of complex relationships between actors, malware families, infrastructure, and attack patterns. The tracking feature allows analysts to pivot from a single observable to understand the full threat landscape and attribution context, providing crucial intelligence for understanding adversary motivations, capabilities, and likely next moves during active incidents or threat-hunting operations.
4. Multi-Format Intelligence Feeds Integration: Yeti ingests threat intelligence from diverse sources including MISP instances, commercial threat feeds, malware repositories, and custom XML/JSON sources. The platform normalizes data from these heterogeneous sources into a unified schema, enabling comprehensive correlation and analysis. This capability positions Yeti as a powerful alternative to other open-source threat intelligence platforms, offering similar feed integration capabilities to commercial solutions while maintaining the flexibility and customization options that security teams require for their specific intelligence.
5. REST API and Export Framework: A comprehensive REST API enables seamless integration with external security tools, incident management platforms, and SIEM solutions. The platform supports bulk observable queries, automated enrichment requests, and custom export formats. The API allows organizations to incorporate Yeti intelligence into existing workflows, automate threat hunting processes, and maintain consistent intelligence sharing across security tools while supporting both human analysts and machine-driven security orchestration, making Yeti an excellent choice for CTI-DFIR integration scenarios.
Limitations
1. Steep Learning Curve: Yeti requires significant technical expertise to deploy and maintain effectively. The platform's comprehensive feature set and graph database architecture demand deep understanding of threat intelligence concepts, API integration, and database management. Organizations without dedicated CTI or technical security staff may struggle with initial setup, feed configuration, and ongoing maintenance requirements.
2. Resource-Intensive Deployment: The platform requires substantial computational resources, especially when processing large volumes of threat intelligence feeds. Organizations planning Yeti Docker installation should prepare for significant memory, storage, and processing requirements that scale with the volume of intelligence sources and observables being correlated, potentially making the platform unsuitable for resource-constrained environments.
3. Limited Native Visualization: While Yeti excels at data correlation and storage, the platform lacks advanced visualization capabilities found in some commercial platforms. Users requiring sophisticated threat landscape visualizations, executive dashboards, or complex relationship mapping may need to integrate additional tools or develop custom visualization solutions to meet their reporting requirements.
4. Feed Source Dependencies: Organizations without access to high-quality commercial feeds or mature intelligence sharing partnerships may find limited value, as the system's output quality directly correlates with input intelligence sources and their maintenance.
5. Complex Integration Requirements: Despite offering comprehensive APIs, integrating Yeti with existing security infrastructure requires significant development effort. Organizations expecting plug-and-play integration with their SIEM, SOAR, or incident management platforms may face substantial customization requirements to achieve seamless workflow integration.
Using Yeti to correlate threat intel with your forensic investigations? Amplify that intelligence with Wiz's cloud context. While Yeti helps you track IOCs and TTPs, Wiz shows you how those threats actually map to your cloud resources, attack paths, and sensitive data exposure—turning generic indicators into prioritized, actionable intelligence.
Getting Started
Step 1: Clone the Yeti Docker deployment repository
git clone https://github.com/yeti-platform/yeti-docker
cd yeti-docker/prodStep 2: Start the containers
/bin/bash ./init.shThis will start the following components:
apifrontendtasksredisarangodb
Step 3: Create an admin user
Replace <USERNAME> and <PASSWORD> with your desired credentials:
docker compose run --rm api create-user <USERNAME> <PASSWORD> --adminStep 4: Access the Yeti web UI
Open your browser and log in at: http://localhost:80/
Yeti vs. Alternatives
| Feature | Yeti | MISP | OpenCTI | TheHive (StrangeBee) |
|---|---|---|---|---|
| Primary Focus | Forensics Intelligence bridging CTI and DFIR | Threat intelligence sharing and collaboration | Knowledge management and graph-based analysis | Security incident response platform |
| Core Strength | DFIR-oriented with forensic artifact management | Community sharing and standardized threat feeds | Complex relationship visualization and STIX compliance | Case management and incident response workflows |
| Architecture | Docker-based with ArangoDB, Redis, Celery | PHP-based with MySQL/MariaDB | TypeScript/Node.js with GraphQL API | Scala-based with Elasticsearch (commercial) |
| Data Model | Observables, TTPs, campaigns with MITRE ATT&CK | Events and attributes with taxonomies | STIX2-based knowledge graph | Cases, tasks, observables with evidence |
| Integration Focus | DFIR tools, sandboxes, SIEM export | TAXII, STIX, community feeds | MISP, TheHive, MITRE ATT&CK connectors | MISP integration, Cortex analyzers |
| Best For | DFIR teams needing forensic context | Multi-org threat sharing communities | Comprehensive threat landscape visualization | Incident response case management |