Key Concepts
to understand DocIntel

DocIntel is an open-source knowledge platform for collecting, storing, processing, organizing, searching, and disseminating threat intelligence reports.

Documents and Files

A document is a coherent set of files, on a specific topic. A file can be a PDF report, an HTML file, a text file with Yara rules, a CSV file, etc.

Tags and Facets

A tag is a label applied to documents in order to organize them and facilitate searches on specific topics. Tags are grouped in coherent sets, called facets.


A source represents any producer or provider of documents, such as commercial cybersecurity companies, researchers, internal teams, etc.


CTI analysts use comments to provide additional information and context to the other users of the platform fostering collaboration.


Observables capture the technical information linked to a document, such as IPv4, IPv6, domain names, and MD5, SHA1, SHA256 hashes.

Classification & Groups

A classification is a document marking to indicates who has legitimate access, e.g. Confidential. A group is a set of users that can access the information.

Roles & Permissions

A role is a collection of permissions, e.g. CTI Analyst. A permission is a fine-grained control on user actions, e.g. Add tag or Register document.

Importers & Scrapers

Importers are software components that feed documents in the platform, e.g. Mandiant Threat Reports. They are automatically ingested via scrapers.


Users can subscribe to documents, tags and facets to customize their homepage. Based on their preference, users receive daily tailored newsletters.

A context-centric threat intelligence platform
for all your threat reports.

© 2022. All rights reserved. Designed by