<ahref="https://www.buymeacoffee.com/xypher22pr0"target="_blank"><imgsrc="https://cdn.buymeacoffee.com/buttons/v2/default-green.png"alt="Buy Me a Coffee"style="height: 60px!important;width: 217px!important;" ></a>
23
-
</p>
24
-
25
-
> **What's new in v2.6.2** (2026-04-27): the `/config` web editor now ships with working dropdowns for all enum fields (LLM provider, embedding provider, log level, governance PII action, synthesis format) and an Apply button that builds nested payloads against `/api/config`. Plus a new `[crewai]` extra exposes ZettelForge memory as CrewAI tools -- `pip install zettelforge[crewai]` and see [`examples/crewai_cti_crew.py`](examples/crewai_cti_crew.py). [Full changelog](CHANGELOG.md)
21
+
> **v2.6.2** (2026-04-27): Config web editor ships with working dropdowns for all enum fields (LLM/embedding provider, log level, PII action, synthesis format) and a working Apply button. New `[crewai]` extra exposes ZettelForge as CrewAI tools -- `pip install zettelforge[crewai]`. [Full changelog](CHANGELOG.md)
26
22
27
23
<palign="center">
28
24
<imgsrc="https://raw.githubusercontent.com/rolandpg/zettelforge/master/docs/assets/demo.gif"width="720"alt="ZettelForge demo -- CTI agentic memory in action">
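Review bot: The condensed v2.6.2 note drops the link to `examples/crewai_cti_crew.py`, so the `pip install zettelforge[crewai]` instruction no longer points to any usage example. Keep the example link in the shortened line. The note also no longer says that Apply builds payloads against `/api/config`; if that endpoint is documented elsewhere this is fine, otherwise it deserves one clause here.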
@@ -38,7 +34,7 @@ General-purpose AI memory systems don't fix this for security teams. They can't
38
34
39
35
ZettelForge was built for analysts who think in threat graphs. It extracts CVEs, threat actors, IOCs, and ATT&CK techniques automatically, resolves aliases across naming conventions, builds a knowledge graph with causal relationships, and retrieves memories using intent-aware blended search -- all in-process, with no external API dependency.
40
36
41
-
>"Memory augmentation closes 33% of the gap between small and large models on CTI tasks (CTI-REALM, Microsoft 2026)." [1]
37
+
>Memory augmentation closes 33% of the gap between small and large models on CTI tasks ([CTI-REALM, Microsoft 2026](https://www.microsoft.com/en-us/security/blog/2026/03/20/cti-realm-a-new-benchmark-for-end-to-end-detection-rule-generation-with-ai-agents/), using GPT-4 as the large-model baseline). See [full benchmark report](benchmarks/BENCHMARK_REPORT.md) for methodology and comparisons.
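Review bot: In the rewritten 33% line, the clause "using GPT-4 as the large-model baseline" sits inside the CTI-REALM citation parentheses, so it is unclear whether that baseline is stated by the linked Microsoft post or is this project's own reading of it. Move it out of the citation or word it as the source's setup. The line also drops the quotation marks and the `[1]` marker, so confirm the matching footnote entry is removed too and that the sentence still holds as a paraphrase rather than a quote.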
See the [full benchmark report](benchmarks/BENCHMARK_REPORT.md) for methodologyand analysis.
198
+
The **Score** column reports ZettelForge measurements run with Ollama-hosted models, with one exception: the LOCOMO row was re-measured at v2.1.1 using an Ollama cloud judge for evaluation grading (not local generation). See the [full benchmark report](benchmarks/BENCHMARK_REPORT.md) for benchmark-specific methodology, version history, and per-suite judge configuration.
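Review bot: The added Score paragraph ends with a second link to `benchmarks/BENCHMARK_REPORT.md` directly after the existing "See the full benchmark report" line, so two adjacent lines send the reader to the same file; fold them into one. The "with one exception" clause is also hard to parse: the rule is about which models produced the measurements, while the exception described is about the judge used for grading. Say explicitly that LOCOMO generation stayed local and only grading used the Ollama cloud judge, if that is what is meant.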
See [examples/athf_bridge.py](examples/athf_bridge.py).
246
242
247
243
248
-
## Extensions
244
+
## ThreatRecall (Hosted)
249
245
250
-
ZettelForge ships a complete agentic memory core. Everything documented above works from a single `pip install`.
246
+
[ThreatRecall](https://threatrecall.ai) is the commercial distribution of ZettelForge with enterprise extensions enabled. It is offered as managed SaaS by default, with optional self-hosted on-prem and air-gapped deployments for classified environments. Enterprise add-ons:
251
247
252
-
For teams that want TypeDB-scale graph storage, OpenCTI integration, or multi-tenant deployment, optional extensions are available:
248
+
-**TypeDB STIX 2.1 backend** -- schema-enforced ontology with inference rules
249
+
-**OpenCTI sync** -- bi-directional sync with your OpenCTI instance
250
+
-**Multi-tenant auth** -- OAuth/JWT with per-tenant data isolation
251
+
-**Sigma rule generation** -- detection rules from extracted IOCs (upcoming)
SaaS deploys in minutes with no infrastructure to maintain. Self-hosted ships as a deployable bundle for environments where outbound network egress is restricted or prohibited.
260
254
261
-
Extensions install separately:
262
-
263
-
```bash
264
-
pip install zettelforge-enterprise
265
-
```
266
-
267
-
**Hosted (private beta):**[ThreatRecall](https://threatrecall.ai) is the managed SaaS version of ZettelForge with enterprise extensions enabled. Currently accepting waitlist signups and a limited number of design partners.
255
+
**[Join the waitlist](https://threatrecall.ai)** -- currently onboarding design partners.
268
256
269
257
## Configuration
270
258
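Review bot: The new ThreatRecall section gives mixed signals on availability: "offered as managed SaaS by default" and "SaaS deploys in minutes" read as generally available, while the call to action is a waitlist that is "currently onboarding design partners", and the removed "private beta" label is gone. State the current status once. Removing the `pip install zettelforge-enterprise` block also leaves the self-hosted and air-gapped options with no install or contact path other than the waitlist, and the deleted sentence saying everything documented above works from a single `pip install` was the only line separating the MIT core from the commercial add-ons; keep a short version of it. The "Multi-tenant auth" and "classified environments" bullets make security claims without a link to supporting documentation.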
@@ -284,15 +272,11 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup.
284
272
285
273
MIT -- See [LICENSE](LICENSE).
286
274
287
-
## About the author
288
-
289
-
Built by **Patrick Roland** -- Director of SOC Services at Summit 7 Systems, where he built the Vigilance MxDR practice from the ground up. Navy nuclear veteran, CISSP, CCP (CMMC 2.0 Professional). [LinkedIn](https://www.linkedin.com/in/patrickgroland/).
275
+
Built by **Patrick Roland** -- [LinkedIn](https://www.linkedin.com/in/patrickgroland/) | Director of SOC Services, Summit 7 Systems | Navy nuclear veteran | CISSP, CCP (CMMC 2.0 Professional)
290
276
291
277
## Support the Project
292
278
293
-
ZettelForge is MIT-licensed. If it's useful in your workflow and you'd like to help keep it maintained:
294
-
295
-
<ahref="https://www.buymeacoffee.com/xypher22pr0"target="_blank"><imgsrc="https://cdn.buymeacoffee.com/buttons/v2/default-green.png"alt="Buy Me a Coffee"style="height: 40px!important;width: 145px!important;" ></a>
279
+
ZettelForge is MIT-licensed. Star the repo, open issues, and submit PRs — all contributions are welcome.
296
280
297
281
## Acknowledgments
298
282
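Review bot: With the `## About the author` heading removed, the "Built by **Patrick Roland**" line now sits directly under "MIT -- See [LICENSE](LICENSE)." and will render as part of the License section; keep a heading or move the byline. In the same hunk, the new "Support the Project" sentence uses an em-dash where the surrounding README text uses `--`, and since the section now only asks for stars, issues and PRs, it overlaps with the CONTRIBUTING.md pointer shown in the hunk header and could be merged with it.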
@@ -302,4 +286,3 @@ ZettelForge is MIT-licensed. If it's useful in your workflow and you'd like to h
302
286
- Benchmarked against [LOCOMO](https://snap-research.github.io/locomo/) (ACL 2024) and [CTIBench](https://arxiv.org/abs/2406.07599) (NeurIPS 2024)