IOCX is a deterministic, precision‑first static IOC extraction engine. Its mission is to provide fast, reliable, reproducible extraction and lightweight static analysis for security automation, malware triage, and defensive workflows.
IOCX is intentionally focused. It is not designed to be a full security platform, a dynamic analysis system, or an endpoint agent. Its value comes from doing one thing exceptionally well.
- Static‑First, Deterministic by Design
IOCX performs static analysis only. No execution, no sandboxing, no behavioural monitoring.
Outputs must be:
- deterministic
- reproducible
- explainable
- safe to run anywhere
This is the foundation of the project.
- Precision Over Breadth
IOCX prioritises correctness, clarity, and signal‑to‑noise ratio. It will never chase multi-purpose functionality at the expense of precision.
If a feature cannot be implemented deterministically and reliably, it does not belong in the core.
- Lightweight, Maintainable Architecture
The core engine remains small, clean, and dependency‑minimal.
Enhancements should:
- avoid unnecessary complexity
- avoid heavy frameworks
- avoid long‑term operational burden
- integrate cleanly into existing workflows
Sustainability matters as much as capability.
- Modular Extensions, Not Platform Expansion
IOCX supports optional modules for enrichment and static analysis enhancements, but it will not grow into:
- an EDR
- a sandbox
- a SOC dashboard
- a training platform
- a DevSecOps suite
- a reverse‑engineering framework
Modules must complement the core, not redefine it.
- High‑Quality Static Analysis Enhancements
The project welcomes improvements that deepen static insight while staying within deterministic boundaries, such as:
- entropy and anomaly scoring
- import/API analysis
- obfuscation and packing hints
- metadata anomalies
- phishing/lure artifact analysis
- reputation/enrichment plugins
These strengthen the engine without changing its identity.
- Clear, Accessible Outputs
IOCX is built for automation and integration.
Outputs must remain:
- machine‑readable
- structured
- predictable
- stable across versions
Human‑readable summaries are welcome, but never at the cost of structured clarity.
- Documentation and Education Matter
The project values:
- clear examples
- plugin development guidance
- walkthroughs
- training material
These help users adopt IOCX without expanding its technical scope.
To avoid ambiguity, IOCX will not become:
- a dynamic analysis tool
- a malware detonation environment
- an endpoint agent
- a full GUI analyst workbench
- a SOC/SIEM/SOAR platform
- a reverse‑engineering suite
- a security training platform
These are separate product categories with different goals and responsibilities.
IOCX aims to be the most precise, deterministic, and trustworthy static IOC extraction engine available — a tool that integrates cleanly into security workflows, enhances automation, and provides high‑quality static insight without unnecessary complexity.
The project grows by deepening its strengths, not by expanding its scope.