Zettelforge: Agentic Memory for CTI with STIX and RAG

Open-source MCP server for Claude Code, providing agentic memory for CTI, STIX knowledge graphs, and threat actor alias resolution.

Zettelforge is an open-source MCP server designed to enhance Cyber Threat Intelligence (CTI) workflows for AI developers. It combines agentic memory with STIX knowledge graphs and Retrieval-Augmented Generation (RAG) to give agents context and analysis for threat intelligence data. It is built for developers working with large language models (LLMs) and complex data structures in the cybersecurity domain.

What Zettelforge Does

Zettelforge acts as a specialized memory layer for AI agents focused on CTI. It allows these agents to store, retrieve, and reason over vast amounts of threat intelligence data. By leveraging STIX (Structured Threat Information Expression) standards, it builds and queries knowledge graphs of indicators, observables, threat actors, and campaigns. The RAG implementation enables agents to access and synthesize relevant information from this knowledge base, improving the accuracy and depth of their threat analysis and reporting.

Key Features

Who Zettelforge is For

Zettelforge is primarily intended for AI developers and cybersecurity professionals who are building or enhancing AI-powered CTI platforms. This includes researchers developing threat intelligence analysis tools, security operations center (SOC) analysts looking to automate threat hunting, and developers integrating LLMs into their cybersecurity workflows. If you are working with STIX data, building knowledge graphs, or need to provide AI agents with deep, contextual understanding of CTI, Zettelforge offers a powerful foundation.