Watcher – Open Source Cybersecurity Threat Hunting Platform

Watcher – Open Source Cybersecurity Threat Hunting Platform and developed with Django and React JS.

Watcher is a Django & React JS automated platform for discovering new potentially cybersecurity threats targeting your organisation.

It should be used on webservers and available on Docker.

Watcher capabilities

  • Detect emerging vulnerability, malware using social network and other RSS sources (,,,…).
  • Detect Keywords in pastebin & in other IT content exchange websites (stackoverflow, github, gitlab, bitbucket, apkmirror, npm…).
  • Monitor malicious domain names (IPs, mail/MX records, web pages using TLSH).
  • Detect suspicious domain names targeting your organisation, using dnstwist.
  • Useful as a bundle regrouping threat hunting/intelligence automated features.

Additional features

  • Create cases on TheHive and events on MISP.
  • Integrated IOCs export to TheHive and MISP.
  • LDAP and Local Authentication.
  • Email notifications.
  • Ticketing system feeding.
  • Admin interface.
  • Advance users permissions & groups.

Involved dependencies

  • RSS-Bridge
  • dnstwist
  • Searx
  • pymisp
  • thehive4py
  • TLSH
  • shadow-useragent
  • NLTK


Watcher is an open source software and provides a powerful user interface for data visualization and analysis. This interface can also be used to manage Watcher usage and to monitor its status.

Threats detection


Keywords detection


Malicious domain names monitoring


IOCs export to TheHive and MISP


Potentially malicious domain names detection


Django provides a ready-to-use user interface for administrative activities. We all know how an admin interface is important for a web project: Users management, user group management, Watcher configuration, usage logs…

Admin interface



Create a new Watcher instance in ten minutes using Docker (see Installation Guide).

Platform architecture

Watcher Platform-architecture
Watcher Platform-architecture

Thehive & MISP Export

You can export monitored DNS to TheHive or MISP:

  1. Go to /website_monitoring page.
  2. Add new DNS to monitored.
  3. Click on the blue upload/cloud button.
  4. Choose which service you want to use.

How to Update Watcher

To update Watcher image please follow the instructions below:

  • Stop all containers: docker-compose down
  • Remove the old docker images: docker rmi felix83000/watcher:latest searx/searx searx/searx-checker rssbridge/rss-bridge:latest
  • Pull the newer docker images: docker-compose up

This will update Watcher, Rss-bridge and Searx.

Download Watcher

Join Our Club

Enter your Email address to receive notifications | Join over Million Followers

Previous Article
Cyber Attack

Microsoft System Breached In SolarWinds Hack

Next Article
VPN Myth

Using a VPN? Here are the 5 Biggest Myths Debunked

Related Posts