Automic VaultAutomic Vault

brew

Install iocextract with Homebrew, Nix

Defanged indicator of compromise extractor. Version 1.16.1 via Homebrew; verified 2026-05-21.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install iocextract

local Homebrew formula metadata

overview

Package summary

Defanged indicator of compromise extractor

Commands and aliases

  • iocextract

history

Project history and usage

iocextract is an InQuest Python library and CLI for extracting indicators of compromise from text, including deliberately defanged URLs, IP addresses, email addresses, hashes, and YARA rules. It sits in the security-automation niche where analysts need to turn threat reports, tweets, notes, and pasted text into machine-readable observables.

Project history

The project documentation frames iocextract around a specific analyst problem: simple regular expressions miss indicators that have been defanged to avoid accidental clicks or live requests. iocextract combines custom regexes and post-processing so those strings can be detected and optionally refanged.

The GitHub release history shows continuing feature and bug-fix releases, including work around URL/IP extraction and CLI input sources. The documentation links the repository, PyPI package, issue tracker, and changelog, which is typical of a Python security utility distributed both as a library and as an executable command.

Adoption history

The docs list InQuest and PacketTotal as users and point analysts who need automation beyond extraction toward InQuest's ThreatIngestor. The Homebrew and Nix packaging in the input facts show the tool leaving Python-only workflows and becoming available as a command-line package.

How it is used

iocextract can be used as a Python iterator-based library or as the `iocextract` command. The CLI reads from standard input or files, extracts selected IOC classes, supports custom regex files, and can refang supported URLs, emails, and IPv4 addresses when an analyst wants normalized output.

Why package nerds care

The package is significant because it encodes a practical security convention: dangerous observables are often intentionally mangled before publication. A package manager shipping iocextract gives shell pipelines and incident-response scripts a reusable way to reverse that convention without every analyst copying fragile regexes.

Timeline

  • 2018: Public PyPI releases establish iocextract as an installable Python IOC extractor.
  • 2019-2023: InQuest-hosted documentation presents the library, CLI, related projects, and users.
  • 2023: v1.16.x releases add CLI extraction from remote data sources and fix URL/IP extraction behavior.
  • Package-manager era: Homebrew and Nix provide package installs for the `iocextract` executable.

Related projects

  • ThreatIngestor is the InQuest project suggested for automated IOC extraction, enrichment, and export workflows.
  • Cacador, ioc-extractor, and Cyobstract are listed by the docs as similar IOC extraction projects.
  • plyara is called out for users working with YARA rules.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for iocextract. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 2 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
iocextractcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.16.1
manager updated2026-05-21
local dataok
upstreamnot checked
latest detectednot detected

https://inquest.readthedocs.io/projects/iocextract/en/latest/

install metadata

Package metadata

Package keybrew:iocextract
Version1.16.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/iocextract
Homepagehttps://inquest.readthedocs.io/projects/iocextract/en/latest/
Repositoryhttps://github.com/InQuest/iocextract
Upstream docshttps://inquest.readthedocs.io/projects/iocextract/en/latest
LicenseGPL-2.0-only
Source archivehttps://files.pythonhosted.org/packages/ad/4b/19934df6cd6a0f6923aabae391a67b630fdd03c12c1226377c99a747a4f1/iocextract-1.16.1.tar.gz
Last updated2026-05-21T12:53:41Z
Pulseupdated
Dependenciescertifi, python@3.14
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameiocextract
Version Scheme0
Revision13
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

iocextract

nix profile install nixpkgs#iocextract
  • normalized package name match
  • Matched by: Iocextract
nixpkgs package indexes · raw.githubusercontent.com · nixpkgs package indexes: iocextract from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment