# Install iocextract with Homebrew, Nix

Defanged indicator of compromise extractor. Version 1.16.1 via Homebrew; verified 2026-05-21.

## Install

```sh
sudo av install brew:iocextract
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install iocextract
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#iocextract
```

  Evidence: nixpkgs package indexes: iocextract from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

## Package facts

- **Package key:** brew:iocextract
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/iocextract>
- **Version:** 1.16.1
- **Source summary:** Defanged indicator of compromise extractor
- **Homepage:** <https://inquest.readthedocs.io/projects/iocextract/en/latest/>
- **Repository:** <https://github.com/InQuest/iocextract>
- **Upstream docs:** <https://inquest.readthedocs.io/projects/iocextract/en/latest>
- **License:** GPL-2.0-only
- **Source archive:** <https://files.pythonhosted.org/packages/ad/4b/19934df6cd6a0f6923aabae391a67b630fdd03c12c1226377c99a747a4f1/iocextract-1.16.1.tar.gz>
- **Last updated:** 2026-05-21T12:53:41Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- iocextract (cli)
- iocextract (alias)

## Dependencies

- certifi
- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.16.1
- Package-manager updated: 2026-05-21
- Local data: ok
- Upstream repository: https://inquest.readthedocs.io/projects/iocextract/en/latest/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

iocextract is an InQuest Python library and CLI for extracting indicators of compromise from text, including deliberately defanged URLs, IP addresses, email addresses, hashes, and YARA rules. It sits in the security-automation niche where analysts need to turn threat reports, tweets, notes, and pasted text into machine-readable observables.

### Project history

The project documentation frames iocextract around a specific analyst problem: simple regular expressions miss indicators that have been defanged to avoid accidental clicks or live requests. iocextract combines custom regexes and post-processing so those strings can be detected and optionally refanged.

The GitHub release history shows continuing feature and bug-fix releases, including work around URL/IP extraction and CLI input sources. The documentation links the repository, PyPI package, issue tracker, and changelog, which is typical of a Python security utility distributed both as a library and as an executable command.

### Adoption history

The docs list InQuest and PacketTotal as users and point analysts who need automation beyond extraction toward InQuest's ThreatIngestor. The Homebrew and Nix packaging in the input facts show the tool leaving Python-only workflows and becoming available as a command-line package.

### How it is used

iocextract can be used as a Python iterator-based library or as the `iocextract` command. The CLI reads from standard input or files, extracts selected IOC classes, supports custom regex files, and can refang supported URLs, emails, and IPv4 addresses when an analyst wants normalized output.

### Why package nerds care

The package is significant because it encodes a practical security convention: dangerous observables are often intentionally mangled before publication. A package manager shipping iocextract gives shell pipelines and incident-response scripts a reusable way to reverse that convention without every analyst copying fragile regexes.

### Timeline

- 2018: Public PyPI releases establish iocextract as an installable Python IOC extractor.
- 2019-2023: InQuest-hosted documentation presents the library, CLI, related projects, and users.
- 2023: v1.16.x releases add CLI extraction from remote data sources and fix URL/IP extraction behavior.
- Package-manager era: Homebrew and Nix provide package installs for the `iocextract` executable.

### Related projects

- ThreatIngestor is the InQuest project suggested for automated IOC extraction, enrichment, and export workflows.
- Cacador, ioc-extractor, and Cyobstract are listed by the docs as similar IOC extraction projects.
- plyara is called out for users working with YARA rules.

### Sources

- <https://formulae.brew.sh/formula/iocextract>
- <https://github.com/InQuest/iocextract>
- <https://github.com/InQuest/iocextract/releases>
- <https://inquest.readthedocs.io/projects/iocextract/en/latest/>
- <https://pypi.org/project/iocextract/>


## Security Notes

No matching local secret-handling manifest was found for iocextract. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** iocextract
- **Version Scheme:** 0
- **Revision:** 13
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - iocextract: normalized package name match | nixpkgs package indexes: iocextract from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [dnstwist](https://www.automicvault.com/pkg/brew/dnstwist/) - Shares av.db curated category or tags: cli, security, threat-intelligence.
- [virustotal-cli](https://www.automicvault.com/pkg/brew/virustotal-cli/) - Shares av.db curated category or tags: cli, security, threat-intelligence.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/pkg/brew/aircrack-ng/) - Shares av.db curated category or tags: cli, security.
- [amass](https://www.automicvault.com/pkg/brew/amass/) - Shares av.db curated category or tags: cli, security.
- [anubis](https://www.automicvault.com/pkg/brew/anubis/) - Shares av.db curated category or tags: cli, security.
- [authoscope](https://www.automicvault.com/pkg/brew/authoscope/) - Shares av.db curated category or tags: cli, security.
- [azurehound](https://www.automicvault.com/pkg/brew/azurehound/) - Shares av.db curated category or tags: cli, security.
- [shodan](https://www.automicvault.com/pkg/brew/shodan/) - Both packages touch the same language runtime or ecosystem. Shared terms: certifi, cli, intelligence, python, python-3-14.
- [bbot](https://www.automicvault.com/pkg/brew/bbot/) - Both packages touch the same language runtime or ecosystem. Shared terms: certifi, cli, python, python-3-14, security.

## Combined YAML source

View the package source record on GitHub. [combined/iocextract.yml](https://github.com/automic-vault/db/blob/main/combined/iocextract.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
