The open-source agentic memory engine behind ThreatRecall.
A typed memory model with blended retrieval, LangChain and CrewAI adapters, LanceDB + SQLite storage, and a FastAPI interface. Self-host it. Audit it. Fork it.
Not a generic vector store with a chat wrapper. A purpose-built memory engine for threat intelligence — typed, retrievable, and agent-native.
Every memory record is typed — actor, CVE, IOC, TTP, OSINT, tool, vulnerability. Structured recall, not free-text similarity guessing.
Keyword + vector + structured CTI routing in one query. Pass in natural language and it routes to the right retrieval path automatically.
Drop-in adapters for the two dominant agent frameworks. Your agents get structured CTI memory in under 20 lines of code.
Vectors in LanceDB, structured data in SQLite. No cloud database dependency. Runs on a laptop, a Raspberry Pi, or an air-gapped server.
REST + async. Auto-generated OpenAPI docs. Talks to any agent framework, any language. Ollama-compatible for fully local inference.
Use it in commercial products. Embed it in your platform. No CLA, no AGPL restrictions. Authored by Patrick George Roland II.
We open-sourced ZettelForge because operators need to see what's running in their environment. Vendor lock-in on memory infrastructure isn't something we'd accept either.
ZettelForge was designed by someone who ran security operations — not a product manager who read a few MITRE ATT&CK articles. The constraints are real. The design reflects that.
You can read every line of the memory engine. You can audit the retrieval logic. You can verify that TLP handling works the way we say it does. That's the point.
If you self-host ZettelForge, you own your memory indexes. If you migrate to ThreatRecall Cloud or away from it, your data stays yours. We designed the exit ramp on purpose.
Like WordPress.com vs .org. Or GitLab.com vs CE. You pick what fits your team.
| Feature | ZettelForge (self-host) | ThreatRecall Cloud |
|---|---|---|
| Deployment | Self-hosted — your server | Managed — we run the infra |
| Tenancy | Single-tenant | Multi-tenant with RLS isolation |
| LLM | You run Ollama (local or remote) | We run OpenAI — you bring context |
| Database | SQLite + LanceDB (on-disk) | Azure PostgreSQL — managed, HA |
| Compliance | You configure it | FedRAMP Moderate baseline built-in |
| STIX 2.1 | Partial (evidence model) | Full chain-of-custody, TLP propagation |
| OpenCTI sync | Not included | Enterprise only — bi-directional via pycti |
| Audit logs | Not included | Write-once, tenant-scoped OCSF logs |
| Support | Community (GitHub issues) | SLA-backed support |
| Cost | Free (MIT) | From $29/mo |
Docker Compose is the fastest path. No cloud accounts, no API keys required to start.
```bash
# Clone the repo
git clone https://github.com/rolandpg/zettelforge
cd zettelforge

# Start with Docker Compose (includes Ollama + LanceDB)
docker compose up

# ZettelForge API is now running at http://localhost:8000
# OpenAPI docs at http://localhost:8000/docs
```
```python
# LangChain adapter — drop-in memory for your agent
from langchain.agents import initialize_agent
from zettelforge.adapters.langchain import ZettelForgeMemory

memory = ZettelForgeMemory(
    base_url="http://localhost:8000",
    tenant_id="my-soc-team",
)

# Your agent now has structured CTI memory
# (`tools` and `llm` are the tool list and model your agent already uses)
agent = initialize_agent(tools, llm, memory=memory)
```