Static IOC extraction engine for binaries, text, and logs.
Project description
IOCX — Deterministic, Zero‑Risk IOC Extraction for Modern Security Pipelines
Official IOCX Project
IOCX is a high‑performance, deterministic static analysis engine for extracting Indicators of Compromise (IOCs) from binaries and text. It exists for one reason: to provide a fast, safe, predictable IOC extractor that DFIR teams and automation pipelines can trust.
- PyPI: https://pypi.org/project/iocx/
- GitHub: https://github.com/iocx-dev/iocx
- Website: https://iocx.dev
IOCX is not an OSINT reputation checker or scoring tool. It is a binary‑aware IOC engine built for DFIR, SOC automation, CI/CD, and threat‑intel ingestion.
Why IOCX Exists
Most IOC extractors are:
- regex‑only
- non‑deterministic
- slow under adversarial input
- unaware of binary structure
- unstable across versions
IOCX fixes all of that.
It provides:
- snapshot‑stable output
- deterministic PE metadata extraction
- binary‑aware heuristics
- strict performance guarantees
- a stable JSON schema
- safe, static‑only analysis
If you need predictable, automatable IOC extraction — IOCX is built for you.
Version highlights (v0.7.3)
- Major hardening of all PE structural validators
- Deterministic, snapshot‑stable output across malformed binaries
- Stronger section, entrypoint, RVA‑graph, TLS, and signature checks
- Corrected RVA→file‑offset mapping for overlay detection
- Improved entropy analysis with clearer, conservative signals
- Cleaner, consistent
ReasonCodesacross the engine - Expanded structural + heuristic test coverage
Performance
- 150–300 MB/s on raw text
- 6–15 MB/s on typical PEs
- Predictable even under worst‑case adversarial load.
Features
- Extracts IOCs from PE files and raw text
- Detects domains, URLs, IPv4/IPv6, file paths, hashes, emails, Base64
- Crypto wallet detection (BTC, ETH)
- Deterministic, snapshot‑stable JSON output
- Multi‑level analysis depth (
basic→full) - Binary‑aware static analysis (entropy, sections, imports, TLS, signatures)
- Lightweight plugin system
- CLI + Python API
Install
pip install iocx
CLI
iocx suspicious.exe
echo "Visit http://bad.example.com" | iocx -
Python API
from iocx.engine import Engine
engine = Engine()
results = engine.extract("suspicious.exe")
print(results)
Project Identity
The name IOCX refers exclusively to this project and the repositories under iocx-dev. Third‑party tools must not present themselves as the IOCX engine.
Community integrations should use names like:
iocx-<plugin>iocx-extension-<feature>
License
MPL‑2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file iocx-0.7.3.tar.gz.
File metadata
- Download URL: iocx-0.7.3.tar.gz
- Upload date:
- Size: 52.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
88dc3f5600065e8768bafc3e20ed5fe919aa498327ddd4e6cc25d3fb9da0fa9c
|
|
| MD5 |
691d8cf69a35bdfa0e64066ae53d77ac
|
|
| BLAKE2b-256 |
f550666d591b8440882a5fa013777f3578dafc6a67118c5886359b457e139881
|
File details
Details for the file iocx-0.7.3-py3-none-any.whl.
File metadata
- Download URL: iocx-0.7.3-py3-none-any.whl
- Upload date:
- Size: 63.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0c4d032f7c5a0159cbce065a6a07ee98f7e03458f40241fe4f873c5afa40a43a
|
|
| MD5 |
768185e304af8f5d54961baea558b0e5
|
|
| BLAKE2b-256 |
bd7df8866b3d005b5864441c8f5292fc8b28c0c19ae15581202da0e394f7c23c
|
