Invention Grant
- Patent Title: Automatic extraction of indicators of compromise from multiple data sources accessible over a network
- Application No.: US15354680
- Application Date: 2016-11-17
- Publication No.: US10250621B1
- Publication Date: 2019-04-02
- Inventor: Zhou Li
- Applicant: EMC IP Holding Company LLC
- Applicant Address: US MA Hopkinton
- Assignee: EMC IP Holding Company LLC
- Current Assignee: EMC IP Holding Company LLC
- Current Assignee Address: US MA Hopkinton
- Agency: Ryan, Mason & Lewis, LLP
- Main IPC: H04L29/06
- IPC: H04L29/06 ; G06F16/951 ; G06F16/955

Abstract:
A processing device in one embodiment comprises a processor coupled to a memory and is configured to direct one or more web crawlers to obtain textual information from a plurality of data sources accessible over at least one network, to extract terms likely to be associated with indicators of compromise from the obtained textual information, to filter the extracted terms to identify terms corresponding to respective valid indicators of compromise, to generate links between the terms corresponding to the respective valid indicators of compromise, and to convert the links and the corresponding terms into an output document in a specified indicator of compromise format. Feedback from an analyst device receiving the output document may be used to adjust a filter parameter of the extracted term filtering. Additionally or alternatively, one or more parameters of a network security system may be adjusted based at least in part on the output document.