diff --git a/pkgs/tools/security/ioc-scan/default.nix b/pkgs/tools/security/ioc-scan/default.nix
new file mode 100644
index 00000000000..0fea93dc508
--- /dev/null
+++ b/pkgs/tools/security/ioc-scan/default.nix
@@ -0,0 +1,43 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+ pname = "ioc-scan";
+ version = "1.5.0";
+ format = "setuptools";
+
+ src = fetchFromGitHub {
+ owner = "cisagov";
+ repo = "ioc-scanner";
+ rev = "refs/tags/v${version}";
+ hash = "sha256-dRrLd41HVVHJse7nkem8Cy+ltfJRnJiWrX/WShMfcOw=";
+ };
+
+ postPatch = ''
+ substituteInPlace pytest.ini \
+ --replace " --cov" ""
+ '';
+
+ propagatedBuildInputs = with python3.pkgs; [
+ docopt
+ ];
+
+ nativeCheckInputs = with python3.pkgs; [
+ pyfakefs
+ pytestCheckHook
+ ];
+
+ pythonImportsCheck = [
+ "ioc_scan"
+ ];
+
+ meta = with lib; {
+ description = "Tool to search a filesystem for indicators of compromise (IoC)";
+ homepage = "https://github.com/cisagov/ioc-scanner";
+ changelog = "https://github.com/cisagov/ioc-scanner/releases/tag/v${version}";
+ license = with licenses; [ cc0 ];
+ maintainers = with maintainers; [ fab ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 522025e8baf..0d610fb77ca 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -8545,6 +8545,8 @@ with pkgs;
 iodine = callPackage ../tools/networking/iodine { };
+ ioc-scan = callPackage ../tools/security/ioc-scan { };
+ ioccheck = callPackage ../tools/security/ioccheck { };
 ioping = callPackage ../tools/system/ioping { };
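Review bot: The `postPatch` substitution in `default.nix` has no comment saying why it exists, and with plain `--replace` the build does not fail if upstream's `pytest.ini` stops containing ` --cov`. I would add `# pytest-cov is not in nativeCheckInputs; drop the coverage flag so pytestCheckHook can run` above it. If the nixpkgs revision this targets provides it, `--replace-fail " --cov" ""` would surface a stale patch at build time instead of as an unrelated-looking test failure. The pattern removes only the literal ` --cov`; `pytest.ini` is not visible here, so it is worth confirming that no `=value` or `--cov-report` remainder is left behind. The fixed `hash` already pins what `refs/tags/v${version}` resolves to, so a moved upstream tag would show up as a hash mismatch.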