Skip to main content

CTI Project Ecosystem

Purpose

This page connects the CTI documentation projects into one practitioner ecosystem. Each project has a different role, but they are designed to be used together.

The Ecosystem

Start here

CTI Portfolio — Andrey Pautov is the top-level entry point: four documentation sites, 11 repositories, 36 articles. Start there to navigate the full body of work, then come back to the specific project you need.

ProjectRoleUse When
CTI PortfolioTop-level hub — all CTI work in one placeYou want an overview of the full body of work: actor research, methodology, detection engineering, labs
CTI as a CodeLab platform + structured training assignments + published case studiesYou want a hands-on lab, worked case studies, Sigma rules, and methodology scaffolds
CTI Analyst Field ManualGeneral CTI tradecraft and analytic operating manualYou need evidence discipline, analytic judgment, attribution methodology, infrastructure pivoting, or CTI-to-detection reasoning
Customer-Driven AI CTI ProjectDelivery methodology and customer engagement modelCTI work must become a managed project with phases, quality gates, and customer acceptance criteria
Israel Government Threat Actors CTIIsraeli sector and actor knowledge baseThe question involves Israeli government, municipal, telecom, critical infrastructure, or supplier exposure
HexStrike AIAI-powered offensive security automationAdversarially validating detection coverage built in A04 or A08 against real TTPs

Published Case Studies

Real investigations worked end-to-end using the CTI as a Code methodology — from first alert through stakeholder deliverables. Each article is a complete, reproducible walkthrough with evidence files, queries, and detection rules.

Case StudyScenarioKey TechniquesArticle
LifeTech Pharma — Reactive IRDual-entry pharmaceutical IP theft — AiTM + CFO phishing, DCSync, 381 MB exfiltrationT1557 · T1003.006 · T1133 · RBQL anomaly detection · Cobalt Strike beacon analysisMedium
CelltronX Telecom — Proactive AssessmentMuddyWater targeting Israeli telecom — crown jewels analysis, 5 attack scenarios, detection gap mapping, 5 Sigma rulesT1219 · T1133 · T1505.003 · T1572 · DeTT&CT scoring · SimpleHelp RMM detection

Each case study maps directly to a training assignment, a full technical walkthrough, and an ATT&CK Navigator layer:

How CTI as a Code Fits

CTI as a Code is the practice environment. It provides:

  • The Docker Compose lab stack where you run OpenCTI, TheHive, and Elastic SIEM
  • The structured training assignments (A01–A08) as worked case studies
  • Published case studies with full evidence analysis, detection gaps, and Sigma rules
  • Distributed analytical files demonstrating the methodology in action
  • Sigma rules derived from incident TTPs — ready for lab validation

The Field Manual is the reasoning standard behind everything. When CTI as a Code says "rate sources with the Admiralty Scale," "label claims," or "convert TTPs to detection logic" — the Field Manual explains the precise methodology those phrases refer to.

The Israel CTI knowledge base is the threat context for the NDSA narrative arc (A05–A08). The Iranian-nexus actor cluster, supply chain compromise patterns, and INCD regulatory context in those assignments are grounded in Israeli sector CTI documented there.

Cross-Project Workflows

Reactive Investigation → Sigma Rule → Lab Validation

  1. Read the LifeTech Pharma case study as a worked example of the full flow
  2. Run the same investigation yourself with Assignment A01 or A05 as the scenario
  3. Apply Field Manual — Evidence Labels and Source Reliability to each timeline event
  4. Convert findings to detection logic using Field Manual — CTI to Detection
  5. Deploy the Sigma rule to Elastic SIEM in the lab and validate with A04 or A08 emulation methodology
  6. Use HexStrike AI for adversarial red-team validation of coverage

Threat Modeling → Detection Backlog → Customer Project

  1. Use A02 or A06 as the proactive threat modeling framework
  2. Reference Israel Government Threat Actors CTI for sector-specific threat actor TTPs
  3. Produce a detection backlog with Sigma rules (CTI as a Code template structure)
  4. Hand off to Customer-Driven AI CTI Project for managed delivery with quality gates and customer acceptance criteria

CTI Program Build → INCD Compliance

  1. Use A07 (NDSA full-cycle program) as the governance framework template
  2. Apply Field Manual — PIR/SIR framework for requirement design
  3. Use A08 compliance report as the detection validation evidence format
  4. Cross-reference Israel Government Threat Actors CTI for INCD regulatory framework context

Actor Profile → Sector Context → Detection

  1. Use Field Manual — Actor Research to structure the actor profile
  2. Use Israel Government Threat Actors CTI for the Iranian-nexus cluster context relevant to A05–A08
  3. Extract detection-relevant TTPs using A04 TTP extraction methodology
  4. Turn the profile into a customer project with Customer-Driven AI CTI

NDSA Narrative Arc and the Israel CTI Project

The government assignments (A05–A08) are grounded in the Israeli public-sector threat landscape documented in the Israel Government Threat Actors CTI project:

CTI as a CodeIsrael CTI cross-reference
A05 — Iranian-nexus contractor breachIranian-nexus actor cluster targeting Israeli government digital identity systems
A06 — GovID 2.0 threat modelBiometricTech supply chain risk; vendor API abuse patterns
A07 — INCD regulatory programINCD-CID framework; Israeli CII operator obligations
A08 — INCD Section 8 emulationDetection validation methodology for Israeli government CTI programs

Boundary

All CTI documentation projects (CTI as a Code, Field Manual, Customer project, Israel CTI) are defensive and public-source oriented. They do not provide exploit instructions, malware source code, leaked data, credentials, or unauthorized-access guidance. HexStrike AI is an authorized offensive security and penetration testing platform; use it only in authorized engagements.