
What's Coming Next

AdversaryGraph is functional and actively developed.

Recently Shipped (v0.7.0)

Operational intelligence workbench — persistent campaign/investigation workspaces, evidence graph records, report intake and analyst review, tracked-actor change monitoring, and detection engineering lifecycle management.

Operations API — integrations can manage investigations, report intake, tracked actors, and detection candidates through /api/operations.

Web-workspace parity plus AI — Docker now includes intelligence discovery, global actor/TTP/report search, correlated CTI/IR reports, detection and hunting guidance, evidence/maturity assessments, workspaces, coverage overlay, detection-backlog export, shareable entity links, and investigation-report export.

Docker remains the superset product — AI-assisted report extraction, LLM technique assistant, private report sessions, campaigns, saved server layers, APIs, PDF export, and automated ATT&CK synchronization remain Docker-only capabilities.

Known architecture gap — the public web workspace has a static MITRE ATLAS matrix. Docker embeds and cross-links the Anomaly Detection Atlas reference book, but native MITRE ATLAS PostgreSQL ingestion still requires a dedicated adapter.

Group vs Group — compare up to 6 APT groups simultaneously: an N×N Jaccard overlap matrix over each group's technique set, a combined ATT&CK view with per-group coloured dots, and a sortable technique table.

Clickable TTP detail panels — every technique ID in the UI (Navigator, ATT&CK Group Library, Compare, Group vs Group) opens a slide-in panel with description, detection guidance, Anomaly Detection Atlas links, ecosystem links, and CTI Field Manual.

Ecosystem sidebar links — one-click navigation to AdversaryGraph Web Tool (no-Docker browser version), CTI Knowledge Base, and 1200km.com directly from the sidebar.
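The Group vs Group comparison above is built on a Jaccard overlap matrix between the technique sets of the compared groups. The following is an added illustration of that computation and of the technique table that sits beside it; it is not AdversaryGraph's own code. The group names and technique IDs are a constructed sample, not real ATT&CK group profiles, and the 6-group cap mirrors the limit stated above.

```python
"""N x N Jaccard overlap between the ATT&CK technique sets of several groups.

Added illustration of the 'Group vs Group' comparison; not AdversaryGraph's
own implementation. The group profiles below are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

MAX_GROUPS = 6  # the UI compares at most 6 groups at once

# Constructed sample input: group name -> set of technique IDs.
SAMPLE_GROUPS = {
    "GroupA": {"T1059.001", "T1566.001", "T1021.001", "T1003.001", "T1071.001"},
    "GroupB": {"T1059.001", "T1566.002", "T1021.001", "T1486", "T1071.001"},
    "GroupC": {"T1190", "T1505.003", "T1003.001", "T1071.001"},
}


def jaccard(a: set, b: set) -> float:
    """|A ∩ B| / |A ∪ B|, defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def overlap_matrix(groups: dict) -> dict:
    """Return matrix[g1][g2] = Jaccard(g1, g2) for every ordered pair.

    The matrix is symmetric, so each unordered pair is scored once and
    mirrored. The diagonal is 1.0 for any non-empty group.
    """
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"compare at most {MAX_GROUPS} groups, got {len(groups)}")
    names = list(groups)
    matrix = {n: {n: jaccard(groups[n], groups[n])} for n in names}
    for g1, g2 in combinations(names, 2):
        score = jaccard(groups[g1], groups[g2])
        matrix[g1][g2] = matrix[g2][g1] = score
    return matrix


def technique_table(groups: dict) -> list:
    """Rows of (technique_id, sorted list of groups using it), most-shared first.

    This is the data behind a sortable technique table: techniques shared by
    every compared group surface at the top, group-unique ones at the bottom;
    ties are broken by technique ID so the order is deterministic.
    """
    by_technique = defaultdict(list)
    for name, techniques in groups.items():
        for tid in techniques:
            by_technique[tid].append(name)
    rows = [(tid, sorted(users)) for tid, users in by_technique.items()]
    rows.sort(key=lambda row: (-len(row[1]), row[0]))
    return rows


if __name__ == "__main__":
    matrix = overlap_matrix(SAMPLE_GROUPS)
    names = list(SAMPLE_GROUPS)
    print("        " + "  ".join(f"{n:>7}" for n in names))
    for g1 in names:
        print(f"{g1:>7} " + "  ".join(f"{matrix[g1][g2]:7.3f}" for g2 in names))
    for tid, users in technique_table(SAMPLE_GROUPS):
        print(tid, ", ".join(users))
```

Jaccard is deliberately insensitive to group size, so a small, well-documented group and a large one with a handful of shared techniques score low even when the small group's profile is almost entirely contained in the large one; if containment is what you want, compare |A ∩ B| / |A| as well.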

Also Shipped — AdversaryGraph Web

Multi-domain ATT&CK — the browser tool now covers four frameworks: Enterprise, Mobile, ICS, and MITRE ATLAS (AI/ML adversarial techniques). A domain switcher in the header lazy-loads each framework on first click and caches it for instant re-switching.

Full technique descriptions — every TTP detail panel now includes the complete MITRE description bundled at build time. No network round-trip; works offline.

Ecosystem article deep-links — the detail panel now shows section-level links into the CTI Field Manual and ITDR Handbook, generated by scanning both documentation sites for technique ID mentions and recording the nearest heading. Each link jumps directly to the relevant paragraph.
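The deep-link generation described above (scan a documentation site for technique ID mentions, record the nearest heading, emit a section-level link) can be done with a single pass over each Markdown file. The following is an added example of that approach, not AdversaryGraph's own generator. The sample document, the site URL and the GitHub-style anchor slug rule are assumptions for the example; the real sites may use a different heading-anchor scheme.

```python
"""Build section-level deep-links from technique IDs mentioned in Markdown docs.

Added illustration of the 'ecosystem article deep-links' idea; not
AdversaryGraph's own code. Document text, site URL and slug rule are assumed.
"""
import re
from collections import defaultdict

# ATT&CK IDs (T1234, T1234.001) and MITRE ATLAS IDs (AML.T0043, AML.T0043.002).
# Word boundaries keep short tokens like 'T100' or 'T10031' from matching.
TECHNIQUE_ID = re.compile(r"\b(?:AML\.)?T\d{4}(?:\.\d{3})?\b")
# ATX headings: 1-6 '#' characters, whitespace, title, optional closing '#'s.
HEADING = re.compile(r"^(#{1,6})\s+(.*?)\s*#*\s*$")

# Assumed site URL for the constructed sample below.
SITE_URL = "https://example.invalid/itdr"

# Constructed sample document; not text from the real ITDR Handbook.
SAMPLE_DOC = """# ITDR Handbook (constructed sample)

## Credential Dumping
LSASS access (T1003.001) is the most common form of T1003 on Windows hosts.

## Lateral Movement
Remote Desktop (T1021.001) often follows T1003.001 credential theft.

### Detection notes
Nothing here references a technique.
"""


def slugify(heading: str) -> str:
    """Assumed GitHub-style anchor: lowercase, drop punctuation, spaces -> '-'."""
    text = re.sub(r"[^\w\s-]", "", heading.lower())
    return re.sub(r"\s+", "-", text.strip())


def index_document(url: str, markdown: str) -> dict:
    """Map technique ID -> list of (nearest heading, deep-link URL).

    Walks the document once, tracking the most recent heading. Each ID is
    recorded once per heading, so a section that repeats an ID yields one
    link. A mention before any heading links to the page itself.
    """
    links = defaultdict(list)
    current_heading = None
    seen = set()
    for line in markdown.splitlines():
        m = HEADING.match(line)
        if m:
            current_heading = m.group(2)
        for tid in TECHNIQUE_ID.findall(line):
            key = (tid, current_heading)
            if key in seen:
                continue
            seen.add(key)
            anchor = f"{url}#{slugify(current_heading)}" if current_heading else url
            links[tid].append((current_heading, anchor))
    return dict(links)


def build_ecosystem_links(sites: dict) -> dict:
    """Merge per-site indexes: {url: markdown} -> {technique_id: [(heading, link)]}."""
    merged = defaultdict(list)
    for url, markdown in sites.items():
        for tid, entries in index_document(url, markdown).items():
            merged[tid].extend(entries)
    return dict(merged)


if __name__ == "__main__":
    for tid, entries in sorted(build_ecosystem_links({SITE_URL: SAMPLE_DOC}).items()):
        for heading, link in entries:
            print(f"{tid:12} {heading!r:30} {link}")
```

Two caveats a practitioner would want: IDs inside fenced code blocks or reference lists are matched like any other mention, so filter those lines if they produce noisy links; and the anchor slug must match what the site generator actually emits (MkDocs, Docusaurus and GitHub differ on punctuation and duplicates), so spot-check a few generated links against the rendered pages before shipping them.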

On the Roadmap

TAXII/STIX import — accept threat intelligence directly from TAXII feeds (MISP, OpenCTI, commercial CTI platforms) so you can analyse structured intelligence without manual copy-paste.

Team collaboration — shared TTP layers with user namespacing; see who saved what and when.

Automatic APT tracking — when ATT&CK releases a new version that adds techniques to a group you're tracking, send a notification (webhook or email).

Native MITRE ATLAS ingestion — add an ATLAS-specific ingestion adapter and matrix domain to the Docker platform.


Contributing

The project is source-available. Personal/private use is free; business or organizational use requires approval from Andrey Pautov.