AdversaryGraph v2.5 · Practical Workflows
Twenty-six analyst workflows showing how AdversaryGraph supports report analysis, actor comparison, sector intelligence, IOC enrichment, STIX/TAXII/MISP exchange, Sigma/YARA and sandbox context, detection handoff, and deployment validation.
These are practical ways to use the tool in CTI, SOC, incident response, malware analysis, detection engineering, and platform validation work.

1. Map a new threat report to ATT&CK
Flow: Upload PDF/DOCX/TXT or paste text, run AI Analysis, review evidence, accept TTPs, and inject them into Navigator.
Output: Technique list, evidence, confidence, review status, layer, JSON, and PDF.
2.
Flow: Analyze a report, validate TTPs, compare actors, add IOCs, and export a PDF.
Output: Evidence-backed briefing with actor context and detection priorities.

3.
Flow: Extract TTPs, run group comparison, inspect Jaccard overlap, and open actor pages.
Output: Ranked actor hypotheses, not definitive attribution.

4.
Flow: Store report analyses, compare shared TTPs, tactics, IOCs, and actor links.
Output: Relatedness view with shared and distinct behavior.

5.
Flow: Accept validated TTPs, review tactic coverage, inspect guidance, and export evidence.
Output: Prioritized detection engineering candidates.

6.
Flow: Select TTPs manually, import layers, inject AI findings, or load actor TTPs.
Output: Navigator-compatible JSON and matrix visualization.

7.
Flow: Load TTPs, inspect tactic distribution, compare against actor or campaign profiles.
Output: Missing technique areas and priority gaps.

8.
Flow: Filter by sector, region, technology, and activity window in Sector Intel.
Output: Relevant actor ranking and matrix-ready TTPs.

9.
Flow: Combine sector filters, actor profiles, relevant TTPs, and evidence cards.
Output: Customer-specific threat model and ATT&CK behavior map.

10.
Flow: Open actor IOCs, sync ThreatFox or custom feeds, and export CSV.
Output: Actor-linked observables with source and last-seen context.

11.
Flow: Search by indicator, description, malware, campaign, actor, type, source, or last seen.
Output: Central observable library with enrichment actions.

12.
Flow: Query an IP, domain, URL, or hash and review reputation, tags, rules, relationships, actors, and TTPs.
Output: Structured enrichment with pivots to matrix and actor pages.

13.
Flow: Configure keys, sync sources, and enrich actor, malware, and IOC records.
Output: Source-backed external intelligence with timestamps.

14.
Flow: Add JSON, CSV, or TXT feeds and keep customer intelligence in the external DB.
Output: Private observables separated from public reference data.

15.
Flow: Export STIX indicators, import STIX files, or pull TAXII collection objects.
Output: Structured CTI exchange with compatible platforms.

16.
Flow: Provide a MISP JSON export URL or gateway URL and sync it as a source.
Output: MISP-backed IOC records for search and enrichment.

17.
Flow: Add rule feeds and review detection-rule matches in enrichment context.
Output: Detection context for IOCs, malware families, and techniques.

18.
Flow: Sync sandbox behavior sources and connect observed behavior to malware, IOCs, and TTPs.
Output: Runtime evidence for behavior and technique mapping.

19.
Flow: Analyze a report, extract observables, map them to actors or malware, and store them.
Output: Report-derived IOC records with source context.

20.
Flow: Open DFIR Examples, inspect source-linked TTPs and actors, then use the report for AI analysis.
Output: Practice dataset for validation and demos.

21.
Flow: Select groups, inspect shared and different techniques, and review the combined matrix.
Output: Group-to-group behavior comparison.

22.
Flow: Track actor changes, sync references, and compare stored data to current ATT&CK.
Output: Visible actor and technique updates.

23.
Flow: Configure a local/private LLM gateway and choose it during analysis.
Output: Private extraction with operator-controlled model routing.

24.
Flow: Track intake, analysis, review states, actor hypotheses, IOC enrichment, and detection candidates.
Output: Auditable CTI-to-detection workflow.

25.
Flow: Run selftest, fix popup errors, recheck, and open troubleshooting when needed.
Output: Clear API, DB, ATT&CK, ATLAS, and enrichment readiness status.

26.
Flow: Combine release notes, selftest output, screenshots, sample data, API docs, and validation pages.
Output: Evidence package for publication, review, or stakeholder approval.
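The group comparison by Jaccard overlap (use case 3, "ranked actor hypotheses, not definitive attribution") and the Navigator-compatible layer that marks shared and distinct techniques (use cases 6 and 21) can be illustrated with the following Python. This is an added example, not AdversaryGraph's own code: the report TTPs and actor profiles are constructed, the actor names are placeholders, and the Navigator layer format version is assumed.

```python
import json

# Constructed sample data: technique IDs "extracted" from a hypothetical report
# and three hypothetical actor profiles (placeholder names, made-up technique sets).
REPORT_TTPS = {"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1027", "T1486"}
ACTOR_PROFILES = {
    "ACTOR-A": {"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1003.001", "T1021.001"},
    "ACTOR-B": {"T1566.001", "T1027", "T1486", "T1059.001"},
    "ACTOR-C": {"T1190", "T1505.003", "T1003.001"},
}

def jaccard(a, b):
    """Jaccard similarity |A & B| / |A | B|; defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def rank_actor_hypotheses(report_ttps, profiles):
    """Return [(actor, score, shared, report_only)] sorted by overlap, highest first.
    The result is a ranking of hypotheses for analyst review, not attribution:
    a small profile fully contained in the report can outscore a larger, partial match."""
    ranked = []
    for actor, ttps in profiles.items():
        ranked.append((actor, round(jaccard(report_ttps, ttps), 3),
                       sorted(report_ttps & ttps), sorted(report_ttps - ttps)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked

def navigator_layer(report_ttps, actor, actor_ttps, name="Report vs actor"):
    """Build a Navigator layer dict: score 2 = in both, 1 = report only, 0 = actor only."""
    techniques = []
    for tid in sorted(report_ttps | actor_ttps):
        in_report, in_actor = tid in report_ttps, tid in actor_ttps
        score = 2 if in_report and in_actor else (1 if in_report else 0)
        techniques.append({"techniqueID": tid, "score": score,
                           "comment": f"report={in_report} {actor}={in_actor}"})
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # assumed layer format version; adjust to your Navigator
        "domain": "enterprise-attack",
        "description": f"Shared and distinct techniques between the report and {actor}",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b2ff", "#ff6666"], "minValue": 0, "maxValue": 2},
    }

if __name__ == "__main__":
    ranking = rank_actor_hypotheses(REPORT_TTPS, ACTOR_PROFILES)
    for actor, score, shared, report_only in ranking:
        print(f"{actor}: jaccard={score} shared={shared} report_only={report_only}")
    top = ranking[0][0]
    print(json.dumps(navigator_layer(REPORT_TTPS, top, ACTOR_PROFILES[top]), indent=2))
```

Note that ACTOR-B ranks above ACTOR-A even though both share four techniques with the report, because Jaccard divides by the union and ACTOR-A's extra techniques enlarge it; that is the kind of detail the evidence review step exists to catch.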
| Capability | Relevant Use Cases |
|---|---|
| AI report extraction | 1, 2, 3, 4, 19, 20, 23, 24 |
| ATT&CK Navigator and layers | 1, 5, 6, 7, 8, 9, 21 |
| Actor and campaign comparison | 3, 4, 8, 9, 21, 22 |
| Sector intelligence | 8, 9 |
| IOC Library | 10, 11, 12, 14, 15, 16, 19 |
| External enrichment | 12, 13, 17, 18 |
| STIX/TAXII/MISP workflows | 15, 16 |
| Detection engineering handoff | 5, 7, 17, 18, 24 |
| Operations and pipeline | 2, 19, 24, 26 |
| Deployment reliability | 23, 25, 26 |