# CTI Project Ecosystem

## Purpose
This page connects the three CTI documentation projects into one practitioner ecosystem. Each project has a different role, but they are intended to be used together.
## The Ecosystem
| Project | Role | Use When You Need |
|---|---|---|
| CTI Analyst Field Manual | General CTI tradecraft and analyst operating manual | Evidence discipline, analytic judgment, attribution, infrastructure pivoting, actor research workflow, CTI-to-detection foundations, templates |
| CTI as a Code | Lab platform and structured training framework | Hands-on practice applying the tradecraft in this manual — 8 assignments using evidence labels, claims ledger, ATT&CK gap taxonomy, Sigma rules, and git-based audit trails |
| Operation Desert Hydra | Complete CTI-to-detection pipeline on MuddyWater | Worked example of the full pipeline: source gathering → OpenCTI knowledge graph → 11 detection records → 14 PASS / 1 PARTIAL / 1 FAIL lab validation |
| Customer-Driven AI CTI Project | Delivery methodology and customer engagement operating model | Project phases, quality gates, customer outcomes, AI-assisted workflow controls, acceptance criteria, replay and delivery packages |
| Israel Government Threat Actors CTI | Sector and actor knowledge base | Israeli public-sector threat model, actors, tools, TTPs, detections, hunts, evidence registers, source tracking |
| AI vs Defense | Practitioner guide: AI-era threat model and SOC adaptation | How skill-floor collapse changes the Pyramid of Pain, legacy defense failures, behavioral detection, and CTI evolution requirements |
| ThreatMapper | Self-hosted AI threat intelligence platform | Automated ATT&CK technique extraction from reports, APT attribution via Jaccard similarity, interactive Navigator heatmap, campaign overlay, and PDF report generation — all locally, no cloud API required |
| HexStrike AI | AI-powered offensive security automation platform | MCP agent-based tool orchestration, 150+ security tools, AI-driven penetration testing, adversarial validation of detection coverage |
## Recommended Navigation
- Start here when you need the tradecraft standard: CTI Analyst Field Manual.
- Move to the delivery model when work must become a managed customer project: Customer-Driven AI CTI Project.
- Use the Israel-focused knowledge base when the question involves Israeli government, municipal, telecom, critical-infrastructure, or supplier exposure: Israel Government Threat Actors CTI.
## Cross-Project Workflows

### Actor Profile to Customer Delivery
Use Actor Research to structure the profile, then use Customer-Driven AI CTI Project to turn it into a project plan, quality gates, and accepted deliverables. Use Israel Government Threat Actors CTI when the actor requires Israel-sector context.
### CTI Finding to Detection Backlog
Use Intelligence to Detection for the reasoning chain. Use Customer-Driven AI CTI Project for phase control and gate evidence. Use Israel Government Threat Actors CTI for concrete actor, tool, TTP, hunt, and detection examples.
### Source Claim to Evidence Register
Use Evidence Labels and Source Reliability as the analytic standard. Use the Customer project for delivery gates. Use the Israel project for a live example of source and evidence governance.
## Repository Links
- CTI Analyst Field Manual repository
- CTI as a Code repository
- Operation Desert Hydra repository
- Customer-Driven AI CTI Project repository
- Israel Government Threat Actors CTI repository
- ThreatMapper repository
- HexStrike AI repository
## Boundary
The CTI documentation projects (Field Manual, Customer project, Israel CTI) are defensive and public-source oriented. They do not provide exploit instructions, malware source code, leaked data, credentials, or unauthorized-access guidance. HexStrike AI is an authorized offensive security and penetration testing platform; use it only in authorized engagements.