ThreatMapper — Self-Hosted AI Threat Intelligence

What It Does

You give ThreatMapper a threat report — malware writeup, IR summary, vendor advisory, raw Slack thread. It gives you ATT&CK technique IDs, confidence scores, evidence snippets, and a ranked list of APT groups whose known TTP profile overlaps with what you observed. All computation is local. Nothing leaves your machine.

Core Features

AI Analysis

Upload PDF, DOCX, or TXT — or paste text — and get a streamed ATT&CK technique extraction with evidence snippets and confidence scores. Supports Claude, GPT-4o, and Gemini.

ATT&CK Navigator

Interactive heatmap of the full ATT&CK matrix (Enterprise, Mobile, ICS). Build, save, reload, and export named TTP layers. Overlay any APT group for instant visual diff.

APT Attribution

Automatic Jaccard similarity ranking against 174+ named threat groups and 56+ named campaigns. See exactly which techniques you share and what your detection gaps are.

Two Databases

DB 1 holds the full MITRE ATT&CK dataset including named campaigns. DB 2 stores every AI analysis you run — re-compare any past report without re-calling the LLM.

PDF Reports

Generate multi-page formatted PDF reports from any analysis or Navigator layer. Includes cover page, executive summary, technique table, APT attribution, and tactic coverage.

REST API

Drive the entire workflow programmatically. Headless analysis, batch comparisons, layer management — all exposed as a documented REST API (Swagger at /docs).

AI Analysis — upload a report and pick a provider (Claude, GPT-4o, Gemini)
Inject into Navigator — push extracted techniques into the live ATT&CK matrix
Compare → Groups — find which APT groups match your observed TTP set
Compare → Campaigns — narrow down to a specific named operation
Gap Analysis — turn the technique gap into a structured hunt checklist
Export PDF — share findings as a formatted report