Self-Hosted · AI-Assisted · MITRE ATT&CK · CTI Platform

ThreatMapper AI

AI-assisted CTI platform for mapping threat reports to MITRE ATT&CK, comparing TTP overlap with known groups and campaigns, and generating analyst-ready intelligence outputs. Browser-native public workspace plus a self-hosted Docker control plane with operator-configured LLM providers.

Public demo privacy note. The hosted demo at 1200km.com/threat-matrix/ is intended for exploration and demonstration. Do not upload confidential, customer-sensitive, classified, or internal reports into the public demo. Use the self-hosted Docker deployment for private analysis.

The Analyst Problem

CTI work has a structural bottleneck between raw intelligence and structured, actionable output.

Reports are inconsistent and verbose

Vendor CTI reports, incident writeups, and OSINT sources vary widely in structure, depth, and terminology. Extracting ATT&CK technique references manually is slow and error-prone at scale.

ATT&CK mapping is a repetitive bottleneck

Mapping behaviors in a report to ATT&CK technique IDs requires reading, judgment, and cross-referencing — repeated for every source, every engagement, every campaign update.

Comparing reports to groups is manual

Checking whether extracted TTPs resemble a known APT group's profile means manually looking up groups, comparing technique lists, and tracking overlaps and gaps — without tooling, this is ad hoc at best.

CTI-to-detection requires structured output

Turning CTI into a detection backlog requires structured technique IDs, tactic context, and evidence. Unstructured report text doesn't translate directly into Sigma rules, SIEM queries, or detection priorities.

Existing tools visualize — they don't automate the workflow

ATT&CK Navigator and similar tools are excellent for visualization, but they require the analyst to build layers manually. The extraction, comparison, and export workflow still requires custom effort.

Privacy-sensitive reports can't go to commercial tools

Customer reports, red team debriefs, and internal incidents can't be uploaded to cloud-hosted SaaS analysis platforms. Analysts need self-hosted options with full data control.

What ThreatMapper Does

ThreatMapper automates the mechanical steps of the CTI-to-detection workflow while keeping analyst judgment at every decision gate.

From report to ATT&CK techniques

Upload a PDF, DOCX, or paste raw text. Select your LLM provider. ThreatMapper extracts ATT&CK technique IDs with supporting evidence and confidence scores, streamed token by token.

PDF · DOCX · TXT · Claude · GPT-4o · Gemini · Streaming extraction

TTP overlap against known groups and campaigns

Extracted techniques are compared against all known ATT&CK groups and campaigns using Jaccard similarity. Results surface groups with the highest TTP overlap — useful as an analytical signal for hypothesis generation and investigation prioritization.

Current ATT&CK group profiles · Jaccard TTP overlap · Hypothesis generation

ATT&CK Navigator heatmaps

Extracted techniques are visualized as an interactive ATT&CK Navigator-style heatmap. Layer overlays, campaign comparisons, and named layer libraries allow side-by-side analytical views.

Navigator layers · Campaign overlay · Layer library

Structured outputs for detection workflows

Export structured technique lists, confidence scores, and evidence references. One-click PDF reports suitable for analyst handoffs, briefings, or detection backlog tickets.

PDF reports · Structured JSON · Detection backlog support

Workflow

End-to-end flow from raw threat report to analyst-ready output.

Threat Report → LLM-assisted extraction → ATT&CK technique mapping → Group / Campaign TTP overlap → Gap analysis → Navigator layer / PDF / detection backlog

All steps include analyst review points. ThreatMapper accelerates mechanical work — it does not replace analyst judgment on evidence quality, confidence calibration, or attribution decisions.

Key Capabilities

ThreatMapper Web vs ThreatMapper Docker

ThreatMapper Web

A public browser-native ATT&CK workspace for exploring techniques, building layers, comparing group profiles, loading sample workflows, reviewing detection gaps, and exporting analyst-ready outputs. It does not perform LLM report extraction or backend private-report storage.

ThreatMapper Docker

The full self-hosted platform for provider-configured AI-assisted report extraction, private PostgreSQL-backed analyses, campaign comparison, API access, PDF reports, and ATT&CK synchronization.

Privacy and deployment note. In Docker mode, report content is sent only to the LLM provider configured by the operator. For fully private analysis, use a local or private LLM gateway. Internet-facing deployments require access control, TLS, restricted network exposure, backups, retention controls, and secrets management.

On Attribution and TTP Overlap

ThreatMapper does not perform definitive attribution. TTP overlap scores are Jaccard similarity values computed against known ATT&CK group and campaign profiles. These scores are useful as analytical signals for hypothesis generation, investigation prioritization, and detection focus — not as definitive attribution claims. TTP overlap with a known group's profile does not confirm that group's involvement. Multiple groups share common techniques. Analyst judgment and corroborating evidence are required before any attribution conclusion is drawn.
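The overlap scoring and gap analysis described above (and in the TTP overlap section earlier), as an added example that is not ThreatMapper's own code: Jaccard similarity over ATT&CK technique-ID sets, ranked across group profiles, plus a per-technique prevalence count that goes beyond the page's description and shows which shared techniques are common to many groups and therefore carry little attribution weight. Group names and technique sets are constructed placeholders, not real ATT&CK group data.

```python
# Added example, not ThreatMapper's own code. Group profiles are constructed
# placeholders (GROUP-A/B/C), not real ATT&CK group data.
from __future__ import annotations


def jaccard(a: set[str], b: set[str]) -> float:
    """|A ∩ B| / |A ∪ B|, returning 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_overlap(extracted: set[str], profiles: dict[str, set[str]], top_n: int = 3):
    """Score every profile against the extracted TTP set; highest overlap first,
    ties broken by name so the ranking is deterministic."""
    scored = [(name, jaccard(extracted, ttps)) for name, ttps in profiles.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored[:top_n]


def gap_analysis(extracted: set[str], profile: set[str]) -> dict[str, list[str]]:
    """Shared techniques, profile techniques the report did not show (unobserved),
    and report techniques absent from the profile (unprofiled)."""
    return {
        "shared": sorted(extracted & profile),
        "unobserved": sorted(profile - extracted),
        "unprofiled": sorted(extracted - profile),
    }


def technique_prevalence(extracted: set[str], profiles: dict[str, set[str]]) -> dict[str, int]:
    """How many profiles use each extracted technique. A high count means the
    technique is widely shared and does little to distinguish one group from another."""
    return {t: sum(t in ttps for ttps in profiles.values()) for t in sorted(extracted)}


# Constructed sample: technique IDs extracted from a hypothetical report.
EXTRACTED = {"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1105"}

# Constructed placeholder profiles; not real ATT&CK groups.
PROFILES = {
    "GROUP-A": {"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1105", "T1027"},
    "GROUP-B": {"T1566.001", "T1059.001", "T1071.001", "T1486", "T1490", "T1021.002"},
    "GROUP-C": {"T1190", "T1505.003", "T1003.001", "T1021.001", "T1059.001"},
}

if __name__ == "__main__":
    for name, score in rank_overlap(EXTRACTED, PROFILES):
        print(f"{name}: Jaccard={score:.3f}")
    print(gap_analysis(EXTRACTED, PROFILES["GROUP-A"]))
    print(technique_prevalence(EXTRACTED, PROFILES))
```

GROUP-B scores 0.375 purely on phishing, PowerShell and web-protocol C2, techniques that the prevalence count shows are shared by most profiles; that is the kind of overlap an analyst should treat as a hypothesis, not a finding.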

Architecture Overview

ThreatMapper is a self-hosted stack deployable via Docker Compose.

Frontend

React single-page application. Interactive ATT&CK Navigator matrix, streaming extraction panel, comparison views, and report generation. Runs in the browser after container startup.

Backend API

FastAPI (Python). Handles report ingestion, LLM provider routing, ATT&CK data lookups, similarity computation, and structured output generation. REST endpoints, documented and testable.

Storage

PostgreSQL database for storing analysis results, technique extractions, report metadata, and layer configurations. Enables stored report comparison across multiple analyses.

ATT&CK Data Layer

Bundled MITRE ATT&CK STIX data for Enterprise, Mobile, and ICS domains. Group and campaign profiles used for TTP overlap computation without requiring external API calls during analysis.

LLM Provider Abstraction

Configurable multi-provider LLM routing. Claude (Anthropic), OpenAI GPT-4o, and Google Gemini supported. Provider selection at analysis time — no vendor lock-in, switchable per use case.

Export and Reporting Layer

Structured JSON output for downstream tooling integration. ATT&CK Navigator-compatible layer files. PDF report generation for analyst briefings and detection backlog handoffs.
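An added example (not ThreatMapper's own export code) of the Navigator-compatible layer export described above: it merges repeated technique IDs from an extraction, drops malformed IDs, maps confidence to a 0-100 Navigator score, and assembles the layer dict that json.dumps() turns into the layer file. The version strings, gradient colours and sample extractions are assumptions or constructed values.

```python
# Added example, not ThreatMapper's own code. Version strings, gradient colours
# and the sample extractions are assumptions/constructed values.
import re

# Well-formed ATT&CK technique or sub-technique ID, e.g. T1059 or T1059.001
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def confidence_to_score(confidence: float) -> int:
    """Map a 0.0-1.0 extraction confidence to a 0-100 Navigator score, clamped."""
    return max(0, min(100, round(confidence * 100)))


def merge_extractions(extractions):
    """Collapse repeated IDs (highest confidence wins, all evidence kept) and
    drop malformed IDs, which LLM output can produce."""
    merged = {}
    for e in extractions:
        tid = str(e["id"]).strip().upper()
        if not TECHNIQUE_ID.match(tid):
            continue
        cur = merged.setdefault(tid, {"confidence": 0.0, "evidence": []})
        cur["confidence"] = max(cur["confidence"], float(e["confidence"]))
        if e.get("evidence"):
            cur["evidence"].append(e["evidence"])
    return merged


def build_navigator_layer(name, extractions, domain="enterprise-attack"):
    """Return a Navigator layer dict; json.dumps() it to produce the layer file."""
    techniques = [
        {"techniqueID": tid, "score": confidence_to_score(v["confidence"]),
         "comment": " | ".join(v["evidence"]), "enabled": True, "showSubtechniques": False}
        for tid, v in sorted(merge_extractions(extractions).items())
    ]
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": domain,
        "description": "LLM-extracted techniques; score = extraction confidence x 100",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 100},
    }


# Constructed sample extractions: two hits for one technique, one malformed ID.
SAMPLE = [
    {"id": "T1566.001", "confidence": 0.9, "evidence": "spearphishing attachment delivered the loader"},
    {"id": "T1059.001", "confidence": 0.6, "evidence": "macro launched encoded PowerShell"},
    {"id": "T1059.001", "confidence": 0.8, "evidence": "PowerShell staged the second-stage payload"},
    {"id": "T9999999", "confidence": 0.7, "evidence": "malformed ID, dropped"},
]
```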

ThreatMapper in the 1200km Ecosystem

ThreatMapper is one component in a broader CTI and detection engineering portfolio. Related projects it connects to:

CTI Analyst Field Manual

Practitioner tradecraft for CTI analysts: evidence discipline, attribution methodology, Admiralty scale, hunting hypothesis construction, and detection backlog management. 80 pages, 10 modules.

Operation Desert Hydra

Complete CTI-to-detection pipeline on a real adversary — the kind of structured workflow ThreatMapper is designed to accelerate. From raw reports to 16 validated detection rules.

OpenCTI Intelligent Shield

OpenCTI platform with AI enrichment connector — structured STIX 2.1 intelligence management, source confidence scoring, and analyst-gated knowledge graph workflows.

Customer-Driven AI CTI

End-to-end methodology for structured CTI engagements with human validation gates. ThreatMapper fits into the extraction and mapping phases of this 15-phase cycle.

Anomaly Detection Atlas

Vendor-neutral reference connecting ATT&CK-aligned techniques to statistical anomalies and log sources. Useful downstream from ThreatMapper output for detection design.

Insider Threat Detection Guide

Detection engineering reference for insider threat scenarios — 14 documented cases, 4-tier detection taxonomy, UEBA, and deception. ATT&CK-aligned throughout.

Old Defense vs New-Age Attacks

How AI changes the attacker skill floor and what SOC teams must change in detection, CTI, and response. Context for why AI-assisted CTI tooling matters for defenders.

ThreatMapper Web

Browser-native ATT&CK explorer with dynamic current-release data, group-profile comparison, TTP gap analysis, local workspaces, sample workflows, and exports. No LLM extraction or backend report storage.

Israel Government Threat Actors CTI

Sector CTI covering Iranian, Palestinian, and regional threat actors targeting Israeli public sector and critical infrastructure — the type of structured CTI ThreatMapper helps produce.