FIREWATCH//CTI — User Guide
A single-file, browser-based Cyber Threat Intelligence operations console. It maps observed tradecraft to MITRE ATT&CK, attributes activity to threat groups, ingests live intel, and turns scans and reports into hunt plans — all client-side, no server.
This build adds four capabilities ported from two sister projects: Barracuda (sentence→technique mapping) and Piranha (Nessus/CVE mapping, tactic optimizer + coverage radar, and profile matching).
Getting started
- Open
console.html(or the Launch Console button on the landing page) in a modern browser (Chrome, Edge, or Firefox). Everything runs locally in the page. - On first launch it downloads the MITRE ATT&CK Enterprise bundle (~50 MB) and builds a local model. This is cached in your browser (IndexedDB) for 7 days, so subsequent loads are instant.
- When the top bar shows ATT&CK: v… · N groups · N techniques, you're ready.
- Switch tabs with the top navigation or press 1–9. Hover almost anything for an inline explanation.
Fastest way in — the demo
On first launch a welcome panel offers to load a demo investigation. It drops a fictional intrusion report into the Extractor, auto-extracts the techniques, lights up Attribution, and files everything — TTPs and IOCs — into a ready-made case. It is the quickest way to see the whole pipeline end to end. You can re-run it any time from the empty Attribution screen, the empty Cases screen, or the command palette.
Core concepts
T1566.001. Your working "selection" of TTPs drives Attribution, recommendations, Hunt Plan and Profile Match.1 · Attribution core
Select the TTPs you observed in an intrusion and rank the threat groups most likely responsible, using a naive-Bayes posterior over ATT&CK group–technique mappings.
- In the left Technique Selection panel, expand a tactic or search (e.g.
lsassorT1003) and click techniques to select them. - The center Attribution Probability list ranks groups live as you select. Bars show normalized posterior probability.
- Read the confidence banner — it warns about single observables, weak matches, or low separation between candidates, to resist over-attribution.
- Click any group to open its full dossier; use the Evidence Matrix to see which candidate uses which of your TTPs.
- The right panel suggests mitigations and detections ranked by how many of your techniques they cover — your SOC bridge.
2 · Intel Feed core
Three live modes. Reports and vulnerabilities are filtered to your sector; IOC feeds are global. Report sources are curated in js/sources.js — the one file to edit to add feeds — leaning on the community-maintained awesome-threat-intelligence list.
| Mode | What it pulls |
|---|---|
| Threat Reports | Narrative reports from 30+ credible sources (CISA, Talos, Unit 42, Mandiant, The DFIR Report…), auto-enriched with extracted TTPs and IOCs, and flagged against your Priority Intel Requirements. |
| Vulnerabilities | Live CVEs from NVD, marked with CISA-KEV (actively exploited) and EPSS (exploitation probability), scored into a composite 0–100 risk and ranked for your sector. |
| IOC Feeds new | Machine-readable indicator blocklists (IPsum, ThreatFox, URLhaus, Feodo Tracker, SSL Blacklist, OpenPhish, CINS Army, Emerging Threats, DigitalSide) fetched client-side, with single-indicator lookup and one-click cross-checking of the active case. |
- Pick your Sector and time Window.
- (Vulnerabilities) set a minimum CVSS, or check Exploited only for KEV.
- Click ◈ Ingest. Expand any item for its BLUF, IOCs (with pivot links), and inferred techniques.
- Define ⚑ PIRs (actors/keywords) so matching reports float to the top on the next ingest.
- After ingest, a bar shows how fresh the results are and how many sources responded — click the failure count to see which feeds were unreachable. Results are cached, so switching tabs and back does not re-fetch.
2b · IOC Feeds new
Switch the Intel Feed to ◈ IOC FEEDS mode to work with open machine-readable blocklists, curated from the awesome-threat-intelligence list. Everything is fetched into browser memory — nothing is sent anywhere.
- Click ◈ Ingest to fetch all ten feeds (or fetch feeds individually). Each card shows the live indicator count.
- Lookup: paste any indicator — IP, domain, URL, or SSL SHA-1, defanged is fine — and hit ⌕ Check. Hits show which feeds list it (and why, when the feed says, e.g. the malware family from ThreatFox or the number of blocklists from IPsum). One click adds it to the active case.
- ◈ Cross-check active case: every IOC accumulated on your active case is checked against every fetched feed at once — instant triage of which of your indicators are already publicly known-bad.
3 · Report Extractor core enhanced — Barracuda
Turn any unstructured threat report into ATT&CK techniques using 4-layer matching: explicit IDs, exact technique names, ~55 curated analyst-phrasing patterns, and TF-IDF semantic sentence matching.
Getting text in — three ways
- Paste directly into the box.
- ↧ URL — paste a link to a vendor blog or advisory; readable text is scraped via proxy into the box.
- ↥ PDF — load a PDF report; text is extracted locally in-browser with pdf.js (nothing is uploaded).
Then click Analyze Report. Toggle the output between two views:
4 · APT Profiles core
A searchable dossier for every tracked group: aliases and G-ID, tactic footprint, associated software, attributed campaigns with date ranges, and the group's most distinctive (rarest) TTPs. Search by name, alias, or G-ID; optionally filter to financially-motivated groups. Each dossier can export a Navigator layer of that group's technique usage.
5 · Compare core
Pick 2–3 groups to see shared vs. unique techniques and a Jaccard similarity score. Useful when two actors are easy to confuse — the "unique" columns show each group's distinctive tradecraft that actually discriminates between them.
6 · Cases core now the spine
A case is a living investigation, not just a TTP snapshot. It accumulates TTPs, IOCs, CVEs and reports from every tab (see Active Case spine). The active case is highlighted with a green marker. For any case you can Set active, Load TTPs back into Attribution, edit its name/notes (✎), export a 📄 Markdown intelligence report (summary, attribution ranking, TTP table, IOC appendix — the artifact you paste into a ticket or wiki), list its IOCs, or export a STIX 2.1 bundle (attack-patterns + top attributed group + IOC indicators, for MISP/OpenCTI) or a candidate Sigma rule. Cases persist in your browser.
7 · Scan → TTP new — Piranha
Translate vulnerability findings into adversary techniques. Import a Nessus scan or paste CVEs; each CVE is mapped to ATT&CK techniques via the cve2capec database, then shown as a CVSS-weighted heatmap.
- Nessus: choose a
.nessus/.xmlexport — CVEs, CVSS scores and hosts are parsed locally. Or paste CVE IDs (one per line or comma-separated) into the CVE list. - Click ◈ Map CVEs → Techniques. The relevant year(s) of the cve2capec database are fetched once and cached; every CVE is resolved to techniques.
- The right panel lists mapped techniques, sorted by heat. The colored bar and score reflect the highest CVSS of any CVE mapping to that technique. Expand a row to see the contributing CVEs.
- Use Load techniques → Attribution to pivot into group attribution, or ⤓ Navigator heatmap to export a scored ATT&CK layer.
8 · Hunt Plan rebuilt
The Hunt Plan turns what you have observed into what to look for next — driven by your selection and automatic attribution.
Source & auto-attribution
Pick where your observed techniques come from — your current selection, the active case, or a specific APT's footprint. FireWatch immediately runs attribution over that set and shows the most likely actor, its posterior confidence, and how much of your set matches — with the same over-attribution caveats as the Attribution tab. (The likely actor also shows live in the active-case bar as you work, across every tab.)
Coverage & kill-chain spread
Two coverage meters show what fraction of your observed techniques have documented ATT&CK detections and mitigations — your defensive readiness at a glance. A kill-chain bar shows how your techniques spread across tactics, so gaps in the chain are obvious.
Hunt hypotheses
This is the core of the rebuilt tab. Given the attributed actor, FireWatch lists the techniques that actor is known to use but you have not observed yet — ranked most-distinctive first — each annotated with its documented detection strategy and mitigation (or flagged as a telemetry gap where none exists). It is a concrete "go look for these next" list. Click any hypothesis to fold it into your working selection.
Detection blind spots
Finally, any observed technique with no documented detection strategy is surfaced as a blind spot — validate that you actually have telemetry for it.
x_mitre_data_sources) that MITRE removed from ATT&CK v17 onward, so it read as empty on current data. The rebuilt plan uses detection, mitigation, and group-technique relationships that remain populated — and is far more actionable.
9 · Profile Match new — Piranha
Build reusable threat profiles and score a scan or selection against them with precision / recall / F1.
Build or import a profile
- Name the profile, optionally describe it, and select one or more APTs — their combined technique footprint becomes the profile's techniques. Any techniques in your current Attribution selection are added too.
- Click Save profile (stored in your browser), or ⤒ .pir to import a Piranha profile file. Click a saved profile to view/export its JSON.
Compare
- Choose a compare target: your current selection, or the last mapped scan from the Scan → TTP tab.
- Click ◈ Compare. Each profile is scored and ranked by F1.
| Metric | Reads as |
|---|---|
| Precision | Of the techniques in your target, how many appear in the profile. |
| Recall | Of the profile's techniques, how many your target covers. |
| F1 | The harmonic mean — a single balanced match score (1.0 = perfect). |
Each result card highlights matched (green) vs. unmatched profile techniques, so you can see where a scan aligns with — or diverges from — a known adversary pattern.
Active Case spine new
The nine tabs used to be islands. The Active Case bar — the strip directly under the top navigation — is now the spine that ties them together. One case is "active" at a time, and observations from any tab accrue to it: TTPs, IOCs, CVEs, and reports. The bar always shows the running tally (N TTPs · N IOCs · N reports · top candidate).
| Control | What it does |
|---|---|
| + New | Start a fresh, empty case and make it active. (If no case is active, the first thing you add creates one automatically.) |
| switch ▾ | Change which saved case is active. |
| + Selection | Add the current Attribution TTP selection to the active case. |
| ⤓ STIX | Export the whole active case — TTPs, top attributed group, and IOC indicators — as a STIX 2.1 bundle. |
| ⚡ Workflows | Open the guided-workflow launcher (see below). |
IOCs are now first-class
Indicators are no longer just throw-away pivot links inside a feed item. When you expand a report in the Intel Feed and click ◈ Add IOCs+TTPs → case, every indicator (IPv4, domain, URL, MD5/SHA-1/SHA-256, email, CVE) is de-duplicated and stored on the active case with its type. From the Cases tab, the IOCs button dumps them as a plain list, and they are emitted as STIX indicator objects in the case bundle — ready for a TIP.
Send-to bus new
Wherever the console shows an artifact — a technique, an IOC, a CVE, a report, or a group — a small ➤ button opens a Send to… menu. It's the same menu everywhere, so you never have to copy an ID across tabs by hand. Destinations adapt to what you're sending:
| Artifact | Send-to destinations |
|---|---|
| Technique(s) | Attribution (select) · active case · Hunt Plan source · Profile Match target · Navigator layer · Sigma rule |
| IOC | Active case · copy value · external pivots (VirusTotal, Shodan, AbuseIPDB, urlscan…) |
| CVE | Scan → TTP (map it) · active case · NVD · CISA KEV |
| Report | Report Extractor (load its text) · add report to case · open source |
| Group | Attribution (load footprint) · Compare · Hunt Plan · Profile Match builder |
Guided workflows new
Click ⚡ Workflows in the case bar to launch a guided pipeline. A stepper appears under the case bar and walks you tab-by-tab through a complete investigation — each step switches to the right tab and tells you exactly what to do. Your active case and selection carry through automatically, so context is never lost between steps. Click any step to jump, Next → to advance, or ✕ exit to leave the rails at any time.
📄 Report Triage
🛰️ Scan → Hunt
🎯 Actor Assessment
Shortcuts & tips
| Action | How |
|---|---|
| Command palette | Ctrl/Cmd + K — tabs, techniques, groups, actions |
| Switch tabs | 1–9 (when not typing in a field) |
| Focus current tab search | / |
| Shortcut list | ? |
| Move an artifact between tabs | Click its ➤ Send-to button |
| Run a guided investigation | ⚡ Workflows in the active-case bar |
| Close a dialog / drawer | Esc |
| Understand any control | Hover it — nearly everything has an inline tooltip |
| Force fresh ATT&CK data | ↻ Refresh in the top bar |
| Filter techniques fast | Type a keyword or a T-ID in the selection search |
Credits & data sources
FIREWATCH // CTI builds on the MITRE ATT&CK® knowledge base and enriches it with live public feeds:
- MITRE ATT&CK — techniques, groups, software, mitigations, detections, data components.
- NVD (NIST) — CVE records and CVSS; CISA KEV — known-exploited catalog; FIRST EPSS — exploitation probability.
- cve2capec — CVE → CWE → CAPEC → ATT&CK technique mappings (fetched from the Piranha project's database).
- ~24 threat-intel RSS/Atom sources for the reports feed.
Ported capabilities: Barracuda (sentence→T-code mapping, PDF/URL ingest) and Piranha (Nessus/CVE mapping, data-component radar, tactic optimizer, threat-profile builder and F1 matching), both by williamjsmail. Exports are provided as ATT&CK Navigator layers, Sigma rules (candidates to tune), STIX 2.1 bundles, and .pir profiles.