FIREWATCH//CTI — User Guide

A single-file, browser-based Cyber Threat Intelligence operations console. It maps observed tradecraft to MITRE ATT&CK, attributes activity to threat groups, ingests live intel, and turns scans and reports into hunt plans — all client-side, no server.

Observe TTPs / CVEs / reports Map to ATT&CK Attribute & enrich Plan the hunt Export (Navigator / Sigma / STIX)

This build adds four capabilities ported from two sister projects: Barracuda (sentence→technique mapping) and Piranha (Nessus/CVE mapping, tactic optimizer + coverage radar, and profile matching).

Getting started

  1. Open console.html (or the Launch Console button on the landing page) in a modern browser (Chrome, Edge, or Firefox). Everything runs locally in the page.
  2. On first launch it downloads the MITRE ATT&CK Enterprise bundle (~50 MB) and builds a local model. This is cached in your browser (IndexedDB) for 7 days, so subsequent loads are instant.
  3. When the top bar shows ATT&CK: v… · N groups · N techniques, you're ready.
  4. Switch tabs with the top navigation or press 19. Hover almost anything for an inline explanation.
First run after this update: the data model was extended (technique data components, needed for the radar/optimizer), so the console re-downloads the ATT&CK bundle once to rebuild the cache. Use ↻ Refresh in the top bar any time to force a fresh pull.
Network note: live features fetch from public sources (MITRE, NVD, FIRST/EPSS, RSS via CORS proxies, and the cve2capec database on GitHub). If your environment blocks these, those specific features will show a fetch error but the rest of the console keeps working.

Fastest way in — the demo

On first launch a welcome panel offers to load a demo investigation. It drops a fictional intrusion report into the Extractor, auto-extracts the techniques, lights up Attribution, and files everything — TTPs and IOCs — into a ready-made case. It is the quickest way to see the whole pipeline end to end. You can re-run it any time from the empty Attribution screen, the empty Cases screen, or the command palette.

Command palette: press Ctrl/Cmd + K anywhere to jump to a tab, search any technique or group by name or ID, or run an action (new case, ingest, export, load demo). Press / to focus the current tab's search, and ? for the full shortcut list.

Core concepts

TTP
A tactic/technique/procedure, referenced by ATT&CK ID like T1566.001. Your working "selection" of TTPs drives Attribution, recommendations, Hunt Plan and Profile Match.
Rarity (Ng)
Each technique shows how many groups use it. Rare techniques are more diagnostic — they narrow attribution to fewer candidates.
Selection is shared
Techniques you add from any tab (Extractor, Feed, Scan) flow into the same Attribution selection. Most "Load →" buttons target it.
Everything is local
Cases and threat profiles persist in your browser only. Use the export buttons (Navigator, Sigma, STIX, .pir) to share.
The active case new
One case is always the collection point. TTPs, IOCs, CVEs and reports from any tab accrue to it — tracked in the bar under the top navigation.
Send-to & workflows new
A universal menu moves any artifact between tabs, and ⚡ Workflows runs guided, tab-by-tab pipelines.

1 · Attribution core

Select the TTPs you observed in an intrusion and rank the threat groups most likely responsible, using a naive-Bayes posterior over ATT&CK group–technique mappings.

  1. In the left Technique Selection panel, expand a tactic or search (e.g. lsass or T1003) and click techniques to select them.
  2. The center Attribution Probability list ranks groups live as you select. Bars show normalized posterior probability.
  3. Read the confidence banner — it warns about single observables, weak matches, or low separation between candidates, to resist over-attribution.
  4. Click any group to open its full dossier; use the Evidence Matrix to see which candidate uses which of your TTPs.
  5. The right panel suggests mitigations and detections ranked by how many of your techniques they cover — your SOC bridge.
Tip: add at least one rare technique. Common techniques (used by many groups) barely move the posterior; rare ones concentrate it.

2 · Intel Feed core

Three live modes. Reports and vulnerabilities are filtered to your sector; IOC feeds are global. Report sources are curated in js/sources.js — the one file to edit to add feeds — leaning on the community-maintained awesome-threat-intelligence list.

ModeWhat it pulls
Threat ReportsNarrative reports from 30+ credible sources (CISA, Talos, Unit 42, Mandiant, The DFIR Report…), auto-enriched with extracted TTPs and IOCs, and flagged against your Priority Intel Requirements.
VulnerabilitiesLive CVEs from NVD, marked with CISA-KEV (actively exploited) and EPSS (exploitation probability), scored into a composite 0–100 risk and ranked for your sector.
IOC Feeds newMachine-readable indicator blocklists (IPsum, ThreatFox, URLhaus, Feodo Tracker, SSL Blacklist, OpenPhish, CINS Army, Emerging Threats, DigitalSide) fetched client-side, with single-indicator lookup and one-click cross-checking of the active case.
  1. Pick your Sector and time Window.
  2. (Vulnerabilities) set a minimum CVSS, or check Exploited only for KEV.
  3. Click ◈ Ingest. Expand any item for its BLUF, IOCs (with pivot links), and inferred techniques.
  4. Define ⚑ PIRs (actors/keywords) so matching reports float to the top on the next ingest.
  5. After ingest, a bar shows how fresh the results are and how many sources responded — click the failure count to see which feeds were unreachable. Results are cached, so switching tabs and back does not re-fetch.

2b · IOC Feeds new

Switch the Intel Feed to ◈ IOC FEEDS mode to work with open machine-readable blocklists, curated from the awesome-threat-intelligence list. Everything is fetched into browser memory — nothing is sent anywhere.

  1. Click ◈ Ingest to fetch all ten feeds (or fetch feeds individually). Each card shows the live indicator count.
  2. Lookup: paste any indicator — IP, domain, URL, or SSL SHA-1, defanged is fine — and hit ⌕ Check. Hits show which feeds list it (and why, when the feed says, e.g. the malware family from ThreatFox or the number of blocklists from IPsum). One click adds it to the active case.
  3. ◈ Cross-check active case: every IOC accumulated on your active case is checked against every fetched feed at once — instant triage of which of your indicators are already publicly known-bad.
Reading a miss correctly: absence from open blocklists is not innocence — targeted infrastructure is often unlisted. Treat hits as strong corroboration and misses as no-information.

3 · Report Extractor core enhanced — Barracuda

Turn any unstructured threat report into ATT&CK techniques using 4-layer matching: explicit IDs, exact technique names, ~55 curated analyst-phrasing patterns, and TF-IDF semantic sentence matching.

Getting text in — three ways

  1. Paste directly into the box.
  2. ↧ URL — paste a link to a vendor blog or advisory; readable text is scraped via proxy into the box.
  3. ↥ PDF — load a PDF report; text is extracted locally in-browser with pdf.js (nothing is uploaded).

Then click Analyze Report. Toggle the output between two views:

TECHNIQUES
The classic hit list — each technique with its strongest evidence snippet and a confidence tag. Check/uncheck, then Load → Attribution.
SENTENCE MAP new
Barracuda-style drill-down: every technique with all sentences that mapped to it, color-coded by match type.
Sentence-map controls: Drop removes an irrelevant sentence from one technique; Drop all removes it from every technique (e.g. boilerplate or ads); adds that technique to Attribution. Counts update as you prune.

4 · APT Profiles core

A searchable dossier for every tracked group: aliases and G-ID, tactic footprint, associated software, attributed campaigns with date ranges, and the group's most distinctive (rarest) TTPs. Search by name, alias, or G-ID; optionally filter to financially-motivated groups. Each dossier can export a Navigator layer of that group's technique usage.

5 · Compare core

Pick 2–3 groups to see shared vs. unique techniques and a Jaccard similarity score. Useful when two actors are easy to confuse — the "unique" columns show each group's distinctive tradecraft that actually discriminates between them.

6 · Cases core now the spine

A case is a living investigation, not just a TTP snapshot. It accumulates TTPs, IOCs, CVEs and reports from every tab (see Active Case spine). The active case is highlighted with a green marker. For any case you can Set active, Load TTPs back into Attribution, edit its name/notes (), export a 📄 Markdown intelligence report (summary, attribution ranking, TTP table, IOC appendix — the artifact you paste into a ticket or wiki), list its IOCs, or export a STIX 2.1 bundle (attack-patterns + top attributed group + IOC indicators, for MISP/OpenCTI) or a candidate Sigma rule. Cases persist in your browser.

“Save current TTP set” still works the classic way — it folds your current selection into the active case (creating one if needed) and records the top candidate.

7 · Scan → TTP new — Piranha

Translate vulnerability findings into adversary techniques. Import a Nessus scan or paste CVEs; each CVE is mapped to ATT&CK techniques via the cve2capec database, then shown as a CVSS-weighted heatmap.

  1. Nessus: choose a .nessus / .xml export — CVEs, CVSS scores and hosts are parsed locally. Or paste CVE IDs (one per line or comma-separated) into the CVE list.
  2. Click ◈ Map CVEs → Techniques. The relevant year(s) of the cve2capec database are fetched once and cached; every CVE is resolved to techniques.
  3. The right panel lists mapped techniques, sorted by heat. The colored bar and score reflect the highest CVSS of any CVE mapping to that technique. Expand a row to see the contributing CVEs.
  4. Use Load techniques → Attribution to pivot into group attribution, or ⤓ Navigator heatmap to export a scored ATT&CK layer.
Nessus / CVEscve2capecATT&CK techniquesCVSS heatmap
Large scans: a full Nessus export can contain thousands of CVEs spanning many years, so the first map may take a moment while each year's database is downloaded. Results and databases are cached for repeat runs.

8 · Hunt Plan rebuilt

The Hunt Plan turns what you have observed into what to look for next — driven by your selection and automatic attribution.

Source & auto-attribution

Pick where your observed techniques come from — your current selection, the active case, or a specific APT's footprint. FireWatch immediately runs attribution over that set and shows the most likely actor, its posterior confidence, and how much of your set matches — with the same over-attribution caveats as the Attribution tab. (The likely actor also shows live in the active-case bar as you work, across every tab.)

Coverage & kill-chain spread

Two coverage meters show what fraction of your observed techniques have documented ATT&CK detections and mitigations — your defensive readiness at a glance. A kill-chain bar shows how your techniques spread across tactics, so gaps in the chain are obvious.

Hunt hypotheses

This is the core of the rebuilt tab. Given the attributed actor, FireWatch lists the techniques that actor is known to use but you have not observed yet — ranked most-distinctive first — each annotated with its documented detection strategy and mitigation (or flagged as a telemetry gap where none exists). It is a concrete "go look for these next" list. Click any hypothesis to fold it into your working selection.

Detection blind spots

Finally, any observed technique with no documented detection strategy is surfaced as a blind spot — validate that you actually have telemetry for it.

Why it changed: the previous data-component radar depended on a field (x_mitre_data_sources) that MITRE removed from ATT&CK v17 onward, so it read as empty on current data. The rebuilt plan uses detection, mitigation, and group-technique relationships that remain populated — and is far more actionable.

9 · Profile Match new — Piranha

Build reusable threat profiles and score a scan or selection against them with precision / recall / F1.

Build or import a profile

  1. Name the profile, optionally describe it, and select one or more APTs — their combined technique footprint becomes the profile's techniques. Any techniques in your current Attribution selection are added too.
  2. Click Save profile (stored in your browser), or ⤒ .pir to import a Piranha profile file. Click a saved profile to view/export its JSON.

Compare

  1. Choose a compare target: your current selection, or the last mapped scan from the Scan → TTP tab.
  2. Click ◈ Compare. Each profile is scored and ranked by F1.
MetricReads as
PrecisionOf the techniques in your target, how many appear in the profile.
RecallOf the profile's techniques, how many your target covers.
F1The harmonic mean — a single balanced match score (1.0 = perfect).

Each result card highlights matched (green) vs. unmatched profile techniques, so you can see where a scan aligns with — or diverges from — a known adversary pattern.

Active Case spine new

The nine tabs used to be islands. The Active Case bar — the strip directly under the top navigation — is now the spine that ties them together. One case is "active" at a time, and observations from any tab accrue to it: TTPs, IOCs, CVEs, and reports. The bar always shows the running tally (N TTPs · N IOCs · N reports · top candidate).

ControlWhat it does
+ NewStart a fresh, empty case and make it active. (If no case is active, the first thing you add creates one automatically.)
switch ▾Change which saved case is active.
+ SelectionAdd the current Attribution TTP selection to the active case.
⤓ STIXExport the whole active case — TTPs, top attributed group, and IOC indicators — as a STIX 2.1 bundle.
⚡ WorkflowsOpen the guided-workflow launcher (see below).

IOCs are now first-class

Indicators are no longer just throw-away pivot links inside a feed item. When you expand a report in the Intel Feed and click ◈ Add IOCs+TTPs → case, every indicator (IPv4, domain, URL, MD5/SHA-1/SHA-256, email, CVE) is de-duplicated and stored on the active case with its type. From the Cases tab, the IOCs button dumps them as a plain list, and they are emitted as STIX indicator objects in the case bundle — ready for a TIP.

Nothing to configure. You never have to "open" a case first. Add a technique from a report, map a scan, or accept extractor hits, and it lands in the active case automatically — the bar updates live.

Send-to bus new

Wherever the console shows an artifact — a technique, an IOC, a CVE, a report, or a group — a small button opens a Send to… menu. It's the same menu everywhere, so you never have to copy an ID across tabs by hand. Destinations adapt to what you're sending:

ArtifactSend-to destinations
Technique(s)Attribution (select) · active case · Hunt Plan source · Profile Match target · Navigator layer · Sigma rule
IOCActive case · copy value · external pivots (VirusTotal, Shodan, AbuseIPDB, urlscan…)
CVEScan → TTP (map it) · active case · NVD · CISA KEV
ReportReport Extractor (load its text) · add report to case · open source
GroupAttribution (load footprint) · Compare · Hunt Plan · Profile Match builder

Guided workflows new

Click ⚡ Workflows in the case bar to launch a guided pipeline. A stepper appears under the case bar and walks you tab-by-tab through a complete investigation — each step switches to the right tab and tells you exactly what to do. Your active case and selection carry through automatically, so context is never lost between steps. Click any step to jump, Next → to advance, or ✕ exit to leave the rails at any time.

📄 Report Triage

Extract (paste / URL / PDF)Load TTPsAttributeSave to case (+ IOCs)Export STIX / Sigma

🛰️ Scan → Hunt

Map scan (Nessus / CVEs)Load TTPsAttributeHunt Plan: radar + optimizeNavigator heatmap

🎯 Actor Assessment

Build profile from APTsSet target (selection / scan)Compare → F1 rankingRecord to case

Shortcuts & tips

ActionHow
Command paletteCtrl/Cmd + K — tabs, techniques, groups, actions
Switch tabs19 (when not typing in a field)
Focus current tab search/
Shortcut list?
Move an artifact between tabsClick its Send-to button
Run a guided investigation⚡ Workflows in the active-case bar
Close a dialog / drawerEsc
Understand any controlHover it — nearly everything has an inline tooltip
Force fresh ATT&CK data↻ Refresh in the top bar
Filter techniques fastType a keyword or a T-ID in the selection search

Credits & data sources

FIREWATCH // CTI builds on the MITRE ATT&CK® knowledge base and enriches it with live public feeds:

  • MITRE ATT&CK — techniques, groups, software, mitigations, detections, data components.
  • NVD (NIST) — CVE records and CVSS; CISA KEV — known-exploited catalog; FIRST EPSS — exploitation probability.
  • cve2capec — CVE → CWE → CAPEC → ATT&CK technique mappings (fetched from the Piranha project's database).
  • ~24 threat-intel RSS/Atom sources for the reports feed.

Ported capabilities: Barracuda (sentence→T-code mapping, PDF/URL ingest) and Piranha (Nessus/CVE mapping, data-component radar, tactic optimizer, threat-profile builder and F1 matching), both by williamjsmail. Exports are provided as ATT&CK Navigator layers, Sigma rules (candidates to tune), STIX 2.1 bundles, and .pir profiles.

Analyst judgment required. Attribution posteriors, inferred techniques, generated Sigma rules and heatmaps are decision aids, not conclusions. Corroborate with non-TTP evidence before any formal attribution or production deployment.