Current v5.0.0 platform documentation. AdversaryGraph is an analyst-assistance system: AI mappings, similarity scores, IOC enrichment, malware-analysis output, and generated detections require human validation before operational use.
- Visual Evidence
- Core Workflow
- Modules and Abilities
- Module Walkthrough
- Asset Attack Surface Mapping
- Attack Simulation
- Evidence-to-Detection Graph
- Malware Analysis Extension
- Operating Notes
Platform screenshots are stored in
docs/assets/adversarygraph-v4-platform.
That folder name is historical; the screenshots remain representative of the
current v5 platform surfaces unless a newer v5-specific screenshot set is listed
below. The Asset Surface and Discover addendum is stored in
docs/assets/adversarygraph-v4.1-platform.
The malware-analysis screenshot set is stored in
docs/assets/malware-analysis-v4.
Those v4 malware screenshots remain representative for the current v5 Malware
Analysis workflow.
The v5 Attack Simulation screenshot set is stored in
docs/assets/attack-simulation-v5.
The screenshot packs include validation metadata. The platform set records
route load, expected page text, 1920x1200 dimensions, byte size, mean RGB, and
nonblank image checks in
validation.json.
The v4.1 addendum validates the representative Discover launcher layout, Asset Surface analysis output, saved analysis history, and the white Navigator layer created from asset-inventory TTP candidates.
The v5 Attack Simulation set validates the TTP-first simulation matrix, per-TTP configuration page, SIEM forwarding controls, AI scenario library, generated attack-chain graph, explain-attack panel, real-time log view, and saved SIEM destination history.
AdversaryGraph is built around this defensive CTI workflow:
report / IOC / malware sample / feed source
-> extraction and enrichment
-> ATT&CK / ATLAS mapping candidates
-> analyst validation
-> actor, campaign, sector, and IOC pivots
-> comparison and detection-gap review
-> evidence-to-detection reasoning graph
-> investigation report, exports, and operational handoff
The platform keeps the source of each conclusion visible. A technique selected from an uploaded report, an actor profile, an IOC feed, a malware sample, or an AI assistant should remain traceable back to evidence.
| Module | Primary abilities |
|---|---|
| Discover | Start workspace, monitor platform state, open common CTI workflows, inspect selected TTP counts, actor context, and recent intelligence entry points. |
| Navigator | Explore Enterprise, Mobile, ICS ATT&CK and ATLAS matrices; select TTPs; review technique detail; overlay actors; track coverage; export Navigator JSON and backlog data. |
| ATT&CK Group Library | Search actor profiles, aliases, campaigns, techniques, reports, source-backed IOCs, and push actor TTPs into Navigator or comparisons. |
| AI Analysis | Paste text or upload PDF/DOCX/TXT; choose Claude, OpenAI, Gemini, MiniMax, or local OpenAI-compatible LLM; extract mapping candidates; review evidence and add accepted TTPs. |
| Compare | Compare current TTP layers, reports, groups, and campaigns; inspect overlap, matrix diff, tactic breakdown, and gap analysis. |
| Group vs Group | Select multiple actor profiles; compare shared and exclusive techniques; view overlap matrix, combined matrix, and technique table. |
| Sector Intel | Rank actors by sector, geography, technology, recency, campaign evidence, and MISP Galaxy context. |
| Asset Surface | Upload or paste asset inventories; normalize assets, exposure, ports, technologies, and owners; create saved attack-surface cases; build an AI-assisted matrix with risk levels, entry points, ATT&CK candidates, priority actions, validation gaps, and cross-asset findings. |
| Attack Simulation | Select ATT&CK TTPs, run safe lab simulations, view real-time attacked-server logs, forward telemetry to SIEM collectors, save recent destinations, generate AI-assisted multi-phase attack stories, review attack-chain graphs, and explain validation logic. |
| Evidence Graph | Preserve evidence-to-detection reasoning paths: Evidence, Claim, Behavior, ATT&CK Technique, Required Telemetry, Detection Candidate, Detection Rule, Validation Scenario, SIEM Result, and Analyst Decision. |
| RetroHunt | Search historical local intelligence, reports, indicators, techniques, and evidence for repeated patterns. |
| Knowledge Library | Browse stored reports, references, entities, and investigation source material. |
| IOC Library | Search observables, source attribution, freshness, enrichment fields, mapped TTPs, and actor links. |
| IOC Investigation | Pivot on IPs, domains, URLs, hashes, and observables; collect reputation, DNS, urlscan, VirusTotal, GreyNoise, Shodan, AbuseIPDB, Censys, and relationship data where configured. |
| VirusTotal Lookup | Run on-demand VT enrichment for hashes, IPs, domains, and URLs; add TTP and actor context into AdversaryGraph workflows. |
| Feeds Management | Sync ATT&CK/ATLAS, ThreatFox, Malpedia, OTX, OpenCTI, STIX/TAXII, MISP JSON, custom CSV/JSON/TXT, Sigma/YARA, and sandbox behavior feeds. |
| Investigation Report | Build analyst handoff reports from selected TTPs, evidence, investigation notes, actor context, and exports. |
| Operations | Manage investigation workspaces, tracked actors, detection lifecycle records, and team operational tasks. |
| Pipeline | Register and import external intelligence sources, STIX/TAXII collections, MISP exports, sandbox behavior, and detection-content feeds. |
| DFIR Examples | Use public DFIR examples and sample workflows to demonstrate report-to-ATT&CK analysis without private data. |
| Troubleshooting | Run and review deployment self-tests, API health checks, database/Redis checks, provider status, and recovery guidance. |
| Sector Packs | Package sector-specific threat context, actors, techniques, and reusable intelligence bundles. |
| IOC Node Detail | Inspect one observable as a graph node with enrichment, linked TTPs, relationship context, and actions. |
| Malware Analysis | Analyze Windows samples in the isolated MalwareGraph workflow: static triage, hashes, strings, unpacking, decompilation, debug workspaces, AI summaries, and gated dynamic analysis. |
The Evidence Graph page connects AdversaryGraph modules into one operational reasoning model:
Evidence -> Claim -> Behavior -> ATT&CK Technique -> Required Telemetry
-> Detection Candidate -> Detection Rule -> Validation Scenario
-> SIEM Result -> Analyst Decision
Use it when a report, IOC, malware finding, asset exposure, attack simulation, or SIEM result needs to become a reviewed detection-engineering outcome. The graph separates confirmed evidence, analyst claims, inferred behavior, ATT&CK mapping, detection hypothesis, validation result, and final analyst decision.
AI-generated nodes and edges are saved as drafts. Analysts can approve, reject,
request more evidence, create next-step nodes, review gaps, and export JSON,
Markdown, CSV, or an Evidence Pack. See
docs/evidence-to-detection-graph.md.
The Discover page is the command surface for starting analyst work. It links to Navigator, AI Analysis, actor comparison, sector intelligence, IOC workflows, malware analysis, operations, and troubleshooting.
Navigator is the matrix review surface. Analysts select techniques, inspect evidence, expand sub-techniques, overlay actors or comparison layers, track coverage, and export matrix-compatible layers.
The group library connects actor profiles to aliases, techniques, campaigns, reports, source-backed IOCs, and Navigator actions. Actor links are investigation leads, not attribution proof.
AI Analysis ingests report text or uploaded documents and extracts ATT&CK/ATLAS mapping candidates. The page keeps provider choice, source text, extracted evidence, accepted TTPs, and saved report sessions separate.
Compare uses the current TTP layer or saved reports to rank overlap with groups and campaigns. It supports group comparison, campaign comparison, report comparison, tactic distribution, matrix diff, and detection-gap review.
Group vs Group compares multiple actor profiles directly. It highlights shared techniques, actor-exclusive techniques, tactic coverage, and combined matrix patterns.
Sector Intel ranks actor relevance for a client context. Inputs include sector, region, technology/environment keywords, activity window, campaign recency, and MISP Galaxy evidence.
RetroHunt searches local historical intelligence for repeated indicators, techniques, tool names, actor references, and evidence fragments.
The Knowledge Library stores and browses reports, references, entities, and saved intelligence material used by investigations and exports.
The IOC Library is the searchable observable store. It shows freshness, source attribution, enrichment values, mapped TTPs, actor links, and pivot actions.
IOC Investigation performs a pivot workflow for a single observable. It can collect reputation, DNS, relationship graph data, external provider context, and timeline evidence depending on configured keys.
VirusTotal Lookup provides on-demand enrichment for hashes, IPs, domains, and URLs. Results can feed mapped TTPs and actor context back into Navigator and IOC workflows.
Feeds Management controls platform data synchronization: ATT&CK/ATLAS, IOC sources, MISP/custom feeds, OpenCTI, STIX/TAXII, detection-content feeds, and sandbox behavior imports.
The report workspace prepares analyst handoff material from selected techniques, evidence, IOC pivots, actor context, detection gaps, and investigation notes.
Operations manages investigation workspaces, tracked actors, detection lifecycle items, report intake, evidence records, and operational task context.
Pipeline connects external intelligence sources and detection-content sources to the local platform. It supports source registration, import review, and mapping imported behavior to matrix techniques.
DFIR Examples provides public sample workflows and report material for demos, training, validation, and regression checking without private data.
Troubleshooting shows deployment health, self-test results, Docker/API checks, provider configuration state, and recovery guidance.
Sector Packs package reusable client or industry context: relevant actors, techniques, intelligence notes, and recommended review paths.
IOC Node Detail treats an observable as a graph entity and exposes enrichment, linked TTPs, source evidence, relationship context, and actions.
Asset Surface maps CMDB exports, scanner output, cloud asset lists, and plain host/IP inventories into a defensive attack surface matrix. The workflow normalizes owners, environments, IPs, domains, ports, technologies, exposure, and criticality, then produces risk levels, likely entry points, ATT&CK technique candidates, priority actions, assumptions, validation gaps, and optional AI-enriched executive findings. Each completed run creates a saved case so analysts can reopen the exact matrix, compare inventory changes, export JSON evidence, and send the same TTP set back to Navigator later.
The module is useful when the starting point is infrastructure rather than a report, IOC, actor, or malware sample. It helps answer:
- Which assets appear internet-facing, internal, third-party, or unknown?
- Which assets combine high business criticality with exposed administration, web/API, database, identity, container, or remote-access surfaces?
- Which likely ATT&CK techniques should be reviewed in Navigator and detection planning?
- Which facts must be validated with scanner, cloud firewall, WAF, CMDB, and telemetry data before operational action?
See the dedicated Asset Attack Surface Mapping guide for accepted inventory fields and output semantics.
Representative screenshots:
| Workflow | Screenshot |
|---|---|
| Updated Discover launchers | ![]() |
| Asset Surface analysis result | ![]() |
| Saved Asset Surface history | ![]() |
| White asset-surface Navigator layer | ![]() |
Attack Simulation is the v5 detection-validation workspace. Analysts select an
ATT&CK technique first, open a dedicated simulation page, run approved lab
scenarios, inspect real-time target-side logs, and forward telemetry to a SIEM
collector. Web scenarios use the Docker attack-lab-web target, which receives
real HTTP requests and writes target-side NGINX access, security/WAF-style,
error, auth, and structured JSONL logs.
The AI Attack Assistant adds a second workflow for detection engineering drills. It can generate source-shaped telemetry for selected TTPs, actor-oriented stories, or Challenge Me scenarios. Complicated mode builds longer coherent kill chains across web, WAF, DNS, proxy, firewall, Windows Security, Sysmon, and EDR-style sources. The generated attack-chain graph shows phase order, technique, event source, event format, event count, and detection purpose.
Use this module to answer:
- Which ATT&CK behaviors already have runnable validation scenarios?
- Does the lab target emit the telemetry needed by the detection rule?
- Can the SIEM parser ingest raw web, auth, endpoint, WAF, and source-shaped events correctly?
- Does correlation logic detect a coherent attack chain rather than one atomic indicator?
- Which assumptions and validation gaps must an analyst document before marking coverage as passed?
See the dedicated Attack Simulation guide for the full workflow, safety model, log locations, SIEM forwarding modes, AI assistant behavior, and scenario catalog.
Representative screenshots:
| Workflow | Screenshot |
|---|---|
| TTP-first simulation matrix | ![]() |
| Per-TTP configuration | ![]() |
| SIEM forwarding controls | ![]() |
| AI scenario library | ![]() |
| Attack-chain graph | ![]() |
| Explain attack panel | ![]() |
| Real-time logs | ![]() |
| SIEM destination history | ![]() |
The malware workflow has its own detailed documentation:
- Malware Analysis Guide
- Malware Analysis Module
- Malware Analysis Architecture
- v4 Malware Analysis release article draft
Representative screenshots:
| Workflow | Screenshot |
|---|---|
| Malware Analysis dashboard | ![]() |
| Hash-check feed results | ![]() |
| String Analyzer smart IOC/TTP leads | ![]() |
| Unpacker packed sample | ![]() |
| Debugger CPU view | ![]() |
| Dynamic function workflow | ![]() |
- Public demos are for exploration only. Do not upload private reports, client data, or malware samples to shared public instances.
- Docker/self-hosted mode is the private workflow for configured LLM providers, local LLM gateways, private reports, local IOC feeds, and malware-analysis labs.
- ATT&CK mapping, actor overlap, IOC enrichment, generated detections, and malware-analysis output are evidence organization aids. They are not final attribution, detection, or verdict decisions.
- Dynamic malware analysis is disabled by default and must run only in an explicitly isolated disposable runtime profile.





































