Search | RSS Feed | Subscribe

• 

  TTPs Are Missing the P: Lets Fix That

  research February 23, 2026

  Most ATT&CK programs model tactics and techniques, but not procedures. This post explains why that gap matters, where Attack Flow helps, and how STIX could model the missing layer.
• 

  Using Known ATT&CK Techniques to Predict What Came Before and What Happens Next

  research February 16, 2026

  Known ATT&CK techniques are not just for labeling incidents. This post shows how to use them as anchors to infer likely predecessor and successor behavior in a realistic adversary sequence, and how MITRE TIE can support that workflow.
• 

  Detection Isn’t Defence: Linking ATT&CK to D3FEND

  research February 09, 2026

  D3FEND becomes far more useful when it is not isolated. This post shows how D3FEND links to ATT&CK and CWE through artefacts, so you can traverse from offensive technique or weakness to concrete defensive mitigations.
• 

  Stop Wasting Agent Tokens on ATT&CK Lookups

  product-update February 02, 2026

  Most AI CTI workflows waste tokens rediscovering ATT&CK, CWE, CAPEC, and other CTI knowledgebases from scratch. CTI Butler fixes that by giving agents a structured retrieval layer. In this post I show how to turn it into a Claude Code skill that recommends likely mappings from raw analyst input.
• 

  Stop Reinventing STIX Objects: A Practical Way to Build and Share Extensions

  tutorial January 19, 2026

  Learn how to avoid ad-hoc custom objects by generating schemas and Extension Definitions automatically with stix2extensions, keeping STIX extensions interoperable by default.
• 

  We Made D3FEND Work in STIX

  announcement December 15, 2025

  D3FEND was not built for STIX, but most CTI tooling depends on it. This post walks through how we model D3FEND as STIX 2.1 so defensive knowledge can finally behave like first-class CTI data.
• 

  OpenCTI Is Not a STIX Database

  opinion December 01, 2025

  Why STIX 2.1 bundles don’t ingest the way you expect, and what we learned building production OpenCTI pipelines.
• 

  D3FEND for People Who Already Know ATT&CK

  tutorial November 17, 2025

  An ATT&CK-native introduction to MITRE D3FEND: how defensive tactics, techniques, artefacts, and relationships mirror attacker behavior and complete the picture.
• 

  Modelling NOVA Rules as Structured CTI

  tutorial October 31, 2025

  This proof of concept shows how adversarial prompts from PromptIntel can be transformed into structured STIX intelligence by treating prompts as observables and NOVA rules as behavioural Indicator logic.
• 

  Using the ATT&CK Navigator with non-ATT&CK frameworks

  tutorial October 20, 2025

  The ATT&CK Navigator isn’t limited to ATT&CK. In this post, we break down the STIX properties the Navigator actually uses and show how to build a custom MITRE ATLAS matrix that renders cleanly inside it.