txt2stix + stix2arango + arango_taxii_server = a robust and flexible setup for storing and distributing the cyber threat intelligence you've produced.

If you're a cyber threat intelligence analyst you probably use txt2stix, but do you know everything it's currently capable of?

MITRE ATT&CK techniques are useful, but they don’t capture the sequence of an attack. Enter Attack Flows.

In this post I walk you through the database queries we use to compare Sigma Rules releases. We use these to identify the detail of what has changed before we push any updates internally.

After becoming ever-more frustrated by intelligence producers naming the same ransomware slightly differently, and with ATT&CK missing lots of ransomware types, I finally got around to trying to solve the problem.

The STIX 2.1 Indicator SDO specification is flexible enough to allow for a range of detection languages. In this post I will show you how to use the STIX pattern language to write detections using cyber threat intelligence data.

Sometimes the default STIX 2.1 objects will not be broad enough for your needs. This post describes how you can extend the STIX specification when required.

A short post with code examples that show how to use TLPv2 with STIX 2.1.

A post full of code examples that will give you everything you need to start creating STIX objects to make it simple to share your threat research.

STIX 2.1 allows you to tell stories by connecting objects together to form the story-line of cyber actors, campaigns, incidents, and much more. In this post I explain how.