Updates

Learn how the Cyber Threat Exchange helps researchers publish structured CTI in STIX 2.1 and lets defenders operationalise specialist intelligence through TAXII, APIs, and existing CTI tooling.

Most AI CTI workflows waste tokens rediscovering ATT&CK, CWE, CAPEC, and other CTI knowledgebases from scratch. CTI Butler fixes that by giving agents a structured retrieval layer. In this post I show how to turn it into a Claude Code skill that recommends likely mappings from raw analyst input.

D3FEND was not built for STIX, but most CTI tooling depends on it. This post walks through how we model D3FEND as STIX 2.1 so defensive knowledge can finally behave like first-class CTI data.

RSS and ATOM feeds are problematic (for our use-cases) for two reasons; 1) lack of history, 2) contain limited post content. We built some open-source software to fix that.

CTI Butler links many common knowledge bases, for example linking MITRE ATT&CK to CAPEC objects, to improve the context of our research. This post describes the logic CTI Butler employs behind the scenes to do this.

Here is a quick-start guide to CTI Butler showing you how much easier it makes working with these frameworks.