the dogesec blog
Much post. So knowledge. Many intel. Very subscribe. Wow.
Stop Reinventing STIX Objects: A Practical Way to Build and Share Extensions
tutorial January 19, 2026
Learn how to avoid ad-hoc custom objects by generating schemas and Extension Definitions automatically with stix2extensions, keeping STIX extensions interoperable by default.
D3FEND for People Who Already Know ATT&CK
tutorial November 17, 2025
An ATT&CK-native introduction to MITRE D3FEND: how defensive tactics, techniques, artefacts, and relationships mirror attacker behavior and complete the picture.
Modelling NOVA Rules as Structured CTI
tutorial October 31, 2025
This proof of concept shows how adversarial prompts from PromptIntel can be transformed into structured STIX intelligence by treating prompts as observables and NOVA rules as behavioural Indicator logic.
Using the ATT&CK Navigator with non-ATT&CK frameworks
tutorial October 20, 2025
The ATT&CK Navigator isn’t limited to ATT&CK. In this post, we break down the STIX properties the Navigator actually uses and show how to build a custom MITRE ATLAS matrix that renders cleanly inside it.
Turn any Blog Post into Structured Threat Intelligence
tutorial June 16, 2025
Obstracts is the blog feed reader used by the world's most targeted cyber-security teams. Let me show you why.
Beyond the ATT&CK Matrix: How to Build Dynamic Attack Flows with STIX
tutorial March 17, 2025
MITRE ATT&CK techniques are useful, but they don’t capture the sequence of an attack. Enter Attack Flows.
An Introduction to pySigma: Converting Sigma Rules to Work with Your SIEM
tutorial February 10, 2025
Learn how to seamlessly convert Sigma Rules into queries for your SIEM. Follow along with real examples.
Writing Advanced Sigma Detection Rules: Using Correlation Rules
tutorial January 13, 2025
Correlation Rules allow you to detect threats by linking multiple events together based on a meaningful relationship.
Writing Effective Sigma Detection Rules: A Guide for Novice Detection Engineers
tutorial December 16, 2024
Sigma Rules are becoming more widely adopted as the standard detection language. Learning how to write them is not difficult. Let me show you.
Enriching Vulnerabilities to Create an Intelligence Graph
tutorial October 14, 2024
We do a lot of research into vulnerabilities. To aid this, we enrich CVEs using many remote sources of intelligence. Here is a walk-through showing how we connect CVEs to EPSS scores, CISA KEVs, MITRE ATT&CK, CWEs, and CAPECs.
Writing Detection Rules to Identify if Products in my Stack are Vulnerable
tutorial September 16, 2024
Building on last week's post, I show you how to construct STIX Patterns to automatically flag which products are affected by published CVEs.
Fighting Disinformation: Classifying Your Research Using Standardised Disinformation Tactics and Techniques
tutorial May 13, 2024
Our intel team is increasingly using the DISARM framework to classify parts of our research as disinformation campaigns continue to increase. In this post I will introduce the DISARM data structure.
The Problems with Modelling Countries as STIX Objects (and How to Fix Them)
tutorial April 15, 2024
Take the list of recognised countries and regions. Create STIX objects for them. Make them available to everyone so that the CTI world has a single way of representing them.
Getting Started with the MITRE ATT&CK Navigator
tutorial January 15, 2024
The MITRE ATT&CK Navigator is a very useful tool for exploring MITRE ATT&CK (and other similar frameworks). In this post I take a look at what you can do with Navigator and how it works under the hood, so that you can use it to model your own ATT&CK-like frameworks.
How to Build Custom MITRE ATT&CK Content Using Workbench (Step-by-Step Guide)
tutorial December 11, 2023
A practical Workbench guide: extend ATT&CK, link objects to techniques, and publish collections other teams and tools can consume.
STIX Shifter: Turning STIX Patterns into SIEM Queries
tutorial November 13, 2023
Learn how to translate STIX detection patterns into SIEM queries using STIX Shifter, and convert detections back into STIX Observed Data for evidence and correlation.
How to Write STIX Indicator Patterns for Real Detection Rules
tutorial October 16, 2023
Learn how to turn threat intelligence into actionable detection rules. Learn how to build behavioral detection using STIX Patterns, and link sightings to evidence.
STIX Storage for Developers: Memory, Files, and Databases
tutorial September 18, 2023
A practical guide to storing and querying STIX 2.1 data using MemoryStore, FileSystemStore, and ArangoDB — with Python examples.
STIX Extensions in the Wild: How to Add What the Spec Forgot
tutorial August 14, 2023
How to design and ship STIX 2.1 extensions — new objects, nested props, and bundles — that your consumers will love.
Schema Chaos and the Art of STIX Maintenance
tutorial July 10, 2023
All I wanted was EPSS and CVSS to show up in OpenCTI. Instead, I ended up reverse-engineering half its schema and building new STIX Extensions from scratch. Here’s the mildly painful but oddly satisfying journey.
Your First STIX Objects: A Developer’s Guide to STIX 2.1 with Python
tutorial June 19, 2023
The fast, code-first way to generate valid STIX 2.1 threat intelligence in Python. Covers SDOs, SCOs, relationships, versioning, and bundling — everything you need to start building and sharing structured intel like a pro.
Understanding STIX 2.1 Objects: A Foundation for Structured Threat Intelligence
tutorial May 14, 2023
Forget the 50-page spec. This guide explains STIX 2.1 objects—SDOs, SCOs, SROs, SMOs, and Bundles—in plain English with real threat intel examples.