ATT&CK® already gives us the what of adversary behaviour. Attack Flow adds the how.
It shows the exact sequence, branching options, and dependencies an attacker follows to reach an objective. MITRE’s Center for Threat‑Informed Defense created the Attack Flow language so defenders can model multi‑phase campaigns instead of isolated techniques, spot choke points, and prioritise countermeasures more effectively.
Traditional incident write‑ups or Navigator layers capture individual events but not the bigger picture. By modelling a chain of tactics (initial access, privilege escalation, lateral movement, impact), security operations center (SOC) analysts can:
The web‑based Attack Flow Builder is MITRE’s canvas for turning raw cyber‑attack data into an interactive storyline. Inside the browser you drag and drop ATT&CK techniques, assets, malware, vulnerabilities, and indicators onto a blank board, then draw arrows to show the order, or the parallel paths, in which those elements unfold during a real intrusion. Each node stores full metadata, so a single click reveals discovery timestamps, references, or detection logic.
From there you can overlay the finished diagram on the classic ATT&CK matrix to see defensive coverage at a glance, or export the model in multiple formats: STIX for automation pipelines, a standalone .afb file for sharing, PNG for slide decks, or Markdown‑friendly Mermaid code for wikis. Because every element in the flow is machine‑readable, teams can version‑control their diagrams and attach them to post‑incident reports without re‑formatting.
In short, the Builder transforms a static list of tactics, techniques and procedures (TTPs) into a living map that SOC analysts, threat hunters, and CISOs can all read, refine, and act on.
Thread already maps free‑text reporting to ATT&CK TTPs, dates, IOCs, and victims. Our new “Export Attack Flow .afb” button turns that structured output into a ready‑made Attack Flow file you can open in the Builder. No manual re‑typing, no copy‑paste from PDFs.
For this first iteration of integrating Thread with Attack Flow, we didn’t want to recreate the ordering functionality that already exists in Flow Builder, so the exported file gives you the extracted nodes and you arrange the sequence yourself in the Builder. We have also only added support for some of the basic data types, such as TTPs, malware, and IOCs. However, Thread is open source and continues to evolve. More improvements are coming; follow along on GitHub as we continue to develop Thread, and community contributions are always welcome!
Flows are also great for threat hunting. Let’s take a closer look…
Threat hunting succeeds or fails on the quality of its hypotheses. Seasoned hunters begin by asking a structured question, “Could adversary X reach asset Y by chaining techniques A, B, and C?”, and then seek telemetry to prove or disprove it. Industry playbooks all outline the same core loop:
Thread helps with the hardest and most crucial part of that loop, hypothesis generation, by delivering cyber threat intelligence already mapped to ATT&CK. Each finished Thread report carries real‑world context, such as timestamps, artifacts, and links to the original source. Instead of inventing scenarios from scratch that may or may not be relevant, hunters start with evidence‑backed chains that adversaries have actually used.
Attack Flow then takes those ATT&CK‑tagged findings and arranges them in a machine‑readable storyline. Seeing that a phishing email (T1566) led to template injection (T1221), which cascaded into LSASS credential dumping (T1003.001), tells the hunter where to look next if the first query hits. Flows expose decision branches (“if privilege escalation fails, the attacker falls back to Kerberoasting”), so hunts follow every plausible path, not just the obvious or easy ones. They also help teams avoid the classic “rabbit‑hole” problem of chasing an endless number of possible but irrelevant scenarios.
The result is a repeatable, evidence‑driven methodology:
In short, flows give hunters a roadmap. They keep every query tied to a real adversary behaviour, eliminate guesswork, and let teams measure coverage by ticking off techniques. This provides the structure SOC analysts crave and the accountability IT security managers need.
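To make the “machine‑readable storyline” concrete, here is an added example (not Thread’s export code, and not the Attack Flow project’s own) that builds the phishing → template injection → credential‑dumping chain above as an Attack Flow STIX 2.1 bundle, models the Kerberoasting fallback as a condition branch, then walks the bundle to list every hunting path and the techniques that have no detection mapped to them. Assumptions: the object types and property names (attack-flow, attack-action, attack-condition, start_refs, effect_refs, on_true_refs, on_false_refs) follow the Attack Flow 2.x schema as I understand it, the extension‑definition ID is quoted from memory and should be checked against the published schema, the detection map is constructed, and only the Python standard library is used so it runs offline.

```python
"""Build a small Attack Flow bundle and walk it for hunting (added example)."""
import json
import uuid
from datetime import datetime, timezone

# ASSUMED: Attack Flow extension-definition ID, quoted from memory; verify
# against the published Attack Flow schema before relying on it.
AF_EXT_ID = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"
NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

# Constructed detection coverage map: technique ID -> the rule that covers it.
SAMPLE_DETECTIONS = {
    "T1566": "mail gateway: macro-bearing attachment alert",
    "T1003.001": "EDR: handle to lsass.exe opened by a non-system process",
}


def _sdo(stix_type, **props):
    """Minimal STIX 2.1 object carrying the Attack Flow new-sdo extension marker."""
    obj = {
        "type": stix_type,
        "spec_version": "2.1",
        "id": f"{stix_type}--{uuid.uuid4()}",
        "created": NOW,
        "modified": NOW,
        "extensions": {AF_EXT_ID: {"extension_type": "new-sdo"}},
    }
    obj.update(props)
    return obj


def build_flow():
    """Phishing -> template injection -> (priv-esc ok ? LSASS dump : Kerberoasting)."""
    lsass = _sdo("attack-action", name="OS Credential Dumping: LSASS Memory",
                 technique_id="T1003.001", tactic_id="TA0006", effect_refs=[])
    kerb = _sdo("attack-action", name="Steal or Forge Kerberos Tickets: Kerberoasting",
                technique_id="T1558.003", tactic_id="TA0006", effect_refs=[])
    cond = _sdo("attack-condition",
                description="Privilege escalation to SYSTEM succeeded",
                on_true_refs=[lsass["id"]], on_false_refs=[kerb["id"]])
    tmpl = _sdo("attack-action", name="Template Injection", technique_id="T1221",
                tactic_id="TA0005", effect_refs=[cond["id"]])
    phish = _sdo("attack-action", name="Phishing", technique_id="T1566",
                 tactic_id="TA0001", effect_refs=[tmpl["id"]])
    flow = _sdo("attack-flow", name="Constructed example flow", scope="incident",
                start_refs=[phish["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [flow, phish, tmpl, cond, lsass, kerb]}


def hunt_paths(bundle):
    """Return every start-to-leaf path as an ordered list of technique IDs.

    Conditions and operators contribute no technique of their own; a condition
    forks the walk so its true and false branches become separate hypotheses.
    """
    by_id = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in bundle["objects"] if o["type"] == "attack-flow")

    def walk(node_id, seen):
        if node_id in seen:          # stop on cycles in hand-built flows
            return [[]]
        node = by_id[node_id]
        seen = seen | {node_id}
        if node["type"] == "attack-condition":
            nxt = node.get("on_true_refs", []) + node.get("on_false_refs", [])
            prefix = []
        elif node["type"] == "attack-operator":
            nxt = node.get("effect_refs", [])
            prefix = []
        else:                        # attack-action
            nxt = node.get("effect_refs", [])
            prefix = [node["technique_id"]]
        if not nxt:
            return [prefix]
        return [prefix + rest for n in nxt for rest in walk(n, seen)]

    return [p for s in flow["start_refs"] for p in walk(s, frozenset())]


def coverage_gaps(bundle, detections):
    """Technique IDs used in the flow that have no detection mapped to them."""
    used = {o["technique_id"] for o in bundle["objects"] if o["type"] == "attack-action"}
    return sorted(used - set(detections))


if __name__ == "__main__":
    bundle = build_flow()
    print(json.dumps(bundle, indent=2))          # what you would hand to a pipeline
    for path in hunt_paths(bundle):
        print("hunt:", " -> ".join(path))
    print("no detection for:", coverage_gaps(bundle, SAMPLE_DETECTIONS))
```

Each path `hunt_paths` returns is one hypothesis to query in order; the two branches under the condition show why a flow yields two hunts where a flat technique list would suggest one. `coverage_gaps` is the “ticking off techniques” step: run it against your own detection map and the result is the list of flow steps you cannot currently see.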
For those that want to learn more about Attack Flows and Thread, the below resources have you covered:
Attack Flow turns static cyber threat intelligence into an interactive map of attacker behaviour. By integrating Thread with the Flow Builder, Arachne Digital removes the busywork of diagramming and empowers SOC teams to see, share, and counter multi‑stage campaigns faster than ever.
Ready to try it? Log in to Thread, process a report, and hit Export Flow AFB. If you don’t want to go through the hassle of gathering cyber threat intelligence and mapping it to MITRE ATT&CK all by yourself, reach out to us about our API offering.
“Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.
Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”
Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.
This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.
Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.