From Reports to Routes: Visualising Adversary Paths with Thread and MITRE Attack Flow Builder

The web based Attack Flow Builder is MITRE’s canvas for turning raw cyber‑attack data into an interactive storyline. Inside the browser you drag‑and‑drop ATT&CK techniques, assets, malware, vulnerabilities, and indicators onto a blank board, then draw arrows to show the exact order, or parallel paths, in which those elements unfold during a real intrusion. Each node stores full metadata, so a single click can reveal discovery timestamps, references, or detection logic.

From there you can overlay the finished diagram on the classic ATT&CK matrix to see defensive coverage at a glance, or export the model in multiple formats, STIX for automation pipelines, a standalone .afb file for sharing, PNG for slide decks, or even Markdown‑friendly Mermaid code for wikis. Because every element in the flow is machine‑readable, teams can version‑control their diagrams and attach them to post‑incident reports without re‑formatting.

In short, the Builder transforms a static list of tactics, techniques and procedures (TTPs) into a living map that SOC analysts, threat hunters, and CISOs can all read, refine, and act on.

Thread already maps free‑text reporting to ATT&CK TTPs, dates, IOCs, and victims. Our new “Export Attack Flow .afb” button turns that structured output into a ready‑made Attack Flow file you can open in the Builder. No manual re‑typing, no copy‑paste from PDFs.

• Thread uses machine learning to map free text to ATT&CK TTPs
• A human analyst accepts or rejects the TTPs, and adds any that Thread might have missed. They also add a time frame, aggressor and victim information, and tag any indicators of compromise (IoCS).
• Once the report is processed in Thread, the analyst clicks Export Attack Flow AFB, Thread serialises the TTPs and IoCs into the Attack Flow v3 schema, bundles them as incident-name.afb, and delivers it straight to your browser.
• Open the incident-name.afb file in Attack Flow Builder, and your TTPs and IoCs are all there. Use the Builder to structure your flow.

For this first iteration of integrating Thread with Attack Flow, we didn’t want to recreate the functionality that already exists in Flow Builder to order your flow. We’ve also only added support for some of the basic data types, like TTPs, malware, and IoCs. However, Thread is open source and continues to evolve. More improvements are coming, follow along with us on GitHub as we continue to develop Thread, and you can always make community contributions!

• Detection gap analysis — Overlay flow on ATT&CK Navigator to see which stages lack telemetry. You can create both the Navigator and the Flow Builder output from Thread.
• Post‑incident reviews — Replace static slide decks with clickable flows that link directly to log evidence.
• Adversary emulation — Feed exported STIX into tools like Caldera to replay an attacker’s exact sequence.
• Executive reporting — One diagram communicates campaign scope better than ten bullet points.

Flows are also great for threat hunting. Let’s take a closer look…

Threat hunting succeeds or fails on the quality of its hypotheses. Seasoned hunters begin by asking a structured question, “Could adversary X reach asset Y by chaining techniques A, B, and C?”, and then seek telemetry to prove or disprove it. Industry playbooks all outline the same core loop:

• Generate a hypothesis
• Assemble the right data
• Investigate
• Validate
• Feed lessons back into detections

Thread helps with the hardest, and most crucial part of that loop, hypothesis generation, by delivering cyber threat intelligence already mapped to ATT&CK. Each finished Thread report has real‑world context, such as timestamps, artifacts, and links to the original source. Instead of inventing scenarios from scratch, that may or may not be relevant, hunters start with evidence‑backed chains that adversaries have actually used.

Attack Flow then takes those ATT&CK‑tagged gems and arranges them in a machine‑readable storyline. Seeing that a phishing email (T1566) led to template injection (T1221), which cascaded into LSASS credential dumping (T1003.001), tells the hunter where to look next if the first query hits. Flows expose decision branches (“if privilege escalation fails, attacker falls back to Kerberoasting”), ensuring hunts follow every plausible path, not just the obvious or easy ones. They also help teams avoid the classic “rabbit‑hole” problem of chasing an endless number of possible but irrelevant scenarios.

The result is a repeatable, evidence‑driven methodology:

• Scope and Objective — Import the Thread‑generated .afb into Builder, and choose the branch that threatens your crown‑jewel asset. You can see that a cyber threat actor, that recently targeted an industry peer in the same geography as you, used Ingress Tool Transfer to deploy tools to a company device, and then immediately pulled up a command prompt to start gathering data.
• Hypothesis — “If any host shows the Technique Command and Scripting Interpreter (T1059) within five minutes of Ingress Tool Transfer (T1105), we may have an intrusion in progress.”
• Data Collection & Hunt — Pull endpoint and network logs keyed to those technique IDs. ATT&CK gives guidance around this under the Detections section of each TTP.
• Investigation & Validation — Follow the flow’s arrows to pivot from one TTP to the next.
• Detection Engineering — Convert successful queries into permanent analytics, and update the flow if new intelligence shifts the sequence.

In short, flows give hunters a roadmap. They keep every query tied to a real adversary behaviour, eliminate guesswork, and let teams measure coverage by ticking off techniques. This provides the structure SOC analysts crave and the accountability IT security managers need.

For those that want to learn more about Attack Flows and Thread, the below resources have you covered:

• The Attack Flow V3 page
• Attack Flow on GitHub
• Attack Flow Builder
• Attack Flow Training
• Thread
• Thread on GitHub
• How to use Thread

Attack Flow turns static cyber threat intelligence into an interactive map of attacker behaviour. By integrating Thread with the Flow Builder, Arachne Digital removes the busywork of diagramming and empowers SOC teams to see, share, and counter multi‑stage campaigns faster than ever.

Ready to try it? Log in to Thread, process a report, and hit Export Flow AFB. If you don’t want to go through the hassle of gathering cyber threat intelligence and mapping it to MITRE ATT&CK all by yourself, reach out to us about our API offering.