Cookies Policy
We use strictly necessary cookies whilst you are here. These are to enable the website to work and cannot be disabled. To read more about what this means, please see our Privacy Policy.

From Reports to Routes: Visualising Adversary Paths with Thread and MITRE Attack Flow Builder

July 30, 2025
Attack Flow shows an attack sequence. Read about how you can use it with your Thread data.

by Kade Morton (CEO)
Introduction

Why 
“flows” 
are 
the 
next 
leap 
for 
threat‑informed 
defence

ATT&CK® already gives us the what of adversary behaviour. Attack Flow adds the how.

Attack Flow adds the how, showing the exact sequence, branching options, and dependencies an attacker follows to reach their objective. MITRE’s Center for Threat‑Informed Defense created the Attack Flow language so defenders can track multi‑phase campaigns instead of isolated techniques, spot choke points, and prioritise counter‑measures more effectively.

Traditional incident write‑ups or Navigator layers capture individual events but don’t capture the bigger picture. By modelling a chain of tactics, initial access, privilege escalation, lateral movement, impact, security operations center (SOC) analysts can:

  • Surface weak links an attacker must traverse.
  • Map detections to every step, avoiding gaps between stages.
  • Share machine‑readable flows across blue‑team tools (the format is STIX‑compatible).
Attack Flow Builder

The web based Attack Flow Builder is MITRE’s canvas for turning raw cyber‑attack data into an interactive storyline. Inside the browser you drag‑and‑drop ATT&CK techniques, assets, malware, vulnerabilities, and indicators onto a blank board, then draw arrows to show the exact order, or parallel paths, in which those elements unfold during a real intrusion. Each node stores full metadata, so a single click can reveal discovery timestamps, references, or detection logic.

From there you can overlay the finished diagram on the classic ATT&CK matrix to see defensive coverage at a glance, or export the model in multiple formats, STIX for automation pipelines, a standalone .afb file for sharing, PNG for slide decks, or even Markdown‑friendly Mermaid code for wikis. Because every element in the flow is machine‑readable, teams can version‑control their diagrams and attach them to post‑incident reports without re‑formatting.

In short, the Builder transforms a static list of tactics, techniques and procedures (TTPs) into a living map that SOC analysts, threat hunters, and CISOs can all read, refine, and act on.

Thread to Attack Flow: closing the loop between cyber threat intelligence and action

Thread already maps free‑text reporting to ATT&CK TTPs, dates, IOCs, and victims. Our new “Export Attack Flow .afb” button turns that structured output into a ready‑made Attack Flow file you can open in the Builder. No manual re‑typing, no copy‑paste from PDFs.

How this works in practice
  • Thread uses machine learning to map free text to ATT&CK TTPs
  • A human analyst accepts or rejects the TTPs, and adds any that Thread might have missed. They also add a time frame, aggressor and victim information, and tag any indicators of compromise (IoCS).
  • Once the report is processed in Thread, the analyst clicks Export Attack Flow AFB, Thread serialises the TTPs and IoCs into the Attack Flow v3 schema, bundles them as incident-name.afb, and delivers it straight to your browser.
  • Open the incident-name.afb file in Attack Flow Builder, and your TTPs and IoCs are all there. Use the Builder to structure your flow.

For this first iteration of integrating Thread with Attack Flow, we didn’t want to recreate the functionality that already exists in Flow Builder to order your flow. We’ve also only added support for some of the basic data types, like TTPs, malware, and IoCs. However, Thread is open source and continues to evolve. More improvements are coming, follow along with us on GitHub as we continue to develop Thread, and you can always make community contributions!

Where attack flows shine in day‑to‑day operations
  • Detection gap analysis — Overlay flow on ATT&CK Navigator to see which stages lack telemetry. You can create both the Navigator and the Flow Builder output from Thread.
  • Post‑incident reviews — Replace static slide decks with clickable flows that link directly to log evidence.
  • Adversary emulation — Feed exported STIX into tools like Caldera to replay an attacker’s exact sequence.
  • Executive reporting — One diagram communicates campaign scope better than ten bullet points.

Flows are also great for threat hunting. Let’s take a closer look…

Using Attack Flows to Supercharge Threat Hunting

Threat hunting succeeds or fails on the quality of its hypotheses. Seasoned hunters begin by asking a structured question, “Could adversary X reach asset Y by chaining techniques A, B, and C?”, and then seek telemetry to prove or disprove it. Industry playbooks all outline the same core loop:

  • Generate a hypothesis
  • Assemble the right data
  • Investigate
  • Validate
  • Feed lessons back into detections

Thread helps with the hardest, and most crucial part of that loop, hypothesis generation, by delivering cyber threat intelligence already mapped to ATT&CK. Each finished Thread report has real‑world context, such as timestamps, artifacts, and links to the original source. Instead of inventing scenarios from scratch, that may or may not be relevant, hunters start with evidence‑backed chains that adversaries have actually used.

Attack Flow then takes those ATT&CK‑tagged gems and arranges them in a machine‑readable storyline. Seeing that a phishing email (T1566) led to template injection (T1221), which cascaded into LSASS credential dumping (T1003.001), tells the hunter where to look next if the first query hits. Flows expose decision branches (“if privilege escalation fails, attacker falls back to Kerberoasting”), ensuring hunts follow every plausible path, not just the obvious or easy ones. They also help teams avoid the classic “rabbit‑hole” problem of chasing an endless number of possible but irrelevant scenarios.

The result is a repeatable, evidence‑driven methodology:

  • Scope and Objective — Import the Thread‑generated .afb into Builder, and choose the branch that threatens your crown‑jewel asset. You can see that a cyber threat actor, that recently targeted an industry peer in the same geography as you, used Ingress Tool Transfer to deploy tools to a company device, and then immediately pulled up a command prompt to start gathering data.
  • Hypothesis — “If any host shows the Technique Command and Scripting Interpreter (T1059) within five minutes of Ingress Tool Transfer (T1105), we may have an intrusion in progress.”
  • Data Collection & Hunt — Pull endpoint and network logs keyed to those technique IDs. ATT&CK gives guidance around this under the Detections section of each TTP.
  • Investigation & Validation — Follow the flow’s arrows to pivot from one TTP to the next.
  • Detection Engineering — Convert successful queries into permanent analytics, and update the flow if new intelligence shifts the sequence.

In short, flows give hunters a roadmap. They keep every query tied to a real adversary behaviour, eliminate guesswork, and let teams measure coverage by ticking off techniques. This provides the structure SOC analysts crave and the accountability IT security managers need.

Resources

For those that want to learn more about Attack Flows and Thread, the below resources have you covered:

Start building Attack Flows

Attack Flow turns static cyber threat intelligence into an interactive map of attacker behaviour. By integrating Thread with the Flow Builder, Arachne Digital removes the busywork of diagramming and empowers SOC teams to see, share, and counter multi‑stage campaigns faster than ever.

Ready to try it? Log in to Thread, process a report, and hit Export Flow AFB. If you don’t want to go through the hassle of gathering cyber threat intelligence and mapping it to MITRE ATT&CK all by yourself, reach out to us about our API offering.

Benefits

Why 
select 
Arachne?

Do you want to maximise your security within your budget? Arachne Digital is the logical choice.

Our platform searches the internet for information on threat actors, gathers reports, and categorises the findings by region, industry, and threat actor. Our process automatically maps TTPs to MITRE ATT&CK®, slashing research time and saving you money.

Threat Mitigation Experts

Connect with a way to see and neutralise potential attacks before they impact your organisation. Arachne Digital empowers organisations to anticipate and avoid cyber threats by delivering actionable intelligence.

Optimised Security Posture

By integrating the precise threat intelligence provided by our reports, you can evolve, prioritise and implement effective and continually updated security controls relevant to your organisation.

Streamlined Compliance

Comprehensive, insightful threat intelligence reports support audit preparations. Demonstrate a proactive approach to cybersecurity and achieve and maintain compliance more easily.

Testimonials 
& 
Partnerships

“Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.

Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”

Partnership

We 
are 
partnered 
with 
DISARM 
Foundation.

Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.

This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.

Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.


Empower. 
Defend. 
Prevail.

Newsletter
Stay in the loop with our latest updates, exclusive offers, and content by subscribing to our newsletter.

© 2025 Arachne Digital, ALL RIGHTS RESERVED
Built by