In cybersecurity, context is everything.
Knowing what happened is only half the battle. Understanding how it happened, and how to stop it, is where the real value lies. This is where frameworks like MITRE ATT&CK® come into play, giving defenders a shared language to describe adversary behaviour.
But how do you map unstructured threat intelligence, like blog posts, reports, or news articles, to ATT&CK techniques without spending hours doing it manually?
That’s where Thread comes in.
Thread is an open-source tool developed by Arachne Digital that automates and simplifies the process of mapping threat reporting to frameworks like MITRE ATT&CK. Built for analysts, researchers, and defenders, Thread helps turn raw intelligence into structured insights that can inform everything from threat hunting to purple teaming.
This post is your guide to understanding what Thread does, how to use it, and why this kind of mapping matters across different areas of cybersecurity.
Thread helps you:
You can apply structured intelligence to use cases like:
The key advantage: it saves time and produces actionable output that works across multiple teams.
Access the App
You can use the hosted version of Thread at:
🔗 https://app.arachne.digital/thread
Alternatively, you can clone the GitHub repository and run it locally.
Ingest a Report
Start on the homepage and paste the URL of a threat intelligence report, blog post, or article you want to analyse.
✅ Pro Tip: You can also upload plain text manually if the site doesn’t scrape properly.
Highlight and Map TTPs
Once the report is ingested, Thread highlights suggested sentences that contain potential TTPs.
This step helps Thread learn. The more feedback it gets, the better its suggestions become.
Tag Metadata
You can tag the following key elements:
✅ These tags are optional but recommended. They make the data more powerful when integrated into threat intelligence platforms.
Set Dates
🕒 If no dates are available in the report, you can use the published date.
Generate Report
Once you’re done:
The report can be viewed as a PDF or can be downloaded as JSON. If you run Thread locally, you can also build your own threat intelligence database.
Thread isn’t just a tool. It’s a gateway to more intelligent cybersecurity.
Mapping threats to ATT&CK gives you a framework for answering key questions:
As Thread evolves, it will also support additional frameworks like:
This will unlock even broader applications, from analysing botnets targeting phones, to evaluating threats to AI systems, to countering online influence operations.
Cybersecurity professionals need tools that make intelligence usable, not just readable. Thread does exactly that, turning reports into structured insights that can drive better decisions across security operations.
Whether you’re leading a threat-informed defense program, building adversary emulation scenarios, or just trying to make sense of the noise, Thread is built to help.
Start using it today at https://app.arachne.digital/thread, or contribute on GitHub to shape its future.
“Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.
Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”
Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.
This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.
Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.