Cookies Policy
We use strictly necessary cookies whilst you are here. These are to enable the website to work and cannot be disabled. To read more about what this means, please see our Privacy Policy.

Mapping Threats with Thread: A Practical Guide to Unlocking Insight with MITRE ATT&CK®

April 4, 2025
Learn about Arachne Digital's open-sourced threat-mapping tool — Thread.

by Kade Morton (CEO)
Introduction

Built 
for 
analysts, 
researchers, 
and 
defenders...

In cybersecurity, context is everything.

Knowing what happened is only half the battle. Understanding how it happened, and how to stop it, is where the real value lies. This is where frameworks like MITRE ATT&CK® come into play, giving defenders a shared language to describe adversary behaviour.

But how do you map unstructured threat intelligence, like blog posts, reports, or news articles, to ATT&CK techniques without spending hours doing it manually?

That’s where Thread comes in.

Thread is an open-source tool developed by Arachne Digital that automates and simplifies the process of mapping threat reporting to frameworks like MITRE ATT&CK. Built for analysts, researchers, and defenders, Thread helps turn raw intelligence into structured insights that can inform everything from threat hunting to purple teaming.

This post is your guide to understanding what Thread does, how to use it, and why this kind of mapping matters across different areas of cybersecurity.

Why Use Thread?

Thread helps you:

  • Identify tactics, techniques, and procedures (TTPs) in free-text reports
  • Map them to MITRE ATT&CK with high accuracy
  • Tag threat actors, industries, geographies, and indicators of compromise (IOCs)
  • Export reports to your own system or database

You can apply structured intelligence to use cases like:

  • Threat informed defense
  • Adversary emulation
  • Detection engineering
  • Threat hunting
  • SOC triage and enrichment

The key advantage: it saves time and produces actionable output that works across multiple teams.

How to Use Thread: Step-by-Step Guide

Access the App

You can use the hosted version of Thread at:

🔗 https://app.arachne.digital/thread

Alternatively, you can clone the GitHub repository and run it locally.

Ingest a Report

Start on the homepage and paste the URL of a threat intelligence report, blog post, or article you want to analyse.

  • Thread will automatically scrape the page’s text content.
  • It cleans and formats the text for analysis.

✅ Pro Tip: You can also upload plain text manually if the site doesn’t scrape properly.

Highlight and Map TTPs

Once the report is ingested, Thread highlights suggested sentences that contain potential TTPs.

  • You can select these suggestions or manually highlight other sentences.
  • Click “Add TTP” and choose the appropriate technique from the MITRE ATT&CK matrix.
  • You can also add tactics, sub-techniques, and any relevant metadata.

This step helps Thread learn. The more feedback it gets, the better its suggestions become.

Tag Metadata

You can tag the following key elements:

  • Threat Actor: Choose from a dropdown of known actors (populated via Arachne Digital’s open-source Spindle project).
  • Country Attribution: Tag the country (if known) that the actor is affiliated with.
  • Industries Impacted: Select which industries the attack targeted.
  • Geographies Impacted: Indicate where the victims were located.
  • IOCs: Paste or tag indicators of compromise (hashes, IPs, domains, etc.).

✅ These tags are optional but recommended. They make the data more powerful when integrated into threat intelligence platforms.

Set Dates

  • First Seen Date and Last Seen Date can be set based on what the report says.
  • These are useful for understanding the timing and duration of a threat campaign.

🕒 If no dates are available in the report, you can use the published date.

Generate Report

Once you’re done:

  • Click “Generate Report” to view a structured output.
  • This includes all tagged TTPs, actors, metadata, and timestamps.

The report can be viewed as a PDF or can be downloaded as JSON. If you run Thread locally, you can also build your own threat intelligence database.

Why Mapping Matters: Beyond the Tool

Thread isn’t just a tool. It’s a gateway to more intelligent cybersecurity.

Mapping threats to ATT&CK gives you a framework for answering key questions:

  • What techniques are trending?
  • Which threat actors are using them?
  • Are we covered in our detections and mitigations?
  • How can we simulate these attacks for purple team exercises?

As Thread evolves, it will also support additional frameworks like:

  • MITRE ATT&CK for Mobile
  • MITRE ATT&CK for ICS
  • MITRE ATLAS (AI threats)
  • DISARM (Disinformation tactics)

This will unlock even broader applications, from analysing botnets targeting phones, to evaluating threats to AI systems, to countering online influence operations.

Final Thoughts

Cybersecurity professionals need tools that make intelligence usable, not just readable. Thread does exactly that, turning reports into structured insights that can drive better decisions across security operations.

Whether you’re leading a threat-informed defense program, building adversary emulation scenarios, or just trying to make sense of the noise, Thread is built to help.

Start using it today at https://app.arachne.digital/thread, or contribute on GitHub to shape its future.

Benefits

Why 
select 
Arachne?

Do you want to maximise your security within your budget? Arachne Digital is the logical choice.

Our platform searches the internet for information on threat actors, gathers reports, and categorises the findings by region, industry, and threat actor. Our process automatically maps TTPs to MITRE ATT&CK®, slashing research time and saving you money.

Threat Mitigation Experts

Connect with a way to see and neutralise potential attacks before they impact your organisation. Arachne Digital empowers organisations to anticipate and avoid cyber threats by delivering actionable intelligence.

Optimised Security Posture

By integrating the precise threat intelligence provided by our reports, you can evolve, prioritise and implement effective and continually updated security controls relevant to your organisation.

Streamlined Compliance

Comprehensive, insightful threat intelligence reports support audit preparations. Demonstrate a proactive approach to cybersecurity and achieve and maintain compliance more easily.

Testimonials 
& 
Partnerships

“Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.

Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”

Partnership

We 
are 
partnered 
with 
DISARM 
Foundation.

Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.

This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.

Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.


Empower. 
Defend. 
Prevail.

Newsletter
Stay in the loop with our latest updates, exclusive offers, and content by subscribing to our newsletter.

© 2025 Arachne Digital, ALL RIGHTS RESERVED
Built by