Mapping Threats with Thread: A Practical Guide to Unlocking Insight with MITRE ATT&CK®

Thread helps you:

• Identify tactics, techniques, and procedures (TTPs) in free-text reports
• Map them to MITRE ATT&CK with high accuracy
• Tag threat actors, industries, geographies, and indicators of compromise (IOCs)
• Export reports to your own system or database

You can apply structured intelligence to use cases like:

• Threat informed defense
• Adversary emulation
• Detection engineering
• Threat hunting
• SOC triage and enrichment

The key advantage: it saves time and produces actionable output that works across multiple teams.

Access the App

You can use the hosted version of Thread at:

🔗 https://app.arachne.digital/thread

Alternatively, you can clone the GitHub repository and run it locally.

Ingest a Report

Start on the homepage and paste the URL of a threat intelligence report, blog post, or article you want to analyse.

• Thread will automatically scrape the page’s text content.
• It cleans and formats the text for analysis.

✅ Pro Tip: You can also upload plain text manually if the site doesn’t scrape properly.

Highlight and Map TTPs

Once the report is ingested, Thread highlights suggested sentences that contain potential TTPs.

• You can select these suggestions or manually highlight other sentences.
• Click “Add TTP” and choose the appropriate technique from the MITRE ATT&CK matrix.
• You can also add tactics, sub-techniques, and any relevant metadata.

This step helps Thread learn. The more feedback it gets, the better its suggestions become.

Tag Metadata

You can tag the following key elements:

• Threat Actor: Choose from a dropdown of known actors (populated via Arachne Digital’s open-source Spindle project).
• Country Attribution: Tag the country (if known) that the actor is affiliated with.
• Industries Impacted: Select which industries the attack targeted.
• Geographies Impacted: Indicate where the victims were located.
• IOCs: Paste or tag indicators of compromise (hashes, IPs, domains, etc.).

✅ These tags are optional but recommended. They make the data more powerful when integrated into threat intelligence platforms.

Set Dates

• First Seen Date and Last Seen Date can be set based on what the report says.
• These are useful for understanding the timing and duration of a threat campaign.

🕒 If no dates are available in the report, you can use the published date.

Generate Report

Once you’re done:

• Click “Generate Report” to view a structured output.
• This includes all tagged TTPs, actors, metadata, and timestamps.

The report can be viewed as a PDF or can be downloaded as JSON. If you run Thread locally, you can also build your own threat intelligence database.

Thread isn’t just a tool. It’s a gateway to more intelligent cybersecurity.

Mapping threats to ATT&CK gives you a framework for answering key questions:

• What techniques are trending?
• Which threat actors are using them?
• Are we covered in our detections and mitigations?
• How can we simulate these attacks for purple team exercises?

As Thread evolves, it will also support additional frameworks like:

• MITRE ATT&CK for Mobile
• MITRE ATT&CK for ICS
• MITRE ATLAS (AI threats)
• DISARM (Disinformation tactics)

This will unlock even broader applications, from analysing botnets targeting phones, to evaluating threats to AI systems, to countering online influence operations.

Cybersecurity professionals need tools that make intelligence usable, not just readable. Thread does exactly that, turning reports into structured insights that can drive better decisions across security operations.

Whether you’re leading a threat-informed defense program, building adversary emulation scenarios, or just trying to make sense of the noise, Thread is built to help.

Start using it today at https://app.arachne.digital/thread, or contribute on GitHub to shape its future.