
Getting Started

TI Mindmap HUB processes publicly available threat intelligence reports and transforms them into structured, machine-readable outputs. This page explains what the platform does, what it produces, and how to use it.


What It Does

The platform continuously monitors curated OSINT (Open-Source Intelligence) sources — security vendor blogs, government advisories, and research publications. When a new report is detected, it is automatically processed through a multi-stage AI pipeline that produces:

  1. Technical summaries — concise overviews of the original report
  2. Visual mindmaps — Mermaid-format diagrams of key relationships
  3. IOC lists — extracted Indicators of Compromise (IPs, domains, hashes, CVEs, emails)
  4. TTP tables — MITRE ATT&CK technique mappings
  5. STIX 2.1 bundles — standardized packages for SIEM/SOAR/TIP integration
  6. Weekly briefings — trend-focused summaries generated by a multi-agent AI system

For details on how the pipeline works, see Processing Methodology.


Supported Input Types

The platform ingests content from:

  • Security vendor blogs (e.g., Mandiant, CrowdStrike, Recorded Future)
  • Government advisories (e.g., CISA, NCSC)
  • Security research publications
  • Industry reports
  • User-submitted URLs (via the MCP submit_article tool or the web interface)

What Outputs Look Like

IOC Extraction

Extracted indicators are returned as structured JSON. Example types:

IOC Type    Example
IPv4        198.51.100.42
Domain      malicious-example-domain.com
SHA-256     a1b2c3d4e5f6...
CVE         CVE-2024-12345

STIX 2.1 Bundle

Each report generates a STIX 2.1 bundle containing SDOs (threat actors, malware, indicators, attack patterns, vulnerabilities) and SROs (relationships). See the example bundle for a complete sample.

Weekly Briefing

A weekly briefing includes: executive summary, top TTPs observed, most targeted sectors, emerging threats, and deep dives into notable campaigns.


Constraints and Known Limitations

All outputs are AI-generated and require human verification before operational use:

  • Hallucinations — LLMs may fabricate IOCs or misattribute threat actors
  • False positives — Automated extraction may include benign indicators
  • Context loss — Nuanced context from original reports may not be fully captured
  • Training cutoff — Very recent threats may not be recognized

For a comprehensive list, see Known Limitations.

Verify Before Acting

Never use platform outputs for critical security decisions without independent verification against original sources.
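
A first-pass triage of a STIX 2.1 bundle against the original report text, shown as an added example (not TI Mindmap HUB code). The function names, the sample bundle and the source excerpt are constructed for illustration, and only single-comparison STIX patterns are parsed; anything else is routed to manual review.

```python
import ipaddress
import json
import re

# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '198.51.100.42'].
PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

# Constructed sample data (not platform output): source excerpt plus a minimal bundle.
SOURCE = "The loader beacons to malicious-example-domain[.]com over HTTPS."
PATTERNS = ["[domain-name:value = 'malicious-example-domain.com']",
            "[ipv4-addr:value = '198.51.100.42']",
            "[file:hashes.'SHA-256' = 'a1b2c3d4e5f6']",
            "[domain-name:value = 'cdn-sync-update.example']"]
BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": f"indicator--{i}", "pattern_type": "stix", "pattern": p}
    for i, p in enumerate(PATTERNS)]})


def sanity_check(obj_type, prop, value):
    """Return a reason if the value is structurally implausible, else None."""
    if obj_type == "ipv4-addr":
        try:
            if not ipaddress.ip_address(value).is_global:
                return "non-global or documentation address"
        except ValueError:
            return "not a valid IP address"
    if obj_type == "file" and "SHA-256" in prop:
        if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
            return "not a 64-hex-digit SHA-256"
    return None


def triage_bundle(bundle_json, source_text):
    """Map each indicator id to a verdict an analyst can act on."""
    haystack = source_text.replace("[.]", ".").replace("hxxp", "http").lower()  # refang
    verdicts = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            verdicts[obj["id"]] = "manual review: compound pattern"
        elif (reason := sanity_check(*m.groups())):
            verdicts[obj["id"]] = "reject: " + reason
        elif m.group(3).lower() not in haystack:
            verdicts[obj["id"]] = "suspect: not found in source report"
        else:
            verdicts[obj["id"]] = "in source: analyst confirms context"
    return verdicts
```

An "in source" verdict only confirms that the value appears in the report; whether the report lists it as malicious or as a benign reference still needs an analyst's reading.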


Accessing the Platform

Web Interface

Visit ti-mindmap-hub.com to browse reports, view analyses, and download STIX bundles.

MCP Integration

Connect your AI assistant (VS Code + GitHub Copilot, Claude Desktop) to query threat intelligence data directly. See the MCP Integration guide.

API

STIX bundles and report content can be retrieved programmatically. Authentication requires an API key obtained from your account settings.


Next Steps

  • Concepts — Understand the processing pipeline and data model
  • Outputs — Explore each output type in detail
  • Integrations — Connect to your existing tools
  • Tutorials — Walk through common workflows