Getting Started

Threat intelligence does not fail because of a lack of data. It fails because turning reports into actionable intelligence does not scale.

Every week, analysts read dozens of threat reports, extract IOCs, map behaviors to frameworks, and manually reconstruct context that should already be machine-readable. Most of the analytical value is lost somewhere between the PDF and the detection rule.

TI Mindmap HUB is an open, research-driven platform designed to close that gap. It applies AI to transform raw OSINT cyber threat reports into visual threat models, structured STIX 2.1 intelligence, and reusable outputs for real security workflows — without black boxes and without sacrificing analytical rigor.


The Problem

A typical threat intelligence workflow still looks like this:

  • Dozens of long-form reports read manually every week
  • Indicators of Compromise scattered across PDFs, blogs, and advisories
  • Manual mapping to MITRE ATT&CK
  • Fragmented correlation across sources
  • High cognitive load and limited reuse

This process is slow, error-prone, and difficult to scale. Even when automation is introduced, it often relies on opaque models or shallow extraction that strips away analytical context.

The result is a paradox: more threat intelligence is produced, but less of it becomes operational.


What TI Mindmap HUB Does

The platform continuously monitors curated OSINT sources — security vendor blogs, government advisories, and research publications. When a new report is detected, it is automatically processed through a multi-stage AI pipeline that produces:

  1. Interactive mindmaps — visual threat models representing threat actors, campaigns, malware, TTPs, IOCs, and targeted sectors as a connected graph
  2. Technical summaries — concise overviews of the original report
  3. IOC extraction — normalized Indicators of Compromise (IPs, domains, hashes, emails) with attribution and context
  4. CVE intelligence — extracted and enriched vulnerability identifiers with cross-report correlation
  5. MITRE ATT&CK mapping — behavioral TTP mapping based on report content, not keyword matching
  6. STIX 2.1 bundles — standardized packages with semantic relationship graphs for SIEM/SOAR/TIP integration
  7. Weekly briefings — trend-focused summaries generated by a multi-agent AI system processing 50–60 reports per week

For details on how the pipeline works, see Processing Methodology.


Supported Input Types

The platform ingests content from:

  • Security vendor blogs (e.g., Mandiant, CrowdStrike, Recorded Future)
  • Government advisories (e.g., CISA, NCSC)
  • Security research publications
  • Industry reports
  • User-submitted URLs (via the MCP submit_article tool or the web interface)

A Research-First Philosophy

TI Mindmap HUB is an independent research project. It is not a commercial threat intelligence platform and is not affiliated with any vendor, organization, or employer.

Its design is guided by non-negotiable principles:

  • Transparency — Analytical decisions must be explainable
  • Structured output — Intelligence must be reusable beyond the UI
  • Human-in-the-loop — AI supports analysis; it does not replace judgment
  • Open research — Methods, findings, and limitations are shared openly

The project benefits from early academic collaboration and is designed to support further research into AI-assisted threat intelligence workflows.


Constraints and Known Limitations

All outputs are AI-generated and require human verification before operational use:

  • Hallucinations — LLMs may fabricate IOCs or misattribute threat actors
  • False positives — Automated extraction may include benign indicators
  • Context loss — Nuanced context from original reports may not be fully captured
  • Training cutoff — Very recent threats may not be recognized

For a comprehensive list, see Known Limitations.

Verify Before Acting

Never use platform outputs for critical security decisions without independent verification against original sources.
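As an added example (not code from the platform or its documentation), the check below consumes a constructed STIX 2.1 bundle of the kind listed under What TI Mindmap HUB Does, pulls each indicator value out of its STIX pattern together with its "indicates" relationship, and flags the false-positive classes named above (non-routable or documentation-range addresses, example domains, indicators with no attribution context) for analyst review before anything is pushed to a SIEM. The bundle contents, the allow-list and the helper names are assumptions; only single-comparison patterns are parsed, and anything else is handed back unparsed.

```python
import ipaddress
import json
import re
# Constructed STIX 2.1 bundle standing in for a platform export; every id and value is made up.
SAMPLE_BUNDLE = """{"type": "bundle", "id": "bundle--0a1b2c3d-0000-4000-8000-000000000000", "objects": [
 {"type": "malware", "spec_version": "2.1", "id": "malware--0a1b2c3d-0000-4000-8000-0000000000aa",
  "name": "SampleLoader", "is_family": true},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--0a1b2c3d-0000-4000-8000-000000000001",
  "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.sampleloader.test']"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.5']"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--0a1b2c3d-0000-4000-8000-000000000003",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '10.0.0.7']"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--0a1b2c3d-0000-4000-8000-000000000004",
  "pattern_type": "stix", "pattern": "[domain-name:value = 'example.com']"},
 {"type": "relationship", "spec_version": "2.1", "id": "relationship--0a1b2c3d-0000-4000-8000-000000000005",
  "relationship_type": "indicates", "source_ref": "indicator--0a1b2c3d-0000-4000-8000-000000000001",
  "target_ref": "malware--0a1b2c3d-0000-4000-8000-0000000000aa"}
]}"""

# Single-comparison STIX patterns only; composite patterns come back as 'unparsed' for an analyst.
PATTERN = re.compile(r"\[(ipv4-addr|domain-name|email-addr):value\s*=\s*'([^']+)'\]")
BENIGN_DOMAINS = {"example.com", "example.net", "example.org", "localhost"}  # assumed allow-list

def extract_iocs(bundle_json):
    """Return one dict per indicator: id, type, value and the names of objects it 'indicates'."""
    bundle = json.loads(bundle_json)
    by_id = {o["id"]: o for o in bundle["objects"]}
    indicates = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            indicates.setdefault(o["source_ref"], []).append(by_id[o["target_ref"]]["name"])
    iocs = []
    for o in (x for x in bundle["objects"] if x["type"] == "indicator"):
        m = PATTERN.fullmatch(o["pattern"])  # None for composite or unsupported patterns
        iocs.append({"id": o["id"], "type": m.group(1) if m else "unparsed",
                     "value": m.group(2) if m else o["pattern"], "indicates": indicates.get(o["id"], [])})
    return iocs

def review_flags(ioc):
    """Reasons an AI-extracted indicator should be checked against the source before deployment."""
    flags = []
    if ioc["type"] == "ipv4-addr" and not ipaddress.ip_address(ioc["value"]).is_global:
        flags.append("non-global address (private, loopback or documentation range)")
    if ioc["type"] == "domain-name" and ioc["value"].lower() in BENIGN_DOMAINS:
        flags.append("well-known example/benign domain")
    if not ioc["indicates"]:
        flags.append("no 'indicates' relationship; attribution context missing")
    return flags
```

In the sample, only the domain that is both routable and tied to a malware object comes back with no flags; the 203.0.113.0/24 address is exactly the kind of sanitised value a report uses in examples and an LLM may lift as a real IOC.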


Accessing the Platform

Web Interface

Visit ti-mindmap-hub.com to browse reports, view analyses, and download STIX bundles.

MCP Integration

Connect your AI assistant (VS Code + GitHub Copilot, Claude, Microsoft Copilot Studio) to query threat intelligence data directly from your working environment. See the MCP section.

API

STIX bundles and report content can be retrieved programmatically. Authentication requires an API key obtained from your account settings.


Next Steps

  • Concepts — Understand the processing pipeline and data model
  • Outputs — Explore each output type in detail
  • MCP — Integrate with AI assistants and build agents
  • Integrations — Connect to STIX platforms and security tools
  • Tutorials — Walk through common workflows