Threat Spectrograph
Analyze adversary operations through the Cyber Kill Chain with Diamond Model intelligence and MITRE ATT&CK technique mapping at each phase.
Three Frameworks, One Workflow
This tool integrates three foundational cyber threat intelligence (CTI) frameworks into a single analytical workflow, following the approach used by Cisco Talos, DFIR Report, and Kraven Security:
Cyber Kill Chain (Lockheed Martin) — 7 phases from Reconnaissance through Actions on Objectives structure the investigation timeline. Each phase represents a stage of adversary operations.
Diamond Model (Caltagirone, Pendergast, Betz) — At each Kill Chain phase, a diamond captures four facets: Adversary (who), Infrastructure (how/where), Capability (what tools), and Victim (who was targeted).
MITRE ATT&CK (Enterprise Matrix) — ATT&CK techniques feed into the Capability facet of each diamond. The 14 ATT&CK tactics are mapped to Kill Chain phases, with suggested techniques shown by default and all 14 tactics available via toggle.
How to use this tool
Simple example: Create a new investigation, expand the "Delivery" phase (KC3), click "Select ATT&CK Techniques" in the Capability facet, search for T1566 (Phishing), then fill in the other diamond facets — e.g., Adversary Name: "Unknown", Infrastructure: "Compromised email account".
Complex example: Work through all 7 Kill Chain phases, filling in diamond facets and selecting ATT&CK techniques where you have evidence. Add analyst notes per phase for narrative context. Use custom capability fields for malware names, CVEs, or IOCs. Export as JSON for sharing with your team.
Comparing investigations: Click Compare to select 2–3 investigations for cross-intrusion analysis. The picker highlights which investigations share IOC-level indicators (ATT&CK technique overlaps are excluded by default). After comparing, use the overlap matrix and filters to identify shared infrastructure, capabilities, and adversary patterns across cases.
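The overlap logic described above, as an added example that is not Threat Spectrograph's own code. It assumes an investigation shape the page does not spell out: phases keyed KC1 through KC7, each holding diamond facets, with ATT&CK technique IDs under capability.techniques and custom capability fields (malware names, CVEs, hashes) under capability.custom. The three sample investigations are constructed here (documentation IP ranges, .invalid domains, a placeholder CVE id); Case A's KC3 phase mirrors the simple example given earlier on this page.

```javascript
// Added example, not from the Threat Spectrograph project. Investigation shape
// (phases keyed KC1..KC7 with diamond facets) is an assumption.
const TECHNIQUE_ID = /^T\d{4}(\.\d{3})?$/; // ATT&CK technique / sub-technique id

// Constructed sample data (not real cases). 198.51.100.x / 203.0.113.x /
// 192.0.2.x are documentation ranges; CVE-0000-0001 is a placeholder.
const SAMPLE_INVESTIGATIONS = [
  { name: 'Case A', phases: {
      KC3: { adversary: 'Unknown', victim: 'Finance team',
             infrastructure: ['198.51.100.7', 'Mail.Example.invalid'],
             capability: { techniques: ['T1566'], custom: ['CVE-0000-0001'] } },
      KC6: { infrastructure: ['203.0.113.5'],
             capability: { techniques: ['T1071.001'], custom: [] } } } },
  { name: 'Case B', phases: {
      KC3: { infrastructure: ['198.51.100.7', 'mail.example.invalid'],
             capability: { techniques: ['T1566.001'], custom: ['CVE-0000-0001'] } },
      KC6: { infrastructure: ['203.0.113.9'],
             capability: { techniques: ['T1071.001'], custom: [] } } } },
  { name: 'Case C', phases: {
      KC3: { infrastructure: ['192.0.2.44'],
             capability: { techniques: ['T1566'], custom: ['ExampleRAT'] } },
      KC6: { infrastructure: [],
             capability: { techniques: ['T1071.001'], custom: [] } } } },
];

// Flatten one investigation into a set of facet-tagged indicator strings.
// Infrastructure values are normalised (trim + lowercase) so 'Mail.Example.invalid'
// and 'mail.example.invalid' match. ATT&CK technique ids are only included when
// the caller asks for them, matching the tool's default of excluding technique overlap.
function collectIndicators(investigation, { includeTechniques = false } = {}) {
  const out = new Set();
  for (const phase of Object.values(investigation.phases)) {
    for (const v of phase.infrastructure ?? []) out.add('infra:' + String(v).trim().toLowerCase());
    for (const v of phase.capability?.custom ?? []) out.add('cap:' + String(v).trim());
    if (includeTechniques) {
      for (const t of phase.capability?.techniques ?? []) {
        if (TECHNIQUE_ID.test(t)) out.add('tech:' + t);
      }
    }
  }
  return out;
}

// Pairwise overlap matrix for a 2-3 investigation comparison. Keys are
// 'NameA|NameB'; values are the sorted shared indicators.
function overlapMatrix(investigations, opts) {
  if (investigations.length < 2 || investigations.length > 3) {
    throw new RangeError('Compare 2-3 investigations');
  }
  const sets = investigations.map((inv) => collectIndicators(inv, opts));
  const matrix = {};
  for (let a = 0; a < investigations.length; a++) {
    for (let b = a + 1; b < investigations.length; b++) {
      const shared = [...sets[a]].filter((x) => sets[b].has(x)).sort();
      matrix[`${investigations[a].name}|${investigations[b].name}`] = shared;
    }
  }
  return matrix;
}

// Keep only one facet ('infra', 'cap' or 'tech') of an overlap matrix.
function filterOverlaps(matrix, facet) {
  const prefix = facet + ':';
  return Object.fromEntries(Object.entries(matrix)
    .map(([pair, shared]) => [pair, shared.filter((x) => x.startsWith(prefix))]));
}

// Picker highlight: names of investigations that share at least one IOC-level
// indicator with any other investigation (technique overlap never counts here).
function highlightShared(investigations) {
  const sets = investigations.map((inv) => collectIndicators(inv));
  return investigations
    .filter((_, i) => sets.some((other, j) => j !== i && [...sets[i]].some((x) => other.has(x))))
    .map((inv) => inv.name);
}

console.log('picker highlight:', highlightShared(SAMPLE_INVESTIGATIONS));
console.log('IOC-level overlap:', overlapMatrix(SAMPLE_INVESTIGATIONS));
console.log('with techniques:', overlapMatrix(SAMPLE_INVESTIGATIONS, { includeTechniques: true }));
```

With the sample data, Case A and Case B share two infrastructure indicators and one CVE, while Case C shares nothing but the Phishing and Web Protocols techniques, so it is not highlighted until technique overlap is switched on. That is the practical reason for the default: technique overlap alone is weak evidence of a shared adversary, since many unrelated intrusions use T1566 and T1071.001.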
Encryption & Sharing
This tool supports optional AES-256-GCM encryption for sensitive investigations using the Web Crypto API built into your browser. Here is how it works:
Encrypting in storage: Enable the "Encrypt with passphrase" toggle in the investigation manager and enter a passphrase. Your investigation's phase data (diamond model fields, ATT&CK selections, analyst notes) is encrypted with AES-256-GCM before being stored in your browser's IndexedDB. The passphrase is used to derive a 256-bit key via PBKDF2 with 600,000 iterations and a random salt. A new random IV is generated for each save. The passphrase itself is never stored.
Sharing encrypted exports: Click Export Encrypted to export your investigation as an encrypted .enc.json file. You will be prompted for a passphrase. Share the file with a colleague — they can import it using the Import button and will be prompted for the passphrase to decrypt it. The exported file contains only ciphertext; without the passphrase, the phase data is unreadable.
Plain exports: Click Export to download an unencrypted JSON file containing the full investigation in plain text. Use this for archival or when encryption is not needed.
Important: If you forget your passphrase, there is no recovery mechanism. The data is encrypted client-side and we have no access to your passphrase or data.