Releases: anpa1200/adversarygraph

AdversaryGraph v2.2.0

18 Jun 05:43

AdversaryGraph v2.2.0 Release Notes

Release date: 2026-06-18

AdversaryGraph v2.2.0 is the operational troubleshooting and startup validation
release. It focuses on making Docker deployment failures visible, actionable,
and easy to recheck from inside the UI.

Major Changes

  • Added an internal troubleshooting page at /troubleshooting.
  • Added contextual troubleshooting links to API error and startup self-test
    popups.
  • Added a Recheck button to API error popups.
  • When recheck passes, the error popup turns green and shows "All correct."
  • Added /api/system/selftest for runtime validation of:
    • database connectivity
    • ATT&CK/ATLAS ingested versions and data counts
    • Redis connectivity
  • Added a Docker selftest service that can be run after docker compose up.
  • Improved matrix startup resilience with longer query retries.
  • Refreshed matrix, discover, and sync queries after self-test passes.

Troubleshooting Page

The new /troubleshooting page is served by the Docker frontend and includes:

  • self-test command
  • direct API health check
  • frontend proxy health check
  • ATT&CK tactic and technique count probes
  • service log commands
  • restart-without-data-loss command
  • common failure explanations
  • recovery order for startup and data-ingestion issues

Error popups link to this page with context parameters such as HTTP status,
request path, and message.

Recheck Workflow

When an API request fails, the global error popup now shows:

  • clear status and URL context
  • Recheck
  • Open troubleshooting

The Recheck action runs /api/system/selftest.

If all checks pass, the popup changes to a green success state:

All correct.

If checks fail, the popup remains red and displays the failed self-test details.

Verification

Validation performed for this release:

  • Frontend production build: npm run build passed.
  • Docker self-test: docker compose run --rm selftest passed.
  • /api/system/selftest returned ok.
  • /troubleshooting route was served by the Docker frontend.
  • Live Vite module served the updated Recheck and "All correct." logic.

Upgrade Notes

Pull the latest code and rebuild/restart:

git pull
docker compose up -d --build
docker compose run --rm selftest

Open:

http://localhost:3000/troubleshooting

Use this page when an API popup reports HTTP 500, connection reset, empty
matrix data, or startup validation failure.

AdversaryGraph v2.1.1

18 Jun 03:46

AdversaryGraph v2.1.1 Release Summary

AdversaryGraph v2.1.1 is the rename and deployment validation release.

The project is now published under the canonical AdversaryGraph name. The
release includes the complete v2.1 sector relevance and IOC intelligence feature
set, plus the repository/docs/site rename, legacy link compatibility, ecosystem
link updates, and a clean Docker deployment test from a fresh GitHub clone.

What Changed Since v2.1.0

  • Product name changed to AdversaryGraph across the application, docs,
    repository metadata, Docker defaults, release material, screenshots, and
    ecosystem links.
  • Main repository moved to:
    https://github.com/anpa1200/adversarygraph
  • Docs repository moved to:
    https://github.com/anpa1200/adversarygraph-docs
  • Old public URLs on 1200km.com now have compatibility redirects or retained
    legacy asset paths.
  • Connected 1200km ecosystem projects now link to the AdversaryGraph hub, docs,
    article, and repository.
  • Embedded ATLAS docs nginx fallback was fixed to prevent startup redirect-loop
    errors before the reference book build is written.

Feature Set In This Release

Sector Intelligence

  • Actor relevance ranking by sector, region, technology/environment, and
    activity window.
  • MISP Galaxy-backed evidence for sectors, origins, motivations, regions, and
    aliases.
  • Searchable A-Z multi-select filters.
  • Direct actions to actor profile, TTP information, IOC view, and Navigator
    overlay.

IOC Intelligence

  • ThreatFox sync.
  • AlienVault OTX actor pulse enrichment.
  • Custom/personal JSON, CSV, and TXT IOC feeds.
  • Manual IOC import.
  • Uploaded report IOC extraction.
  • Actor IOC tabs with counts, source evidence, confidence, freshness, and CSV
    export.
  • Centralized IOC sync controls in Reference Sync.

Core v2 Workflows

  • ATT&CK Enterprise, Mobile, ICS, and MITRE ATLAS sync.
  • AI-assisted ATT&CK/ATLAS mapping with analyst review.
  • Local LLM support via OpenAI-compatible endpoints.
  • Analysis session history with delete support.
  • Review status colors for suggested, accepted, rejected, and needs-evidence.
  • Group, campaign, report, and Navigator TTP comparison.
  • STIX 2.1 export for OpenCTI report/TTP workflows.
  • PDF and JSON analyst report export.

Verification

  • Main app CI: passed.
  • Frontend build: passed.
  • Backend tests: 97 passed.
  • Docs build: passed.
  • Website link check: passed.
  • Fresh clone Docker deployment: passed.
  • Runtime probes: API, frontend, and embedded ATLAS docs returned HTTP 200.

AdversaryGraph v2.1.0

17 Jun 11:53

AdversaryGraph v2.1.0 Release Summary

AdversaryGraph v2.1.0 is the sector relevance and IOC intelligence release.

The release keeps AdversaryGraph's core position as a self-hosted
CTI-to-detection workbench: reports are mapped to ATT&CK or ATLAS, analysts
review the evidence, and selected TTPs are compared against actor, campaign,
report, and Navigator views. v2.1 adds two daily-use CTI workflows on top of
that foundation.

What Changed

Sector Intelligence

Sector Intelligence ranks actors against a client context:

  • sector or industry
  • optional geography or region
  • technology/environment filters such as cloud, Kubernetes, Microsoft 365, VPN,
    OT, and other local keywords
  • activity window: quarter, year, or two years
  • ATT&CK technique depth and campaign recency
  • MISP Galaxy-backed evidence and references

The page explains why an actor was ranked and provides direct actions to open
actor information, TTPs, IOCs, and a Navigator overlay for relevant techniques.

IOC Intelligence

IOC Intelligence adds a local observable layer without turning AdversaryGraph into
a MISP replacement. IOCs are source-backed, actor-linked only when evidence
exists, and stored separately from ATT&CK data.

Supported inputs:

  • abuse.ch ThreatFox sync
  • AlienVault OTX actor pulse enrichment
  • custom/personal JSON, CSV, and TXT feeds
  • manual IOC import
  • uploaded report IOC extraction for PDF, DOCX, TXT, JSON, and CSV-style inputs

Actor profiles now include an IOCs tab with count, source, freshness,
confidence, evidence, and CSV export.

Reference Sync

Reference Sync now covers both framework/reference data and IOC feeds:

  • MITRE ATT&CK Enterprise, Mobile, ICS
  • MITRE ATLAS
  • ThreatFox
  • OTX enrichment
  • registered custom IOC feeds

Operator Notes

Optional IOC providers need local .env configuration:

THREATFOX_AUTH_KEY=
OTX_API_KEY=

Keep feed credentials out of commits and screenshots.

Verification

Release preparation verification:

  • Frontend production build: npm run build
  • Backend pytest suite: 97 passed

AdversaryGraph v2.0.0

16 Jun 15:39

ThreatMapper v2.0.0 Release Notes

Release date: 2026-06-16

ThreatMapper v2.0.0 turns the project from a mature ATT&CK mapping workbench
into a stronger CTI ecosystem tool. The release focuses on self-hosted AI
analysis, local LLM operation, OpenCTI-compatible STIX export, DFIR example
workflows, enriched actor context, and practical reviewer-facing documentation.

Major Changes

  • Local LLM provider support for OpenAI-compatible endpoints.
  • STIX 2.1 export for OpenCTI import from completed analysis sessions.
  • DFIR Examples page with indexed public report metadata and TTP/actor mapping.
  • Reference Sync page and API for MITRE ATT&CK synchronization status.
  • Enriched ATT&CK Group Library with tactic/platform coverage, aliases, external
    references, technique evidence, and source context.
  • Cached ATT&CK bundle fallback for more reliable startup and sync behavior.
  • Demo video, GIF, and poster for the DFIR report to AI analysis to comparison
    workflow.
  • Full v2 guide covering deployment, every page, APIs, exports, and validation
    rules.

OpenCTI / STIX Export

Completed analyses can now be exported from:

GET /api/export/analysis/{session_id}/stix

The generated STIX 2.1 bundle contains:

  • report for the ThreatMapper analysis session
  • attack-pattern objects for extracted ATT&CK techniques
  • optional intrusion-set objects for group-similarity leads
  • x_threatmapper_* metadata for confidence, review status, provider, model,
    domain, similarity score, and evidence source

This export is not IOC-centric. Similarity leads are investigation leads based
on TTP overlap and are not attribution claims.
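
A consumer-side sanity check for a bundle of the shape described above, written as an added example (not ThreatMapper's own export code): it constructs a sample bundle in that shape and verifies that the report references every attack-pattern and intrusion-set, that custom properties use the x_threatmapper_ prefix, and that every intrusion-set lead carries a similarity score so a downstream consumer can treat it as a lead rather than attribution. The exact property names (x_threatmapper_confidence, x_threatmapper_review_status, x_threatmapper_similarity_score) and the sample ids are assumptions.

```python
"""Consumer-side sanity check for a STIX 2.1 bundle in the shape described above."""
# Added example, not ThreatMapper's exporter. The property names
# x_threatmapper_confidence / x_threatmapper_similarity_score are assumptions.

AP_ID = "attack-pattern--11111111-1111-4111-8111-111111111111"   # constructed
IS_ID = "intrusion-set--22222222-2222-4222-8222-222222222222"    # constructed
RPT_ID = "report--33333333-3333-4333-8333-333333333333"          # constructed

# Constructed sample bundle: one report, one technique, one group-similarity lead.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--44444444-4444-4444-8444-444444444444",
    "objects": [
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP_ID,
         "name": "Constructed technique", "x_threatmapper_confidence": 0.82,
         "x_threatmapper_review_status": "accepted"},
        {"type": "intrusion-set", "spec_version": "2.1", "id": IS_ID,
         "name": "Constructed group lead", "x_threatmapper_similarity_score": 0.41},
        {"type": "report", "spec_version": "2.1", "id": RPT_ID,
         "name": "Analysis session 1", "published": "2026-06-16T00:00:00Z",
         "report_types": ["threat-report"], "object_refs": [AP_ID, IS_ID]},
    ],
}


def check_bundle(bundle: dict) -> list[str]:
    """Return a list of problems; an empty list means the bundle passes."""
    problems = []
    objs = bundle.get("objects", [])
    by_id = {o.get("id"): o for o in objs}
    reports = [o for o in objs if o.get("type") == "report"]
    if len(reports) != 1:
        problems.append(f"expected exactly one report, found {len(reports)}")
    refs = set(reports[0].get("object_refs", [])) if reports else set()
    for o in objs:
        oid = o.get("id", "<no id>")
        if o.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version must be 2.1")
        # Custom properties must carry the documented x_threatmapper_ prefix.
        for key in o:
            if key.startswith("x_") and not key.startswith("x_threatmapper_"):
                problems.append(f"{oid}: unexpected custom property {key}")
        if o.get("type") in ("attack-pattern", "intrusion-set") and oid not in refs:
            problems.append(f"{oid}: not referenced by the report")
        # A similarity lead must be scored so consumers treat it as a lead, not attribution.
        if o.get("type") == "intrusion-set" and "x_threatmapper_similarity_score" not in o:
            problems.append(f"{oid}: intrusion-set lead lacks similarity score")
    problems += [f"report references missing object {r}" for r in refs if r not in by_id]
    return problems
```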

Verification

  • Backend tests: 76 passed
  • Frontend build: npm run build passed

Upgrade Notes

Use the normal Docker workflow:

git pull
cp .env.example .env
docker compose up -d --build

Existing development databases may need a rebuild if schema changes were tested
against older local volumes:

docker compose down -v
docker compose up -d --build

Only use the volume reset path when local data can be discarded.

Known Limitations

  • LLM output requires analyst review.
  • Group/campaign similarity is not attribution.
  • Public DFIR report examples are metadata-only; ThreatMapper does not mirror
    third-party report content.
  • STIX export uses custom x_threatmapper_* fields for analysis metadata.

AdversaryGraph v0.9.0

15 Jun 17:41

ThreatMapper v0.9.0 Release Notes

Release date: 2026-06-15

Summary

ThreatMapper v0.9.0 is a maturity-evidence release for external review. It
keeps the project clearly pre-v1.0, but makes the repository easier to assess
for maintainers, CTI analysts, detection engineers, and curated security lists.

What Changed

  • Added a complete documentation package for quickstart, user workflow, admin
    operation, security model, limitations, comparisons, validation, and
    production readiness.
  • Added demo dataset and sample outputs for reviewer-safe evaluation.
  • Added GitHub issue templates, pull request template, maintainers file,
    contribution guide, and public roadmap.
  • Added CI workflow covering backend tests and frontend production build.
  • Documented analyst review-state and evidence-binding progress.
  • Replaced placeholder screenshot references with actual screenshot evidence.

Reviewer Evidence

  • README.md: maturity evidence table, screenshots, architecture, quickstart.
  • docs/quickstart.md: clean Docker evaluation path.
  • docs/demo-dataset/: public report excerpt and expected mappings.
  • docs/sample-outputs/: JSON, Navigator layer, CSV, and Markdown examples.
  • docs/validation/: evaluation plan and mapping review rubric.
  • docs/production-readiness.md: implemented gates and production blockers.

Verification

cd backend && PYTHONPATH=. python -m pytest -q
cd frontend && npm run build

Expected backend test result for this release: 63 passed.

Known Limits

  • ThreatMapper is not an attribution engine; TTP overlap is an investigation
    lead only.
  • LLM-assisted mappings require analyst review.
  • The default Docker Compose deployment is for controlled environments, not an
    internet-facing SaaS deployment.
  • The project should wait for more release history and external usage evidence
    before strict curated-list resubmission.