Releases: anpa1200/threatmapper

ThreatMapper v2.0.0

16 Jun 15:39

ThreatMapper v2.0.0 Release Notes

Release date: 2026-06-16

ThreatMapper v2.0.0 moves the project from an ATT&CK mapping workbench toward a
tool that fits into a wider CTI ecosystem. The release focuses on self-hosted AI
analysis with locally run LLMs, OpenCTI-compatible STIX 2.1 export, DFIR example
workflows, enriched threat-actor context, and documentation written for external
reviewers.

Major Changes

  • Local LLM provider support for OpenAI-compatible endpoints.
  • STIX 2.1 export for OpenCTI import from completed analysis sessions.
  • DFIR Examples page with indexed public report metadata and TTP/actor mapping.
  • Reference Sync page and API for MITRE ATT&CK synchronization status.
  • Enriched ATT&CK Group Library with tactic/platform coverage, aliases, external
    references, technique evidence, and source context.
  • Cached ATT&CK bundle fallback for more reliable startup and sync behavior.
  • Demo video, GIF, and poster showing the end-to-end workflow: DFIR report in,
    AI analysis, then comparison against the ATT&CK Group Library.
  • Full v2 guide covering deployment, every page, APIs, exports, and validation
    rules.

OpenCTI / STIX Export

Completed analyses can now be exported from:

GET /api/export/analysis/{session_id}/stix

The generated STIX 2.1 bundle contains:

  • report for the ThreatMapper analysis session
  • attack-pattern objects for extracted ATT&CK techniques
  • optional intrusion-set objects for group-similarity leads
  • x_threatmapper_* metadata for confidence, review status, provider, model,
    domain, similarity score, and evidence source

This export is not IOC-centric: it carries techniques and group-similarity leads,
not indicators. Similarity leads are investigation leads based on TTP overlap and
are not attribution claims.
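A pre-import sanity check for the exported bundle, as an added example and not
ThreatMapper's own code. It loads the bundle (the fetch helper uses the endpoint
documented above) and confirms that it is a STIX 2.1 bundle whose object ids match
their types, that the report's object_refs all resolve inside the bundle, that
every attack-pattern carries a mitre-attack external reference with a T#### id,
that analysis metadata sits only in x_threatmapper_* properties, and that every
intrusion-set lead carries a similarity score in the 0..1 range. The sample bundle,
the concrete property names (x_threatmapper_similarity_score and the others) and
the bearer-token header are assumptions made for the example.

```python
"""Offline check of a ThreatMapper STIX 2.1 export before importing it into OpenCTI.

Added example, not ThreatMapper's own code. The sample bundle is constructed to
match the release notes (one report, attack-pattern objects, optional intrusion-set
leads, x_threatmapper_* metadata); the exact custom property names are assumptions.
"""
import json
import re
import urllib.request

UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ID_RE = re.compile(rf"^([a-z][a-z0-9-]*)--{UUID_RE}$")
ATTACK_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
CUSTOM_PREFIX = "x_threatmapper_"

# STIX 2.1 common properties plus the type-specific ones this check needs to know.
STIX_COMMON = {"type", "spec_version", "id", "created", "modified", "created_by_ref",
               "revoked", "labels", "confidence", "lang", "external_references",
               "object_marking_refs", "granular_markings", "extensions"}
TYPE_PROPS = {
    "report": {"name", "description", "report_types", "published", "object_refs"},
    "attack-pattern": {"name", "description", "aliases", "kill_chain_phases"},
    "intrusion-set": {"name", "description", "aliases", "first_seen", "last_seen",
                      "goals", "resource_level", "primary_motivation"},
}


def fetch_bundle(base_url, session_id, token=None):
    """Download the export via the documented endpoint (network; not used by the offline check)."""
    req = urllib.request.Request(f"{base_url}/api/export/analysis/{session_id}/stix")
    if token:  # assumed auth scheme for the example; adapt to the deployment
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle passed every check."""
    issues = []
    if bundle.get("type") != "bundle" or not re.match(rf"^bundle--{UUID_RE}$", bundle.get("id", "")):
        issues.append("top level is not a STIX bundle with a bundle--<uuid> id")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        oid = obj.get("id", "<no id>")
        m = ID_RE.match(oid)
        if not m or m.group(1) != obj.get("type"):
            issues.append(f"{oid}: id does not match object type {obj.get('type')!r}")
            continue
        if obj.get("spec_version") != "2.1":
            issues.append(f"{oid}: spec_version must be '2.1' for OpenCTI import")
        for prop in ("created", "modified"):
            if prop not in obj:
                issues.append(f"{oid}: missing required property {prop}")
        known = STIX_COMMON | TYPE_PROPS.get(obj["type"], set())
        for prop in obj:  # analysis metadata must live in x_threatmapper_* properties only
            if prop not in known and not prop.startswith(CUSTOM_PREFIX):
                issues.append(f"{oid}: unexpected property {prop!r} (custom data must use {CUSTOM_PREFIX}*)")
    reports = [o for o in objects if o.get("type") == "report"]
    if len(reports) != 1:
        issues.append(f"expected exactly one report object, found {len(reports)}")
    for rep in reports:  # the session report must only reference objects shipped in the bundle
        for ref in rep.get("object_refs", []):
            if ref not in ids:
                issues.append(f"{rep['id']}: object_refs points at {ref}, which is not in the bundle")
    for ap in (o for o in objects if o.get("type") == "attack-pattern"):
        ext_ids = [r.get("external_id") for r in ap.get("external_references", [])
                   if r.get("source_name") == "mitre-attack"]
        if not ext_ids or not all(ATTACK_ID_RE.match(e or "") for e in ext_ids):
            issues.append(f"{ap['id']}: no mitre-attack external reference with a T#### technique id")
    for lead in (o for o in objects if o.get("type") == "intrusion-set"):
        score = lead.get("x_threatmapper_similarity_score")  # assumed property name
        if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
            issues.append(f"{lead['id']}: similarity lead lacks a 0..1 similarity score")
    return issues


TS = "2026-06-16T12:00:00.000Z"
SAMPLE_BUNDLE = {  # constructed sample shaped like the documented export, not real data
    "type": "bundle",
    "id": "bundle--6c2e0c7a-8b8e-4f3f-9d0a-1f2b3c4d5e6f",
    "objects": [
        {"type": "report", "spec_version": "2.1", "id": "report--0f1e2d3c-4b5a-4697-8899-aabbccddeeff",
         "created": TS, "modified": TS, "name": "ThreatMapper analysis session 42",
         "report_types": ["threat-report"], "published": TS,
         "object_refs": ["attack-pattern--11111111-2222-4333-8444-555555555555",
                         "intrusion-set--66666666-7777-4888-9999-000000000000"],
         "x_threatmapper_review_status": "reviewed", "x_threatmapper_provider": "openai-compatible",
         "x_threatmapper_model": "local-llm", "x_threatmapper_domain": "enterprise-attack"},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--11111111-2222-4333-8444-555555555555", "created": TS, "modified": TS,
         "name": "Command and Scripting Interpreter: PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
         "x_threatmapper_confidence": 0.82, "x_threatmapper_evidence_source": "analyst-confirmed"},
        {"type": "intrusion-set", "spec_version": "2.1",
         "id": "intrusion-set--66666666-7777-4888-9999-000000000000", "created": TS, "modified": TS,
         "name": "Example Group (placeholder)", "x_threatmapper_similarity_score": 0.61},
    ],
}


def corrupted_copy(bundle):
    """Deep copy of the bundle with three defects planted, to show what the checker catches."""
    broken = json.loads(json.dumps(bundle))
    report, pattern, lead = broken["objects"]
    del pattern["spec_version"]                                                     # not 2.1
    report["object_refs"].append("malware--9f9f9f9f-0000-4000-8000-000000000000")   # dangling ref
    lead["x_threatmapper_similarity_score"] = 1.7                                   # out of range
    return broken


if __name__ == "__main__":
    print("clean sample:", validate_bundle(SAMPLE_BUNDLE) or "OK")
    for issue in validate_bundle(corrupted_copy(SAMPLE_BUNDLE)):
        print("corrupted sample:", issue)
```

Run it against a real export by replacing SAMPLE_BUNDLE with
fetch_bundle("http://host:port", session_id) and refuse the import while
validate_bundle returns anything; a dangling object_refs entry or a lead without
a score is exactly what OpenCTI will either reject or silently strip.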

Verification

  • Backend tests: 76 passed
  • Frontend build: npm run build passed

Upgrade Notes

Use the normal Docker workflow. Note that cp .env.example .env replaces an
existing .env wholesale; on an existing deployment keep the current file and copy
in only the variables that are new in .env.example, so local secrets and settings
survive the upgrade:

git pull
cp .env.example .env
docker compose up -d --build

Existing development databases may need a rebuild if schema changes were tested
against older local volumes:

docker compose down -v
docker compose up -d --build

Only use the volume reset path when local data can be discarded: docker compose
down -v deletes the named volumes, including the database, with no backup.

Known Limitations

  • LLM output requires analyst review.
  • Group/campaign similarity is not attribution.
  • Public DFIR report examples are metadata-only; ThreatMapper does not mirror
    third-party report content.
  • STIX export uses custom x_threatmapper_* fields for analysis metadata. STIX
    2.1 consumers may ignore custom properties they do not understand, so that
    metadata is not guaranteed to survive a round trip through other tools.

ThreatMapper v0.9.0

15 Jun 17:41

ThreatMapper v0.9.0 Release Notes

Release date: 2026-06-15

Summary

ThreatMapper v0.9.0 is a maturity-evidence release for external review. It
keeps the project clearly pre-v1.0, but makes the repository easier to assess
for maintainers, CTI analysts, detection engineers, and curated security lists.

What Changed

  • Added a complete documentation package for quickstart, user workflow, admin
    operation, security model, limitations, comparisons, validation, and
    production readiness.
  • Added demo dataset and sample outputs for reviewer-safe evaluation.
  • Added GitHub issue templates, pull request template, maintainers file,
    contribution guide, and public roadmap.
  • Added CI workflow covering backend tests and frontend production build.
  • Documented analyst review-state and evidence-binding progress.
  • Replaced placeholder screenshot references with actual screenshot evidence.

Reviewer Evidence

  • README.md: maturity evidence table, screenshots, architecture, quickstart.
  • docs/quickstart.md: clean Docker evaluation path.
  • docs/demo-dataset/: public report excerpt and expected mappings.
  • docs/sample-outputs/: JSON, Navigator layer, CSV, and Markdown examples.
  • docs/validation/: evaluation plan and mapping review rubric.
  • docs/production-readiness.md: implemented gates and production blockers.

Verification

(cd backend && PYTHONPATH=. python -m pytest -q)
(cd frontend && npm run build)

Each command runs in a subshell so that both start from the repository root.

Expected backend test result for this release: 63 passed.

Known Limits

  • ThreatMapper is not an attribution engine; TTP overlap is an investigation
    lead only.
  • LLM-assisted mappings require analyst review.
  • The default Docker Compose deployment is for controlled environments, not an
    internet-facing SaaS deployment.
  • The project should wait for more release history and external usage evidence
    before strict curated-list resubmission.