ThreatMapper v2.0.0

@anpa1200 released this 16 Jun 15:39 · 8 commits to main since this release

ThreatMapper v2.0.0 Release Notes

Release date: 2026-06-16

ThreatMapper v2.0.0 turns the project from a mature ATT&CK mapping workbench
into a stronger CTI ecosystem tool. The release focuses on self-hosted AI
analysis, local LLM operation, OpenCTI-compatible STIX export, DFIR example
workflows, enriched actor context, and practical reviewer-facing documentation.

Major Changes

  • Local LLM provider support for OpenAI-compatible endpoints.
  • STIX 2.1 export for OpenCTI import from completed analysis sessions.
  • DFIR Examples page with indexed public report metadata and TTP/actor mapping.
  • Reference Sync page and API for MITRE ATT&CK synchronization status.
  • Enriched ATT&CK Group Library with tactic/platform coverage, aliases, external
    references, technique evidence, and source context.
  • Cached ATT&CK bundle fallback for more reliable startup and sync behavior.
  • Demo video, GIF, and poster for the workflow from DFIR report to AI analysis
    to comparison.
  • Full v2 guide covering deployment, every page, APIs, exports, and validation
    rules.

OpenCTI / STIX Export

Completed analyses can now be exported from:

GET /api/export/analysis/{session_id}/stix

The generated STIX 2.1 bundle contains:

  • a report object for the ThreatMapper analysis session
  • attack-pattern objects for extracted ATT&CK techniques
  • optional intrusion-set objects for group-similarity leads
  • x_threatmapper_* metadata for confidence, review status, provider, model,
    domain, similarity score, and evidence source

This export is not IOC-centric. Similarity leads are investigation leads based
on TTP overlap and are not attribution claims.
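As an added example (not ThreatMapper's own code), a pre-import check for a bundle fetched from the endpoint above: it verifies the shape the release notes describe (a bundle holding report, attack-pattern and optional intrusion-set objects, x_threatmapper_* custom properties, report object_refs that resolve inside the bundle) and lists the intrusion-set leads so they are reviewed as leads rather than imported as attribution. The sample bundle is constructed, and the property names after the x_threatmapper_ prefix are assumptions, not the real export schema.

```python
import json
import re

STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
UUID = "3f4a9c1e-0000-4000-8000-0000000000"  # constructed, suffixed per object

# Constructed sample in the shape the release notes describe; the property
# names after the x_threatmapper_ prefix are assumptions, not the real schema.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": f"bundle--{UUID}01",
    "objects": [
        {"type": "attack-pattern", "spec_version": "2.1", "id": f"attack-pattern--{UUID}a1",
         "name": "Constructed technique", "x_threatmapper_confidence": 0.91,
         "x_threatmapper_review_status": "reviewed"},
        {"type": "intrusion-set", "spec_version": "2.1", "id": f"intrusion-set--{UUID}b1",
         "name": "Constructed group lead", "x_threatmapper_similarity_score": 0.62},
        {"type": "report", "spec_version": "2.1", "id": f"report--{UUID}c1",
         "name": "ThreatMapper analysis session",
         "object_refs": [f"attack-pattern--{UUID}a1", f"intrusion-set--{UUID}b1",
                         f"attack-pattern--{UUID}ff"]},  # last ref is deliberately dangling
    ],
})

def check_bundle(raw: str) -> dict:
    """Return structural problems plus the similarity leads (leads, not attribution)."""
    bundle = json.loads(raw)
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    problems, leads = [], []
    if bundle.get("type") != "bundle":
        problems.append("top-level type is not 'bundle'")
    for obj in objects:
        oid, otype = obj.get("id", ""), obj.get("type", "")
        if not STIX_ID.match(oid) or not oid.startswith(otype + "--"):
            problems.append(f"malformed id {oid!r}")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version is not 2.1")
        # Custom properties must use the x_ prefix; this export uses x_threatmapper_.
        for key in obj:
            if key.startswith("x_") and not key.startswith("x_threatmapper_"):
                problems.append(f"{oid}: unexpected custom property {key}")
        # Every object_ref in the report must resolve to an object in the bundle.
        for ref in obj.get("object_refs", []):
            if ref not in ids:
                problems.append(f"{oid}: dangling object_ref {ref}")
        # intrusion-set objects are TTP-overlap leads; surface the score for review.
        if otype == "intrusion-set":
            leads.append((obj.get("name"), obj.get("x_threatmapper_similarity_score")))
    return {"problems": problems, "leads": leads}
```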

Verification

  • Backend tests: 76 passed
  • Frontend build: npm run build passed

Upgrade Notes

Use the normal Docker workflow:

git pull
cp .env.example .env
docker compose up -d --build

Existing development databases may need a rebuild if schema changes were tested
against older local volumes:

docker compose down -v
docker compose up -d --build

Only use the volume reset path when local data can be discarded.

Known Limitations

  • LLM output requires analyst review.
  • Group/campaign similarity is not attribution.
  • Public DFIR report examples are metadata-only; ThreatMapper does not mirror
    third-party report content.
  • STIX export uses custom x_threatmapper_* fields for analysis metadata.