SCOUT is a unified, Obsidian-powered knowledge system designed to serve as the cockpit for Security Analysts working inside modern Cyber Security Operations Centers (SOCs).
Unlike flat note-taking tools like OneNote, SCOUT brings together:
- Atomic notetaking 🧩
- Artifact storage 📁
- Graph-based relationships 🔗
- Cross-entity navigation 🗺️
This enables analysts to think and work the way investigations unfold—through relationships, pivots, and interconnected context.
SCOUT is the parent framework for two integrated subsystems:
- CIPHER – Cyber Threat Intelligence
- ITID – Incident Type Identification Digits (taxonomy)
Together, they form a cohesive, durable, analyst-centric knowledge architecture.
SCOUT exists to:
- Provide analysts with a central cockpit for SOC activity
- Replace static note silos with relational knowledge structures
- Preserve operational knowledge as it accumulates
- Enable rapid pivoting between related entities
- Support consistent, structured documentation across the SOC
SCOUT is:
- A security analyst cockpit for SOC workflows
- A unified knowledge system for operational cyber activity
- A graph-enabled explorer of SOC entity relationships
- A repository for atomic notes and artifacts
- A structured environment for documenting:
  - Incidents
  - Alerts
  - Observations
  - Detections
  - Procedures
  - TTPs
  - Telemetry references
- An extensible Obsidian-based framework
- The overarching ecosystem for CIPHER and ITID
SCOUT is not:
- A SIEM
- A ticketing or case management system
- An automation or orchestration platform
- A detection engine
- Multi-tenant out of the box
SCOUT is built for:
- SOC Analysts
- Incident Responders
- Threat Hunters
- CTI Analysts
- Security Engineers needing structured documentation
Especially those transitioning away from tools like OneNote who require:
- Better structure
- Better relationships
- Better long-term retention
Problems SCOUT is designed to solve:
- Knowledge loss from flat, siloed tools
- Lack of pivot capability between related SOC data
- Tribal knowledge accumulation
- No atomic documentation model for SOC work
- No cockpit-style visibility into SOC activities
- No relational structure linking incidents → alerts → entities → artifacts
- Inconsistent analyst documentation
- Difficult onboarding due to scattered information
- Poor continuity across shifts and investigations
- Notes that cannot scale from individual to team
- Difficulty performing cross-entity analysis
SCOUT manages entities such as:
- Incidents
- Alerts
- Observations
- TTPs
- Assets & Users
- IOCs
- Vulnerabilities
- Procedures & Playbooks
- Detection analytics
- Investigation journals
- Telemetry references
- Knowledge references
Through CIPHER:
- Threat actors
- Malware
- Campaigns
CIPHER is a sub-module of SCOUT, fully dedicated to:
- Threat actor tracking
- Malware profiling
- Campaign analysis
- Intelligence-driven TTP mapping
SCOUT = operational breadth
CIPHER = adversary depth
ITID is the taxonomic backbone of the SCOUT ecosystem:
- Classifies incidents
- Normalizes SOC data
- Structures relationships across entities
Key features:
- Atomic note design
- Rich graph relationship mapping
- Unified artifact storage
- Template-driven workflows
- Obsidian plugin ecosystem support
- Integration with CIPHER and ITID subsystems
- Clean and extensible folder structure
Design principles:
- Everything is an entity
- Every entity is atomic
- Atomic entities form networks
- Analysts navigate via pivots, not folders
- Structure creates consistency
- Relationships create insight
Vault folder structure:
```text
01_Alerts/
02_Observations/
03_Response_Actions/
04_Incidents/
05_Playbooks/
06_Runbooks/
07_Procedures/
08_Artifacts/
09_Journals/
10_Meetings/
11_Service_Level_Agreements/
12_Metrics_Definitions/
13_Watchlists/
```
Core workflow:
1. Create an Entity – generate an atomic note
2. Capture Atomic Information – keep it scoped and precise
3. Attach Artifacts – logs, screenshots, configs, evidence
4. Link Relationships – incidents, alerts, IOCs, TTPs
5. Explore the Graph – visualize context
6. Build the Cockpit – SCOUT grows stronger with every note
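The workflow above, as an added example that is not part of SCOUT's own code: a small stdlib-only script that writes atomic entity notes with YAML-style frontmatter into SCOUT's numbered folders, links them with Obsidian `[[wikilinks]]`, then parses the vault back into a relationship graph so you can pivot from one entity to everything connected to it within a chosen number of hops. The folder names come from this README; the frontmatter keys (`type`, `itid`, `severity`), the sample incident/alert/observation/artifact names and the `PLACEHOLDER` ITID value are assumptions constructed for the demo.

```python
"""
Added example (not SCOUT's own code): model the SCOUT workflow with
plain files. Notes are atomic Markdown files with frontmatter and
[[wikilinks]]; the vault is parsed into an undirected graph for pivoting.
"""
import os
import re
import tempfile
from collections import defaultdict, deque

# Folder per entity type, matching SCOUT's numbered vault layout (README).
FOLDERS = {
    "alert": "01_Alerts",
    "observation": "02_Observations",
    "response_action": "03_Response_Actions",
    "incident": "04_Incidents",
    "artifact": "08_Artifacts",
}

# Captures the target of [[Target]], [[Target|alias]] and [[Target#heading]].
WIKILINK = re.compile(r"\[\[([^\]|#]+)(?:[|#][^\]]*)?\]\]")


def write_entity(vault, etype, name, body="", links=(), **fields):
    """Create one atomic note: frontmatter, body, and explicit relationship links."""
    folder = os.path.join(vault, FOLDERS[etype])
    os.makedirs(folder, exist_ok=True)
    front = ["---", f"type: {etype}"] + [f"{k}: {v}" for k, v in fields.items()] + ["---"]
    related = "".join(f"- [[{link}]]\n" for link in links)
    text = "\n".join(front) + f"\n# {name}\n\n{body}\n\n## Related\n{related}"
    path = os.path.join(folder, f"{name}.md")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def parse_note(path):
    """Return (name, frontmatter dict, set of wikilink targets) for one note."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    meta = {}
    m = re.match(r"---\n(.*?)\n---\n", text, re.S)
    if m:
        for line in m.group(1).splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                meta[key.strip()] = value.strip()
    name = os.path.splitext(os.path.basename(path))[0]
    return name, meta, set(WIKILINK.findall(text))


def build_graph(vault):
    """Walk the vault; edges are undirected so a pivot works in both directions."""
    meta_by_name, edges = {}, defaultdict(set)
    for root, _, files in os.walk(vault):
        for f in files:
            if f.endswith(".md"):
                name, meta, links = parse_note(os.path.join(root, f))
                meta_by_name[name] = meta
                for target in links:
                    edges[name].add(target)
                    edges[target].add(name)
    return meta_by_name, edges


def pivot(edges, start, max_hops=2):
    """Breadth-first pivot: {entity: hop distance} for everything within max_hops."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    seen.pop(start)
    return seen


def demo_vault():
    """Build a constructed sample vault; return (metadata, edges, 2-hop pivot from the incident)."""
    vault = tempfile.mkdtemp(prefix="scout_demo_")
    # Constructed sample entities; the ITID value is a labelled placeholder.
    write_entity(vault, "incident", "INC-0001",
                 "Suspicious login followed by lateral movement.", itid="PLACEHOLDER")
    write_entity(vault, "alert", "ALERT-0042",
                 "Impossible travel on a user account.", links=["INC-0001"], severity="high")
    write_entity(vault, "observation", "OBS-0007",
                 "SMB session to file server from workstation.", links=["ALERT-0042"])
    write_entity(vault, "artifact", "auth-log-export",
                 "Exported authentication log.", links=["OBS-0007"])
    meta, edges = build_graph(vault)
    return meta, edges, pivot(edges, "INC-0001")


if __name__ == "__main__":
    _, _, hits = demo_vault()
    for entity, hops in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {entity}")
```

Each note links only to the entity it was raised from (artifact to observation, observation to alert, alert to incident), which is what keeps notes atomic; the graph step is what turns those one-way links into pivots in every direction, so the incident still reaches the artifact three hops away without the incident note ever mentioning it.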
Use cases:
- Investigation documentation
- Alert enrichment and triage
- Detection engineering context
- SOC knowledge transfer
- Analyst onboarding
- Historical SOC analysis
- CTI-to-SOC linkage (via CIPHER)
- Incident normalization (via ITID)
Requirements:
- Obsidian
- Recommended plugins:
  - Dataview
  - Templater
  - Journals
  - Pixel Banner
  - File Explorer Note Count
  - Charts
  - Metabind
  - IOC Lens
  - Advanced Tables
  - Tasks
  - Commander
  - Editing Toolbar
  - Chronos Timeline
  - Heatmap Tracker
- Python dependencies:
  - feedparser
  - requests
  - readability-lxml
  - beautifulsoup4
  - python-pptx
  - tkinterdnd2
Getting started:
- Install Obsidian
- Clone this repository
- Import SCOUT templates
- Create your first entity
- Link related notes
- Explore the graph
Planned additions:
- Expanded template packs
- Advanced graph styling profiles
- CIPHER module enhancement
- ITID integration examples
- Investigation scenario bundles
Stay Tuned... in the meantime, don't sell my stuff.
See the LICENSE file for details.