CTI as a Code

Version-controlled CTI methodology. Evidence-traced analysis. Deployable detections.

CTI as a Code — version-controlled workflow from evidence collection to Sigma rule

What is CTI as a Code?

CTI as a Code treats threat intelligence investigations like software engineering projects: version-controlled, template-driven, evidence-traced, and reproducible. Every claim maps to a source. Every detection candidate ships as a Sigma rule. Every exercise produces a compliance-grade audit trail.

This project provides two things: a Docker Compose lab stack (OpenCTI, TheHive, Cortex, Elastic SIEM) for hands-on investigation practice, and 8 structured training assignments covering all three CTI operational modes — reactive, proactive, and full-cycle — plus adversary emulation for detection validation.

For the underlying analytic tradecraft, see the CTI Analyst Field Manual. For the Israeli government threat context behind A05–A08, see Israel Government Threat Actors CTI.

8 Training Assignments

Assignments 1–4 are set in the Israeli private sector. Assignments 5–8 form a connected government narrative arc: a breach (A05) → pre-launch threat (A06) → program build (A07) → detection validation (A08). Each assignment contains a project brief, synthetic evidence data, distributed analytical files, and a worked solution.

A01 LifeTech Pharma — Targeted Intrusion (Reactive)

Reconstruct a 52-hour Iranian-nexus kill chain from zero coverage. DCSync, AiTM session bypass, 2.4 GB R&D exfiltration. Write four Sigma rules from scratch.

A02 CelltronX — Nation-State Telecom Targeting (Proactive)

Four threat triggers converge on the same contractor access path. Build a crown-jewels analysis, attack scenarios, and a detection backlog before anything happens.

A03 TechPay — CTI Program from Scratch (Full Cycle)

Near-miss incident, departing CTI lead, lapsed CERT-IL MOU, BoI-CD 362 compliance gap. Build the PIR framework, collection plan, and governance from zero.

A04 TechPay — Operation Desert Cipher Validation (Emulation)

Extract TTPs from an Iranian-nexus campaign report, write an 11-module emulation plan, execute it, score each module PASS/PARTIAL/FAIL, and produce a BoI-CD 362 compliance report.

A05 NDSA — Contractor Breach, 340K Biometric Records (Reactive, Gov)

36-hour government breach via AiTM phishing and contractor VPN abuse. Regulatory notifications to INCD and the Biometric Database Authority. Five Sigma rules derived from the 16-event timeline.

A06 GovID 2.0 — National Auth System Pre-Launch (Proactive, Gov)

Active adversary probing 72 hours before a national biometric system goes live. Four converging triggers. Go / no-go recommendation for the CISO and Director General.

A07 NDSA — Post-Breach CTI Program Under INCD Mandate (Full Cycle, Gov)

An INCD Remediation Directive requires a formal program within 12 months. Build PIRs, a CERT-IL MOU, a collection plan with 7 gaps, and 8 measurable INCD compliance milestones.

A08 NDSA — INCD Section 8 Detection Validation (Emulation, Gov)

15 TTPs from the A05 breach and A06 threat assessment. 11-module exercise: 6 PASS, 2 PARTIAL, 3 FAIL. Compliance report with a HavayaIT vendor security requirements notice.

Lab Stack

A self-contained CTI lab on a single Linux host. A single "docker compose up -d" starts the full stack; 16 GB RAM is recommended.

Service          | Role                                                          | Default Port
OpenCTI          | Threat intelligence platform — STIX2 actors, TTPs, IOC graph | http://localhost:8080
TheHive 5        | Incident response case management — alerts, cases, observables | http://localhost:9100
Cortex           | Automated enrichment — analyzers and responders on observables | http://localhost:9002
Kibana / SIEM    | Detection dashboards, alert triage, timeline investigation   | http://localhost:5601
Elasticsearch 8  | Shared data store for all services                            | http://localhost:9200
Logstash         | Log ingestion pipeline — Beats, syslog, custom inputs         | http://localhost:5044

Ecosystem

CTI as a Code is part of a practitioner ecosystem. Each project has a distinct role, and they are designed to be used together.

CTI Analyst Field Manual

Tradecraft standard. Evidence discipline, analytic judgment, attribution, infrastructure pivoting, CTI-to-detection foundations, and templates. Use this for the reasoning methodology behind every assignment.

Customer-Driven AI CTI Project

Delivery methodology. AI-assisted project phases, quality gates, customer outcomes, and acceptance criteria. Use this when CTI work must become a managed customer engagement.

Israel Government Threat Actors CTI

Sector knowledge base. Israeli public-sector threat model, actors, TTPs, detections, and evidence registers. Directly underpins the NDSA narrative arc in A05–A08.

HexStrike AI

AI-powered offensive security platform. MCP agent orchestration, 150+ security tools, adversarial validation. Use this to validate the detection coverage built in A04 and A08.

A full ecosystem guide with cross-project workflows is also available.

Defensive Use

All material is public, defensive, and TLP:CLEAR. Adversary behavior is described at the level needed for detection engineering, threat hunting, and investigation — not for exploitation. The project excludes malware source code, exploit instructions, real credentials, and operational attack guidance.

Synthetic data uses RFC 5737 documentation IP ranges (203.0.113.0/24, 198.51.100.0/24). Do not block these in production systems.