FIREWATCH//CTIOPERATIONS CONSOLE

FIREWATCH//CTI
One console for the whole intel cycle.

A browser-based CTI operations console for analysts. Map observed tradecraft to MITRE ATT&CK, attribute activity to threat groups, ingest live reporting and indicator feeds, turn scans into hunt plans, and ship STIX / Sigma / Navigator artifacts — entirely client-side. No server, no account, no data leaves your browser.

Observe TTPs / CVEs / reports Map to ATT&CK Attribute & enrich Plan the hunt Export STIX · Sigma · Navigator
9
Analysis tabs
30+
Report feeds
10
IOC blocklists
100%
Client-side
0
Accounts needed

Attribute

From raw observables to a defensible assessment of who is behind them.

Attribution Engine

Select observed techniques and rank threat groups by naive-Bayes posterior over ATT&CK group–technique mappings — with confidence banners that push back against over-attribution.

EVIDENCE MATRIX · MITIGATIONS · DETECTIONS

APT Profiles

A dossier for every tracked group: aliases, tactic footprint, associated software, attributed campaigns, and its rarest — most diagnostic — techniques.

SEARCH BY NAME · ALIAS · G-ID

Compare Actors

Jaccard overlap analysis for 2–3 groups. See shared tradecraft versus the unique techniques that actually tell confusable actors apart.

SHARED VS UNIQUE TTPs

Ingest

Live collection from public reporting, vulnerability data, and open indicator feeds — sources curated with the awesome-threat-intelligence list.

Intel Feed

30+ credible RSS sources (CISA, Talos, Unit 42, Mandiant, DFIR Report, Trend Micro, JPCERT…) auto-enriched with extracted TTPs and IOCs, filtered to your sector, flagged against your PIRs.

SECTOR FILTERS · PRIORITY INTEL REQUIREMENTS

Vulnerability Radar

Live CVEs from NVD scored into a composite 0–100 risk using CVSS, CISA-KEV exploitation status, EPSS probability, and sector relevance.

NVD · KEV · EPSS

IOC Feeds

Fetch open blocklists — IPsum, ThreatFox, URLhaus, Feodo Tracker, SSL Blacklist, OpenPhish, CINS, Emerging Threats — then look up any indicator or cross-check your whole case against them in one click.

10 OPEN BLOCKLISTS · CASE CROSS-CHECK

Extract & Map

Turn unstructured reporting and raw scan output into structured ATT&CK data.

📄

Report Extractor

Paste text, fetch a URL, or load a PDF. Four extraction layers — explicit IDs, technique names, ~55 analyst-phrasing patterns, TF-IDF semantics — with a sentence-level evidence map.

PASTE · URL · PDF (LOCAL)
🛰

Scan → TTP

Import a Nessus export or paste CVEs; every CVE resolves to ATT&CK techniques via the cve2capec database and renders as a CVSS-weighted heatmap.

NESSUS · CVE2CAPEC · NAVIGATOR HEATMAP

Hunt Plan

A data-component radar shows how your technique set maps to host collection, interrogation, network, and memory telemetry — and an optimizer picks the tactic mix closest to the ideal hunt profile.

COVERAGE RADAR · TACTIC OPTIMIZER

Operate

The connective tissue that turns nine tabs into one workflow.

Active Case Spineworkflow

One live case collects everything you touch — TTPs, IOCs, CVEs, reports — from every tab, automatically. IOCs are first-class: typed, deduplicated, and exported as STIX indicators.

ALWAYS-ON CASE BAR · STIX 2.1 EXPORT

Guided Workflowsworkflow

Steppers that walk an investigation end-to-end — Report Triage, Scan → Hunt, Actor Assessment — switching tabs for you and carrying context between steps.

TRIAGE · SCAN→HUNT · ACTOR ASSESSMENT

Send-to Busworkflow

Every artifact — technique, IOC, CVE, report, group — carries one consistent menu that routes it anywhere: Attribution, case, Hunt Plan, Profile Match, Compare, or straight to an export.

NO COPY-PASTE BETWEEN TABS

Match & Ship

Score hypotheses and hand results to the rest of the stack.

🎯

Profile Match

Build reusable threat profiles from APT footprints (or import .pir files) and score any selection or scan against them with precision, recall, and F1.

F1 SCORING · .PIR IMPORT

Detection Handoff

Generate candidate Sigma rules from any TTP set, with process-image and command-line heuristics per technique family — starting points to tune, not black boxes.

SIGMA YAML

Standards Exports

STIX 2.1 bundles for MISP/OpenCTI, ATT&CK Navigator layers (including CVSS-weighted scan heatmaps), IOC lists, and shareable profiles.

STIX 2.1 · NAVIGATOR · IOC DUMPS
Analyst judgment required. Attribution posteriors, inferred techniques, generated rules, and blocklist hits are decision aids, not conclusions. Corroborate with non-TTP evidence before formal attribution or production deployment.