Skip to content
/ TTPMapper Public

TTPMapper is an AI-driven threat intelligence parser that converts unstructured reports whether from web URLs or PDF files into structured intelligence. Using the DeepSeek LLM, it extracts MITRE ATT&CK techniques, IOCs, threat actors, and generates contextual summaries.

License

GPL-3.0 license
32 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

infosecn1nja/TTPMapper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
assets
assets
 
 
core
core
 
 
data
data
 
 
output
output
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.py
main.py
 
 
pyproject.toml
pyproject.toml
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

TTPMapper Logo

TTPMapper

Python License: GNU

TTPMapper is an AI-driven threat intelligence parser that converts unstructured reports whether from web URLs or PDF files into structured intelligence. Using the DeepSeek LLM, it extracts MITRE ATT&CK techniques, IOCs, threat actors, and generates contextual summaries. Results can be exported in JSON or STIX 2.1 formats for analysis or integration.

Key Features

  1. MITRE ATT&CK techniques
    Full mapping with:

    • technique_id
    • technique_name
    • tactics
    • procedure_description
    • url

  2. Indicators of Compromise (IOCs)
    Real observed:

    • IP addresses
    • Domains
    • URLs (C2, malware hosting, etc.)
    • Hashes (MD5, SHA1, SHA256)
    • CVEs

  3. Threat actor names
    Extracts the actors behind the activity (e.g., APT28, LockBit, etc.)

  4. Auto-generated summary
    Auto-generated summaries highlighting threat context, attacker methods, and key findings from the report.

Output Formats

Format Description
json Default format with extracted structure
stix21 STIX 2.1 Bundle (for CTI platforms)

Setup

Before running TTPMapper, make sure you have a valid DeepSeek API key and set it as an environment variable:

export DEEPSEEK_API_KEY=your_api_key_here

Sample Usage

# Analyze PDF threat report and get output in JSON format
python3 main.py --pdf "lockbit-report.pdf" --output json --verbose

# Analyze a web-based threat report and export as STIX 2.1
python3 main.py --url https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ --output stix21

# Minimal command (default output is JSON)
python3 main.py --pdf "sample.pdf"

License

This project is licensed under the GNU General Public License. For more details, please refer to the LICENSE file.

About

TTPMapper is an AI-driven threat intelligence parser that converts unstructured reports whether from web URLs or PDF files into structured intelligence. Using the DeepSeek LLM, it extracts MITRE ATT&CK techniques, IOCs, threat actors, and generates contextual summaries.

Topics

cybersecurity blueteam threat-intelligence mitre-attack deepseek-chat

Resources

Readme

License

GPL-3.0 license
Activity

Stars

32 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages