Attack Knowledge
Attack Knowledge is a force-directed relationship graph designed to connect and explore security knowledge as a single, navigable model. It links CTI, MITRE ATT&CK techniques, threat actors, tools, malware, CVEs, assets, detections, data sources, and indicators so that you can pivot quickly, preserve context, and validate detection coverage against the threats you actually track.
What it is
Attack Knowledge provides an interactive graph view where every node represents a security entity and every edge represents a meaningful relationship. The layout is force-directed, so related entities naturally cluster, making patterns and dependencies easy to spot. The graph is built from your structured knowledge sources and the tables configured in Merlino (for example, CTI collections, ATT&CK mappings, indicators, detections, and asset inventories).
What you can model
- CTI entities: threat actors, campaigns, malware families, tools, TTP notes, reports, and references.
- ATT&CK mapping: tactics, techniques, sub-techniques, and cross-links to supporting evidence.
- Vulnerabilities: CVEs and related software, platforms, and exploit conditions.
- Indicators: domains, IPs, hashes, URLs, email artifacts, certificates, and other observable evidence.
- Defensive controls: detections, analytics rules, correlation logic, alerting, response actions, and playbooks.
- Telemetry and data sources: log sources, sensors, event types, and collection points used by detections.
- Environment context: business services, critical systems, identities, endpoints, servers, cloud resources, and applications.
How it works
The graph is created by joining entities on relationship keys and shared identifiers (for example technique IDs, IOC values, CVE IDs, or product names), or on curated mapping tables where the sources share no common key. This lets Merlino produce a unified view without requiring you to move data into a new platform. The intent is to keep the workflow tool-agnostic: you can map detections from any SIEM/XDR, correlate indicators from any CTI source, and represent assets from any inventory. Because the links are key-based, the quality of the graph depends on consistent identifiers across sources: a hash stored uppercase in one table and lowercase in another, or a sub-technique recorded without its parent technique, will simply not connect, so normalise keys before relying on the view for coverage decisions.
Interaction and navigation
- Pivoting: select a node to expand its neighborhood and follow relationships across layers (CTI → TTP → detection → telemetry).
- Focus mode: isolate relevant subgraphs to reduce noise while keeping the full context available.
- Depth control: limit expansion depth to keep analysis fast and targeted.
- Relationship strength: adjust how aggressively the layout clusters entities based on connection density.
- Quick reset: clear focus and pivots to return to the full model instantly.
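The join-on-shared-identifiers model from "How it works" and the pivoting and depth control described above can be reproduced in plain Python. The block below is an added example, not Merlino's own code or data model: the report, detection and data-source tables, the actor names, indicator values, detection IDs and data-source names are all constructed for the example. The ATT&CK IDs are real technique identifiers, but the association of any actor with them here is invented. It builds the graph, links sub-techniques to their parent technique from the shared ID prefix, expands a neighbourhood to a chosen depth, ranks nodes by degree, and classifies each observed technique as covered, detection logic present but telemetry not collected, or no detection at all.

```python
import re
from collections import defaultdict, deque

# ATT&CK technique IDs look like T1059 or T1059.001; anything else is a data-quality error.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample tables (not real intelligence). Each list mirrors one of the
# tabular sources the page describes: CTI reports, detections, data sources.
CTI_REPORTS = [
    {"id": "rpt-1", "actor": "ActorA", "techniques": ["T1059.001", "T1566.001"],
     "indicators": ["malicious.example", "203.0.113.10"]},
    {"id": "rpt-2", "actor": "ActorB", "techniques": ["T1059.001", "T1021.002"],
     "indicators": ["203.0.113.10"]},
]
DETECTIONS = [
    {"id": "det-ps-encoded", "technique": "T1059.001", "data_source": "windows_security_4688"},
    {"id": "det-phish-attachment", "technique": "T1566.001", "data_source": "email_gateway"},
]
DATA_SOURCES = [
    {"id": "windows_security_4688", "collected": True},
    {"id": "email_gateway", "collected": False},  # rule exists, telemetry never onboarded
]


def build_graph(reports, detections, data_sources):
    """Undirected adjacency map keyed by typed node names, e.g. 'technique:T1059.001'.
    Edges are created purely from shared identifiers across the input tables."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for r in reports:
        report, actor = f"report:{r['id']}", f"actor:{r['actor']}"
        link(report, actor)
        for t in r["techniques"]:
            if not ATTACK_ID.match(t):
                raise ValueError(f"{r['id']}: {t!r} is not an ATT&CK technique ID")
            tech = f"technique:{t}"
            link(report, tech)
            link(actor, tech)
            if "." in t:  # sub-technique -> parent, derived from the ID prefix
                link(tech, f"technique:{t.split('.')[0]}")
        for ioc in r["indicators"]:
            link(report, f"indicator:{ioc}")
            link(actor, f"indicator:{ioc}")
    for d in detections:
        det = f"detection:{d['id']}"
        link(det, f"technique:{d['technique']}")
        link(det, f"datasource:{d['data_source']}")
    for ds in data_sources:  # a configured source is a node even if nothing points at it yet
        g.setdefault(f"datasource:{ds['id']}", set())
    return dict(g)


def pivot(graph, start, depth):
    """Expand the neighbourhood of `start` by at most `depth` hops (breadth-first).
    Returns {node: hop distance}; this is the 'depth control' behind a pivot."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if dist[node] == depth:
            continue
        for nbr in graph.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist


def most_connected(graph, n=3):
    """Degree ranking: the high-centrality nodes that concentrate risk or dependency."""
    return sorted(graph, key=lambda k: (-len(graph[k]), k))[:n]


def coverage(graph, data_sources):
    """For every technique observed in CTI (linked to an actor), report whether a detection
    exists and whether that detection's data source is actually being collected."""
    collected = {f"datasource:{d['id']}" for d in data_sources if d["collected"]}
    result = {}
    for node, nbrs in graph.items():
        if not node.startswith("technique:") or not any(x.startswith("actor:") for x in nbrs):
            continue
        dets = sorted(x for x in nbrs if x.startswith("detection:"))
        live = [d for d in dets if graph[d] & collected]
        status = "covered" if live else ("missing telemetry" if dets else "no detection")
        result[node] = {"status": status, "detections": dets, "live": live}
    return result


if __name__ == "__main__":
    g = build_graph(CTI_REPORTS, DETECTIONS, DATA_SOURCES)
    print("hub nodes:", most_connected(g))
    print("2-hop pivot from shared IP:", sorted(pivot(g, "indicator:203.0.113.10", 2)))
    for tech, info in sorted(coverage(g, DATA_SOURCES).items()):
        print(f"{tech}: {info['status']} {info['detections']}")
```

Two details carry the security-relevant point. The pivot from the shared indicator reaches both actors and all three techniques within two hops but only reaches a detection at hop three, which is why depth control matters when a node is a hub. And the coverage check separates T1566.001, where a rule exists but its data source is not collected, from T1021.002, where no rule exists at all: the first needs onboarding, the second needs new logic, and a flat "mapped / not mapped" list would show both as the same problem.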
Why it matters
Attack Knowledge reduces fragmentation by keeping CTI, threat modeling, and detection engineering connected in one place. Instead of working with isolated lists and spreadsheets, you can see how evidence links to techniques, how techniques relate to expected telemetry, and where detection coverage is present or missing. This supports faster prioritization and more defensible reporting because every decision can be traced back through relationships and evidence.
Typical outcomes
- Faster analysis: move from a single entity (a technique, IOC, actor, or CVE) to full context in seconds.
- Clearer prioritization: identify high-centrality nodes and clusters that represent concentrated risk or dependency.
- Coverage validation: confirm which techniques are mapped to detections and which require new logic or data sources.
- Evidence traceability: maintain a connected chain from intelligence to defensive action and measurement.
Note: Attack Knowledge is methodology-driven and tool-agnostic. It does not replace existing CTI platforms or SIEM/XDR tools; it connects the knowledge you already have into a single operational view to support consistent validation and reporting.
