Multi-domain threat intelligence platform on MITRE ATT&CK, ATLAS, and 25+ interconnected data sources.
One interface for adversary behaviour, detection, vulnerability management, compliance, and application security.
mitre-explorer.org | A2A Agent Card | VirusTotal 0/94
| Capability | Details |
|---|---|
| Multi-domain ATT&CK + ATLAS | Enterprise, ICS, Mobile, ATLAS (AI/ML threats) with domain switcher and cross-domain "All" view |
| 360° Entity Views | Search any entity — explore via Technique Map, Actor Profile, Software Map, Application Map, Sector Map, Diamond Entities force graph |
| ATT&CK Matrix | Heatmap with sub-technique counts, actor-comparison overlay (up to 3 groups), HTML export with filters |
| Applications | 11K+ vendor/products linked to CVEs via CWE → CAPEC → ATT&CK techniques → threat groups |
| CVEs | 26K+ vulnerabilities from CVElistV5 + NVD enrichment + CISA KEV + EPSS exploit probability, with technique IDs and affected apps |
| Advisories | Unified GHSA + OSV list — 8K+ GitHub Security Advisories across npm/PyPI/Maven/Go/… and 50K+ OSV advisories covering Linux kernel, Debian, Ubuntu, Alpine, Android, OSS-Fuzz, Chainguard |
| Ecosystems | Per-ecosystem dashboards for 40+ OSS registries, OS distros, and container distros — severity breakdown, top packages, advisory feed |
| IOCs | 5,800+ indicators (IPs, domains, hashes, URLs) from OTX, ThreatFox, MalwareBazaar, enriched with VirusTotal verdicts |
| Detection | 3,100+ Sigma rules, 1,770+ Atomic Red Team tests, 5,000+ D3FEND countermeasures, ATT&CK v18 detection strategies + analytics |
| Frameworks | OWASP Top 10 (Web 2021, ML 2023, LLM 2025), NIST CSF v2, NIST 800-53, CAPEC (615 patterns), MITRE Engage, RE&CT, VERIS, Azure + GCP cloud controls, EU CRA (wip), OWASP AI Exchange (wip) |
| Threat actors | 191 ATT&CK groups + 514 ThaiCERT/ETDA external actors with country, motivation, state-sponsor attribution |
| Sector intelligence | 12 industry verticals with threat landscape — groups, techniques, campaigns, CVEs, vulnerable apps |
| A2A Agent Protocol v1.0 | 24 skills — AI agents query this knowledge base via JSON-RPC 2.0, powered by Gemini |
```
Next.js 15 App Router (React 19 + TypeScript + Tailwind 4)
|
+-- API routes under app/api (v1 REST + A2A + 11 Vercel crons)
|   |
|   +-- PostgreSQL on Neon (~40 tables + matviews)
|   |
|   +-- A2A endpoint (Gemini 3.1 Flash-Lite, 24 skills)
|
+-- 6 GitHub Actions workflows (heavy ingest jobs outside Vercel's 300s cron cap)
```
| Source | What | Rows | Update |
|---|---|---|---|
| MITRE ATT&CK STIX | Techniques, groups, campaigns, software, mitigations, tactics | 22K+ | Seed |
| MITRE ATLAS | AI/ML techniques, mitigations, cross-references | 200+ | Seed |
| CVElistV5 | CVE metadata, CWEs, affected products (CPE) | 26K+ CVEs | Seed |
| NVD API | CVSS scores, descriptions, CPE enrichment | hourly | GH Actions |
| CISA KEV | Known exploited vulnerabilities | 1,550+ | Cron |
| EPSS (FIRST.org) | Daily exploit-probability scoring | per CVE | Cron |
| GitHub Security Advisories | OSS advisories across npm, PyPI, Maven, Go, RubyGems, … | 8K+ | GH Actions |
| OSV.dev | Non-GHSA ecosystems — Linux kernel, Debian, Ubuntu, Alpine, Android, OSS-Fuzz, Chainguard, … | 50K+ | GH Actions |
| CAPEC STIX | CWE → CAPEC → ATT&CK technique bridge + 615-pattern taxonomy | 1,480+ | Seed |
| CTID | Hand-curated CVE → technique mappings | 198 | Seed |
| AlienVault OTX | Threat reports + IOC indicators | 80+ reports | Cron |
| ThreatFox + MalwareBazaar | Malware IOCs with family attribution | 5,800+ | Cron |
| SigmaHQ | Detection rules per technique | 3,100+ | GH Actions |
| Atomic Red Team | Adversary-emulation tests | 1,770+ | GH Actions |
| D3FEND | Defensive countermeasures | 5,000+ | Cron |
| NIST CSF v2 | Cybersecurity Framework v2 subcategories + CRI Profile crosswalk to ATT&CK | 300+ | Cron |
| NIST 800-53 | Compliance controls | 5,260+ | Seed |
| ThaiCERT/ETDA | External threat-actor profiles | 514 | Seed |
| OWASP Top 10 | Web (2021), ML (2023), LLM (2025) via CWE + ATLAS | 30 | Seed |
| MITRE Engage, RE&CT, VERIS | Deception, response, incident classification | 2,400+ | Seed |
| Azure + GCP | Cloud security controls | 1,450+ | Seed |
| RSS feeds | DFIR Report, Unit42, Microsoft Security, Talos | 80+ reports | Cron |
| VirusTotal | IOC verdict enrichment + site-health scan | ongoing | Cron |
Three independent paths link CVEs to ATT&CK techniques:

```
Path 1: CAPEC bridge (~20K CVEs)
    CVE → cve_weaknesses → capec_mappings → techniques

Path 2: IOC path (~500 CVEs)
    CVE → ioc_entries → technique_iocs → techniques

Path 3: CTID direct (198 CVEs)
    CVE → synthetic CWE → CTID capec entry → techniques
```

Full documentation: docs/technique_glue.md
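The three paths above, walked over small constructed in-memory tables as an added example (not mitre-explorer code); the table names follow the path description, while the column names, the synthetic-CWE prefix and the sample rows are assumptions:

```typescript
type Path = "capec" | "ioc" | "ctid";
export interface Hit { technique_id: string; paths: Path[] }

// CTID's direct CVE -> technique mappings ride on synthetic CWE IDs (prefix is an assumption).
const CTID_PREFIX = "CTID:";

// Constructed sample rows, not real data.
export const DB = {
  cve_weaknesses: [
    { cve_id: "CVE-0000-0001", cwe_id: "CWE-79" },                      // real CWE
    { cve_id: "CVE-0000-0001", cwe_id: `${CTID_PREFIX}CVE-0000-0001` },  // synthetic CWE
    { cve_id: "CVE-0000-0002", cwe_id: "CWE-502" },                     // no CAPEC bridge row
  ],
  capec_mappings: [
    { cwe_id: "CWE-79", capec_id: "CAPEC-63", technique_id: "T1189" },
    { cwe_id: `${CTID_PREFIX}CVE-0000-0001`, capec_id: "CTID", technique_id: "T1190" },
  ],
  ioc_entries: [{ cve_id: "CVE-0000-0001", ioc_id: "ioc-1" }],
  technique_iocs: [
    { ioc_id: "ioc-1", technique_id: "T1190" },
    { ioc_id: "ioc-1", technique_id: "T1059" },
  ],
};

// Returns every technique reachable from a CVE, tagged with the path(s) that reached it.
export function techniquesForCve(cveId: string, db = DB): Hit[] {
  const hits = new Map<string, Set<Path>>();
  const add = (tid: string, p: Path) =>
    (hits.get(tid) ?? hits.set(tid, new Set<Path>()).get(tid)!).add(p);

  // Paths 1 and 3: CVE -> (real or synthetic) CWE -> CAPEC mapping -> technique.
  for (const w of db.cve_weaknesses.filter((r) => r.cve_id === cveId)) {
    const path: Path = w.cwe_id.startsWith(CTID_PREFIX) ? "ctid" : "capec";
    for (const m of db.capec_mappings.filter((r) => r.cwe_id === w.cwe_id)) add(m.technique_id, path);
  }
  // Path 2: CVE -> IOC entry -> technique observed with that IOC.
  for (const e of db.ioc_entries.filter((r) => r.cve_id === cveId))
    for (const t of db.technique_iocs.filter((r) => r.ioc_id === e.ioc_id)) add(t.technique_id, "ioc");

  // Deterministic output: technique IDs ascending, paths in a fixed order.
  const order: Path[] = ["capec", "ioc", "ctid"];
  return [...hits]
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([technique_id, ps]) => ({ technique_id, paths: order.filter((p) => ps.has(p)) }));
}
```

A CVE whose only CWE has no CAPEC bridge row and no IOC or CTID entry resolves to nothing, which is the gap the second and third paths exist to close.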
| Layer | Tech |
|---|---|
| Framework | Next.js 15 (App Router, RSC, server actions) |
| Frontend | React 19, TypeScript, Tailwind CSS 4 |
| Visualisation | D3.js (force graph), Recharts |
| Search | Fuse.js (fuzzy client-side) |
| State | TanStack Query v5, React Context |
| Backend | Next.js route handlers on Vercel (serverless) |
| Database | PostgreSQL on Neon (~40 tables, matviews for hot joins) |
| AI | Google Gemini 3.1 Flash-Lite (A2A agent) |
| Validation | Zod |
| Security | DOMPurify, CSP headers, rate limiting, approximate-count endpoints |
Vercel cron (lightweight, <300 s runs):

| Job | Schedule | What |
|---|---|---|
| ingest-cve-delta | Daily 04:00 | NVD API new/modified CVEs |
| ingest-cisa-kev | Daily 03:00 | CISA Known Exploited Vulnerabilities |
| ingest-abuse-ch | Daily 02:00 | ThreatFox + MalwareBazaar IOCs |
| ingest-otx | Every 3 h | AlienVault OTX pulses + IOCs |
| ingest-rss | Every 6 h | DFIR Report, Unit42, Microsoft, Talos |
| enrich-nvd | Every 4 h | CVSS enrichment for IOC CVEs |
| enrich-vt | Every 8 h | VirusTotal verdict enrichment |
| sync-d3fend | Monthly | D3FEND countermeasures |
| sync-csf | Weekly | NIST CSF v2 subcategories + CRI Profile |
| sync-epss | Daily 03:10 | FIRST.org exploit-probability scoring |
| refresh-matviews | Every 8 h | app_technique_groups, package_summary |
| scan-site-health | Weekly | VirusTotal domain self-scan |
GitHub Actions (heavy ingests that overflow Vercel's 300 s cap):

| Workflow | Schedule | What |
|---|---|---|
| sync-osv | Daily delta 05:30 UTC · Monthly full 1st 04:00 UTC | OSV advisories across 30+ non-GHSA ecosystems |
| sync-cve-products | Hourly :17 | Re-fetch NVD CPE for CVEs missing product links |
| sync-ghsa | Monthly | Full GitHub Security Advisories corpus |
| sync-ghsa-delta | Daily | GHSA incremental updates |
| sync-sigma | Weekly | SigmaHQ rule pack refresh |
| sync-atomic | Weekly | Atomic Red Team test refresh |
AI agents can query this knowledge base programmatically via the Agent Card.
- Protocol: A2A v1.0 JSON-RPC 2.0 over HTTPS
- 24 skills: CVEs, techniques, groups, software, campaigns, mitigations, IOCs, Sigma rules, Atomic tests, sectors, applications, GHSA/OSV advisories, packages, CAPEC patterns, OWASP Top 10, external actors
- Dual artifacts: Human-readable summary + structured JSON data
- Multi-round: Agentic tool chaining (search → profile, up to 3 rounds)
- Rate limit: 50 req / day / IP, no auth required
Example: "ask mitre-explorer.org, using the A2A Google GenAI protocol, which Applications have been affected by new CVEs published in the previous week — show me the relevant techniques and any known OSV advisories on the same packages."
```bash
npm install
# local dev server (Next.js on :3000)
npm run dev
# typecheck
npm run typecheck
# seed database from CVElistV5, ATT&CK, ATLAS, and reference datasets
DATABASE_URL=postgresql://postgres@localhost:5432/mitre npm run seed
```

| Variable | Description |
|---|---|
| DATABASE_URL | PostgreSQL connection string (Neon or local) |
| GEMINI_API_KEY | Google Gemini API key (A2A) |
| VT_API_KEY | VirusTotal API key (IOC enrichment) |
| NVD_API_KEY | NVD API key — lifts rate limit from 5 to 50 req / 30 s |
| CRON_SECRET | Auth token for cron endpoints |
~42K lines of custom code across app/, src/, and scripts/.
```
app/                 Next.js 15 App Router — pages + API routes
src/views/           Top-level page components (Dashboard, CVEs, Advisories, Ecosystems, …)
src/components/      Layout, charts, maps, shared primitives
src/hooks/           TanStack Query hooks (useApi.ts), URL-param helpers
src/lib/             Client helpers — API fetch, types, ecosystems registry
app/api/v1/          29 REST endpoint groups
app/api/a2a/         A2A agent endpoint (Gemini tool-calling)
app/api/cron/        11 Vercel cron handlers
scripts/             Heavy ingesters run from GitHub Actions
.github/workflows/   6 scheduled ingest workflows
```
License: ISC
Not affiliated with or endorsed by MITRE Corporation. contact @ mitre-explorer.org