CINDR
Free Community Edition Available

TTP Mapper

Paste T-codes from your engagement. Get a ranked list of threat actors by overlap confidence — in under a second.

  • 700+ threat actors correlated
  • Techniques & sub-techniques
  • Export results as JSON
  • No account required

The Problem It Solves

Attribution takes hours.
TTP Mapper takes seconds.

During an active incident, you've identified the techniques the adversary is using. Leadership wants to know who. Manually cross-referencing T-codes against ATT&CK threat actor profiles takes hours of analyst time — if it gets done at all.

TTP Mapper automates that correlation. Paste your T-codes, run correlation, and get a ranked list of matching threat actors — scored by overlap confidence so you can brief a hypothesis immediately.

Without TTP Mapper

  • Open ATT&CK Navigator manually
  • Search each T-code across actor profiles
  • Manually track overlap in a spreadsheet
  • No confidence scoring — just gut feel
  • Hours of analyst time for partial coverage

With TTP Mapper

  • Paste T-codes — one per line
  • Correlation runs against 700+ actors instantly
  • Ranked results with confidence scores
  • Export JSON for your case management platform
  • Attribution hypothesis in under a second

Sample Output

What you get back.

Each correlation run returns a ranked list of threat actors — not just names, but nation-state attribution, sponsoring intelligence agency, known campaigns, and a breakdown of which exact techniques matched and which didn't.

The JSON export includes full ATT&CK metadata so you can pipe results directly into your case management platform, SIEM, or brief deck.

  • Actor name, nation, and sponsoring agency
  • Confidence score + matched/total TTP count
  • Known campaigns and historical activity
  • Per-technique match breakdown
  • Unmatched techniques listed separately

MATCH #1 — HIGHEST CONFIDENCE: 94%

APT29 (Cozy Bear)
Russia, SVR (Foreign Intelligence Service)

  • Techniques matched: 11/14
  • Confidence score: 94%
  • Known campaigns: 3

MATCHED TECHNIQUES

  • T1566.001: Spearphishing Attachment (Initial Access)
  • T1078: Valid Accounts (Persistence)
  • T1021.001: Remote Desktop Protocol (Lateral Movement)
  • T1059.001: PowerShell (Execution)
  • T1003.001: LSASS Memory (Credential Access)

KNOWN CAMPAIGNS

  • SolarWinds (2020)
  • USAID Phishing (2021)
  • TeamCity Exploitation (2023)

Under the Hood

What's powering the correlation.

Not a fuzzy keyword search. A structured overlap engine operating on the full ATT&CK corpus — techniques, sub-techniques, actor profiles, and campaign history.

ATT&CK Coverage: 700+

Threat actors, software groups, and malware families from the full MITRE ATT&CK enterprise dataset.

Technique Support: T + Sub

Both top-level techniques (T1078) and sub-techniques (T1566.001) are fully supported and independently weighted.

Confidence Scoring: Ranked

Overlap percentage calculated per actor — not binary match/no-match. You see gradations, not just a hit list.

Update Cadence: Live

Correlation database tracks MITRE ATT&CK releases. New actors and technique mappings are incorporated automatically.

Export Format: JSON

Full structured export: actor profiles, technique breakdowns, confidence scores, unmatched techniques, and metadata.

API Access (Pro): REST

Pipe T-codes in programmatically from your SIEM, SOAR, or IR platform. Results returned as structured JSON.

Editions

Free for analysts.
Powerful for teams.

Community is open, no account needed. Pro adds team infrastructure, API access, and private intelligence integration.

Feature comparison: Community (Free) vs. Pro (Licensed)

  • T-code input & parsing
  • Correlation against 700+ ATT&CK actors
  • Ranked results with confidence scores
  • Sub-technique support
  • JSON export
  • No account required
  • Historical campaign tracking
  • Custom threat actor library
  • Confidence weighting customization
  • REST API for SOAR/SIEM integration
  • Batch T-code processing
  • Team history & audit logs
  • Private intelligence feed integration
  • Priority support

Know who you're dealing with.

The community edition is free and requires no account. Start mapping T-codes now, or contact us about Pro for your team.