CINDR Tools

TTP Mapper

Input MITRE ATT&CK T-codes observed during an incident response engagement to identify the threat actors and software most likely responsible, ranked by TTP overlap.

Input: MITRE ATT&CK Navigator layer JSON (Enterprise · ICS · Mobile), exported from ATT&CK Navigator.
01. Export from Navigator: Map observed TTPs in the MITRE ATT&CK Navigator, then export as a layer JSON file.
02. Upload or Paste: Drop the JSON layer here, or paste raw IR notes and let the tool auto-extract T-codes.
03. Run Attribution: The tool scores every known threat group and malware family by TTP overlap and ranks them.
04. Review Results: Expand any actor card to see their full technique set with your observed TTPs highlighted by tactic.
Example output — APT28 (Fancy Bear)
Preview only
#1 APT28 · APT Group · Russia
aka Fancy Bear, STRONTIUM, Sofacy, Pawn Storm
76% (25 / 33 techniques)
Known Techniques by Tactic (33 total), 25 matched

Initial Access (3 matched): Phishing (T1566), Exploit Public-Facing App (T1190), External Remote Services (T1133)
Execution (2 matched): Command & Scripting (T1059), WMI (T1047), Scheduled Task (T1053)
Stealth (3 matched): Obfuscated Files (T1027), Masquerading (T1036), Indicator Removal (T1070), Deobfuscate/Decode (T1140)
Credential Access (2 matched): OS Cred Dumping (T1003), Input Capture (T1056), Steal Kerberos Tickets (T1558)
Exfiltration (1 matched): Exfil Over C2 (T1041), Exfil Alt Protocol (T1048)
+8 more tactics
Matched techniques are highlighted — upload your Navigator layer to see real results across all 20 tracked actors.
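
The extraction and overlap scoring described in steps 02 and 03, as an added Python example that is not CINDR's own code: it pulls T-codes from either a Navigator layer JSON or raw IR notes and ranks actors by matched / known techniques, the ratio the preview's 76% (25 / 33) is consistent with. The actor sets, sample notes and sample layer are constructed, and treating every enabled layer entry as observed and folding sub-techniques into their parent ID are assumptions.

```python
import json
import re

# Technique IDs such as T1566 or T1059.001.
TCODE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def extract_tcodes(text):
    """Return parent technique IDs from a Navigator layer JSON string or raw notes."""
    ids = None
    try:
        layer = json.loads(text)
        if isinstance(layer, dict) and isinstance(layer.get("techniques"), list):
            # Assumption: every entry not marked enabled=false counts as observed.
            ids = [str(t.get("techniqueID", "")) for t in layer["techniques"]
                   if isinstance(t, dict) and t.get("enabled", True)]
    except ValueError:
        pass  # not JSON, so treat the input as free-text IR notes
    if ids is None:
        ids = TCODE_RE.findall(text)
    # Assumption: sub-techniques (T1059.001) are matched on the parent (T1059).
    return {i.split(".")[0] for i in ids if TCODE_RE.fullmatch(i)}

def rank_actors(observed, actors):
    """Score each actor as matched / known techniques, highest overlap first."""
    rows = []
    for name, known in actors.items():
        matched = observed & known
        pct = round(100 * len(matched) / len(known)) if known else 0
        rows.append((name, pct, len(matched), len(known), sorted(matched)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

# Constructed actor technique sets; placeholders, not real ATT&CK group mappings.
ACTORS = {
    "GROUP_A": {"T1566", "T1190", "T1059", "T1027", "T1003", "T1041"},
    "GROUP_B": {"T1566", "T1133", "T1047", "T1053", "T1036", "T1070", "T1056", "T1048"},
    "GROUP_C": {"T1558", "T1140"},
}
# Constructed IR notes and Navigator layer.
NOTES = ("Phish led to PowerShell (T1566.001, T1059.001); LSASS dump T1003.001; "
         "logs cleared T1070; exfil over C2 T1041.")
LAYER = json.dumps({"name": "IR case (constructed)", "domain": "enterprise-attack",
                    "techniques": [{"techniqueID": "T1566", "score": 1},
                                   {"techniqueID": "T1059.001", "score": 1},
                                   {"techniqueID": "T1047", "enabled": False}]})

if __name__ == "__main__":
    for name, pct, hit, total, matched in rank_actors(extract_tcodes(NOTES), ACTORS):
        print(f"{name}: {pct}% ({hit} / {total}) {matched}")
```

Because the denominator is the actor's known technique count, an actor with a very small known set can score high on one or two matches; read the matched count alongside the percentage.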