SATRAP-DL
Product presentation

SATRAP-DL for intelligence-driven threat analysis and automated incident handling

SATRAP-DL unifies a logic-based CTI knowledge platform (SATRAP) and a real-time alert analysis service (DECIPHER) in a suite of open-source tools. SATRAP reasons over STIX 2.1 data to answer complex threat queries with explainable results; DECIPHER automates alert triage, severity scoring, and incident case creation building on an interoperable open-source stack.

SATRAP + DECIPHER: Dual-package CTI analysis suite
Explainable analysis: Inference steps shown alongside analysis results
PyFlowintel: Python library for interacting with Flowintel for case management
Automated pipelines: Incident handling workflows automated through DECIPHER and PyFlowintel
SATRAP TypeDB CTI inference graph

Core capabilities

From raw CTI to prioritized incidents

CTI knowledge base

TypeDB-backed knowledge representation system with formal STIX 2.1 semantics, predefined inference rules, and direct TypeQL query access.

TypeDB STIX 2.1 TypeQL

Logic-based reasoning

Inference engine derives new threat relationships from stored CTI. Answers include the derivation steps, keeping analysis traceable and explainable.

Inference rules Explainable Traceable

ETL pipeline

Ingest STIX 2.1 bundles from MITRE ATT&CK and MISP; transform and load into the knowledge base with a single command.

ETL MITRE ATT&CK MISP

DECIPHER analysis service

Extensible FastAPI REST service for real-time alert triage. New threat scenarios are added as self-registering analyzer plugins with zero changes to routing code.

FastAPI Plugin registry REST API

Threat scoring engine

Configurable severity-confidence scoring based on MISP sightings, admiralty scale ratings, event threat level, and MITRE ATT&CK tag relevance.

Severity score Confidence MISP enrichment
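To make the scoring inputs listed above concrete, here is an added illustrative example (not DECIPHER's own code): the Enrichment shape, the weights, the sightings cap and the priority thresholds are all assumptions, and only the admiralty scale and MISP threat_level_id encodings are standard.

```python
from dataclasses import dataclass, field

# Admiralty scale: source reliability A-F, information credibility 1-6
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
CREDIBILITY = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2, 6: 0.0}
# MISP threat_level_id: 1 = high, 2 = medium, 3 = low, 4 = undefined
THREAT_LEVEL = {1: 1.0, 2: 0.66, 3: 0.33, 4: 0.0}
# Assumed, configurable weights for the severity side of the score
WEIGHTS = {"threat_level": 0.5, "attack": 0.3, "sightings": 0.2}
SIGHTINGS_CAP = 10  # sightings beyond this no longer raise severity

@dataclass
class Enrichment:
    """Fields an alert carries after MISP lookup (constructed shape, not DECIPHER's)."""
    sightings: int                 # positive MISP sightings for the IOC
    reliability: str               # admiralty source reliability letter
    credibility: int               # admiralty information credibility digit
    threat_level_id: int           # MISP event threat level
    attack_tags: list = field(default_factory=list)  # MISP galaxy tags for ATT&CK

def confidence(e: Enrichment) -> float:
    """Admiralty rating mapped to 0..1; unknown codes count as worst case."""
    return RELIABILITY.get(e.reliability.upper(), 0.0) * CREDIBILITY.get(e.credibility, 0.0)

def attack_relevance(tags: list, watched: set) -> float:
    """Share of the event's ATT&CK tags that name a technique on the watch list."""
    if not tags:
        return 0.0
    hits = sum(1 for t in tags if any(tid in t for tid in watched))
    return hits / len(tags)

def score_alert(e: Enrichment, watched: set) -> dict:
    """Return severity, confidence, combined score and priority, plus the breakdown."""
    parts = {
        "threat_level": THREAT_LEVEL.get(e.threat_level_id, 0.0),
        "attack": attack_relevance(e.attack_tags, watched),
        "sightings": min(max(e.sightings, 0), SIGHTINGS_CAP) / SIGHTINGS_CAP,
    }
    sev = round(sum(WEIGHTS[k] * v for k, v in parts.items()), 4)
    conf = round(confidence(e), 4)
    combined = round(sev * conf, 4)
    priority = "P1" if combined >= 0.6 else "P2" if combined >= 0.3 else "P3"
    return {"severity": sev, "confidence": conf, "score": combined,
            "priority": priority, "breakdown": parts}

# Constructed sample: a phishing-related IOC seen in a high-threat MISP event
SAMPLE = Enrichment(4, "B", 2, 1, ['misp-galaxy:mitre-attack-pattern="Phishing - T1566"',
                                   'misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"'])

if __name__ == "__main__":
    print(score_alert(SAMPLE, {"T1566"}))
```

The returned breakdown is the kind of per-factor detail that can be attached to a case so an analyst can see why an alert received its priority.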

Automated case management

Prioritized incident cases created in Flowintel automatically, with score breakdowns and formatted analysis reports attached to each case.

Flowintel PyFlowintel Case creation

Typical value flow

From detection to recovery

1. Deploy

Set up the full SATRAP-DL stack — DECIPHER service, MISP, and Flowintel — with the provided Docker Compose scripts.

2. Detect & enrich

RADAR triggers DECIPHER on a security alert; IOCs are searched in MISP to retrieve CTI events, sightings, and threat context.

3. Correlate & score

DECIPHER computes a severity-confidence score from enriched alert data and risk factors for automated priority assignment.

4. Escalate & investigate

The incident is escalated with a priority. An analyst reviews the Flowintel case and runs SATRAP playbooks for deeper CTI reasoning and explainable threat queries.

5. Recover

Recovery actions are informed by the score breakdown and analyst reasoning outcomes.