We are happy to announce the release of SATRAP-DL v1.0, a suite for intelligence-driven security operations.

What started as an Alpha release focused on knowledge representation has evolved into a suite of tools combining automated CTI analysis with real-time incident analysis, supporting detection, enrichment, and response orchestration workflows.
SATRAP-DL is built entirely on open-source foundations and designed to integrate seamlessly into existing open-source security ecosystems: TypeDB for a knowledge base, STIX 2.1 for threat data representation, MISP as a threat intelligence platform, Flowintel for incident management and IDPS-ESCAPE for SOAR operations.
From Alpha to v1.0
With the Alpha release of SATRAP in March 2025, we made available to the open-source community a cyber threat intelligence analysis system built on a sound threat derivation approach: a knowledge representation system built on TypeDB underpins explainable, logic-based reasoning over STIX 2.1 threat data, accessible through a Python library of CTI functions.
With the Beta release in March 2026, we added DECIPHER, extending SATRAP-DL to the operational boundary where security alerts meet intelligence-driven decision making, relying on integration with other open-source cybersecurity tools (MISP and Flowintel).
Today, SATRAP-DL v1.0 introduces a stable and extensible core, ready to support tailored customization and varied organizational use cases. Beyond bug fixes, code quality improvements, testing, and documentation updates (technical and user oriented), this release integrates Flowintel's central repository of templates, a recently added feature of the case management tool.
What’s New in v1.0
Flowintel Template Repository Integration
A dedicated repository of templates (supported from Flowintel v3.1.0 onwards) now acts as the centralized library of CyFORT incident templates. This architectural refinement lets organizations maintain a single source of truth directly in Flowintel, the dedicated incident management system, relieving DECIPHER of template management and keeping a cleaner separation of concerns.
Comprehensive Testing & Documentation
Expanded unit and integration tests cover the new Flowintel integration points; complete user manuals for both SATRAP and DECIPHER and updated technical specifications are accessible via our traceability website.
The SATRAP-DL synergy
SATRAP-DL automates CTI work at two complementary layers:
SATRAP remains your platform for offline, strategic threat understanding and in-depth CTI analysis:
- Query a knowledge base of threat intelligence using expressive TypeQL
- Use CTI search functions programmatically and receive explainable answers
- Apply custom inference rules to discover threat actor relationships, tool usage patterns, and mitigation strategies
- Explore interactive playbooks via Jupyter Notebooks for collaborative investigations
DECIPHER is your operational partner for tactical real-time intelligence in live security operations:
- Analyze security alerts from detection systems like Wazuh-RADAR
- Automatically search MISP for related threat intelligence
- Compute a transparent severity-confidence score based on event threat levels, sighting frequencies, and ATT&CK threat tagging
- Create prioritized cases in Flowintel with full incident context
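To make the "transparent severity-confidence score" concrete, here is an added example of what such a score can look like when it ships its own breakdown. This is illustrative code written for this page, not DECIPHER's own algorithm: the weights, the 0-100 priority scale, the sighting and corroboration caps, and all function and class names are assumptions. What it does take from MISP as-is are the `threat_level_id` semantics (1=High, 2=Medium, 3=Low, 4=Undefined) and the `misp-galaxy:mitre-attack-pattern=` tag prefix used for ATT&CK techniques. The sample events are constructed.

```python
"""Illustrative severity-confidence scoring over MISP-style search hits.

Added example, not DECIPHER's own code: the weights, the 0-100 priority
scale, the caps and the function names are assumptions made here to show
what a transparent score (one that ships its own breakdown) can look like.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Real MISP convention for Event.threat_level_id: 1=High, 2=Medium, 3=Low, 4=Undefined.
# The severity weight attached to each level is this example's assumption.
THREAT_LEVEL_SEVERITY = {1: 1.0, 2: 0.6, 3: 0.3, 4: 0.0}

# Real MISP galaxy tag prefix for ATT&CK techniques, e.g.
# misp-galaxy:mitre-attack-pattern="Phishing - T1566"
ATTACK_TAG_PREFIX = 'misp-galaxy:mitre-attack-pattern='

# Assumed weights for the confidence component (they sum to 1.0).
W_SIGHTINGS, W_ATTACK_TAGS, W_CORROBORATION = 0.5, 0.3, 0.2
SIGHTING_CAP = 10      # sightings beyond this add no further confidence
CORROBORATION_CAP = 3  # independent matching events beyond this add no further confidence


@dataclass
class MispEvent:
    """Minimal view of a MISP event returned by a search for the alert's IoCs."""
    uuid: str
    threat_level_id: int
    sightings: int                       # sightings recorded on the matching attributes
    tags: list[str] = field(default_factory=list)


@dataclass
class ScoreBreakdown:
    severity: float                      # 0..1, from the worst threat level seen
    confidence: float                    # 0..1, weighted evidence factors
    priority: int                        # 0..100, used to rank cases
    factors: dict[str, float]            # every intermediate value, for the analyst
    techniques: list[str]                # ATT&CK technique names taken from tags


def attack_techniques(tags) -> list[str]:
    """Extract ATT&CK technique names from MISP galaxy tags; other tags are ignored."""
    found = set()
    for tag in tags:
        if tag.startswith(ATTACK_TAG_PREFIX):
            found.add(tag[len(ATTACK_TAG_PREFIX):].strip('"'))
    return sorted(found)


def score_alert(events: list[MispEvent]) -> ScoreBreakdown:
    """Combine threat levels, sighting counts and ATT&CK tagging into one score."""
    if not events:
        # No intelligence found: nothing known to be severe, nothing to be confident about.
        return ScoreBreakdown(0.0, 0.0, 0, {"matching_events": 0.0}, [])

    # Severity: the most severe threat level among the matching events.
    severity = max(THREAT_LEVEL_SEVERITY.get(e.threat_level_id, 0.0) for e in events)

    # Confidence factor 1: how often the indicators have actually been sighted.
    total_sightings = sum(e.sightings for e in events)
    sighting_factor = min(total_sightings, SIGHTING_CAP) / SIGHTING_CAP

    # Confidence factor 2: whether the intelligence carries ATT&CK context at all.
    techniques = attack_techniques(t for e in events for t in e.tags)
    tagging_factor = 1.0 if techniques else 0.0

    # Confidence factor 3: corroboration by several independent events.
    corroboration_factor = min(len(events), CORROBORATION_CAP) / CORROBORATION_CAP

    confidence = (W_SIGHTINGS * sighting_factor
                  + W_ATTACK_TAGS * tagging_factor
                  + W_CORROBORATION * corroboration_factor)
    priority = round(100 * severity * confidence)

    factors = {
        "matching_events": float(len(events)),
        "total_sightings": float(total_sightings),
        "sighting_factor": sighting_factor,
        "tagging_factor": tagging_factor,
        "corroboration_factor": corroboration_factor,
    }
    return ScoreBreakdown(severity, confidence, priority, factors, techniques)


def explain(b: ScoreBreakdown) -> str:
    """Render the breakdown as text an analyst can read in the case description."""
    lines = [f"priority={b.priority} (severity {b.severity:.2f} x confidence {b.confidence:.2f})"]
    lines += [f"  {k}: {v:.2f}" for k, v in b.factors.items()]
    lines.append("  techniques: " + (", ".join(b.techniques) or "none"))
    return "\n".join(lines)


# Constructed sample: two MISP hits for one alert's indicators (made-up data).
SAMPLE_EVENTS = [
    MispEvent("4f7a0b9e-0000-4000-8000-000000000001", threat_level_id=1, sightings=4,
              tags=['misp-galaxy:mitre-attack-pattern="Phishing - T1566"', "tlp:amber"]),
    MispEvent("4f7a0b9e-0000-4000-8000-000000000002", threat_level_id=3, sightings=2,
              tags=["tlp:white"]),
]

if __name__ == "__main__":
    print(explain(score_alert(SAMPLE_EVENTS)))
```

The point of keeping severity and confidence separate, and of returning every intermediate factor rather than a single number, is that an analyst opening the resulting case can see why an alert ranked where it did and which factor to question; a search that returns no intelligence yields a zero score rather than a guess.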
Get Started
We invite you to try SATRAP-DL v1.0 and discover how intelligence-driven automation can strengthen your security operations.
End-users and security analysts
Developers and contributors
Get in touch
We welcome feedback, feature requests, and contributions. Reach out at info@abstractionslab.lu.
