Alpha Release of SATRAP-DL on 30 March 2025

We have released the Alpha version of SATRAP on GitHub!

SATRAP on GitHub

What is SATRAP?

Developed in the context of the SATRAP-DL subproject of CyFORT, SATRAP (Semi-Automated Threat Reconnaissance and Analysis Platform) is an open-source, cross-platform software for computer-aided analysis of Cyber Threat Intelligence (CTI) through automated reasoning.

Key features

  • Knowledge Representation System for Cyber Threat Intelligence implemented on top of TypeDB.
  • Automated Reasoning: Apply predefined deduction rules to derive new knowledge from existing CTI data.
  • STIX 2.1 Data Model: Leverage a widely adopted standard for representing and dealing with CTI information.
  • ETL Mechanism: Ingest STIX 2.1-compliant data from CTI sources into the knowledge base.
  • Predefined Analytic Functions: Perform automated CTI analysis tasks, such as inferring techniques used by threat actors.
  • Extensibility: Add custom inference rules and queries to tailor SATRAP to your specific needs.

How does SATRAP Automate Analytic Tasks?

At the core, SATRAP relies on a Knowledge Representation System (KRS) to introduce semantics into the storage, processing, and analysis of cyber threat intelligence. This approach allows SATRAP to automate analytic tasks on large volumes of threat information and CTI via the logical derivation of knowledge.

The KRS consists of:

  • A knowledge base of cyber threat intelligence (CTI SKB). This KB captures concepts and facts in the CTI domain, such as threat scenarios or attack techniques.
  • An inference engine, which draws logical conclusions from the information in the knowledge base following deduction rules.

The KRS of SATRAP is implemented using TypeDB, a polymorphic database with a native symbolic reasoning engine. The use of TypeDB allows SATRAP to implement analytic functions in the domain of CTI on top of an integrated core, where the knowledge base and the reasoning engine are natively coupled, typically allowing for an efficient execution of inference tasks.

The analytic functions of SATRAP run CTI-related queries on the KRS and get explainable answers, showing the steps that led to the answer. Unlike with regular databases, these answers might include not only actual information in the CTI knowledge base but also relationships inferred from this information.

How can we use SATRAP?

The Alpha version of SATRAP features two native user interfaces and integration with other open-source tools for carrying out structured CTI investigations.

SATRAP Python CTI Analysis Toolbox: A Python library providing a set of functions that use automated reasoning to answer specific CTI analysis questions. For instance, the Toolbox exposes a function to find the set of courses of action that mitigate any of the techniques used by a given group. The function returns both explicitly stated mitigations and logically derived ones, along with a trace of the deductive steps that led to adding each course of action to the answer set.

SATRAP command-line interface: The SATRAP CLI allows the user to set up a CTI knowledge base from datasets in STIX 2.1 format.

Jupyter Notebooks: Explore, analyze, document and visualize cyber threat intelligence using Jupyter Notebooks, importing the Python Toolbox of SATRAP in a flexible, interactive environment to create playbooks and to carry out step-by-step investigations.
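The two ideas above, a knowledge base of explicit CTI facts plus an inference engine that applies deduction rules and explains its answers, and the Toolbox function that returns the courses of action mitigating the techniques a group uses, can be illustrated with a small forward-chaining reasoner. The following is an added example written for this page; it is not SATRAP's code and does not use TypeDB. The STIX-style ids, the two deduction rules and the sample relationships are all constructed for the illustration.

```python
"""Toy forward-chaining reasoner over STIX 2.1-style relationships.

Added illustration only (not SATRAP's implementation, no TypeDB involved).
Object ids, names and deduction rules are constructed for this example.
"""
from collections import namedtuple

# A fact mirrors a STIX 2.1 relationship object: (source_ref, relationship_type, target_ref).
Fact = namedtuple("Fact", "source rel target")

# Constructed explicit facts, as an ETL step would load them from a STIX bundle.
SAMPLE_FACTS = [
    Fact("intrusion-set--example-group", "uses", "attack-pattern--phishing"),
    Fact("intrusion-set--example-group", "uses", "malware--example-rat"),
    Fact("malware--example-rat", "uses", "attack-pattern--credential-dumping"),
    Fact("course-of-action--user-training", "mitigates", "attack-pattern--phishing"),
    Fact("course-of-action--credential-guard", "mitigates", "attack-pattern--credential-dumping"),
    Fact("course-of-action--network-segmentation", "mitigates", "attack-pattern--lateral-movement"),
]


def stix_type(ref):
    """The STIX object type is the part of the identifier before the '--' separator."""
    return ref.split("--", 1)[0]


def rule_group_uses_via_malware(known):
    """Rule 1 (constructed): group uses malware, malware uses technique => group uses technique."""
    out = []
    for a in known:
        if a.rel != "uses" or stix_type(a.source) != "intrusion-set" or stix_type(a.target) != "malware":
            continue
        for b in known:
            if b.rel == "uses" and b.source == a.target and stix_type(b.target) == "attack-pattern":
                out.append((Fact(a.source, "uses", b.target), (a, b)))
    return out


def rule_mitigation_applies_to_group(known):
    """Rule 2 (constructed): group uses technique, course of action mitigates technique
    => course of action mitigates group (the derived relationship the analyst asks for)."""
    out = []
    for u in known:
        if u.rel != "uses" or stix_type(u.source) != "intrusion-set" or stix_type(u.target) != "attack-pattern":
            continue
        for m in known:
            if m.rel == "mitigates" and m.target == u.target:
                out.append((Fact(m.source, "mitigates", u.source), (u, m)))
    return out


RULES = [rule_group_uses_via_malware, rule_mitigation_applies_to_group]


def forward_chain(facts):
    """Apply the rules until no new fact appears.

    Returns a dict mapping every fact (explicit or derived) to the rule that
    produced it and the premise facts it was derived from; this is what makes
    each answer explainable.
    """
    kb = {f: ("explicit", ()) for f in facts}
    changed = True
    while changed:
        changed = False
        known = list(kb)  # snapshot, so a rule sees one consistent state per round
        for rule in RULES:
            for new_fact, premises in rule(known):
                if new_fact not in kb:
                    kb[new_fact] = (rule.__name__, premises)
                    changed = True
    return kb


def explain(kb, fact, depth=0):
    """Render the deduction tree behind a fact as indented lines, premises below conclusions."""
    rule, premises = kb[fact]
    lines = ["  " * depth + f"{fact.source} {fact.rel} {fact.target}  [{rule}]"]
    for p in premises:
        lines.extend(explain(kb, p, depth + 1))
    return lines


def mitigations_for_group(facts, group_ref):
    """Courses of action that mitigate any technique the group uses, each with its trace."""
    kb = forward_chain(facts)
    return {
        f.source: explain(kb, f)
        for f in kb
        if f.rel == "mitigates" and f.target == group_ref
    }


if __name__ == "__main__":
    for coa, trace in mitigations_for_group(SAMPLE_FACTS, "intrusion-set--example-group").items():
        print(coa)
        print("\n".join(trace))
        print()
```

Running the module lists two courses of action for the constructed group: user-training, which follows directly from an explicit "uses" and an explicit "mitigates" fact, and credential-guard, whose trace shows the extra step that the group uses credential dumping only through the malware it operates. Network segmentation is not returned because no technique it mitigates is linked to the group, explicitly or by derivation.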

Learn more about how to use SATRAP through the user manual and examples available in the GitHub repository.

Get Started

We invite you to try out the software and explore details in the GitHub repository. The technical specifications and project documentation of SATRAP-DL including requirements, architectural and software diagrams, test case specifications, and test reports, are accessible via our traceability web page.

We will be happy to receive your feedback at info@abstractionslab.lu.
