Enrich IoCs and TTPs with Public Threat Intelligence

Look up extracted IoCs and TTPs, find related reporting across trusted sources, and push structured intelligence into the tools your team already uses.

Overview

An indicator or technique on its own is rarely enough. An IP address, domain, hash, malware family, or ATT&CK technique only becomes useful when you can quickly understand where else it appears, what it connects to, and how it fits into the wider threat picture.

That is the core value of enrichment. Defenders do not just need more data. They need faster ways to add context to the data they already have.

Obstracts helps by turning public reporting into structured threat intelligence that can be searched, pivoted on, and moved into other systems. Analysts can start with an IoC or TTP, find related reporting discussing the same thing, and use those relationships to build a richer view of the activity they are investigating.

This is useful whether the starting point comes from an alert, an investigation, a case, an internal detection, a sandbox result, or an external intelligence lead. Whatever the object of interest is, Obstracts helps you connect it to the public reporting that surrounds it.

What this solves

Most teams already collect IoCs and TTPs from many places. The challenge is not getting the first data point. The challenge is enriching it quickly enough to make it useful.

Common problems include:

  • An analyst has an IoC, but needs to know which public reports mention it.
  • A team sees a technique internally, but needs more context on where else it has been observed.
  • Related reporting exists across multiple trusted sources, but it is time-consuming to find and compare manually.
  • Valuable external intelligence stays isolated from the internal tools where analysts already work.
  • Existing intel graphs remain incomplete because public reporting is not being added in a structured way.

Obstracts addresses these issues by making extracted public intelligence searchable and portable.

Start with an IoC or TTP and work outward

One of the most useful enrichment workflows begins with a single object.

That object might be an IP address from an alert, a domain from a phishing investigation, a malware family from a sandbox run, or an ATT&CK technique seen during hunting. On its own, that starting point often tells you very little. The next question is always the same: where else does this appear, and what else is connected to it?

Obstracts makes that question easier to answer.

Because reporting is converted into structured STIX 2.1 objects, analysts can look up extracted IoCs and TTPs directly and pivot from them into the reports and related intelligence where they appear. That changes enrichment from a manual reading exercise into a structured search workflow.

With that in place, teams can:

  • Search for a specific observable or ATT&CK technique.
  • Find all reports that reference the same extracted object.
  • Review the surrounding context in each source.
  • Compare how different publishers describe the same activity.
  • Use one object as the starting point for a wider investigation.

This is especially valuable when an object has been reported multiple times over weeks or months. A single blog post may only show part of the picture. Looking across related reporting can reveal recurring infrastructure, overlapping techniques, reused malware, or stronger confidence in what the object actually represents.

Public reporting becomes much more useful when analysts can move beyond one post at a time.

Security blogs often cover overlapping activity. Different researchers may describe the same cluster of infrastructure, the same malware family, the same intrusion set, or the same technique chain from different angles. One post may have stronger technical depth, another may provide attribution context, and another may contain new indicators that were not available in earlier reporting.

If that material is not connected, analysts have to discover the overlap manually. That takes time and often means useful links are missed.

Obstracts helps by letting teams pivot from extracted IoCs and TTPs into other posts that discuss the same thing or related activity. This makes public reporting more valuable in several ways:

  • It helps validate whether an IoC or behaviour is isolated or widely observed.
  • It reveals overlap between sources that might otherwise look unrelated.
  • It gives analysts a faster way to build broader context around a case or lead.
  • It reduces the need to manually search dozens of sites for matching references.
  • It turns separate reports into a more connected body of intelligence.

This matters because enrichment is often about confidence as much as detail. Seeing the same infrastructure, malware, or technique pattern appear across multiple trusted sources can make triage decisions easier and strengthen the rationale for defensive action. That corroboration only counts when the sources are independent: several posts that republish one vendor's indicator list are one observation, not many, so check where each report's data originated before treating repetition as confidence.

The same workflow also helps analysts move from a single object into wider campaign context, including similar posts, grouped topics, and broader activity patterns across reporting.
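The pivot described in the two passages above (look up an IoC or ATT&CK ID, find the reports that cite it, follow relationships outward, and count how many distinct publishers corroborate it) is easy to express over STIX 2.1 directly. The following is an added example in plain Python, not Obstracts' own code: it assumes nothing about the product's API and works over a constructed sample bundle in the shape an extraction pipeline emits. Every object ID, publisher name, report title and the 203.0.113.10 address are constructed sample values, not real intelligence.

```python
"""Pivot from one IoC or ATT&CK technique to the STIX 2.1 reports and objects
connected to it, and count how many distinct publishers back it.

Added example over a constructed STIX 2.1 bundle; not Obstracts' code and
independent of its API. Every id, name and value here is a constructed sample."""

# Constructed ids (RFC 4122 v4 shape, as STIX 2.1 requires) for the sample objects.
IDENT_A = "identity--11111111-1111-4111-8111-111111111111"
IDENT_B = "identity--22222222-2222-4222-8222-222222222222"
IND = "indicator--33333333-3333-4333-8333-333333333333"
MAL = "malware--44444444-4444-4444-8444-444444444444"
AP = "attack-pattern--55555555-5555-4555-8555-555555555555"
REL_IND = "relationship--66666666-6666-4666-8666-666666666666"
REL_USES = "relationship--77777777-7777-4777-8777-777777777777"
REP_A = "report--88888888-8888-4888-8888-888888888888"
REP_B = "report--99999999-9999-4999-8999-999999999999"

# Constructed bundle: two publishers, one indicator, one malware family, one ATT&CK
# technique, one report per publisher, and the SROs linking them (203.0.113.0/24 is documentation space).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "id": IDENT_A,
         "name": "Publisher A", "identity_class": "organization"},
        {"type": "identity", "spec_version": "2.1", "id": IDENT_B,
         "name": "Publisher B", "identity_class": "organization"},
        {"type": "indicator", "spec_version": "2.1", "id": IND, "name": "C2 address",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1", "id": MAL,
         "name": "ExampleLoader", "is_family": True},
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP,
         "name": "Application Layer Protocol",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1071"}]},
        {"type": "relationship", "spec_version": "2.1", "id": REL_IND,
         "relationship_type": "indicates", "source_ref": IND, "target_ref": MAL},
        {"type": "relationship", "spec_version": "2.1", "id": REL_USES,
         "relationship_type": "uses", "source_ref": MAL, "target_ref": AP},
        {"type": "report", "spec_version": "2.1", "id": REP_A, "name": "Loader C2 write-up",
         "published": "2024-02-01T00:00:00Z", "created_by_ref": IDENT_A,
         "object_refs": [IND, MAL, REL_IND]},
        {"type": "report", "spec_version": "2.1", "id": REP_B, "name": "Loader TTP analysis",
         "published": "2024-03-01T00:00:00Z", "created_by_ref": IDENT_B,
         "object_refs": [MAL, AP, REL_USES]},
    ],
}


def index_objects(bundle):
    """Map id -> object so every pivot is a dictionary lookup."""
    return {o["id"]: o for o in bundle["objects"]}


def find_seed(objects, value):
    """Ids of objects matching a raw lookup value: an observable quoted inside an
    indicator pattern, or an ATT&CK external_id such as T1071."""
    hits = []
    for o in objects.values():
        if o["type"] == "indicator" and f"'{value}'" in o.get("pattern", ""):
            hits.append(o["id"])
        for ref in o.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and ref.get("external_id") == value:
                hits.append(o["id"])
    return hits


def reports_for(objects, obj_id):
    """Reports whose object_refs cite obj_id, i.e. the posts that discuss it."""
    return sorted(o["id"] for o in objects.values()
                  if o["type"] == "report" and obj_id in o.get("object_refs", []))


def neighbours(objects, obj_id):
    """One relationship hop in either direction: {neighbour_id: relationship_type}."""
    out = {}
    for o in objects.values():
        if o["type"] != "relationship":
            continue
        if o["source_ref"] == obj_id:
            out[o["target_ref"]] = o["relationship_type"]
        elif o["target_ref"] == obj_id:
            out[o["source_ref"]] = o["relationship_type"]
    return out


def corroborating_publishers(objects, obj_id, hops=1):
    """Distinct publishers (via report.created_by_ref) whose reports cite obj_id
    or anything within `hops` relationship hops of it."""
    seen, frontier = {obj_id}, {obj_id}
    for _ in range(hops):
        frontier = {n for oid in frontier for n in neighbours(objects, oid)} - seen
        seen |= frontier
    names = set()
    for oid in seen:
        for rid in reports_for(objects, oid):
            creator = objects.get(objects[rid].get("created_by_ref"), {})
            names.add(creator.get("name", "unknown"))
    return sorted(names)


def enrich(bundle, value, hops=1):
    """Seed -> {reports, related, publishers} for every object matching value."""
    objects = index_objects(bundle)
    return {seed: {"reports": reports_for(objects, seed),
                   "related": neighbours(objects, seed),
                   "publishers": corroborating_publishers(objects, seed, hops)}
            for seed in find_seed(objects, value)}
```

Calling `enrich(SAMPLE_BUNDLE, "203.0.113.10")` returns the indicator as the seed, the one report that cites it directly, the malware it `indicates`, and both publishers once the malware hop is included; `hops=0` restricts corroboration to reports that cite the seed itself, which is the stricter count to use when deciding whether two sources independently observed the same object. The same call with `"T1071"` starts from the attack-pattern instead. Publisher counting here relies on `created_by_ref` pointing at an identity object, so a bundle that omits creator identities will fall back to "unknown" and should not be read as corroboration.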

Enrichment that improves analysis quality

The value of enrichment is not limited to collecting more references. Good enrichment improves the quality of analysis.

When teams can look up an IoC or TTP and immediately see related reporting, they gain a better basis for interpretation. They can distinguish between one-off artefacts and recurring patterns. They can see whether a technique is appearing as part of a wider intrusion path. They can identify whether the same malware family is linked to different infrastructure over time. They can compare how researchers describe the same activity and spot where details align or differ.

This supports better analyst workflows:

  • Triage becomes more informed because suspicious artefacts can be checked against known public reporting quickly.
  • Investigations move faster because analysts can pivot to related context without leaving the platform.
  • Threat hunting improves because one technique or object can be expanded into a fuller set of associated behaviours.
  • CTI production becomes easier because supporting references and connections are already available.

In short, enrichment helps analysts spend less time finding context and more time using it.

Push enriched data into the rest of your stack

Enrichment becomes much more powerful when it does not stop inside one product.

Obstracts stores extracted intelligence as structured STIX 2.1 objects and supports workflows that make it easier to move that intelligence into the tools your team already relies on. That includes platforms such as TIPs, CTI repositories, internal graph stores, TAXII consumers, and other systems designed to operationalise threat intelligence.

This is a key part of the value. Public reporting often contains useful intelligence, but if it never leaves the browser or analyst notes, it does not improve the rest of the environment. Once that same intelligence is structured and made portable, it can enrich existing work across the stack.

That can include:

  • Adding newly extracted observables into a TIP for correlation with existing holdings.
  • Expanding an internal intelligence graph with objects and relationships derived from public reporting.
  • Enriching ongoing investigations with external references tied to the same IoCs or TTPs.
  • Feeding structured context into downstream CTI, SOC, or automation workflows.
  • Making public reporting available in the same systems where internal intelligence is already stored and queried.

This is where enrichment stops being a point-in-time analyst task and starts becoming part of the organisation’s wider intelligence capability.

Expand and improve the intel graph

Many teams already maintain an intelligence graph of some kind, whether through a dedicated TIP, a CTI platform, OpenCTI, an internal datastore, or another knowledge layer. The quality of that graph depends on the quality and breadth of the data that enters it.

Obstracts can strengthen that graph by contributing structured intelligence from trusted public reporting.

That matters for two reasons. First, it expands the graph by adding more observables, techniques, malware references, threat actors, and relationships. Second, it improves the graph by adding links between objects that might otherwise remain disconnected.

This helps teams answer more useful questions over time:

  • Have we seen this infrastructure before in external reporting?
  • Which techniques are most often associated with this malware family?
  • What other reports connect to this actor or campaign?
  • Are multiple external sources reinforcing the same relationships?
  • How does this new object fit into what we already know?

The more structured data that enters the graph, the more valuable graph-based enrichment becomes. Obstracts gives teams a way to add public intelligence to that process without relying on repeated manual extraction.

Better support for CTI, SOC, and investigation workflows

This kind of enrichment supports multiple teams, not just one use case.

For CTI teams, it provides a faster way to connect external reporting to existing intelligence holdings. For SOC teams, it adds context to alerts, incidents, and suspicious artefacts. For threat hunters, it makes it easier to pivot from one observed behaviour to related public intelligence. For investigations, it provides a route from a single object to a wider set of supporting evidence and related reporting.

It is also useful for organisations that already have mature tooling but need better external enrichment inputs. If the existing workflow is strong but public reporting is still being handled manually, Obstracts can help close that gap.

Why this approach is effective

The strength of this workflow comes from combining three things that are often fragmented:

  • Lookup of extracted IoCs and TTPs as structured objects
  • Pivoting across related public reporting that discusses the same or similar activity
  • Export and integration into the tools where existing intelligence work already happens

Each part matters on its own, but the combination is what makes the workflow operational. Analysts can find context faster, compare sources more effectively, and ensure the results improve the broader intelligence environment instead of staying trapped in isolated research.

Turn single data points into connected intelligence

If your team is already collecting IoCs and TTPs, the next step is making them more useful. That means being able to look them up quickly, connect them to related public reporting, and move the resulting intelligence into the systems where it can support action.

Obstracts helps make that possible. It turns public reporting into searchable structured intelligence, makes it easier to find related blogs discussing the same activity, and supports adding that data into other tools to enrich existing work and expand the intelligence graph.

That gives analysts more than a list of indicators or techniques. It gives them context, connections, and a clearer understanding of how individual data points fit into the wider threat picture.
