An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE ATT&CK, CAPEC & CWE to the Unified Kill Chain framework and enriching phase parts with additional data. Visualize and assess complex attack scenarios easily by combining flexible TTPs with atomic IOCs and forensic data.
- Vanilla JavaScript — No external dependencies, runs in any browser
- Unified Kill Chain — Map entities to IN → THROUGH → OUT phases
- Multi-Domain ATT&CK — 898 techniques across Enterprise, Mobile, and ICS
- CAPEC/CWE Integration — Link attack patterns and weaknesses
- Drag & Drop — Intuitive assignment of entities to phases
- Rich Metadata — Comments, hyperlinks, observables, CVE/CVSS references
- Score & Confidence — Rate items by severity and assessment confidence
- Visual Indicators — Color-coded ribbons, CVE badges, and metadata icons
- Relationship Explorer — Browse ATT&CK ↔ CAPEC ↔ CWE ↔ Mitigations in a dedicated view
- Hide Empty Phases — Focus on active phases by hiding empty ones
- Import/Export — Lightweight JSON sharing and CSV exports with metadata
- Navigator Layers — Import ATT&CK Navigator JSON exports
The Relationship Explorer is a second main view that lets you investigate ATT&CK ↔ CAPEC ↔ CWE ↔ Mitigations without assigning items first. Use the header navigation to switch views, click any node to load its details in the right panel, and open mitigation links to explore cross‑framework relationships in context.
- Clone or download this repository
- Open `index.html` in a browser, or deploy to a web server
- Browse techniques in the left sidebar
- Drag items onto kill chain phases
- Click items in the diagram to add metadata
- Use the header navigation to switch to Relationship Explorer
- Export your attack chain as JSON or CSV
- Demo kill chain: Import tests/demo.json to exercise all metadata fields (CVE/CVSS, observables, links, confidence) and multi-phase coverage.
- Import validation suite: Open tests/import-validation/test-runner.html in a browser to run validation, sanitization, and feature checks (includes the demo file).
```
├── index.html                    # Main application
├── explorer.html                 # Relationship Explorer view
├── config.js                     # Centralized configuration (paths, colors, settings)
├── kill-chain-visualizer.js      # Core visualization component
├── scripts/
│   ├── extract-attack.py         # ATT&CK STIX bundle parser
│   ├── extract-data.py           # CAPEC/CWE XML parser
│   └── sanitize-json.py          # Remove markup from data files
├── frameworks/                   # Source data (configure paths in config.js)
│   ├── ATTCK/
│   │   ├── ENTERPRISE.json       # Enterprise ATT&CK STIX bundle
│   │   ├── MOBILE.json           # Mobile ATT&CK STIX bundle
│   │   └── ICS.json              # ICS ATT&CK STIX bundle
│   ├── CAPEC/
│   │   ├── DOMAINS.xml           # CAPEC domains view
│   │   └── MECHANISMS.xml        # CAPEC mechanisms view
│   └── CWE/
│       ├── HARDWARE.xml          # CWE hardware design weaknesses
│       └── SOFTWARE.xml          # CWE software development weaknesses
└── resources/                    # Generated data (do not edit directly)
    ├── attack-techniques.json    # ATT&CK library (898 techniques)
    ├── capec-full.json           # CAPEC attack patterns
    ├── cwe-full.json             # CWE weaknesses
    ├── capec-to-technique.json   # CAPEC → ATT&CK mappings
    ├── cwe-to-capec.json         # CWE → CAPEC mappings
    ├── Nav_Layer_ENTERPRISE.json # Enterprise Navigator layer
    ├── Nav_Layer_MOBILE.json     # Mobile Navigator layer
    └── Nav_Layer_ICS.json        # ICS Navigator layer
```
| Phase | Stages |
|---|---|
| IN (Initial Foothold) | Reconnaissance, Resource Development, Delivery, Social Engineering, Exploitation, Persistence, Defense Evasion, Command & Control |
| THROUGH (Network Propagation) | Pivoting, Discovery, Privilege Escalation, Execution, Credential Access, Lateral Movement |
| OUT (Action on Objectives) | Collection, Exfiltration, Impact, Objectives |
Each assigned item supports:
| Field | Description |
|---|---|
| Score | Severity rating: Unclassified, Low, Medium, High, Critical |
| Confidence | Assessment confidence: 0% (Unknown) to 100% (High) |
| CVE-ID | Vulnerability reference (e.g., CVE-2024-12345) |
| CVSS Vector | CVSS 3.1 vector string |
| Comments | Free-text notes |
| Hyperlinks | External references with labels |
| Observables | Threat indicators (IPs, hashes, domains, etc.) |
- MITRE ATT&CK — Adversarial tactics and techniques
- CAPEC — Common Attack Pattern Enumeration
- CWE — Common Weakness Enumeration
- Unified Kill Chain — Attack phase framework
AttackFlow implements defense-in-depth protections and adheres to security-by-design principles. (Note: the application is NOT production ready yet and may still contain vulnerable components.) Please do not hesitate to create an issue / pull request or contact me directly if you find any security-related issues or have suggestions for further improving application security and mitigating exploitation scenarios.
- Input Blocking — Dangerous characters (``< > [ ] { } " ' ; -- ` ``) blocked at input level
- Output Encoding — All user-supplied values HTML-encoded before rendering
- DOM-Safe Rendering — Uses `textContent` and DOM APIs instead of `innerHTML`
- Import Validation — File size, item count, and pattern validation on imports
- Sanitized Data — Source data cleaned of embedded markup during extraction
- XXE Protection — Secure XML parsing with entity expansion disabled
- CSV Safety — Formula injection protection on exports
- No execution of untrusted content from local or upstream data (MITRE JSON/XML, user-imported layers).
- Defensive rendering: all UI output is treated as untrusted until sanitized & encoded.
- Safe file import/export with integrity and injection-resistant outputs.
- Resilient parsing of large/hostile XML/JSON inputs.
- Predictable standalone, offline operation: no CDN requests, remote resource retrievals or third-party dependencies, protecting against upstream supply-chain compromises.
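The input-blocking, output-encoding and CSV-safety controls listed above, shown as an added example written for this README rather than taken from the AttackFlow sources (the function names, the blocked-character set taken from the list above, and the single-quote CSV prefix are my own choices):

```javascript
// Added example, not the project's own code: string-level versions of the
// three controls, runnable in Node or a browser console.

// Characters the README lists as blocked at input level; "--" is a sequence
// and is checked separately.
const BLOCKED_CHARS = /[<>\[\]{}"';`]/;
const BLOCKED_SEQUENCES = ['--'];

// Returns true when a user-supplied value should be rejected at input time.
function isBlockedInput(value) {
  const text = String(value);
  return BLOCKED_CHARS.test(text) || BLOCKED_SEQUENCES.some(seq => text.includes(seq));
}

// HTML-encode a value before it is placed into markup or an attribute.
// With textContent this is not needed, but it is the second layer for any
// code path that still assembles HTML strings.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, ch => map[ch]);
}

// CSV formula-injection protection: a cell starting with = + - @ or a
// tab/CR can be evaluated as a formula by spreadsheet software. Prefix a
// single quote so the cell is read as text (this also prefixes negative
// numbers, an accepted trade-off), then quote the cell and double any
// embedded quotes so the row stays well-formed CSV.
function csvSafeCell(value) {
  let text = String(value ?? '');
  if (/^[=+\-@\t\r]/.test(text)) {
    text = "'" + text;
  }
  return '"' + text.replace(/"/g, '""') + '"';
}

// Build one CSV line from an array of cells.
function csvRow(cells) {
  return cells.map(csvSafeCell).join(',');
}

// Constructed sample: a comment that tries to smuggle markup and a formula.
const sample = { technique: 'T1566', comment: '=HYPERLINK("http://example.invalid")<b>x</b>' };
console.log(isBlockedInput(sample.comment)); // true: rejected at input
console.log(htmlEncode(sample.comment));      // encoded fallback for rendering
console.log(csvRow([sample.technique, sample.comment]));
```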
Download the latest framework data and run the extraction scripts:
```bash
# Download ATT&CK STIX bundles from https://github.com/mitre-attack/attack-stix-data
# Place in frameworks/ATTCK/ as ENTERPRISE.json, MOBILE.json, ICS.json

# Download CAPEC XML views from https://capec.mitre.org/data/
# Place in frameworks/CAPEC/ as DOMAINS.xml, MECHANISMS.xml

# Download CWE XML views from https://cwe.mitre.org/data/
# Place in frameworks/CWE/ as SOFTWARE.xml, HARDWARE.xml

# Run extraction scripts
python3 scripts/extract-attack.py   # Parse ATT&CK techniques
python3 scripts/extract-data.py     # Parse CAPEC/CWE

# File paths are configurable in config.js under sources.*
# JSON sanitization paths are configurable in config.js under sanitize.paths
# Sanitization runs before and after parsing to keep source and generated files clean
```

Apache License 2.0 — See LICENSE for details.

