Agent workflow

AdversaryGraph

HTML-based · build a complete AI automation pipeline without writing code
English name: adversarygraph
⭐ 8 Stars 🍴 2 Forks 💻 HTML 📄 NOASSERTION 🏷 AI score 8.5
Topics: ai-security, att-ck-navigator, attack-mapping

AI Skill Hub strongly recommends it: AdversaryGraph is a high-quality Agent workflow. Its AI composite score is 8.5, a solid result among comparable tools. If you are looking for a reliable Agent workflow solution, it is worth a closer look.

📚 In-depth analysis

AdversaryGraph is a complete AI Agent automation workflow solution. As AI capabilities keep improving, Agent-based automation workflows are becoming a core way to raise individual and team productivity. Unlike traditional RPA automation (which simulates mouse and keyboard actions), an AI Agent workflow understands the task intent and plans its execution path dynamically, so it can handle more complex, unstructured tasks.

The workflow follows a "minimal configuration, maximum reuse" principle: the core logic is already packaged, and users only need to configure their own API key and business parameters to get started. Built-in error handling and retry mechanisms keep it running stably through network instability or API rate limiting, making it suitable as automation infrastructure for production environments.

For real deployments, it is advisable to run the workflow 3-5 times in a test environment first, verify that each stage produces the expected output, and only then deploy to production. AI Skill Hub score: 8.5, a curated recommendation among Agent workflows of this kind.

📋 Tool overview

AI-driven MITRE ATT&CK threat intelligence platform

AdversaryGraph is a complete AI Agent automation workflow solution. Through visual node orchestration it breaks complex multi-step tasks down into clear automated flows for unattended, intelligent processing. It integrates seamlessly with hundreds of external services and APIs and suits data-processing pipelines, business automation and AI-assisted decision systems.

GitHub Stars: ⭐ 8
Development language: HTML
Supported platforms: Windows / macOS / Linux
Maintenance status: lightweight project, updated as needed
Open-source license: NOASSERTION
AI composite score: 8.5
Tool type: Agent workflow
Forks: 2

📖 Documentation (translated)

The following content was compiled automatically by AI Skill Hub from the project information; for the complete original documentation see "Original sources" at the bottom of the page.

📌 Key features
  • Visual Agent workflow orchestration with no complex code to write
  • Multi-step automated task chains that run unattended end to end
  • Seamless integration with external APIs, databases and third-party services
  • Built-in error handling and automatic retries for stable operation
  • Reusable automation templates for quick deployment in similar scenarios
🎯 Main use cases
  • Automate routine repetitive work so effort can go to creative tasks
  • Build complete collect → process → output automation pipelines
  • Move data and coordinate business processes across platforms and systems
The installation commands below were generated automatically from the project's language and type; the official README is authoritative.
Installation commands
# Clone the repository
git clone https://github.com/anpa1200/adversarygraph
cd adversarygraph

# Read the installation notes
cat README.md

# Once the environment dependencies from the README are installed, the tool is ready to use
📋 Installation steps
  1. Get the workflow files from the GitHub repository
  2. Find the "Import workflow" function in the target platform (Dify / Flowise / Make, etc.)
  3. Upload the workflow file
  4. Configure the required environment variables and API keys as prompted
  5. Run a test to confirm the flow works, then put it into use
The usage examples below were compiled by AI Skill Hub and cover the most common scenarios.
Common commands / code examples
# Show help
adversarygraph --help

# Basic run
adversarygraph [options] <input>

# See the documentation for detailed usage
# https://github.com/anpa1200/adversarygraph
The configuration example below was generated from a typical usage scenario; adjust the actual parameters according to the official documentation.
Configuration example
# adversarygraph configuration notes
# Show the configuration options
adversarygraph --config-example > config.yml

# Common settings
# output_dir: ./output
# log_level: info
# workers: 4

# Environment variable (overrides the configuration file)
export ADVERSARYGRAPH_CONFIG="/path/to/config.yml"
📑 README deep dive · parsed from the real README · completeness 84/100 · view the original on GitHub →
The content below was parsed directly from the GitHub README, preserving code blocks, tables and lists.

AdversaryGraph

AI-assisted CTI-to-detection workbench for MITRE ATT&CK mapping and detection-gap analysis.


Current release: v2.5.0 · Release Summary · Live Intelligence Workspace · Documentation & Usage Guide · Full v2 Guide · 1200km Article · Medium Archive

AdversaryGraph AI is a self-hosted CTI-to-detection workbench for mapping threat reports to MITRE ATT&CK, comparing TTP overlap with known groups and campaigns, identifying detection gaps, and exporting analyst-ready outputs.

Rename note: AdversaryGraph is the canonical product name. Legacy public URLs are preserved as static redirect pages where possible.

Live Web Workspace: https://1200km.com/threat-matrix/

Project Hub: https://1200km.com/adversarygraph/

Documentation: https://1200km.com/adversarygraph-docs/

1200km Article: https://1200km.com/articles/adversarygraph-v2-self-hosted-ai-cti-platform.html

Medium Archive: https://medium.com/@1200km

Validation and attribution limitation: AdversaryGraph assists analysts but does not replace analyst validation. LLM-generated mappings may contain false positives, false negatives, or ambiguous technique assignments. Group/campaign similarity is based on TTP overlap and is an investigation lead, not attribution proof.

Features

| Module | Capability |
|---|---|
| **Navigator** | Full ATT&CK/ATLAS matrix support (Enterprise, Mobile, ICS, ATLAS) with D3.js zoom/pan, sub-technique expansion, dual-layer colouring |
| **Threat Actor Library** | Currently ingested MITRE ATT&CK group profiles, aliases, techniques, and named campaign relationships |
| **AI Analysis** | Upload PDF/DOCX/TXT or paste text → streamed LLM extraction of ATT&CK or ATLAS mapping candidates via Claude, OpenAI, Gemini, or a local OpenAI-compatible LLM; results saved to Reports Library (DB 2) |
| **Compare — Groups** | Jaccard similarity ranking of your TTPs vs currently ingested group profiles; visual matrix diff, tactic breakdown, gap analysis |
| **Compare — Campaigns** | Jaccard similarity ranking of your TTPs vs every named MITRE campaign (e.g. SolarWinds C0024, Operation Ghost C0023) |
| **Compare — Reports** | Browse stored AI analyses (DB 2); re-run group-similarity comparison without re-calling the LLM |
| **Sector Intelligence** | Local actor relevance scoring by client sector, geography, environment keywords, activity window, ATT&CK campaign recency, and MISP Galaxy evidence |
| **IOC Intelligence** | Local source-backed IOC storage with ThreatFox/OTX/Malpedia sync, global IOC Library search, MISP/custom feed connection, actor IOC tabs, IOC-to-TTP mapping, freshness filtering, confidence, source links, VT check, and CSV export |
| **VirusTotal Lookup** | On-demand IOC reputation lookup for IPs, domains, URLs, and hashes with clean verdicts, extracted ATT&CK TTPs, local actor matches, and matrix/My TTP actions |
| **DFIR Examples** | Indexed public DFIR Report examples with TTP/actor metadata and a local PDF workflow for private AI analysis |
| **Export** | ATT&CK Navigator JSON layers, PDF reports, plain JSON, and STIX 2.1 bundles for OpenCTI import |
| **Reference Sync** | Manual and scheduled MITRE ATT&CK and MITRE ATLAS sync for Enterprise, Mobile, ICS, and ATLAS with status reporting and stale-data indicators |
| **Anomaly Detection Reference Book** | Docker-served, autonomously synchronized reference catalogs with exact paragraph-level links from every mapped matrix TTP |
| **Intelligence Pipeline** | Scheduled reviewed RSS intake, STIX/TAXII, MISP and ATLAS imports, normalized observables, public enrichment, team audit trail |
| **Detection Studio** | Versioned Sigma, KQL, SPL and EQL skeleton generation with structural validation and explicit analyst-review placeholders |
| **Operations** | Investigations, evidence graphs, report intake, tracked actor changes, and detection engineering lifecycle |

---

Prerequisites

  • Docker + Docker Compose (v2)
  • API key for at least one cloud LLM provider, or a local OpenAI-compatible LLM endpoint

Deployment

Quick Start

Usage Guide

Public Demo Privacy Note

The public Web workspace is intended for exploration. Do not upload confidential, customer-sensitive, classified, or internal reports into public demos or third-party environments. Use the self-hosted Docker deployment for private analysis.

Screenshots And Visual Evidence

Screenshot evidence is preserved in docs/screenshots/. The set covers the public ATT&CK matrix workspace, group overlay workflows, analysis views, report/evidence review, and ecosystem navigation from the companion walkthrough.

Demo workflow video: DFIR report download to AI analysis and comparison shows the end-to-end flow from indexed public report examples to local PDF upload, streamed ATT&CK extraction, and selected TTP review. A GIF version is also available at docs/demo-videos/dfir-report-ai-analysis-compare.gif.

| Matrix and actor workflow | Analysis and review workflow |
|---|---|
| ![AdversaryGraph ATT&CK matrix workspace](docs/screenshots/02_1x07j05Kn78RJY96S3Ga4IVQ.png) | ![AdversaryGraph analysis workflow](docs/screenshots/10_1xCsGSK7APVQvnvTDCLxXKNA.png) |
| ![AdversaryGraph actor overlay](docs/screenshots/13_1xFpAXPkiL1j3fiuOkL7tp8A.png) | ![AdversaryGraph evidence review](docs/screenshots/20_1xVAfpLRWhfkB0pwRR5C4Nlw.png) |

---

1 — Clone and configure

```bash
git clone https://github.com/anpa1200/adversarygraph.git
cd adversarygraph
cp .env.example .env
```

Edit .env and add your API keys:

```env
# Optional cloud providers
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
OPENAI_MODEL=gpt-4.1
GEMINI_API_KEY=AIza...

# Optional local provider: Ollama / LM Studio / LocalAI / vLLM with OpenAI-compatible API
LOCAL_LLM_BASE_URL=http://host.docker.internal:11434/v1
LOCAL_LLM_API_KEY=local
LOCAL_LLM_MODEL=llama3.1:8b
```

Configuration

All configuration is via environment variables in .env.

| Variable | Default | Description |
|---|---|---|
| DB_NAME | adversarygraph | PostgreSQL database name. The legacy default is kept so existing deployments continue to start after upgrade. |
| DB_USER | ag_user | Database user |
| DB_PASS | changeme | Database password — **change this** |
| ADVERSARYGRAPH_DB_DIR | ./data/postgres | External persistent Postgres data directory created on first deployment. Keep this folder across rebuilds. |
| ANTHROPIC_API_KEY | | Anthropic / Claude API key |
| OPENAI_API_KEY | | OpenAI API key |
| OPENAI_MODEL | gpt-4.1 | OpenAI model used when no request-level model is provided |
| GEMINI_API_KEY | | Google Gemini API key |
| LOCAL_LLM_BASE_URL | http://host.docker.internal:11434/v1 | OpenAI-compatible local LLM endpoint |
| LOCAL_LLM_API_KEY | local | API key placeholder for local OpenAI-compatible servers |
| LOCAL_LLM_MODEL | llama3.1:8b | Local model used when no request-level model is provided |
| ATTCK_DOMAINS | enterprise-attack,mobile-attack,ics-attack,atlas | Comma-separated ATT&CK/ATLAS domains to ingest |
| DYNAMIC_DB_SYNC_HOUR | 3 | Daily public dynamic DB sync hour in UTC |
| DYNAMIC_DB_SYNC_MINUTE | 30 | Daily public dynamic DB sync minute in UTC |
| DYNAMIC_DB_IOC_SYNC_DAYS | 7 | ThreatFox/public IOC sync window for daily dynamic DB refresh |
| LOG_LEVEL | info | debug / info / warning / error |

To ingest only Enterprise (faster first start):

```env
ATTCK_DOMAINS=enterprise-attack
```
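As an added example (not part of the AdversaryGraph project), the following Python script checks a `.env` file against the table above before the stack is started: it flags a `DB_PASS` left at the template default `changeme`, a deployment with no LLM provider at all (the prerequisite is one cloud key or a local OpenAI-compatible endpoint), unknown `ATTCK_DOMAINS` values, an out-of-range sync schedule and an invalid `LOG_LEVEL`. The variable names and defaults come from the table; the check logic, the function names and the two sample `.env` texts are constructed here.

```python
"""Pre-flight check of an AdversaryGraph .env file (added example, not project code).

Variable names and defaults follow the configuration table; the checks, the
function names and the sample files below are constructed for illustration.
"""
from __future__ import annotations

ALLOWED_DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack", "atlas"}
ALLOWED_LOG_LEVELS = {"debug", "info", "warning", "error"}
# At least one of these must be set: a cloud key or a local OpenAI-compatible endpoint.
PROVIDER_KEYS = ("ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GEMINI_API_KEY", "LOCAL_LLM_BASE_URL")
PLACEHOLDER_PASSWORDS = {"", "changeme"}


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and '#' comments; strip matching quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file passes."""
    env = parse_env(text)
    findings: list[str] = []

    # DB_PASS defaults to 'changeme' in the table, which explicitly says to change it.
    if env.get("DB_PASS", "changeme") in PLACEHOLDER_PASSWORDS:
        findings.append("DB_PASS is unset or still the template default 'changeme'")

    # Prerequisite: a cloud provider key or a local OpenAI-compatible LLM endpoint.
    if not any(env.get(key) for key in PROVIDER_KEYS):
        findings.append("no LLM provider configured (set a cloud API key or LOCAL_LLM_BASE_URL)")

    # ATTCK_DOMAINS is comma-separated; every entry must be a known domain.
    raw_domains = env.get("ATTCK_DOMAINS", ",".join(sorted(ALLOWED_DOMAINS)))
    domains = {d.strip() for d in raw_domains.split(",") if d.strip()}
    unknown = sorted(domains - ALLOWED_DOMAINS)
    if unknown:
        findings.append(f"unknown ATTCK_DOMAINS value(s): {', '.join(unknown)}")

    # The daily sync schedule is a UTC hour and minute.
    for name, limit in (("DYNAMIC_DB_SYNC_HOUR", 24), ("DYNAMIC_DB_SYNC_MINUTE", 60)):
        value = env.get(name)
        if value is not None and not (value.isdigit() and int(value) < limit):
            findings.append(f"{name}={value!r} is not an integer in 0..{limit - 1}")

    level = env.get("LOG_LEVEL", "info")
    if level.lower() not in ALLOWED_LOG_LEVELS:
        findings.append(f"LOG_LEVEL={level!r} is not one of {sorted(ALLOWED_LOG_LEVELS)}")
    return findings


# Constructed sample: .env.example copied with only a model name touched.
WEAK_ENV = """
# database
DB_NAME=adversarygraph
DB_USER=ag_user
DB_PASS=changeme
OPENAI_MODEL=gpt-4.1
ATTCK_DOMAINS=enterprise-attack,atlas,mobile
DYNAMIC_DB_SYNC_HOUR=25
"""

# Constructed sample: the same file after fixing every finding (password is a placeholder).
FIXED_ENV = """
DB_NAME=adversarygraph
DB_USER=ag_user
DB_PASS="replace-with-a-generated-secret"
LOCAL_LLM_BASE_URL=http://host.docker.internal:11434/v1
LOCAL_LLM_API_KEY=local
LOCAL_LLM_MODEL=llama3.1:8b
ATTCK_DOMAINS=enterprise-attack
DYNAMIC_DB_SYNC_HOUR=3
DYNAMIC_DB_SYNC_MINUTE=30
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_ENV), ("fixed", FIXED_ENV)):
        print(f"[{label}]", check_env(text) or "OK")
```

Running it on the weak sample returns four findings; on the fixed sample it returns none. The `OPENAI_MODEL` line in the weak sample is deliberate: a model name without the matching `OPENAI_API_KEY` satisfies nothing, which is exactly the case the provider check catches.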

---

Via API

```bash
curl -X POST http://localhost:8000/api/sync/trigger
```

DB 1 — MITRE ATT&CK (read-only reference data)

Populated from MITRE's official STIX 2.1 bundles on startup and on each sync. Contains:

  • Groups — named threat actors with aggregate TTP profiles from the ingested release
  • Campaigns — named operations with per-operation TTP profiles from the ingested release
  • Attribution links — which group conducted which campaign (attributed-to relationships)
  • Technique usage — the specific techniques observed in each group/campaign with use descriptions

Built on the currently ingested MITRE ATT&CK and MITRE ATLAS datasets. Counts depend on the selected domain and source release.

| Domain | Groups | Campaigns | Techniques |
|---|---|---|---|
| Enterprise | Dynamic | Dynamic | Dynamic |
| ICS | Dynamic | Dynamic | Dynamic |
| Mobile | Dynamic | Dynamic | Dynamic |
| ATLAS | N/A from upstream | N/A from upstream | Dynamic |
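To make the DB 1 contents concrete, here is an added example (not AdversaryGraph's own ingestion code) that extracts the four entity kinds listed above from an ATT&CK-style STIX 2.1 bundle: groups (`intrusion-set`), campaigns (`campaign`), attribution links (`attributed-to` relationships) and technique usage (`uses` relationships carrying a description). The object types, the `mitre-attack` external references and the relationship names are ATT&CK's published STIX conventions; the bundle below is a constructed miniature with made-up STIX ids and the placeholder group/campaign ids `G9999` / `C9999`, and the `include_campaign_techniques` option is an assumed design choice, not the project's behaviour.

```python
"""Extracting DB 1 entities from an ATT&CK-style STIX 2.1 bundle (added example, not project code).

Object types, 'mitre-attack' external references and the 'uses' / 'attributed-to'
relationship types follow ATT&CK's STIX conventions; the bundle below is a
constructed miniature with made-up STIX ids and placeholder group/campaign ids.
"""
from __future__ import annotations

import json


def attack_id(obj: dict) -> str | None:
    """Return the ATT&CK/ATLAS external id (T1059.001, G0016, C0024, ...) of a STIX object."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ("mitre-attack", "mitre-atlas") and "external_id" in ref:
            return ref["external_id"]
    return None


def is_live(obj: dict) -> bool:
    """ATT&CK keeps revoked/deprecated objects in the bundle; skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def load_reference(bundle: dict, include_campaign_techniques: bool = False) -> dict:
    """Build the DB 1 view: groups, campaigns, attribution links and technique usage.

    include_campaign_techniques folds a campaign's techniques into the profile of the
    group it is attributed to (an assumed design choice, not the project's behaviour).
    """
    objects = [o for o in bundle.get("objects", []) if is_live(o)]
    techniques = {o["id"]: attack_id(o) for o in objects if o["type"] == "attack-pattern"}
    groups = {
        o["id"]: {"id": attack_id(o), "name": o["name"], "aliases": o.get("aliases", []), "techniques": {}}
        for o in objects if o["type"] == "intrusion-set"
    }
    campaigns = {
        o["id"]: {"id": attack_id(o), "name": o["name"], "attributed_to": None, "techniques": {}}
        for o in objects if o["type"] == "campaign"
    }

    for rel in (o for o in objects if o["type"] == "relationship"):
        src, dst = rel["source_ref"], rel["target_ref"]
        if rel["relationship_type"] == "uses" and dst in techniques:
            owner = groups.get(src) or campaigns.get(src)
            if owner is not None:
                # Technique usage keeps the per-relationship use description.
                owner["techniques"][techniques[dst]] = rel.get("description", "")
        elif rel["relationship_type"] == "attributed-to" and src in campaigns and dst in groups:
            campaigns[src]["attributed_to"] = groups[dst]["id"]

    if include_campaign_techniques:
        by_attack_id = {g["id"]: g for g in groups.values()}
        for camp in campaigns.values():
            grp = by_attack_id.get(camp["attributed_to"])
            if grp is not None:
                for tech, desc in camp["techniques"].items():
                    grp["techniques"].setdefault(tech, desc)
    return {"groups": list(groups.values()), "campaigns": list(campaigns.values())}


def _obj(stix_type: str, ext_id: str, name: str, suffix: str, **extra) -> dict:
    """Build a constructed STIX object with a made-up (but well-formed) id."""
    return {
        "type": stix_type,
        "id": f"{stix_type}--00000000-0000-4000-8000-0000000000{suffix}",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        **extra,
    }


def _rel(rel_type: str, src: str, dst: str, suffix: str, description: str = "") -> dict:
    return {"type": "relationship", "id": f"relationship--00000000-0000-4000-8000-0000000000{suffix}",
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst, "description": description}


# Constructed miniature bundle: real technique ids, placeholder group/campaign ids.
T_PS = _obj("attack-pattern", "T1059.001", "PowerShell", "a1")
T_PHISH = _obj("attack-pattern", "T1566.001", "Spearphishing Attachment", "a2")
T_WEB = _obj("attack-pattern", "T1071.001", "Web Protocols", "a3")
T_OLD = _obj("attack-pattern", "T9999", "Retired placeholder technique", "a4", revoked=True)
GROUP = _obj("intrusion-set", "G9999", "Example Group", "b1", aliases=["Example Group", "EG"])
CAMPAIGN = _obj("campaign", "C9999", "Example Campaign", "c1")
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000f0",
    "objects": [
        T_PS, T_PHISH, T_WEB, T_OLD, GROUP, CAMPAIGN,
        _rel("uses", GROUP["id"], T_PS["id"], "d1", "Example Group has used PowerShell for execution."),
        _rel("uses", GROUP["id"], T_PHISH["id"], "d2"),
        _rel("uses", GROUP["id"], T_OLD["id"], "d3"),  # dropped: the target technique is revoked
        _rel("uses", CAMPAIGN["id"], T_WEB["id"], "d4"),
        _rel("attributed-to", CAMPAIGN["id"], GROUP["id"], "d5"),
    ],
}

if __name__ == "__main__":
    print(json.dumps(load_reference(SAMPLE_BUNDLE), indent=2))
```

The revoked technique is the edge case worth noticing: ATT&CK does not delete objects between releases, it marks them `revoked` or `x_mitre_deprecated`, so an ingester that does not filter them inflates group profiles and therefore every similarity score computed from them.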

API Reference

Full interactive documentation at http://localhost:8000/docs.

Registered route groups include:

Inside the api container (real PostgreSQL):

```bash
docker compose exec api pytest tests/ -v
```

Web vs Docker

AdversaryGraph Web is the public browser-native workspace for ATT&CK exploration, manual layers, group overlays and comparisons, local workspaces, ecosystem research, coverage-gap analysis, and browser-generated exports. It does not perform LLM report extraction or backend private-report storage.

AdversaryGraph Docker is the full self-hosted platform for provider-configured AI extraction, private PostgreSQL-backed analyses, campaigns, APIs, PDF reports, detection-rule workflows, and scheduled ATT&CK synchronization.

AdversaryGraph is self-hosted. In Docker mode, report content is sent only to the LLM provider configured by the operator. For fully private analysis, use a local or private LLM gateway. The public Web workspace does not perform LLM report extraction or backend report storage.

The Docker deployment gives the operator control over storage, networking, and provider configuration. Trusted-header authentication and roles are available when configured, but internet-facing deployments still require TLS, an authenticating reverse proxy, restricted network exposure, backups, retention controls, and secrets management.

```
┌──────────────────────────────────────────────────────────────────┐
│                         Docker Compose                           │
├────────────────┬───────────────┬──────────────┬─────────────────┤
│  React / Vite  │   FastAPI     │  PostgreSQL  │  Redis + Celery │
│  (port 3000)   │  (port 8000)  │     16       │  worker + beat  │
│                │               │              │                 │
│  Vite proxy    │  SQLAlchemy   │  DB 1: ATT&CK│  daily MITRE    │
│  /api → :8000  │  async ORM    │  DB 2: Reports  sync job       │
└────────────────┴───────────────┴──────────────┴─────────────────┘
```

  • Backend — Python 3.12, FastAPI, SQLAlchemy 2.x (async), Celery
  • Frontend — React 18, TypeScript, Vite, D3.js, Tailwind CSS, Zustand
  • Database — PostgreSQL 16 with JSONB for ATT&CK STIX data
  • Queue — Redis + Celery (daily MITRE sync at 03:00 UTC)

Compare

Rank ATT&CK groups and campaigns against your TTPs using Jaccard similarity.

Jaccard similarity = |shared techniques| / |union of all techniques|

Use the mode switcher at the top of the Compare page to choose what to compare against:

Mode: Groups (DB 1)

Rank every ATT&CK group against your current Navigator selection.

| Detail tab | Content |
|---|---|
| **Overview** | Similarity score, shared techniques (amber chips), your-only techniques |
| **Tactic Breakdown** | Stacked bar per kill-chain phase: shared / user-only / group-profile-only |
| **Visual Diff** | Compact matrix colour-strip showing the full overlap |
| **Gap Analysis** | Every technique in the group's profile not in your layer — your detection backlog |

Actions:
  • Overlay in Navigator — visualise the overlap on the full matrix
  • ↓ PDF Report — export a formatted comparison report

Mode: Campaigns (DB 1)

Rank named campaigns from the currently ingested ATT&CK release against your current Navigator selection.

The detail panel shows:
  • Similarity score, shared techniques highlighted in purple
  • Full campaign technique list with overlap indicators
  • Attribution (which group conducted this campaign)
  • Date range of the campaign

Mode: Reports (DB 2)

Browse your stored AI analysis sessions. Click any report body to see which group and campaign profiles have the strongest TTP overlap with its extracted profile — without re-running the expensive LLM call.

Use cases:
  • Retrospective TTP-overlap review after a new ATT&CK version is released
  • Cross-incident correlation across multiple saved reports
  • Environmental profiling — which groups keep appearing across your incident set

Per-session actions:
  • ↓ PDF — download the full analysis PDF for that session at any time
  • ↓ STIX/OpenCTI — download a STIX 2.1 bundle containing the report, ATT&CK attack-patterns, and similarity-lead intrusion sets for OpenCTI import
  • ✕ Remove — delete the session from DB 2 (browser confirm required; list refreshes automatically)
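The whole Compare section, from the Jaccard formula to the Overview, Tactic Breakdown and Gap Analysis tabs and the "Overlay in Navigator" action, reduces to a few set operations. The following is an added example in plain Python, not AdversaryGraph's code: it ranks group and campaign profiles against a Navigator selection with the similarity stated above, splits each comparison into shared / user-only / profile-only sets, rolls those up per tactic, and emits a Navigator layer that colours the overlap. The user selection, the profiles, the technique-to-tactic map and all function names are constructed for illustration; the layer schema is the ATT&CK Navigator format as the author understands it, and its version numbers are assumptions.

```python
"""The Compare workflow in plain Python (added example, not AdversaryGraph code).

The ranking formula is the Jaccard similarity stated in the README. The user
selection, the group/campaign profiles, the technique-to-tactic map and all
function names are constructed for illustration and are not real ATT&CK data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Comparison:
    name: str
    similarity: float
    shared: set[str] = field(default_factory=set)        # Overview: amber chips
    user_only: set[str] = field(default_factory=set)     # Overview: your-only techniques
    profile_only: set[str] = field(default_factory=set)  # Gap Analysis: your detection backlog


def jaccard(a: set[str], b: set[str]) -> float:
    """|shared techniques| / |union of all techniques|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_profiles(user_ttps: set[str], profiles: dict[str, set[str]]) -> list[Comparison]:
    """Rank every profile (group or campaign) by similarity, highest first; ties by name."""
    results = [
        Comparison(name, round(jaccard(user_ttps, ttps), 4),
                   user_ttps & ttps, user_ttps - ttps, ttps - user_ttps)
        for name, ttps in profiles.items()
    ]
    return sorted(results, key=lambda c: (-c.similarity, c.name))


def tactic_of(technique: str, tactic_map: dict[str, str]) -> str:
    """Map a technique or sub-technique (T1059.001 -> T1059) to its tactic."""
    return tactic_map.get(technique) or tactic_map.get(technique.split(".")[0], "unknown")


def tactic_breakdown(cmp: Comparison, tactic_map: dict[str, str]) -> dict[str, dict[str, int]]:
    """Stacked-bar data per kill-chain phase: shared / user-only / profile-only counts."""
    out: dict[str, dict[str, int]] = {}
    for bucket, ttps in (("shared", cmp.shared), ("user_only", cmp.user_only),
                         ("profile_only", cmp.profile_only)):
        for technique in ttps:
            row = out.setdefault(tactic_of(technique, tactic_map),
                                 {"shared": 0, "user_only": 0, "profile_only": 0})
            row[bucket] += 1
    return out


def navigator_layer(cmp: Comparison, domain: str = "enterprise-attack") -> dict:
    """Overlay in Navigator: a layer colouring shared vs. profile-only (gap) techniques.

    Schema (name/domain/versions/techniques with techniqueID and color) is the ATT&CK
    Navigator layer format as the author understands it; version numbers are assumed.
    """
    shared = [{"techniqueID": t, "color": "#f5b041", "comment": "shared"} for t in sorted(cmp.shared)]
    gaps = [{"techniqueID": t, "color": "#e74c3c", "comment": "gap"} for t in sorted(cmp.profile_only)]
    return {"name": f"Compare vs {cmp.name}", "domain": domain,
            "versions": {"layer": "4.5", "navigator": "4.9.1"}, "techniques": shared + gaps}


# Constructed data: a Navigator selection, two group profiles and one campaign profile.
USER_TTPS = {"T1566.001", "T1059.001", "T1071.001", "T1105"}
GROUP_PROFILES = {
    "Group Alpha": {"T1566.001", "T1059.001", "T1071.001", "T1105", "T1486"},
    "Group Beta": {"T1190", "T1059.003", "T1071.001"},
}
CAMPAIGN_PROFILES = {"Campaign X": {"T1566.001", "T1059.001"}}
TACTIC_MAP = {  # parent technique -> tactic, as in ATT&CK Enterprise
    "T1566": "initial-access", "T1190": "initial-access", "T1059": "execution",
    "T1071": "command-and-control", "T1105": "command-and-control", "T1486": "impact",
}

if __name__ == "__main__":
    for cmp in rank_profiles(USER_TTPS, GROUP_PROFILES):
        print(f"{cmp.name:12} {cmp.similarity:.4f} shared={sorted(cmp.shared)} gap={sorted(cmp.profile_only)}")
        print("  tactics:", tactic_breakdown(cmp, TACTIC_MAP))
```

With this data Group Alpha scores 4/5 = 0.8 and its only gap is T1486, while Group Beta shares a single technique out of six in the union (0.1667). Note what the score does not say: a high Jaccard value against a group profile is exactly the "investigation lead, not attribution proof" caveat from the top of the README, because widely shared techniques such as PowerShell or web-protocol C2 raise overlap with many groups at once.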

---

🎯 aiskill88 AI review · Grade A · 2026-06-18

A high-quality AI security workflow platform

👥 Suitable for
  • Automation engineers and operations staff
  • Project managers and business analysts
  • Professionals who want to reduce repetitive work
  • Digital transformation teams

⚖️ Strengths and weaknesses

✅ Strengths
  • +Greatly reduces repetitive manual work
  • +Visual flows that are clear and intuitive
  • +Highly extensible, supports complex scenarios
⚠️ Weaknesses
  • Initial configuration and debugging take some time
  • Strong dependence on the stability of external services
  • Complex scenarios require some technical background
⚠️ Before you use it

The tool's license is NOASSERTION; for commercial use read the license terms carefully and seek legal advice where necessary.

AI Skill Hub is a third-party content aggregator; the information on this page is compiled from public data and carries no legal endorsement of the tool's functionality or quality.

Validate the tool thoroughly in a sandbox or test environment and carry out the necessary security assessment before deploying it to production.

📄 License

📄 NOASSERTION — see the original license terms for the specific usage restrictions.

💡 AI Skill Hub verdict

Overall, AdversaryGraph is a well-made Agent workflow that holds its own among similar tools. AI Skill Hub will keep tracking its updates; bookmark it and adopt it when it fits your own use case.

🌐 Original information
Original name: adversarygraph
Topics: ai-security, att-ck-navigator, attack-mapping
GitHub: https://github.com/anpa1200/adversarygraph
License: NOASSERTION
Language: HTML
🔗 Original sources
🐙 GitHub repository: https://github.com/anpa1200/adversarygraph
🌐 Official website: https://1200km.com/threatmapper/

Indexed: 2026-06-18 · Updated: 2026-06-18 · License: NOASSERTION · AI Skill Hub does not legally endorse the accuracy of third-party content.
