ADVERSARY INTELLIGENCE ENGINE

Weaponizing Threat Intelligence

From raw threat reporting to an evidence-backed adversary intelligence catalog


A Unified View of Adversary Behavior

Browse normalized threat actions, actor profiles, and attack paths across IT and OT systems. Each view is schema-driven and built for reuse in detection and response workflows.

Source Intake

Threat reports, advisories, knowledge bases, and curated collections

Extract & Version

Text extraction (incl. PDFs) plus change detection and provenance

Reference Expansion

Firecrawl-powered link capture to enrich documents with cited context

Normalize

Strict schemas and consistent IDs across documents, actors, and techniques

SAIRA Max

Classify documents, analyze actors/techniques, and generate structured actions

Review & Enhance

Dedup + quality review, then SAIRA Research agent improvements


Data Explorer

Drill into actors, actions, and evidence to trace how attacks unfold step by step.

Examine the requirements needed for exploitation and the privileges gained afterward.

Heat Map

Identify concentration of adversary activity by tactic, impact, and operational maturity to prioritize defensive focus.

Determine where adversary TTPs overlap and which actors operate the same way.


Catalog Outputs and Governance

Intelligence you can trust, audit, and operationalize.

WHAT WE GENERATE
Actor Profiles
Evidence-backed summaries compiled across many documents to capture who the actor is, where they operate, and how they tend to behave.
  • Normalized attributes: aliases, regions, sectors, campaigns, and tooling
  • Transparent provenance: profiles link back to supporting documents
  • Built for automation: consistent fields suitable for downstream systems
Attack Library (Threat Actions)
Structured action definitions derived from technique analysis, designed to be reusable across detection, response, and risk workflows.
  • Prerequisites (environment, software, and vulnerability conditions) captured at a high level
  • Outcomes describing what changes when the action succeeds (by tactic category)
  • Detection cues and supporting evidence stitched into each action
Quality, Compliance & Safety
Reference Expansion
Before analysis, documents are enriched by following embedded links and capturing clean, analysis-ready content with caching to reduce rework.
  • More coverage by including cited external material
  • Better grounding so enrichment is based on fuller context
Post-Batch Review
  • Semantic deduplication to keep the action catalog clean and consistent
  • Quality scoring to flag weak or incomplete entries for improvement
  • Approval gates with audit trails for changes
SAIRA RESEARCH

After the initial batch, SAIRA Research continuously improves threat actions through an iterative research loop. Each action is validated, enriched with external research, and re-validated until quality thresholds are met.

Initial Threat Action

Raw action from SAIRA Max enrichment

Search Engine Research

External sources queried for supporting evidence

Update

Action enriched with new findings

Validation

Schema checks and quality scoring

Testimonials

“I don’t need more intelligence. I need intelligence I can use. Frenos distills the data to the what and the how, which is exactly what makes it operationalizable.”

OT Cyber Architect
Southeast US

“We want to give back to the community something we wish we had when we were practitioners. By releasing a community version of how our AI agent SAIRA operates, we’re showing our work.”

Harry Thomas
Co-Founder and CTO of Frenos

"Intelligence only matters if it drives decisions. Frenos bridges ICS gaps left by MITRE ATT&CK, modeling real adversary actions and making that intelligence actionable for simulations."

Tony Turner
VP of Product, Frenos

Adversary Intel Engine: Frequently Asked Questions

General

The Adversary Intel Engine is the industry's first IT/OT cybersecurity intelligence catalog, built by Frenos. It transforms raw threat reporting (advisories, research papers, knowledge bases, and curated collections) into a structured, searchable catalog of actor profiles and threat actions designed for automation. It's already in production, powering Frenos's AI reasoning agent, SAIRA, and a Community Edition is available for security teams and researchers who want to see how real-world threat actors operate across IT and OT environments.

It's built for security practitioners, threat intelligence analysts, OT security teams, and security leaders who need to understand how adversaries actually operate, not just in theory, but in terms of concrete, actionable steps. Whether you're running an OT security program, building detection rules, or evaluating risk across IT/OT boundaries, the catalog gives you evidence-backed intelligence to work with.

Most threat intelligence today is either too abstract (high-level framework mappings) or too noisy (raw indicator feeds). The Adversary Intel Engine sits in the middle: it decomposes MITRE ATT&CK techniques and D3FEND mitigations into discrete adversary actions that represent the real steps an attacker must take to achieve an outcome. This means defenders can assess feasibility, not just theoretical risk, and align their defenses to how attacks actually happen.

MITRE ATT&CK is an excellent knowledge base, and the Adversary Intel Engine builds on it but goes further. Rather than stopping at technique-level descriptions, Frenos decomposes techniques into concrete threat actions with defined prerequisites, expected outcomes, and detection cues. Think of it as translating ATT&CK from a reference taxonomy into an operational playbook that can be consumed by both humans and automated systems.

What's Inside the Catalog

The current catalog includes:
  • 2,400+ Threat Actions: Structured action definitions derived from technique analysis, each with prerequisites, outcomes, and detection cues.
  • 174 Actor Profiles: Evidence-backed summaries covering who the actor is, where they operate, and how they behave.
  • 1,106 Tactics & Techniques: Mapped across the MITRE ATT&CK framework, including ICS-specific tactics.
  • 225+ Actors & Campaigns: Tracked with normalized aliases, regions, sectors, and tooling.
  • 888 Malware & Tools: Cataloged and linked to the actors and actions that use them.

Threat Actions are the core unit of the catalog. Each one represents a discrete, reusable step an attacker takes, derived from real technique analysis. Every action includes:
  • Prerequisites: The environment, software, or vulnerability conditions required for the action to succeed.
  • Outcomes: What changes when the action succeeds, organized by tactic category.
  • Detection cues: Signals and evidence that defenders can use to identify the action.
This structure makes actions directly usable across detection engineering, incident response, and risk assessment workflows.

Actor Profiles are evidence-backed summaries compiled across many source documents. Each profile captures who the actor is, where they operate, and how they tend to behave, with normalized attributes including aliases, targeted regions, targeted sectors, associated campaigns, and known tooling. Every claim in a profile links back to supporting documents, so you can trace the evidence chain yourself.

Yes, and this is a key differentiator. The catalog covers both IT and OT attack paths, including ICS-specific tactics like Impair Process Control, and maps adversary behavior across the full kill chain from initial IT access through lateral movement into OT environments. The MITRE ATT&CK for ICS framework is fully represented.

The catalog tracks adversary activity globally. Current origin-country coverage includes actors attributed to China, Russia, Iran, North Korea, Lebanon, and others. Coverage is continuously expanding as new intelligence is ingested and processed.

How It Works

The Adversary Intel Engine uses a six-stage pipeline:
  1. Source Intake: Threat reports, advisories, knowledge bases, and curated collections are ingested.
  2. Extract & Version: Text is extracted (including from PDFs), with change detection and provenance tracking.
  3. Reference Expansion: Embedded links in documents are followed and captured to enrich the source material with cited context.
  4. Normalize: Strict schemas and consistent IDs are applied across documents, actors, and techniques.
  5. SAIRA Max: AI-driven classification of documents, analysis of actors and techniques, and generation of structured threat actions.
  6. Review & Enhance: Deduplication, quality review, and continuous improvement via the SAIRA Research agent.

SAIRA is Frenos's AI reasoning agent. Within the Adversary Intel Engine pipeline, two SAIRA capabilities are at work:
  • SAIRA Max handles the initial heavy lifting. It classifies documents, analyzes actors and techniques, and generates structured threat actions at scale.
  • SAIRA Research runs after the initial batch, continuously improving threat actions through an iterative loop. Each action is validated, enriched with external research, updated with new findings, and re-validated until quality thresholds are met.

Quality is enforced at multiple levels:
  • Strict schemas and validation ensure consistency across all catalog entries.
  • Reference expansion enriches documents with the full context of cited sources before any analysis begins.
  • Semantic deduplication keeps the action catalog clean by identifying and merging near-duplicate entries.
  • Quality scoring flags weak or incomplete entries for improvement.
  • Approval gates with audit trails track every change through the review process.
  • 2-pass quality review with human-in-the-loop combines automated checks with expert oversight.

The catalog is continuously updated as new threat intelligence is ingested and processed through the pipeline. SAIRA Research runs iterative improvement loops on existing actions, so the catalog doesn't just grow. It gets better over time.

Community Edition

The Community Edition gives security teams and researchers direct access to the Adversary Intel Engine catalog, allowing them to examine how real-world threat actors operate within IT/OT environments. It's designed to bring transparency to how Frenos's AI analyzes attack paths, so defenders can see the work behind the intelligence, not just the output.

Frenos was founded by practitioners with 56 years of combined experience defending critical infrastructure. The Community Edition reflects a commitment to transparency, collaboration, and giving back to the security community. Rather than asking defenders to blindly trust a black-box AI, Frenos is showing its work.

Sign up through the Adversary Intel Engine catalog page at https://catalog.frenos.io. Once you submit your request, the Frenos team will review and approve your access. This approval process ensures the catalog is used responsibly and helps Frenos tailor the experience for each user.

Community Edition users get access to a curated subset of the full catalog. Content is gated based on your approved access level, so what you see is tailored to your role and use case. This allows Frenos to share meaningful intelligence with the community while maintaining appropriate controls over sensitive material. Any customer of Frenos gains full access to the catalog without needing additional permissions.

The Adversary Intel Engine is a browse-and-explore experience. There is no data export, download, or API access. The catalog is designed to be used directly through the web interface, where you can search, filter, and drill into actor profiles, threat actions, and supporting intelligence.

No. The Adversary Intel Engine does not offer an API. All access is through the catalog's web interface.

Support

Click the Support button (the bug icon) in the catalog interface. That will open a ticket form where you can describe the issue. Once submitted, you'll be able to track your ticket history so you'll know when the bug has been reviewed and fixed.

Have a question that's not answered here? Contact us at info@frenos.io.


Do you know how an attack would unfold in your OT environment?