AI Threat Profile

POST /api/v1/ai/threat-profile

Generate threat actor profiles from TTPs and indicators using AI. Identifies likely attribution, motivation, targeted industries, known aliases, and related threat groups based on MITRE ATT&CK patterns and indicator correlation.

Permission

ai:read

Credits

20 per request

Plans

Starter, Professional, Enterprise

Timeout

Up to 60 seconds

Request Body

{
  "ttps": [
    "T1566.001", "T1059.001", "T1053.005",
    "T1071.001", "T1041", "T1486"
  ],
  "indicators": {
    "ips": ["185.220.101.42", "91.215.85.17"],
    "domains": ["cdn-update.cloud", "api-telemetry.net"],
    "hashes": ["44d88612fea8a8f36de82e1278abb02f"]
  },
  "context": "Targeted spear-phishing campaign against financial sector in Western Europe"
}
Field | Type | Description
ttps | string[] | Array of MITRE ATT&CK technique IDs observed in the investigation (required)
indicators | object | Object containing indicator arrays: ips, domains, hashes, urls, emails (optional)
context | string | Additional context about the campaign, targeted sector, or geographic region to improve attribution accuracy (optional)

Response

{
  "data": {
    "profile_name": "Eastern European Financial Threat Cluster",
    "confidence": 82,
    "attribution": "Eastern Europe / CIS region",
    "motivation": "Financial gain — ransomware deployment and data theft targeting banking and financial services institutions",
    "targets": [
      "Financial services",
      "Banking institutions",
      "Payment processors",
      "Insurance companies"
    ],
    "known_aliases": [
      "FIN7",
      "Carbon Spider",
      "ELBRUS",
      "Sangria Tempest"
    ],
    "ttps": [
      {
        "technique_id": "T1566.001",
        "name": "Phishing: Spearphishing Attachment",
        "tactic": "Initial Access",
        "usage": "Weaponized Office documents with macro-enabled payloads delivered via targeted emails"
      },
      {
        "technique_id": "T1059.001",
        "name": "Command and Scripting Interpreter: PowerShell",
        "tactic": "Execution",
        "usage": "Obfuscated PowerShell scripts for payload delivery and C2 communication"
      },
      {
        "technique_id": "T1053.005",
        "name": "Scheduled Task/Job: Scheduled Task",
        "tactic": "Persistence",
        "usage": "Scheduled tasks for maintaining persistence across reboots"
      },
      {
        "technique_id": "T1071.001",
        "name": "Application Layer Protocol: Web Protocols",
        "tactic": "Command and Control",
        "usage": "HTTPS-based C2 channels using legitimate cloud service domains"
      },
      {
        "technique_id": "T1041",
        "name": "Exfiltration Over C2 Channel",
        "tactic": "Exfiltration",
        "usage": "Data exfiltration through the established C2 HTTPS channel"
      },
      {
        "technique_id": "T1486",
        "name": "Data Encrypted for Impact",
        "tactic": "Impact",
        "usage": "Ransomware deployment as final-stage payload after data exfiltration"
      }
    ],
    "related_groups": [
      {
        "name": "FIN7",
        "overlap": 0.85,
        "description": "Financially motivated threat group targeting retail, restaurant, and hospitality sectors with point-of-sale malware"
      },
      {
        "name": "Conti Team",
        "overlap": 0.62,
        "description": "Ransomware-as-a-service operation with overlapping infrastructure and TTP patterns"
      }
    ],
    "summary": "TTP pattern and indicator analysis strongly correlates with FIN7 / Carbon Spider operations. The combination of spear-phishing with macro-enabled documents, PowerShell-based execution, scheduled task persistence, and HTTPS C2 is characteristic of this group. The financial sector targeting in Western Europe and ransomware deployment as a final-stage payload further support this attribution. Infrastructure overlap with known FIN7 C2 domains increases confidence."
  },
  "meta": {
    "request_id": "req_p1r2o3f4-...",
    "credits_used": 20,
    "credits_remaining": 460,
    "processing_time_ms": 7250
  }
}
Field | Type | Description
data.profile_name | string | Descriptive name for the identified threat profile or cluster
data.confidence | number | Attribution confidence score from 0 to 100
data.attribution | string | Likely geographic or organizational attribution of the threat actor
data.motivation | string | Assessed motivation (e.g. financial gain, espionage, hacktivism, destruction)
data.targets | array | List of industries, sectors, or entity types typically targeted by this profile
data.known_aliases | array | Known names and aliases for the matched threat group across vendor taxonomies
data.ttps | array | Detailed TTP breakdown with technique_id, name, tactic, and usage description
data.related_groups | array | Related threat groups with name, overlap score, and description of the connection
data.summary | string | Comprehensive narrative summary of the threat profile assessment and attribution rationale
meta.request_id | string | Unique request identifier for support and debugging
meta.credits_used | number | Credits consumed (20 per threat profile request)
meta.credits_remaining | number | Remaining credit balance after this request
meta.processing_time_ms | number | Server-side processing time in milliseconds

Code Examples

cURL
curl -X POST https://api.dfir-lab.ch/v1/ai/threat-profile \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "ttps": [
      "T1566.001",
      "T1059.001",
      "T1053.005",
      "T1071.001",
      "T1041",
      "T1486"
    ],
    "indicators": {
      "ips": ["185.220.101.42", "91.215.85.17"],
      "domains": ["cdn-update.cloud", "api-telemetry.net"],
      "hashes": ["44d88612fea8a8f36de82e1278abb02f"]
    },
    "context": "Targeted spear-phishing campaign against financial sector in Western Europe"
  }'
Python
import requests

# Submit the investigation's TTPs, indicators and context for profiling.
# The endpoint can take up to 60 seconds, so allow that long before giving up.
response = requests.post(
    "https://api.dfir-lab.ch/v1/ai/threat-profile",
    headers={
        "Authorization": "Bearer sk-dfir-your-key-here",
        "Content-Type": "application/json",
    },
    json={
        "ttps": [
            "T1566.001", "T1059.001", "T1053.005",
            "T1071.001", "T1041", "T1486",
        ],
        "indicators": {
            "ips": ["185.220.101.42", "91.215.85.17"],
            "domains": ["cdn-update.cloud", "api-telemetry.net"],
        },
        "context": "Targeted spear-phishing campaign against financial sector",
    },
    timeout=60,
)
# Fail on 4xx/5xx (bad key, missing ttps, exhausted credits) instead of a KeyError below.
response.raise_for_status()

data = response.json()
profile = data["data"]
print(f"Profile: {profile['profile_name']}")
print(f"Attribution: {profile['attribution']} (confidence: {profile['confidence']})")
print(f"Motivation: {profile['motivation']}")
print(f"Known aliases: {', '.join(profile['known_aliases'])}")

for group in profile["related_groups"]:
    print(f"  Related: {group['name']} (overlap: {group['overlap']})")

Important Notes

  • At least one TTP technique ID is required. Providing more TTPs and indicators significantly improves attribution accuracy and confidence scores.
  • Attribution is probabilistic — confidence scores below 0.6 indicate low certainty. Always corroborate AI-generated profiles with additional intelligence sources.
  • Each request consumes 20 credits. Results are generated fresh for every profiling request — no caching is applied.
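The following helper, added here as an example and not part of the API's own client code, builds a request body that satisfies the rules above (validated ATT&CK IDs, only the documented indicator keys, at least one TTP) and then triages a response into what an analyst acts on: whether the confidence is low enough to require corroboration, which related groups clear an overlap threshold, and the tactic chain the returned TTPs describe. It assumes the "below 0.6" note maps to 60 on the response's 0-100 confidence scale, and the sample response is a constructed abridgement of the one shown on this page.

```python
import re

# MITRE ATT&CK technique or sub-technique ID, e.g. T1486 or T1566.001
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
INDICATOR_KEYS = ("ips", "domains", "hashes", "urls", "emails")  # keys the endpoint accepts

def build_request(ttps, indicators=None, context=None):
    """Validate and normalise analyst input into the documented request body."""
    clean = []
    for ttp in ttps:
        ttp = ttp.strip().upper()
        if not ATTACK_ID.match(ttp):
            raise ValueError(f"not an ATT&CK technique ID: {ttp!r}")
        if ttp not in clean:  # keep observation order, drop duplicates
            clean.append(ttp)
    if not clean:
        raise ValueError("at least one TTP technique ID is required")
    body = {"ttps": clean}
    if indicators:
        if set(indicators) - set(INDICATOR_KEYS):
            raise ValueError("unsupported indicator keys")
        body["indicators"] = {k: sorted(set(v)) for k, v in indicators.items() if v}
    if context:
        body["context"] = context
    return body

def triage(result, min_confidence=60, min_overlap=0.6):  # 60 = page's 0.6 on the 0-100 scale (assumption)
    """Reduce a threat-profile response to the fields an analyst acts on."""
    p = result["data"]
    tactics = []
    for t in p["ttps"]:
        if t["tactic"] not in tactics:  # tactic order as returned reflects the observed chain
            tactics.append(t["tactic"])
    return {
        "profile": p["profile_name"],
        "needs_corroboration": p["confidence"] < min_confidence,
        "candidate_groups": [g["name"] for g in p["related_groups"] if g["overlap"] >= min_overlap],
        "tactic_chain": tactics,
        "credits_remaining": result["meta"]["credits_remaining"],
    }

# Constructed sample, abridged from the response documented on this page
SAMPLE = {"data": {"profile_name": "Eastern European Financial Threat Cluster", "confidence": 82,
                   "ttps": [{"technique_id": "T1566.001", "tactic": "Initial Access"},
                            {"technique_id": "T1059.001", "tactic": "Execution"},
                            {"technique_id": "T1041", "tactic": "Exfiltration"}],
                   "related_groups": [{"name": "FIN7", "overlap": 0.85}, {"name": "Conti Team", "overlap": 0.62}]},
          "meta": {"credits_remaining": 460}}
```

Pass the result of build_request as the json= argument of the POST shown above; triage is then run on the parsed response.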