the dogesec blog
Tutorials, research, and product updates on STIX, ATT&CK, Sigma, cyber threat intelligence engineering, and threat intel automation.
Representing Admiralty Codes in STIX Without Giving Up Interoperability
Tutorials April 13, 2026
A practical approach to modelling Admiralty Codes in STIX 2.1 using Marking Definitions and Extension Definitions, with reusable objects you can adopt in your own CTI workflows.
Introducing the Cyber Threat Exchange: A Better Way to Publish and Consume CTI Feeds
Updates March 16, 2026
Learn how the Cyber Threat Exchange helps researchers publish structured CTI in STIX 2.1 and lets defenders operationalise specialist intelligence through TAXII, APIs, and existing CTI tooling.
TTPs Are Missing the P: Lets Fix That
Research February 23, 2026
Most ATT&CK programs model tactics and techniques, but not procedures. This post explains why that gap matters, where Attack Flow helps, and how STIX could model the missing layer.
Using Known ATT&CK Techniques to Predict What Came Before and What Happens Next
Research February 16, 2026
Known ATT&CK techniques are not just for labeling incidents. This post shows how to use them as anchors to infer likely predecessor and successor behavior in a realistic adversary sequence, and how MITRE TIE can support that workflow.
Detection Isn’t Defence: Linking ATT&CK to D3FEND
Research February 09, 2026
D3FEND becomes far more useful when it is not isolated. This post shows how D3FEND links to ATT&CK and CWE through artefacts, so you can traverse from offensive technique or weakness to concrete defensive mitigations.
Stop Wasting Agent Tokens on ATT&CK Lookups
Updates February 02, 2026
Most AI CTI workflows waste tokens rediscovering ATT&CK, CWE, CAPEC, and other CTI knowledgebases from scratch. CTI Butler fixes that by giving agents a structured retrieval layer. In this post I show how to turn it into a Claude Code skill that recommends likely mappings from raw analyst input.
Stop Reinventing STIX Objects: A Practical Way to Build and Share Extensions
Tutorials January 19, 2026
Learn how to avoid ad-hoc custom objects by generating schemas and Extension Definitions automatically with stix2extensions, keeping STIX extensions interoperable by default.
We Made D3FEND Work in STIX
Updates December 15, 2025
D3FEND was not built for STIX, but most CTI tooling depends on it. This post walks through how we model D3FEND as STIX 2.1 so defensive knowledge can finally behave like first-class CTI data.
OpenCTI Is Not a STIX Database
Opinions December 01, 2025
Why STIX 2.1 bundles don’t ingest the way you expect, and what we learned building production OpenCTI pipelines.
D3FEND for People Who Already Know ATT&CK
Tutorials November 17, 2025
An ATT&CK-native introduction to MITRE D3FEND: how defensive tactics, techniques, artefacts, and relationships mirror attacker behavior and complete the picture.