MITRE Engenuity Introduces Threat Report ATT&CK Mapper (TRAM)

In the realm of cybersecurity, the ability to accurately and efficiently map cyber threat intelligence reports to known tactics, techniques, and procedures (TTPs) is a critical aspect of threat detection and response. Today, we spotlight a new open-source platform developed by MITRE Engenuity’s Center for Threat-Informed Defense, known as the Threat Report ATT&CK Mapper (TRAM), designed to advance research into automating this mapping process.

TRAM: A Brief Overview

TRAM is a pioneering platform that enables researchers to test and refine Machine Learning (ML) models for identifying ATT&CK techniques in prose-based threat intelligence reports. It also allows threat intelligence analysts to train ML models and validate ML results.

The primary goal of TRAM is to reduce the cost and increase the effectiveness of integrating ATT&CK into cyber threat intelligence across the community. By automating the mapping of cyber threat intelligence reports to ATT&CK, TRAM aims to make it easier and more consistent for threat intelligence providers, platforms, and analysts to integrate ATT&CK into their products.

The Challenge

Mapping new threat intelligence reports to ATT&CK is a complex, error-prone, and time-consuming process. TRAM seeks to address this challenge by developing an open-source platform for researching the application of Natural Language Processing (NLP) and ML to identify TTPs in threat intelligence reports. It also allows analysts to validate those TTPs.

The Impact

By accelerating research into automated TTP identification in threat intelligence reports, TRAM aims to significantly reduce the time and effort required to integrate new intelligence into cyber operations. This will ultimately enhance the speed and accuracy of threat detection and response.


The introduction of TRAM marks a significant step forward in the automation of threat intelligence analysis. By leveraging machine learning and natural language processing, TRAM promises to streamline the process of mapping threat intelligence reports to known TTPs, thereby enhancing the efficiency and effectiveness of threat detection and response efforts.

Further Reading

For more information on this topic, please refer to the original article by MITRE Engenuity. For more information on the ATT&CK framework, you can refer to the following resources: