Where every claim in SecProve
comes from.

Cataloged threat groups with associated TTPs. Good for questions on attribution, TTP overlap, and intelligence-driven detection.

Four vertices: Adversary, Capability, Infrastructure, Victim. Complements the Kill Chain and ATT&CK. Questions on analytical frameworks and when to apply each model.

EU-focused annual threat assessment. Covers ransomware, supply chain, disinformation, state-sponsored threats. Useful counterpoint to US-centric sources.

Indicator hierarchy from hash values (trivial) to TTPs (tough). Foundational concept for detection engineering and threat intelligence questions.

Investigative journalism on cybercrime, breaches, and network security incidents. Good for real-world scenario questions grounded in actual events.

Seven phases from Reconnaissance to Actions on Objectives. Widely adopted but also widely critiqued (assumes perimeter-centric model). Good for compare/contrast with ATT&CK and Unified Kill Chain.

Detailed campaign analyses with TTPs mapped to ATT&CK. APT1, APT28/29, UNC groups. Primary source for threat-actor-specific IR questions. Not marketing — these are original threat research.

Annual IR data: dwell time trends, initial access vectors, detection sources. Empirical data from thousands of engagements. One of the few sources for real-world detection/response metrics.

Open-source threat intelligence platform for sharing, storing, and correlating indicators of compromise and threat data.

Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). The standard for sharing cyber threat intelligence.

Open-source and dark web intelligence trends. Useful for questions about intelligence sources, collection methods, and the intelligence lifecycle.

Annual analysis of real breach data. The gold standard for empirical questions about attack patterns, threat actor motivations, and time-to-detection. Updated annually.