Features

Everything a CTI program needs, in one place

The web app is split into practical working areas, from a live dashboard to complete publishing workflows for each product. Here is what each area covers.

Dashboard

A live program snapshot: active PIRs/GIRs, stakeholder counts, the latest analyser run, 24-hour outcomes and pending scraper events. A built-in reference panel covers the Admiralty Scale, TLP and CTI evaluation criteria.

Stakeholders

Who consumes CTI output: role, organisation, contacts, TLP clearance, per-product subscription modes and notification channel preferences. Linked to PIRs and GIRs for ownership and delivery.

Requirements (PIR/GIR)

Full lifecycle editing with decision context, priority, status, scope, delivery settings and owner fields. Scope syncs with focus points and galaxy-backed categories from MISP.

RFI workflow

Handled from first request to closure: SLA-aware due dates, owner assignment, links to PIR or GIR, response capture and feedback tracking.

Data collection

A cached view of scraper and additional MISP servers. Browse events and reports, refresh the cache, flag follow-ups, create manual entries and generate LLM summary reports back into MISP.

Newsletter import

Turn a pasted security newsletter into a reviewable list of articles. Selected links are handed to misp-scraper; the e-mail itself is archived as its own MISP event.

Flash Intel Alert

Manual drafting, review queue, approval and publishing. Seed drafts from source events, build observed-fact and indicator tables, and insert action presets with one click.

Vulnerability advisory

The same draft, review and publish flow, with multi-CVE input, CVE-focused fields, PIR linking, expandable source-event panels and action presets.

Daily threat briefing

A triage queue from scraper events, guided story writing, a draft, edit and publish flow, and a notification when you publish.

Threat landscape report

A regular strategic product for leadership: top threats, trending threat actors, key incidents, recommendations and an outlook section, stored as MISP objects.

Product catalogue

A searchable catalogue of published outputs tagged as CTI products. Filter by type and linked PIR, inspect event reports and store feedback.

Statistics & CTI-CMM

Pipeline and program views that bring together source and outcome trends, RFI and feedback KPIs, PIR coverage and MISP source health, plus a CTI-CMM maturity signal panel.

A closer look

Complete workflows, not just screens

zsazsa dashboard

A live operational picture

The dashboard gives a quick overview of the pipeline, active requirements, your stakeholders and recent processing results, so the team can see where things stand at the start of the day.

  • Active PIR and GIR counts, and stakeholder numbers
  • How recently the analyser pipeline ran, plus 24-hour processing results
  • Pending scraper events waiting for analysis
  • Reference panel for Admiralty Scale, TLP and CTI evaluation

zsazsa data collection

Collection that flows into products

The data collection view gives a cached feed with filters for source, tags and context, so analysts can work through large numbers of events quickly, then start a new product directly from the events they select.

  • Cached events from scraper and additional MISP servers
  • CTI evaluation scoring during triage
  • Create a Flash Intel alert, advisory or briefing from source events
  • Manual collection entries for sources that aren't auto-collected

zsazsa PIR management

Requirements that drive collection

PIR pages capture the core intelligence questions that set collection and analysis priorities. Triage lets submitted PIRs be acknowledged, approved, deferred, rejected or merged, each with a clear note on the decision.

  • Scope, sub-questions, ownership, distribution and collection mapping
  • GIRs for longer cycles, with a review schedule and expected outputs
  • Scope synchronised with focus points and MISP galaxies

zsazsa stakeholder management

Distribution that matches your organisation

Stakeholders are managed locally and linked to MISP organisations. Each record supports internal or external roles, multiple contact fields, TLP clearance, product subscriptions and delivery preferences.

  • Per-stakeholder notification channels (Mattermost, Flowintel)
  • Audience, subscription and TLP checks on every published product
  • Stakeholder matrix for accountability and delivery

zsazsa statistics

Metrics with maturity signals

Statistics pages combine day-to-day metrics with CTI maturity signals. The CTI-CMM panel reads signals from your live data across five areas: Program, Situation, Analytical production, Operational delivery and Feedback.

  • Source and outcome trends, RFI and feedback KPIs
  • How many products you produce, plus PIR coverage checks
  • CTI-CMM levels CTI0 to CTI3 with measurable gaps highlighted

zsazsa AI support

AI help for analysts

AI-assisted features help with triage, relevance checking and drafting. Each feature can use its own model and prompt, and because they send raw MISP content to the model, you review the output before publishing.

  • LLM summaries of MISP reports, written back into MISP
  • AI-assisted drafts for Flash Intel alerts and advisories
  • Per-feature model and prompt configuration

zsazsa RFI workflow

RFIs from intake to closure

The RFI workflow runs from the first request through to closure, so one-off requests for intelligence are tracked just as carefully as your standing PIRs and GIRs.

  • SLA-aware due dates and owner assignment
  • Links to the originating PIR or GIR
  • Response capture and feedback tracking through to closure

See the full feature reference

The README documents every area, configuration tab and the MISP data model in detail.
