GNAT

GNAT’s Not A TIP
Cyber Threat Intel Made Simple

GNAT gives security teams a stable way to ingest, model, enrich, export, automate, and investigate intelligence across a large connector surface without rebuilding around every vendor.

Highlights:
159 connectors
STIX 2.1 native
Reports + investigations
Workflow portability
Threat hunt rules engine

Why GNAT exists

Most security teams are forced to keep rebuilding the same automation, enrichment, and reporting logic around slightly different APIs and data models. GNAT exists to reduce that churn by standardizing the integration surface and keeping intelligence workflows portable.

What GNAT does

Normalize

Unify many data sources behind one operating model.

Translate

Use STIX 2.1 as the stable contract between tools and workflows.

Support analysis

Build investigations, reports, and reusable workflows rather than isolated lookups.

Anchor the ecosystem

Provide the hub platform that SandGNAT, SenseGNAT, & RedGNAT plug into.

Documentation by intent

GNAT uses the Diátaxis model so readers can go directly to the kind of material they need.

Learning
  Action (doing): Tutorials. Guided, newcomer-safe walkthroughs.
  Study (reading): Explanation. Architecture, rationale, and design choices.

Working
  Action (doing): How-to guides. Task-focused procedures and recipes.
  Study (reading): Reference. Exact technical behavior, config, and interfaces.

Quick visual overview: View the 38-slide presentation deck for an interactive technical deep-dive on architecture, features, and deployment.

Start here by role

Analysts

Use GNAT when you need to correlate intelligence across multiple systems and keep the output portable.

Investigators

Use GNAT when you need a repeatable path from seed indicators to evidence and report output.

Engineers

Use GNAT when integration churn is the real bottleneck.

The GNAT-o-sphere

SandGNAT (addon)

Automated malware sandbox analysis — detonate binaries in isolated VMs, capture behavioral artifacts, emit STIX 2.1 objects.

RedGNAT (addon)

Continuous automated readiness testing — ingest threat intel, construct adversary emulation scenarios, execute with safety controls.

SenseGNAT (addon)

Network profiling and behavior analysis that surfaces anomalies and enriches GNAT investigations with traffic-layer context using network sensor and honeypot telemetry — high-volume ingestion from Kafka topics, Redis dedup, automatic campaign linking.

GNAT-gui (web app)

Browser-based analyst workbench — manage investigations, review evidence graphs, run gap analysis, draft reports, and monitor jobs with live streaming progress.

Canonical Workflow

1. Collect (telemetry and sources): external indicators and raw network telemetry enter the ecosystem.

2. Process (GNAT): ingest, normalize, convert to STIX, and route to addons.
   SenseGNAT: behavioral profiling and anomaly detection.
   SandGNAT: malware detonation and artifact enrichment.
   RedGNAT: adversary emulation and validation.

3. Report (investigate and act): unified investigation graph, reporting, and operator action.
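The Process step of the workflow (ingest, normalize, convert to STIX, route to addons), sketched as a small pipeline. This is an added illustration and not GNAT's own code: the two vendor record shapes, the routing table and the queue names are constructed for the example, and the STIX 2.1 Indicator objects are built as plain dicts carrying the spec's required properties rather than through a STIX library. Records that cannot be normalized are kept in a reject list instead of being silently dropped, so a malformed feed entry is visible to the operator.

```python
"""Toy version of the Process step: normalize raw indicators from differently
shaped feeds into STIX 2.1 Indicator objects and route them by observable type.
Illustrative example, not GNAT's implementation."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample feed records in two hypothetical vendor formats.
FEED_A = [  # hypothetical "vendor A": flat dicts with a 'kind' field
    {"kind": "ipv4", "value": "203.0.113.7", "label": "scanner"},
    {"kind": "sha256", "value": "a" * 64, "label": "dropper"},
]
FEED_B = [  # hypothetical "vendor B": observable type embedded in 'ioc'
    {"ioc": "domain:example.invalid", "desc": "c2 lookalike"},
    {"ioc": "ipv4:not-an-ip", "desc": "malformed record"},
]

# STIX patterning templates per observable type (the Indicator 'pattern' property).
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Hypothetical routing: which addon queue each observable type is sent to.
ROUTES = {"ipv4": "sensegnat", "domain": "sensegnat", "sha256": "sandgnat"}


def _is_ipv4(v):
    parts = v.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def _is_domain(v):
    labels = v.split(".")
    return len(labels) >= 2 and all(
        lbl and all(c.isalnum() or c == "-" for c in lbl) for lbl in labels)


def _is_sha256(v):
    return len(v) == 64 and all(c in "0123456789abcdef" for c in v.lower())


# Validation keeps quotes and other pattern-breaking characters out of the
# STIX pattern string, so values can be interpolated without escaping.
VALIDATORS = {"ipv4": _is_ipv4, "domain": _is_domain, "sha256": _is_sha256}


def normalize(record):
    """Map a vendor-specific record to (type, value, name); None if unusable."""
    if "kind" in record:                                # vendor A shape
        kind, value, name = record["kind"], record["value"], record["label"]
    elif "ioc" in record and ":" in record["ioc"]:      # vendor B shape
        kind, value = record["ioc"].split(":", 1)
        name = record["desc"]
    else:
        return None
    if kind not in PATTERNS or not VALIDATORS[kind](value):
        return None
    if kind == "sha256":
        value = value.lower()   # canonical form so dedup downstream works
    return kind, value, name


def to_stix_indicator(kind, value, name, now=None):
    """Build a minimal STIX 2.1 Indicator with the required properties set."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": PATTERNS[kind].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def process(records, now=None):
    """Normalize, convert to STIX, route to addon queues; collect rejects."""
    queues = {name: [] for name in set(ROUTES.values())}
    rejected = []
    for rec in records:
        norm = normalize(rec)
        if norm is None:
            rejected.append(rec)
            continue
        kind, value, name = norm
        queues[ROUTES[kind]].append(to_stix_indicator(kind, value, name, now))
    return queues, rejected


if __name__ == "__main__":
    queues, rejected = process(FEED_A + FEED_B)
    print(json.dumps(queues, indent=2))
    print("rejected:", rejected)
```

Running the block prints two queues of STIX Indicator objects (the IP and domain bound for the network-side addon, the hash for the sandbox) and one rejected record, the malformed vendor B entry. A real connector layer would also attach source and confidence metadata and deduplicate by pattern before routing, which this sketch omits.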