GNAT-gui

Desktop Analyst Interface for the GNAT Ecosystem

Structured investigations, hypothesis tracking, detection rules, and automated reporting — no CLI required.

The Problem

GNAT is powerful. The CLI is a barrier.

  • Most threat analysts are not comfortable in a terminal — and they shouldn't have to be
  • Investigation context lives in Confluence pages, spreadsheets, and analyst heads — not in the tool
  • Detection rules authored in ad-hoc editors have no traceability back to the investigation that motivated them
  • Reporting is manual: copy findings, format, export — a multi-hour task for every report

The interface gap

GNAT's analytical power is fully accessible today — if you use the CLI and API directly. GNAT-gui brings that power to analysts who work visually, in structured workflows, without needing to learn a command line.

Overview

Three modules. One analyst workspace.

Analysis

Structured threat intelligence investigations with NATO Admiralty Scale scoring, AI-assisted gap detection, and automated report generation.

Rules Builder

Visual detection rule authoring in Hy, YAML, or Prolog. Monaco editor, 26-predicate palette, full GNAT workflow engine integration.

Investigations

5-step evidence pipeline on a React Flow canvas. Evidence nodes, relationship edges, STIX materialization, and exportable investigation packages.

All three modules run locally as a desktop application. GNAT core is embedded as a Python library — no network hop, no separate server to maintain.

Module 1

Analysis — structured intelligence work

  • NATO Admiralty Scale scoring — source reliability (A–F) and information credibility (1–6) on every piece of intelligence, built into the workflow
  • AI gap detection — surfaces missing evidence, unresolved hypotheses, and analytical blind spots as you work
  • Structured hypothesis tracking — manage competing hypotheses against the evidence record, not in a document
  • Automated report generation — turn a completed investigation into a formatted, exportable report without manual formatting

Analytical rigor, built in

The NATO Admiralty Scale and structured hypothesis management aren't add-ons — they're the workflow. Every investigation produces a traceable, scored evidence record that feeds directly into the report.

Module 2

Rules Builder — detection without friction

  • Three rule languages — Hy (Lisp-like, expressive), YAML (declarative, readable), Prolog (logic-based, relational)
  • 26-predicate palette — pre-built logical building blocks for common detection patterns, drag-and-drop composition
  • Monaco editor — the same editor that powers VS Code, with syntax highlighting and validation
  • GNAT workflow engine integration — rules are authored directly into the live pipeline, not into a separate file to be deployed later

From investigation to detection

Rules authored in GNAT-gui are traceable back to the investigation that motivated them. No more detection logic disconnected from the intelligence that inspired it.

Module 3

Investigations — visual evidence pipelines

  • React Flow canvas — drag-and-drop evidence graph; nodes for artifacts, edges for relationships
  • 5-step evidence pipeline — Collect → Assess → Correlate → Conclude → Report, enforced by the workflow
  • STIX materialization — the investigation graph exports as a STIX 2.1 bundle, portable and standards-compliant
  • Exportable packages — share the full investigation record, not just a report, with other tools and teams

Graph-first investigation

Building the investigation as a graph rather than a document forces the analyst to be explicit about what connects to what — and makes gaps visible before the report is written.

Evidence Pipeline

Five steps from evidence to exportable record

  1. Collect: ingest indicators, artifacts, and raw intelligence into the investigation workspace
  2. Assess: score each piece of evidence on the NATO Admiralty Scale before drawing any conclusions
  3. Correlate: build relationships on the React Flow canvas; link evidence to hypotheses
  4. Conclude: resolve hypotheses against the scored evidence record; AI flags analytical gaps
  5. Report: generate the formatted report and STIX 2.1 bundle export automatically

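The five steps above, worked through in code as an added illustration. This is not GNAT's own API or export format: the credibility-to-confidence mapping is a simplified assumption (the STIX 2.1 specification carries its own Admiralty-to-confidence table), hypotheses are represented as STIX 2.1 Grouping objects by choice, and the sample indicators are constructed from documentation address ranges.

```python
import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

# NATO Admiralty Scale: source reliability (A-F) and information credibility (1-6).
RELIABILITY = {"A": "Completely reliable", "B": "Usually reliable",
               "C": "Fairly reliable", "D": "Not usually reliable",
               "E": "Unreliable", "F": "Reliability cannot be judged"}
CREDIBILITY = {1: "Confirmed by other sources", 2: "Probably true",
               3: "Possibly true", 4: "Doubtful", 5: "Improbable",
               6: "Truth cannot be judged"}
# Assumed credibility -> STIX confidence (0-100) mapping, kept simple on purpose;
# the STIX 2.1 "Confidence Scales" appendix gives the normative table.
CONFIDENCE = {1: 100, 2: 80, 3: 60, 4: 40, 5: 20, 6: 0}


@dataclass
class Evidence:
    """One artifact collected (step 1) and scored (step 2)."""
    value: str        # observable value, e.g. an IPv4 address
    stix_type: str    # STIX cyber-observable type used in the indicator pattern
    reliability: str  # A-F
    credibility: int  # 1-6
    hypothesis: str   # hypothesis this evidence is linked to (step 3)

    def __post_init__(self) -> None:
        if self.reliability not in RELIABILITY:
            raise ValueError(f"reliability must be A-F, got {self.reliability!r}")
        if self.credibility not in CREDIBILITY:
            raise ValueError(f"credibility must be 1-6, got {self.credibility!r}")

    @property
    def rating(self) -> str:
        """Combined Admiralty code such as 'B2'."""
        return f"{self.reliability}{self.credibility}"

    @property
    def confidence(self) -> int:
        return CONFIDENCE[self.credibility]


def assess_hypotheses(evidence: list, hypotheses: list) -> dict:
    """Step 4: resolve each hypothesis against the scored record and flag gaps.

    A hypothesis is a gap when nothing supports it, or when everything that does
    is rated 'cannot be judged' (credibility 6) or comes from an F-rated source.
    """
    result = {}
    for name in hypotheses:
        linked = [e for e in evidence if e.hypothesis == name]
        usable = [e for e in linked if e.credibility != 6 and e.reliability != "F"]
        result[name] = {"evidence": len(linked),
                        "confidence": max((e.confidence for e in usable), default=0),
                        "gap": not usable}
    return result


def _now() -> str:
    # STIX timestamps are UTC RFC 3339 with a trailing 'Z'.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sid(stix_type: str) -> str:
    return f"{stix_type}--{uuid.uuid4()}"


def build_bundle(evidence: list) -> dict:
    """Step 5: materialize the evidence graph as a STIX 2.1 bundle.

    Each Evidence becomes an Indicator carrying its Admiralty rating and a
    confidence value; each hypothesis with evidence becomes a Grouping whose
    object_refs point at the indicators linked to it.
    """
    ts = _now()
    indicators, by_hypothesis = [], {}
    for e in evidence:
        literal = e.value.replace("'", "\\'")  # escape quotes for the STIX pattern
        ind = {"type": "indicator", "spec_version": "2.1", "id": _sid("indicator"),
               "created": ts, "modified": ts, "valid_from": ts,
               "name": f"{e.stix_type} {e.value} ({e.rating})",
               "description": f"Admiralty {e.rating}: {RELIABILITY[e.reliability]}; "
                              f"{CREDIBILITY[e.credibility]}",
               "pattern_type": "stix",
               "pattern": f"[{e.stix_type}:value = '{literal}']",
               "confidence": e.confidence}
        indicators.append(ind)
        by_hypothesis.setdefault(e.hypothesis, []).append(ind["id"])
    groupings = [{"type": "grouping", "spec_version": "2.1", "id": _sid("grouping"),
                  "created": ts, "modified": ts, "name": name,
                  "context": "suspicious-activity", "object_refs": refs}
                 for name, refs in by_hypothesis.items()]
    return {"type": "bundle", "id": _sid("bundle"), "objects": indicators + groupings}


# Constructed sample investigation (documentation-range addresses, not real IoCs).
SAMPLE = [
    Evidence("203.0.113.10", "ipv4-addr", "B", 2, "H1: shared C2 infrastructure"),
    Evidence("lure.example", "domain-name", "C", 3, "H1: shared C2 infrastructure"),
    Evidence("198.51.100.7", "ipv4-addr", "F", 6, "H2: insider involvement"),
]
HYPOTHESES = ["H1: shared C2 infrastructure", "H2: insider involvement",
              "H3: supply-chain compromise"]

if __name__ == "__main__":
    print(json.dumps(assess_hypotheses(SAMPLE, HYPOTHESES), indent=2))
    print(json.dumps(build_bundle(SAMPLE), indent=2))
```

Running it shows H1 resolving with confidence 80 while H2 (only an F6 item) and H3 (no evidence) are flagged as gaps before any report is written, which is the point of scoring in step 2 before concluding in step 4; the exported bundle carries each rating in the indicator's description and confidence so a downstream STIX consumer sees the scoring, not just the indicator.
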
For Analysts

Do the work in the tool, not around it

  • No CLI, no Python, no setup — install and open
  • Investigations are first-class objects: structured, scored, exportable, and traceable
  • Hypothesis tracking is part of the workflow — not a sticky note on a separate document
  • Detection rules link back to the investigation that motivated them
  • Reports generate automatically from the investigation record — formatting is not your job
  • STIX export means your work travels to any tool that speaks the standard

For Engineers

React 18 + TypeScript + FastAPI — GNAT embedded

  • Frontend — React 18, TypeScript 5, Vite; React Flow for the investigation canvas
  • Backend — FastAPI 0.111+; GNAT core runs as an embedded Python library — no separate server or network hop
  • Editor — Monaco Editor (the VS Code engine) for rules authoring with full syntax support
  • Output — STIX 2.1 bundles; all investigation exports are standards-compliant

Embedded, not federated

GNAT core runs in-process as a Python library. No separate GNAT server to deploy or maintain alongside GNAT-gui. The application is self-contained.

Adoption

Getting started with GNAT-gui

  1. Install GNAT-gui — GNAT core is bundled; no separate installation required
  2. Open the application and connect to your existing GNAT data sources and connector configuration
  3. Start an investigation: pull in indicators, score them, begin building the evidence graph
  4. Author detection rules in the Rules Builder tied to the active investigation
  5. At conclusion, generate a report and export a STIX 2.1 bundle — ready for sharing or downstream tooling

GNAT-gui does not require a running GNAT server. If you already have GNAT deployed, GNAT-gui connects to it. If not, GNAT core embedded in GNAT-gui is the starting point.