Extracting The How: Scaling Adversary Procedures Intelligence With AI
Security Boulevard, Tuesday, December 16th, 2025
Labeling adversary activity with ATT&CK techniques is a tried-and-true method for classifying behavior. But it rarely tells defenders how those behaviors are executed in real environments.
To do that, analysts need the procedural detail: the exact command sequences, tooling choices, parameters, required privileges, and environmental conditions that transform a technique into a real, reproducible adversary action they can model, map to defenses, assess for coverage, and make validation-ready for further testing.
Tidal Cyber's Natural Attack Reading and Comprehension (NARC) AI engine was built to solve this problem at scale. It parses unstructured data from CTI reports, IR summaries, and other sources to identify relevant procedures and threat objects, and maps these to groups, campaigns, and software for inclusion in the Tidal Cyber Procedures Library. It turns narrative documents into structured data that detection and hunting teams can apply directly.