AI closing the loop, CTI to Simulations and hunting
The article describes how a security professional analysed threat intelligence (CTI), extracted attack patterns and tactics, techniques and procedures (TTPs), and combined the AI tools Claude Desktop and OpenCTI MCP to automate threat hunting. 2025-6-24 07:44:0 Author: infosecwriteups.com

Vito Rallo (CRIMSON7)

As a security professional — and one of the early explorers in the world of atomic testing (yeah, that was quite a while ago) — one of the most pressing needs has always been closing the loop: evaluate the available CTI, dig deeper (because yes, you might have a report, even a TLP:AMBER one, but it still needs enrichment), map out the TTPs, and extract procedural insights to truly understand how a specific attack can be reproduced.

That’s pretty much what we do in our cyber security research lab, which has a strong offensive security flavor. There was a time when OffSec was pure fun and wildly creative. It’s still creative — but let’s be honest, combing through mountains of data to find detection patterns and craft solid Threat Hunting queries? Not exactly a party.

Like it or not, running a lab that offers Managed Threat Hunting dragged me deep into the CTI rabbit hole (something I’d have happily avoided for most of my career). I even wrote an article about OpenCTI. Long story short: yes, it can collect juicy data. But you still need to dive in, extract those Artefacts and Attack Patterns (as they call them), and go scouting around the internet to figure out how those attacks played out — and, crucially, how they can be detected.

Is that all? Well… not quite. Because this whole use case screams AI. And not the magical, do-it-all kind — but the kind that works because you feed it with real knowledge and solid methodology patterns to stick with. I’ve been tinkering with the concept, validating data quality, integrating floating components, and applying an Agentic approach. And today, I told my colleagues: “I closed the loop.”

Get an overview over the most recent attack trends

Yes, we don’t know anything, we are blind; here we go:

In the screenshot, we are using Claude Desktop with an OpenCTI MCP to query the available CTI, with a simple, stupid prompt.

I used this: git clone https://github.com/Spathodea-Network/opencti-mcp.git (please comment and tell me it’s malicious and I missed it)

Give me procedural TTPs and technical simulation hints

Later I asked it to draft a possible Simulation Campaign plan and provide me with procedures and instructions to understand the attack. This doesn’t mean having “attack code” ready to run, but it does mean a lot of help with human understanding. Of course, you want them mapped to MITRE.

The OpenCTI MCP has a lot of tools, but Claude is also freaking amazing, so the output includes a lot of aggregated knowledge gathered by scouting the web (so it’s OSINT).

Let’s close the loop

I believe this is freaking sexy; you know how good Claude is at coding, so why not ask it to write a specific KQL query to hunt on Sentinel?

It happens that some time ago :) I wrote an MCP server on top of our HuntsAPI to manage hunting and queries for the Microsoft Sentinel Threat Hunting module, and guess what…

MCP Server and HuntsAPI available here: https://github.com/Crimson7research/huntsAPI

And the magic happened, ready to hit “run”:
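To make the "CTI in, hunting query out" loop concrete without an LLM in the middle, here is an added example (my own code, not the author's HuntsAPI, the OpenCTI MCP, or anything Claude produced). It takes a STIX 2.1 bundle in the shape OpenCTI exports, pulls out the Attack Patterns with their MITRE ATT&CK IDs, collects the indicators that "indicate" each technique (dropping revoked or expired ones, which is the data-quality check you want before any query hits production), and renders a KQL query for Sentinel. The bundle is constructed sample data; the table and column names (`DeviceFileEvents.SHA256`, `DeviceNetworkEvents.RemoteUrl`/`RemoteIP`) are standard Defender tables as ingested into Sentinel and are an assumption about your schema.

```python
"""CTI -> KQL: STIX 2.1 bundle (OpenCTI export format) to Sentinel hunting queries.
Added example, not code from the article or its projects."""
import re
from datetime import datetime, timezone

MITRE_SOURCE = "mitre-attack"
# Assumption: Defender-for-Endpoint tables ingested into Sentinel; adapt to your schema.
PATH_TO_COLUMN = {
    "file:hashes.'SHA-256'": ("DeviceFileEvents", "SHA256"),
    "domain-name:value": ("DeviceNetworkEvents", "RemoteUrl"),
    "ipv4-addr:value": ("DeviceNetworkEvents", "RemoteIP"),
}
# Matches "<object-path> = '<value>'" comparisons inside a STIX pattern.
COMPARISON = re.compile(r"([a-z0-9-]+:[\w.'-]+)\s*=\s*'([^']*)'")
DEMO_NOW = datetime(2025, 6, 24, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible

# Constructed sample bundle: IDs, hash, domain (.invalid TLD) and IP (TEST-NET-3) are made up.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--ap1", "name": "PowerShell",
     "external_references": [{"source_name": MITRE_SOURCE, "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--ap2", "name": "Web Protocols",
     "external_references": [{"source_name": MITRE_SOURCE, "external_id": "T1071.001"}]},
    {"type": "indicator", "id": "indicator--i1", "valid_until": "2030-01-01T00:00:00Z",
     "pattern": f"[file:hashes.'SHA-256' = '{'ab' * 32}']"},
    {"type": "indicator", "id": "indicator--i2", "valid_until": "2030-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'c2.example.invalid']"},
    {"type": "indicator", "id": "indicator--i3", "valid_until": "2020-01-01T00:00:00Z",  # expired
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--i1", "target_ref": "attack-pattern--ap1"},
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--i2", "target_ref": "attack-pattern--ap2"},
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--i3", "target_ref": "attack-pattern--ap2"},
]}


def extract_techniques(bundle):
    """STIX attack-pattern id -> (ATT&CK id, name), taken from the mitre-attack reference."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == MITRE_SOURCE and ref.get("external_id"):
                out[obj["id"]] = (ref["external_id"], obj.get("name", ""))
    return out


def parse_pattern(pattern):
    """Return the (object_path, value) comparisons found in a STIX indicator pattern."""
    return COMPARISON.findall(pattern)


def indicator_is_live(indicator, now):
    """Revoked or expired indicators must not drive a hunt: they only generate noise."""
    if indicator.get("revoked"):
        return False
    until = indicator.get("valid_until")
    if until is None:
        return True
    return datetime.fromisoformat(until.replace("Z", "+00:00")) > now


def iocs_by_technique(bundle, now=None):
    """ATT&CK id -> list of (object_path, value) from live indicators that 'indicate' it."""
    now = now or datetime.now(timezone.utc)
    techniques = extract_techniques(bundle)
    indicators = {o["id"]: o for o in bundle["objects"] if o.get("type") == "indicator"}
    result = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "indicates":
            continue
        ind, tech = indicators.get(obj["source_ref"]), techniques.get(obj["target_ref"])
        if ind is None or tech is None or not indicator_is_live(ind, now):
            continue
        result.setdefault(tech[0], []).extend(parse_pattern(ind["pattern"]))
    return result


def render_kql(technique_id, iocs):
    """One KQL query per (table, column), tagged with the technique it hunts for."""
    by_column = {}
    for path, value in iocs:
        if path not in PATH_TO_COLUMN:
            continue  # unsupported observable type: skip rather than guess a column
        by_column.setdefault(PATH_TO_COLUMN[path], []).append(value)
    queries = []
    for (table, column), values in sorted(by_column.items()):
        listed = ", ".join(f'"{v}"' for v in values)
        queries.append(f"// ATT&CK {technique_id}\nlet iocs = dynamic([{listed}]);\n"
                       f"{table}\n| where {column} in (iocs)\n"
                       f"| project Timestamp, DeviceName, {column}\n")
    return "\n".join(queries)


def demo(bundle=SAMPLE_BUNDLE, now=DEMO_NOW):
    """Technique id -> rendered KQL for every technique with live indicators."""
    return {tid: render_kql(tid, iocs) for tid, iocs in iocs_by_technique(bundle, now).items()}


if __name__ == "__main__":
    for tid, kql in demo().items():
        print(kql)
```

The expired IPv4 indicator under T1071.001 is dropped on purpose, so the rendered domain query for that technique carries no stale address; run `python cti_to_kql.py` (any filename works) to see one query per technique, ready to paste into the hunting module or to hand to whatever pushes queries through your API.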

Should you do this at home? Naaah, it’s too dangerous. I would let professional hunters deal with this :)


Source: https://infosecwriteups.com/ai-closing-the-loop-cti-to-simulations-cfa65a3eca4e?source=rss----7b722bfd1b8d---4