intel-workbench

WIP

Structured analytic techniques for CTI.

GitHub repo → self-hosted · run from source
SPA: browser app, not an MCP server
7 analytic techniques
MIT: open source

WHAT IT DOES

Intel Workbench is a library of Structured Analytic Techniques (SATs) for cyber threat intelligence: ACH, Key Assumptions Check, Quality of Information Check, Indicators of Change, Devil's Advocacy, Premortem, and Red Team, all sharing one evidence/hypothesis substrate. It is anchored in CIA's A Tradecraft Primer for Intelligence Analysis (Sherman Kent School, 2009) and Heuer & Pherson's Structured Analytic Techniques for Intelligence Analysis, 3rd ed. Every technique surfaces its citation in-app via a shared methodology panel, and ICD 203 estimative-language bands sit on top of every SAT as the universal write-up overlay.

It is a single-page React 18 + TypeScript application with no backend: Zustand state persists to localStorage, so an analyst can pivot from Key Assumptions Check into ACH into Devil's Advocacy without leaving the workspace or copying data between tools.

Status: work in progress. ACH is shipped; the remaining six techniques land across a four-phase roadmap (see ROADMAP.md). It is an offline-first browser app, not an MCP server, so there is no AI-client config block, and it is not published to a package registry; you run it from source.

SAT LIBRARY

Seven techniques grouped by tier per the Tradecraft Primer. Each is grounded in a citable source and shares the common evidence/hypothesis matrix.

> Analysis of Competing Hypotheses (ACH) · Contrarian · Shipped
> Key Assumptions Check · Diagnostic · Phase 1
> Quality of Information Check · Diagnostic · Phase 1
> Indicators / Signposts of Change · Forward-looking · Phase 2
> Devil's Advocacy · Contrarian · Phase 3
> Premortem Analysis · Contrarian · Phase 3
> Red Team Analysis · Imagination · Phase 4

WHAT IT GIVES THE ANALYST

ACH matrix: Interactive evidence-vs-hypothesis grid with C/I/N/NA ratings, weighted scoring, and automatic preferred-hypothesis identification.
MITRE ATT&CK tagging: Tag evidence and hypotheses against the Enterprise matrix (691 techniques, 14 tactics), vendored locally for offline use.
Cognitive bias checklist: Heuer & Pherson taxonomy: 12 biases across Cognitive, Analytical, and Social categories with per-bias mitigation notes.
ICD 203 estimative language: Pick a likelihood band ("almost no chance" to "almost certainly") with the canonical ODNI probability ranges.
Evidence weighting: Credibility and relevance ratings (High/Medium/Low) feed the weighted inconsistency scores.
Export & import: Full JSON export/import for backup and sharing; Markdown export with ATT&CK technique IDs.
5 visual themes: Langley, Terminal, Analyst's Desk, Stratcom, and Cyber Noir layouts over the same store.
Offline-first: All data persists in localStorage; works with no server and no backend.
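
The ACH matrix and Evidence weighting entries above, sketched as an added example that is not Intel Workbench's own code: only Inconsistent ratings add to a hypothesis's score, each weighted by credibility times relevance, and the lowest score is preferred. The numeric weights (High=3, Medium=2, Low=1), the multiplication, the function names and the sample matrix are assumptions, since the page does not give the app's formula.

```typescript
// Added example, not Intel Workbench source; weights and names are assumed.
type Rating = "C" | "I" | "N" | "NA"; // Consistent, Inconsistent, Neutral, Not Applicable
type Level = "High" | "Medium" | "Low";
interface Evidence {
  id: string;
  credibility: Level;
  relevance: Level;
  ratings: Partial<Record<string, Rating>>; // hypothesis id -> rating
}
// Assumed values: the page names the High/Medium/Low levels but not their weights.
const LEVEL_WEIGHT: Record<Level, number> = { High: 3, Medium: 2, Low: 1 };

// ACH ranks hypotheses by the evidence that contradicts them, so only "I"
// ratings add to a score; C, N and NA contribute nothing.
function inconsistencyScores(hypotheses: string[], evidence: Evidence[], weighted = true): Record<string, number> {
  const scores: Record<string, number> = {};
  for (const h of hypotheses) scores[h] = 0;
  for (const e of evidence) {
    const w = weighted ? LEVEL_WEIGHT[e.credibility] * LEVEL_WEIGHT[e.relevance] : 1;
    for (const h of hypotheses) {
      // An unrated cell counts as NA, never as support or contradiction.
      if ((e.ratings[h] ?? "NA") === "I") scores[h] = (scores[h] ?? 0) + w;
    }
  }
  return scores;
}

// Preferred = lowest inconsistency score. Ties return every tied hypothesis,
// which tells the analyst the matrix does not yet discriminate between them.
function preferredHypotheses(scores: Record<string, number>): string[] {
  const ids = Object.keys(scores);
  if (ids.length === 0) return [];
  const min = Math.min(...ids.map((h) => scores[h] ?? 0));
  return ids.filter((h) => scores[h] === min);
}

// Constructed sample matrix (illustrative, not real reporting).
const HYPOTHESES = ["H1-state-actor", "H2-ecrime", "H3-insider"];
const EVIDENCE: Evidence[] = [
  { id: "E1-custom-loader", credibility: "High", relevance: "High",
    ratings: { "H1-state-actor": "C", "H2-ecrime": "I", "H3-insider": "I" } },
  { id: "E2-ransom-note", credibility: "Medium", relevance: "High",
    ratings: { "H1-state-actor": "I", "H2-ecrime": "C", "H3-insider": "N" } },
  { id: "E3-forum-rumor", credibility: "Low", relevance: "Medium",
    ratings: { "H1-state-actor": "I", "H2-ecrime": "C" } }, // H3 left unrated
];
const WEIGHTED = inconsistencyScores(HYPOTHESES, EVIDENCE);
const UNWEIGHTED = inconsistencyScores(HYPOTHESES, EVIDENCE, false);
console.log(preferredHypotheses(WEIGHTED), preferredHypotheses(UNWEIGHTED));
```

On this sample, a raw count of inconsistencies leaves H2 and H3 tied, while weighting discounts the low-credibility rumor and makes H1 the single preferred hypothesis.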

RUNNING IT

Prerequisites: Node.js 18+ and npm 9+. Clone the repo, install, and start the Vite dev server. There is no backend to stand up.

$ git clone https://github.com/solomonneas/intel-workbench.git
$ cd intel-workbench
$ npm install
$ npm run dev
 
# production build
$ npm run build && npm run preview

Open http://localhost:5173. A hosted build is also live at intel-workbench.vercel.app.

The ATT&CK Enterprise dataset is vendored at src/data/attack-enterprise.json and lazy-loaded; refresh it after a new ATT&CK release with the slim-attack.jq script.