
SATRAP-DL

SATRAP-DL, short for Semi-Automated Threat Reconnaissance and Analysis Powered by DECIPHER Logic, offers a suite of tools for computer-aided CTI analysis and automated incident handling informed by CTI, provided respectively by its sub-systems SATRAP and DECIPHER.

For a visual stakeholder-oriented tour of SATRAP-DL, visit the product presentation page.

Overview

This repository contains the source code and documentation of SATRAP-DL, including the technical specifications. SATRAP-DL has been developed in alignment with the C5-DEC method. Among others, C5-DEC prescribes and supports (with the C5-DEC CAD software) the storage, interlinking and processing of all software development life cycle (SDLC) artifacts in a unified manner.

SATRAP-DL suite

  • SATRAP provides a platform for (semi-)automated analysis of CTI based on a knowledge representation system for explainable inference. It aims to reduce the manual effort involved in correlating threat intelligence and deriving actionable conclusions, while keeping the analysis over STIX 2.1 CTI data traceable.

  • DECIPHER provides an extensible REST service for real-time analysis of alert information and incident case creation for streamlined investigations of threat scenarios.

  • PyFlowintel is a Python library for interacting with the case management platform Flowintel through its REST API. PyFlowintel is used to support automated pipelines in DECIPHER.

Getting started

This repository is organized as follows:

  • satrap/: SATRAP Python package (KRS, ETL, CLI, analysis toolbox)
  • decipher/: DECIPHER Python package (analysis service REST API)
  • deployment/: artifacts to deploy the operational environment of DECIPHER (SATRAP will be included in the future)
  • docs/: user manual, notebooks, specs, and traceability artifacts
  • tests/: unit and integration tests
  • tutorials/: workshop and tutorial materials
  • .devcontainer/: VS Code configuration for a ready-to-use containerized development environment

Installation

SATRAP-DL uses Poetry for dependency management. Both SATRAP and DECIPHER dependencies are managed in pyproject.toml and can be installed selectively.

Install all dependencies (SATRAP, DECIPHER and dev dependencies).

poetry install

Install only SATRAP dependencies.

poetry install --only main,satrap

Install only DECIPHER dependencies.

poetry install --only main,decipher

Install all dependencies plus dependencies for jupyter notebooks.

poetry install --with notebooks
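The selective installs above work because each sub-system's dependencies sit in their own Poetry dependency group. The fragment below is an added, illustrative pyproject.toml layout that reproduces that group structure; it is not the project's actual file, and the package names and Python version inside it are assumptions, not taken from the repository.

```toml
[tool.poetry]
name = "satrap-dl"
version = "0.0.0"
description = "Illustrative layout only; not the project's pyproject.toml"

# "main" group: dependencies shared by SATRAP and DECIPHER.
# Poetry names this implicit group "main", hence `--only main,satrap`.
[tool.poetry.dependencies]
python = "^3.10"          # assumed minimum Python version

# SATRAP-only dependencies (assumed example: a TypeDB Python driver,
# pinned to the TypeDB 2.x line the README refers to).
[tool.poetry.group.satrap.dependencies]
typedb-driver = "2.27.0"

# DECIPHER-only dependencies (assumed example: a REST framework).
[tool.poetry.group.decipher.dependencies]
fastapi = "*"

# Development tooling, installed by a plain `poetry install`.
[tool.poetry.group.dev.dependencies]
pylint = "*"

# Optional group: skipped by `poetry install` and by `--only ...`,
# pulled in only with `poetry install --with notebooks`.
[tool.poetry.group.notebooks]
optional = true

[tool.poetry.group.notebooks.dependencies]
jupyter = "*"
```

With this layout, `poetry install` resolves main, satrap, decipher and dev; `--only main,satrap` leaves out DECIPHER's REST stack and the dev tools; and the notebook dependencies are only installed when explicitly requested, which keeps a production DECIPHER environment free of Jupyter and its transitive dependencies.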

For detailed setup and usage instructions of each sub-system, please refer to the README in the corresponding directory (satrap/ and decipher/).

Unit and integration tests

The repository includes a single script to run tests for both SATRAP and DECIPHER.

  • Run all tests (SATRAP + DECIPHER)
./run_tests.sh
  • Run only SATRAP tests
./run_tests.sh satrap
  • Run only DECIPHER tests
./run_tests.sh decipher

Individual test modules, classes and cases can be run using the unittest module. For example:

python -m unittest tests.satrap.file_util_test

For more details about the test suites, see the README files of each project.

Documentation and technical specifications

The technical specifications of SATRAP-DL, including requirements, architecture design, software design and test artifacts, are available on a dedicated traceability web page.

See the SATRAP-DL user manual for usage guidance on each component of the suite.

License

Copyright (c) itrust Abstractions Lab and itrust consulting. All rights reserved.

SATRAP-DL is licensed under the GNU Affero General Public License (AGPL) v3.0 license.

Note: SATRAP incorporates a few ideas concerning the inference rules and the analysis functionality from typedb-cti (2.x), an open-source project licensed under Apache License 2.0. During the conceptual phase of SATRAP-DL, we considered building SATRAP on top of typedb-cti as they are close in spirit. However, we opted for a fresh development mainly for two reasons:

  • the design of typedb-cti was not compatible with the ambitions and architectural requirements of SATRAP
  • typedb-cti (2.x) relies on an outdated version of TypeDB 2.x, incompatible with the latest release at the time (2.27).

Acknowledgments

SATRAP-DL is a sub-project of the CyFORT project, "Cloud Cybersecurity Fortress of Open Resources and Tools for Resilience". CyFORT is co-funded by the Ministry of the Economy of Luxembourg, in the context of the EC-approved IPCEI-CIS.

Contact

For more information about the project, feedback, questions or feature requests, feel free to contact us at Abstractions Lab: info@abstractionslab.lu
