
Extracting the How: Scaling Adversary Procedures Intelligence with AI

  • December 16, 2025

Labeling adversary activity with ATT&CK techniques is a tried-and-true method for classifying behavior. But it rarely tells defenders how those behaviors are executed in real environments.

To do that, analysts need the procedural detail: the exact command sequences, tooling choices, parameters, required privileges, and environmental conditions that turn a technique into a real, reproducible adversary action they can model, map to defenses, assess for coverage, and hand to validation teams for testing.

Tidal Cyber’s Natural Attack Reading and Comprehension (NARC) AI engine was built to solve this problem at scale. It parses unstructured text from CTI reports, IR summaries, and similar sources to identify relevant procedures and threat objects, and maps these to groups, campaigns, and software for inclusion in the Tidal Cyber Procedures Library. It turns narrative documents into structured data that detection and hunting teams can apply directly.

NARC’s AI engine automatically parses unstructured threat intelligence and converts it into structured adversary procedures that can be mapped, correlated, and operationalized at scale. This approach gives defenders the procedural knowledge of adversary behavior and how attackers operate, driving meaningful coverage, prioritization, and validation-readiness across their defensive stack.

Why Procedures Matter: The Limits of Technique-Level Intel

ATT&CK techniques describe what an adversary aims to accomplish, but they stop short of showing how those actions play out in real environments. True attacker behavior is revealed at the procedure level: the concrete execution patterns adversaries use to carry out a technique. Procedures capture command syntax, toolchains, parameters, privilege requirements, and environmental conditions that vary widely across groups, campaigns, and malware families.

When this procedural detail is missing, teams are forced to infer behavior, which leads to guesswork in detection engineering, threat hunting, and preparation for validation with BAS or red-team partners. This gap slows operations, creates inconsistent coverage, and causes CTI, detection, and validation teams to repeatedly perform the same manual interpretation of threat reports.

Tidal Cyber closes this gap by elevating procedures as first-class intelligence objects, extracted and structured directly from unstructured threat data. By organizing these procedures into threat profiles and aligning them to ATT&CK, defenders gain a reliable behavioral foundation they can apply consistently across coverage mapping, detection development, measurement, and validation-readiness workflows.

Inside the NARC AI Pipeline

NARC begins by ingesting a report via URL submission or text input and segmenting it into individual sentences. It then classifies each sentence for threat relevance, filtering out narrative or contextual noise and isolating only the portions that contain procedure-level information. This triage step enables NARC to scale across thousands of heterogeneous CTI, malware, and incident-report formats by focusing exclusively on the sentences that describe concrete, extractable adversary procedures.

Relevant sentences are then processed by extraction models trained on labeled examples of procedures, tools, techniques, software, groups, and campaigns. These models are not domain-tuned general-purpose LLMs; they are purpose-built classifiers that learn to recognize ATT&CK-aligned threat objects and their attributes from structured training data. Each extracted item is returned as a structured object—rather than a simple text tag—capturing procedure-level detail such as command syntax, tool names, parameters, and associated entities.

After extraction, NARC aligns these objects to MITRE ATT&CK and correlates them with known groups, campaigns, and software where appropriate. This correlation produces a connected set of threat objects that reflects how techniques and procedures are used across real-world intrusions, without inferring or modeling additional behavior.

The output is a set of validated, interlinked intelligence objects that analysts can immediately apply to Threat-Led Defense use cases such as coverage mapping, detection development, threat profiling, and validation-readiness.

Modeling Adversary Procedures as First-Class Objects

NARC converts extracted procedures into structured objects rather than simple text snippets. Each procedure object captures the execution elements present in the source material such as commands, tools, parameters, or execution details. These procedure objects are then mapped to their corresponding ATT&CK techniques or sub-techniques and associated with any extracted threat entities (software, groups, campaigns) when those relationships are present in the source.

This structure enables analysts to understand how procedural details appear across different reports because procedures are stored in a consistent, machine-readable format. Instead of scattered narrative descriptions, defenders gain standardized procedure objects that can be applied to coverage mapping, detection engineering, prioritization, and preparation for BAS or red-team validation.

Tidal Cyber’s curation layer further enhances this by tracking Procedure Sightings, instances where the same procedure appears across multiple reports, and by clustering similar variants based on shared characteristics. Sightings show frequency and prevalence, while clusters reveal recurring execution patterns across campaigns, without inferring additional behavior beyond what is present in the data.

Together, this creates a scalable, structured inventory of adversary procedures that can be analyzed, compared, and operationalized with far greater consistency and precision than traditional CTI narratives allow.
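The pipeline described above (segment, triage, extract, map to ATT&CK) and the sighting and clustering step can be illustrated with a small working example. The following is an added illustration, not NARC's code or Tidal Cyber's data: the two reports are constructed, the relevance classifier is a keyword and flag heuristic standing in for NARC's trained classifier, and the tool-to-technique table is a hypothetical three-entry lookup (the technique IDs themselves are real ATT&CK identifiers). It shows how a narrative sentence becomes a structured procedure object, how `-nop` and `-NoP` variants collapse into one cluster, how a sighting count is derived across reports, and how a sentence naming a tool the model cannot map is routed to an analyst review queue rather than silently dropped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample reports (not taken from any real CTI publication).
REPORTS = {
    "report-A": (
        "The intrusion was first identified by the customer on a Tuesday. "
        "The operators then executed powershell.exe -nop -w hidden -enc SQBFAFgA to stage a loader. "
        "Credentials were dumped with procdump.exe -ma lsass.exe lsass.dmp. "
        "We assess with moderate confidence that the actor is financially motivated."
    ),
    "report-B": (
        "Persistence was achieved via schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon. "
        "Later, powershell.exe -NoP -W Hidden -Enc SQBFAFgA was launched from the scheduled task. "
        "The actor also ran a custom binary named bkdr.exe to beacon out."
    ),
}

# Hypothetical tool -> ATT&CK (sub-)technique table. The IDs are real; the table is a toy.
TOOL_TO_TECHNIQUE = {
    "powershell.exe": "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "schtasks": "T1053.005",        # Scheduled Task/Job: Scheduled Task
    "procdump.exe": "T1003.001",    # OS Credential Dumping: LSASS Memory
}


@dataclass
class Procedure:
    """A procedure as a structured object rather than a text snippet."""
    report: str
    sentence: str
    tool: str
    args: list
    technique: str

    def signature(self):
        """Normalised form used to cluster variants: tool plus sorted flag names, values dropped."""
        flags = sorted(a.lower() for a in self.args if a[:1] in "-/")
        return (self.tool, tuple(flags))


def segment(text):
    """Split a report into sentences with a simple punctuation-based splitter."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def _tokens(sentence):
    return [t.rstrip(".,;") for t in sentence.split()]


def is_relevant(sentence):
    """Triage heuristic: keep sentences that mention an executable, a flag, or a known tool."""
    if re.search(r"\b\w+\.(exe|dll|ps1|bat)\b|(?<!\S)[-/][A-Za-z]", sentence, re.I):
        return True
    return any(t.lower() in TOOL_TO_TECHNIQUE for t in _tokens(sentence))


def _command_args(toks):
    """Keep tokens until prose resumes: a plain lowercase word not preceded by a flag."""
    args = []
    for t in toks:
        if t.isalpha() and t.islower() and not (args and args[-1][:1] in "-/"):
            break
        args.append(t)
    return args


def extract(report, sentence):
    """Turn one relevant sentence into a Procedure, or None if its tool is not in the lookup."""
    toks = _tokens(sentence)
    for i, t in enumerate(toks):
        if t.lower() in TOOL_TO_TECHNIQUE:
            return Procedure(report, sentence, t.lower(), _command_args(toks[i + 1:]),
                             TOOL_TO_TECHNIQUE[t.lower()])
    return None


def run_pipeline(reports):
    """Ingest -> segment -> triage -> extract -> map. Returns (procedures, analyst_review_queue)."""
    procs, review = [], []
    for rid, text in reports.items():
        for s in segment(text):
            if not is_relevant(s):
                continue
            p = extract(rid, s)
            if p is None:
                review.append((rid, s))   # relevant but unmapped: an analyst decides
            else:
                procs.append(p)
    return procs, review


def sightings(procs):
    """Procedure Sightings: number of distinct reports each normalised procedure appears in."""
    seen = defaultdict(set)
    for p in procs:
        seen[p.signature()].add(p.report)
    return {sig: len(r) for sig, r in seen.items()}


def clusters(procs):
    """Group variants that share a signature (e.g. '-nop -w hidden' and '-NoP -W Hidden')."""
    groups = defaultdict(list)
    for p in procs:
        groups[p.signature()].append(p)
    return dict(groups)


if __name__ == "__main__":
    procs, review = run_pipeline(REPORTS)
    for p in procs:
        print(p.report, p.technique, p.tool, p.args)
    print("sightings:", sightings(procs))
    print("needs analyst review:", review)
```

The argument-boundary rule (stop at the first lowercase prose word that does not follow a flag) is deliberately crude; it is enough for these sentences but is exactly the kind of decision a trained extractor learns and a curating analyst corrects.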

Scaling Extraction: AI-Assisted Parsing with Analyst-Guided Refinement

The volume and diversity of CTI, malware analysis, and incident reporting make manual procedure extraction slow and inconsistent. NARC addresses this by using AI models trained on labeled examples of procedures, tools, techniques, and threat entities to identify potential ATT&CK-aligned objects across heterogeneous report formats. These models are not general-purpose LLMs adapted through domain tuning; they are purpose-built classifiers that learn structural patterns from labeled, real-world training data and extract procedures and attributes only when those details are present in the source text.

Rather than outputting raw entity mentions, NARC structures each extraction into a consistent object format that analysts can review, confirm, and enrich. Human expertise remains central to the workflow: analysts validate mappings, adjust relationships, and curate clusters of procedure variants to ensure accuracy and operational fidelity. This hybrid model, AI for scale and analysts for precision, enables organizations to operationalize procedure-level intelligence far faster than manual parsing alone, without overstating automation or relying on general-purpose language models.

How Procedures Power Defensive Effectiveness & Validation Readiness

Once procedures are structured and mapped to ATT&CK, they become the foundation for Tidal Cyber’s Threat-Led Defense workflows. Each procedure is associated with the data sources, detections, and control capabilities required to observe or disrupt that execution step. This gives security leaders a clear understanding of whether their existing tools can defend against the ways adversaries execute techniques.

Tidal Cyber’s detection mappings illuminate where defensive coverage likely exists and where it does not, producing a procedure-level view that goes far deeper than traditional technique-based reporting. Coverage Maps visualize these insights by showing which adversary behaviors the stack is capable of detecting based on mapped telemetry and detection logic.

The Confidence Score builds on this foundation by summarizing how well the organization’s defensive stack aligns to the procedures represented in a given threat profile. It highlights strengths, identifies meaningful gaps, and shows where testing, through BAS platforms or red-team programs, would provide the highest value. While Tidal Cyber does not validate controls directly, it enables organizations to become validation-ready by aligning test programs to real adversary procedures.
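The coverage map and Confidence Score described above can be sketched as a small scoring routine. This is an added example and not Tidal Cyber's scoring method, which the page does not specify: the threat profile, the defensive stack, and the weights (detected 1.0, telemetry-only 0.5, blind 0.0) are constructed assumptions, and the data component names are real ATT&CK data components used only as labels. It demonstrates the point practitioners most often get wrong: a deployed detection rule contributes nothing if the telemetry it needs is not actually flowing, and procedures the stack already detects are the ones worth sending to BAS or red-team validation, while blind spots are engineering work rather than test targets.

```python
# Constructed threat profile: procedures already mapped to ATT&CK, with the telemetry
# (ATT&CK data components) needed to observe each one and how many reports sighted it.
PROFILE = [
    {"id": "proc-1", "technique": "T1059.001", "summary": "powershell.exe -nop -w hidden -enc ...",
     "needs": {"Process: Process Creation", "Command: Command Execution"}, "sightings": 3},
    {"id": "proc-2", "technique": "T1053.005", "summary": "schtasks /create ... /sc onlogon",
     "needs": {"Scheduled Job: Scheduled Job Creation"}, "sightings": 1},
    {"id": "proc-3", "technique": "T1003.001", "summary": "procdump.exe -ma lsass.exe",
     "needs": {"Process: Process Access"}, "sightings": 1},
]

# Constructed defensive stack: the data components each tool actually ships, and the
# technique plus telemetry each deployed detection rule depends on.
STACK = {
    "telemetry": {
        "EDR": {"Process: Process Creation", "Command: Command Execution", "Process: Process Access"},
        "Sysmon": {"Process: Process Creation"},
    },
    "detections": {
        "Encoded PowerShell": {"technique": "T1059.001", "needs": {"Command: Command Execution"}},
        # Rule exists, but the telemetry it relies on is not collected by anything in the stack.
        "LSASS memory read": {"technique": "T1003.001", "needs": {"Process: OS API Execution"}},
    },
}

# Hypothetical weights: full credit for a working detection, half for telemetry only.
STATUS_WEIGHT = {"detected": 1.0, "visible": 0.5, "blind": 0.0}


def available_components(stack):
    """Union of data components delivered by every tool in the stack."""
    comps = set()
    for c in stack["telemetry"].values():
        comps |= c
    return comps


def assess(proc, stack):
    """Classify one procedure as detected, visible (telemetry only), or blind (telemetry missing).

    Returns (status, detail): the missing components when blind, else the usable rule names.
    """
    have = available_components(stack)
    if not proc["needs"] <= have:
        return "blind", sorted(proc["needs"] - have)
    rules = [name for name, d in stack["detections"].items()
             if d["technique"] == proc["technique"] and d["needs"] <= have]
    return ("detected" if rules else "visible"), rules


def coverage_map(profile, stack):
    """Procedure-level coverage map: procedure id -> (status, detail)."""
    return {p["id"]: assess(p, stack) for p in profile}


def confidence_score(profile, stack):
    """Sighting-weighted share of the profile the stack can observe or detect, 0-100."""
    total = sum(p["sightings"] for p in profile)
    earned = sum(p["sightings"] * STATUS_WEIGHT[assess(p, stack)[0]] for p in profile)
    return round(100 * earned / total) if total else 0


def recommendations(profile, stack):
    """Split the profile into engineering gaps and validation candidates, most-sighted first."""
    gaps, validate = [], []
    for p in sorted(profile, key=lambda p: -p["sightings"]):
        status, detail = assess(p, stack)
        (validate if status == "detected" else gaps).append((p["id"], status, detail))
    return gaps, validate


if __name__ == "__main__":
    for pid, (status, detail) in coverage_map(PROFILE, STACK).items():
        print(pid, status, detail)
    print("confidence:", confidence_score(PROFILE, STACK))
    gaps, validate = recommendations(PROFILE, STACK)
    print("engineering gaps:", gaps)
    print("send to BAS / red team:", validate)
```

In this constructed stack the LSASS rule is installed but no sensor delivers the OS API telemetry it keys on, so proc-3 scores as visible rather than detected; that distinction is what separates a procedure-level coverage map from a rule inventory.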

Together, these capabilities give executives a clear, measurable understanding of defensive readiness and which tools matter most, where redundancy or waste exists, and which adversary procedures remain exposed. This transforms a fragmented defensive landscape into a coherent, behavior-aligned assessment anchored in real-world threat activity.

Closing the Loop with Threat-Led Defense

Once procedures are extracted and mapped to ATT&CK, they form the starting point for a threat-led defensive strategy. By linking real adversary procedures to required telemetry and detection logic, leaders gain visibility into which threats their stack is prepared to handle and which exposures persist.

These procedure mappings guide detection engineering and give BAS and red-team partners a precise blueprint for testing high-priority behaviors. Although Tidal Cyber does not validate controls directly, it ensures organizations are ready for it by enabling structured, threat-informed testing aligned to authentic adversary tradecraft.

From there, defensive stack optimization begins. Tidal Cyber highlights overlap, blind spots, and underperforming investments, allowing leaders to prioritize tuning, reallocation, and capability improvements based on evidence rather than assumptions. The result is a more resilient, threat-aligned defensive posture grounded in how adversaries actually execute attacks.

Conclusion

Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy.

By mapping techniques, sub-techniques, and procedures to ATT&CK, we reveal exactly where you’re exposed and how attackers actually operate. It’s a level of precision you’ve never had before, empowering your security team to proactively reduce risk and optimize high-impact security investments.

Threat-Led Defense is Tidal Cyber’s unique implementation of Threat-Informed Defense, enhanced with procedure-level granularity to make CTI more relevant and actionable.
