Natural Attack Reading and Comprehension (NARC): A Pillar for Threat-Led Defense

  • November 25, 2025

Machines can now read what analysts once had to interpret by hand. Every threat report, DFIR writeup, and red-team finding hides the procedural “how” behind an attack, but extracting that insight at scale has always been a manual bottleneck.

Most teams default to tagging techniques in ATT&CK because it’s fast, even though it strips out the commands, switches, and execution context that matter most for defending real environments. This can lead to an incomplete picture of how attacks unfold in practice.

The real value lies one layer deeper, at the Procedures layer. These are the exact commands, parameters, and behaviors adversaries use to execute techniques. But analyzing procedures manually is a daunting task even for the biggest and best-funded teams.

Introducing NARC (Natural Attack Reading and Comprehension)

Natural Attack Reading and Comprehension (NARC) changes how security teams operationalize procedure-level insights. NARC is Tidal Cyber’s AI engine that converts unstructured intelligence into structured, ATT&CK-aligned procedures that fuel the full Threat-Led Defense lifecycle.

NARC works like an analyst, only exponentially faster. It parses unstructured intelligence to extract procedures and the associated behaviors that show how a technique is carried out in the real world. Those procedures are then pushed directly into Coverage Maps, Confidence Scores, and control validation workflows so teams can engineer detections, run hunts, and validate controls against the exact tradecraft adversaries are using.

As adversaries evolve, NARC ensures defenders can evolve faster by closing the loop between intelligence and defense with continuous, procedures-level insight.

Reading Adversary Behavior is a Machine’s Job

Analysts can easily spend hours reading, extracting, and manually mapping each behavior to ATT&CK. Once they do, they struggle to keep pace with new campaigns and shifting adversary TTPs. The result is a delayed intelligence function that documents what happened but can’t always describe how to defend against it in time.

Teams have turned to natural language processing (NLP) and natural language understanding (NLU) to help automate this, but those approaches were built to identify entities and relationships in general text, not how attackers think and operate.

The scale and specificity of modern adversary behavior demand a different approach. Security teams need technology capable of reading reports like an analyst and then closing the loop between intelligence and defense, ensuring every detection, hunt, and validation effort maps back to real adversary tradecraft.

Inside NARC: How it Works

NARC was designed to solve a simple but critical problem: intelligence without action is wasted effort.

NARC reads unstructured data like CTI reports, IR records, red-team findings, and malware analyses, transforming it into structured adversary procedures aligned to MITRE ATT&CK. The procedure objects populate Coverage Maps and Confidence Scores, and feed into Tidal Cyber’s validation-ready workflows, giving security teams the precise behavioral context they need to engineer detections, run hunts, and seamlessly integrate into an organization’s existing control validation or BAS tooling.

Any LLM can summarize text, but NARC goes one step further to understand how attackers operate. This fuels the Threat-Led Defense loop from exposure to detection, validation, and optimization.

What NARC can do for your security team:

  • Replicate analyst reasoning: Ingest threat reports, parsing verbs, objects, and execution context to reconstruct attacker workflow (command sequences, tool invocation, privilege state).
     
  • Map adversary behavior to ATT&CK: Align extracted procedures to tactics and techniques, turning free-form intelligence into structured, queryable data.

  • Build living relationships: Link threat groups, malware families, software, and campaigns together, creating a continuously evolving picture of adversary operations.

  • Feed operational workflows: Keep intelligence updated so detection engineers, hunters, and control validators can act with current data instead of outdated notes.

  • Eliminate manual drudgery: Cut the hours spent reading, tagging, and mapping threats so analysts can focus on validation and improvement.

From Natural Language Processing to Attack Comprehension

Where NLP stops at identifying PowerShell, NARC understands the sequence and purpose of the PowerShell command, extracting the procedural logic adversaries use. It captures the behavioral chain, extracting and normalizing the exact commands used, the switches invoked, and the execution context, linking them to specific groups, campaigns, and software.

Each extracted behavior is mapped to the relevant ATT&CK tactic and technique, creating structured procedure objects that can feed directly into Tidal Cyber’s Coverage Maps, detection engineering workflows, and control validation processes. This enables cross-threat correlation and pattern recognition across adversary clusters.

This transforms unstructured CTI into structured, ATT&CK-aligned procedural data, using multi-model parsing and ATT&CK ontology alignment to achieve what generic natural language tools cannot.

Parsing CTI for Procedures

Threat intelligence should not stop at awareness. Security gaps appear when new reports and dashboard metrics fail to make it into detection logic or control validation. NARC closes that loop by turning intelligence into directly actionable data for every stage of Threat-Led Defense.

Detection engineers can use extracted procedures to build and tune detections around real adversary behaviors, not just theoretical techniques. Each behavior is mapped to ATT&CK, linked to known threat groups and campaigns, and tied to the data sources and telemetry needed to catch it. That means less guesswork, faster engineering, and coverage that matches the threats targeting your environment.

Threat hunters gain a library of validated procedures to guide hunts, clustered by adversary tradecraft or behavior type. Incident responders can pivot quickly from “we saw this indicator” to “this is how they operated,” accelerating containment and root-cause analysis.

As for validation teams, NARC provides a living feed of procedures that can be tested directly in breach and attack simulation (BAS) tools or manual exercises. This creates a continuous cycle of validation and improvement.

The result is an intelligence process that describes adversaries and then takes the next step to drive measurable outcomes.  

Metrics That Prove it Works

Threat intelligence often struggles to prove ROI. NARC introduces measurable efficiency and clarity across detection, hunting, and validation workflows.

  • Reduces manual mapping effort by up to 90%: Manual extraction and mapping that once took analysts hours now completes in minutes. Teams spend less time reading and tagging, and more time engineering defenses.

  • Improves control coverage visibility by 40%: Each extracted procedure links directly to ATT&CK, exposing overlaps, gaps, and outdated detections. Coverage metrics become clear, defensible, and aligned to adversary behaviors.

  • Cuts noise in detection tuning by 30%: Every recommendation and detection inherits traceable lineage back to its intelligence source, giving teams confidence in the quality and relevance of their coverage.

  • Saves 20 hours per week and $75,000 per year: Security teams can recover valuable analyst hours by automatically extracting unstructured text and converting it into ATT&CK-aligned procedures and connected threat objects.

Intelligence effectiveness should be validated as robustly as any core business process. Tidal Cyber uses NARC to provide quantifiable metrics that show measurable results.

 

About Tidal Cyber

Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy.

Threat-Led Defense maps Tactics, Techniques, and Procedures to ATT&CK, revealing exactly where you’re exposed and whether you can defend against adversaries’ behavior and the techniques they use. It’s a level of precision you’ve never had before, empowering your security team to proactively reduce risk and optimize high-impact security investments.

Threat-Led Defense is Tidal Cyber’s unique implementation of Threat-Informed Defense, enhanced with procedure-level granularity to make CTI more relevant and actionable.
