Tidal Cyber is proud to announce the release of NARC AI (Natural Attack Reading and Comprehension), the first AI engine purpose-built to automatically extract adversary procedures and MITRE ATT&CK-aligned threat intelligence from unstructured reporting.
With NARC AI, you can turn CTI reports, Incident Response summaries, and other free-text intelligence into structured, actionable insights, all within minutes, enabling organizations to operationalize intelligence and strengthen their defenses faster than ever before.
From Zero-Shot to NARC: A Leap Forward in Threat Intelligence
At the end of 2024, Tidal Cyber acquired Zero-Shot Security, founded by Harrison Van Riper, creator of NARC and pioneer of AI reasoning for adversary mapping. Through this integration, NARC evolved into a production-grade reasoning engine within Tidal Cyber’s Threat-Led Defense platform — one capable of reading, interpreting, and mapping threat reports directly to MITRE ATT&CK Tactics and Techniques, as well as Tidal Cyber procedures, groups, software, and campaigns.
What used to take hours of manual analysis now happens automatically and contextually, producing analyst-ready intelligence aligned with the latest adversary behaviors.
Inside NARC: How It Works
At its core, NARC AI applies the use of large language model reasoning to identify every relevant sentence in a report and extract procedure-level details, capturing the how behind an adversary’s behaviors, and filling in the gaps linking these behaviors to their relevant threat groups and malware or tools.
Key Capabilities
- Automated Extraction: Converts unstructured text into ATT&CK-aligned procedures.
- Contextual Linking: Builds relationships between procedures, threat groups, software, and campaigns.
- Dynamic Object Generation: Identifies and generates new threat objects when novel activity is observed.
- Immediate Operationalization: Produces structured data that feeds directly into Tidal Cyber’s Coverage Maps, control validation, and detection workflows.
From Report to Results: How NARC AI Brings Intelligence to Life
Getting started with NARC AI is simple. We have designed it to fit naturally into a user’s workflow as well as Tidal Cyber’s broader platform.
From the NARC AI Submission screen, users can choose to submit either a URL or paste report text directly into the interface. Once submitted, NARC immediately begins analyzing the content, reading through the submission to identify relevant procedures, campaigns, software, and threat groups.
As the report processes, you’ll see a progress indicator showing that the engine is extracting and correlating threat behaviors. This step only takes a few moments, even for longer reports.
When the analysis is complete, the results appear in a detailed summary view, showing procedure sightings, related groups, software, and campaigns identified in the submission. Each item is pre-mapped to MITRE ATT&CK techniques, ready for analyst validation.
Analysts can expand any row to explore context, read extracted descriptions, and preview linked ATT&CK techniques or campaigns. From there, you can choose to create new objects, update existing ones, or save all updates with a single click — instantly operationalizing new intelligence inside the Threat-Led Defense platform.
In just a few minutes, an unstructured CTI report becomes a structured, ATT&CK-aligned knowledge set, ready to power detection, validation, and defense optimization.
Human + AI Collaboration: Analyst Confidence at Scale
While NARC automates the extraction of adversary data, human analysts remain essential. Analysts validate and tune AI-generated mappings, ensuring high-confidence intelligence that meets enterprise-grade accuracy standards. “NARC doesn’t replace analysts,” said Harrison Van Riper, Director of AI at Tidal Cyber. “It augments them allowing analysts to focus on deeper analysis, detection engineering, and defense optimization, rather than manual tagging.”
Scott Small, Director of Cyber Threat Intelligence, added, “Procedures are where theory meets reality. With NARC, we can now scale procedure-level intelligence with precision, turning previously unstructured data into measurable, actionable defense insight.”
Redefining Threat-Led Defense
Tidal Cyber’s Threat-Led Defense platform enables organizations to align defenses with the threats that matter most and adversary behaviors. With the integration of NARC, users gain continuously updated, AI-derived procedure intelligence that feeds directly into coverage maps and control validation workflows, offering unmatched visibility into where defenses stand against real-world threats.
For organizations previously reliant on CVE- or exposure-based models, this marks a fundamental shift from “what’s vulnerable” to “what’s actually being used by adversaries.” Pilot programs have demonstrated near-human accuracy, eliminated manual mapping bottlenecks and cut mean time to defensive action.
The Road Ahead
The launch of NARC represents a major milestone in Tidal Cyber’s mission to make Threat-Led Defense actionable, measurable, and scalable continuing to bridge the gap between adversary intelligence and operational defense.
About Tidal Cyber
Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy. Threat-Led Defense maps techniques, sub-techniques, and procedures to ATT&CK, revealing exactly where you’re exposed and how attackers operate against that exposure.
It's a level of precision you’ve never had before, empowering security teams to proactively reduce risk and optimize high-impact security investments.
Threat-Led Defense is Tidal Cyber’s unique implementation of Threat-Informed Defense, enhanced with procedure-level granularity to make CTI more relevant and actionable.
For more information on NARC and Threat-Led Defense, visit tidalcyber.com.