WhoIsWhoAPT is a threat intelligence analysis tool that helps malware analysts, threat hunters and researchers to interrelate APT groups (Advanced Persistent Threats) based on their tactics, techniques and procedures (TTP) from MITRE ATT&CK® (https://attack.mitre.org/) and/or OpenCTI, obtaining their relationship index. It also allows you to compare your own TTP sets against known threat actors, explore global similarity across all groups, and build custom profiles from Navigator layers or OpenCTI reports.

Hope you can find my tool useful and if you want to report any bugs, add/suggest new features or ask any questions do not hesitate to contact me on LinkedIn.

My LinkedIn

Compare — actor vs all actors

Compare — custom TTP profile (incident response)

Compare — holistic metric (TTPs + sectors + countries)

Explore — actor relationship graph

Explore — similarity heatmap

Explore — all-vs-all pair ranking

Compare — rank threat actors by behavioral similarity to any input profile:

• Multiple metrics: Jaccard, Weighted Jaccard, Tactic-weighted, Software-weighted, Holistic
• Tactic-scoped analysis (filter by Initial Access, Execution, Persistence…)
• Auto-generated insight per result (top tactics, shared sectors, rare techniques)
• Enrichment filter: pre-filter candidates by sector or country before scoring
• Technique breakdown: shared / input-only / target-only, collapsible per row

TTP Profiles — build custom profiles and compare them like any actor:

• Manual entry, ATT&CK Navigator import, or OpenCTI report import
• Enrichment metadata: target sectors, countries, CVEs, motivation
• Save and reuse across analyses
• Inspect full profile details for both custom and built-in actors

Explore — global similarity analysis across all actors:

• Similarity heatmap with PNG export
• Force-directed network graph with zoom, pan, drag and PNG export
• All-vs-all pair ranking with threshold slider
• Enrichment filtering on graph and heatmap

Saved Analyses — persist and revisit comparison results:

• Save with name, re-run, inspect, delete
• Paginated list with enrichment filter badge

Data sources:

• MITRE ATT&CK (built-in, auto-loaded on first run)
• OpenCTI (optional, configure URL + API token in Settings)

• Docker and Docker Compose

git clone https://github.com/JavierMun/WhoIsWhoAPT.git
cd WhoIsWhoAPT
docker compose up --build

Open http://localhost:5173 in your browser.

On first startup the backend automatically downloads and ingests the MITRE ATT&CK dataset (~30 seconds). No manual data loading needed.

Note: Although it is not necessary, you can pre-download the resources folder to avoid the tool having to download the latest MITRE ATT&CK version on its first run.

All configuration is via environment variables (see .env.example).

To override, copy .env.example to .env and edit before running docker compose up.

In the app, go to Settings → Source → OpenCTI and enter your instance URL and API token. Click Test connection then Save, then Load data.

The tool supports OpenCTI 7.x with pycti 7.260430.0.

frontend/     React + Vite + TypeScript (port 5173)
backend/      FastAPI + SQLite (port 8000)

The frontend proxies API calls to the backend at startup; no manual API URL configuration needed for local Docker use.

Backend stack: FastAPI · SQLAlchemy · SQLite · mitreattack-python · pycti · APScheduler

Frontend stack: React · Vite · TypeScript · D3-force · Lucide

cd backend
python -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate
pip install -r requirements.txt -r requirements-dev.txt
uvicorn app.main:app --reload --port 8000

cd frontend
npm install
VITE_API_BASE_URL=http://localhost:8000 npm run dev

The VITE_API_BASE_URL variable is needed outside Docker so the frontend reaches the local backend directly (in Docker it's proxied automatically).

cd backend
pytest

cd frontend
npm run build   # type-check + build
npm run lint

AGPL-3.0 — see LICENSE.