I Turned MITRE ATT&CK Into a Tarot Deck
Threat intelligence does not have a quality problem. It has an attention problem. Here is what I built to fix that.
Threat intelligence does not have a quality problem. MITRE ATT&CK is excellent. CISA advisories are detailed. Mandiant and CrowdStrike publish thorough group profiles. The data exists. Practitioners do not read it.
This is not a criticism. There is too much of it, it is dense, and most of it does not feel urgent until something goes wrong. By then you are reading it under pressure instead of building familiarity over time.
I wanted to fix the engagement problem without dumbing anything down.
Why Tarot
The tarot format has two things working in its favor.
First, it is a fixed, finite structure. 78 cards. Major Arcana, Minor Arcana, four suits. That constraint forced me to think carefully about which adversary groups belong where, and why. Equation Group as The World. Sandworm as The Tower. Lazarus Group as the King of Pentacles. The mappings are interpretive, but they are not arbitrary. Each suit has a theme: Swords for espionage and intelligence collection, Wands for disruption and destruction, Cups for social engineering and deception, Pentacles for financial crime and ransomware. The structure gives the deck internal logic.
Second, individual cards are shareable. A threat intel PDF is not. A card with APT29's kill-chain phases, target sectors, and top defensive controls — styled well and under 500 words — gets shared. That is the point.
What Is Actually in It
Every card covers a documented adversary group with real data:
- MITRE ATT&CK technique IDs mapped to kill-chain phases
- Target sectors, origin, active dates, and assessed risk level
- Notable operations and aliases
- Specific defensive control recommendations
- ATT&CK Navigator layer export, ready to import
- Markdown threat brief you can paste into Confluence or a report
The deck covers 78 groups including Equation Group, APT28, APT29, Sandworm, Turla, APT41, Lazarus, LockBit, Conti, Scattered Spider, Hafnium, and Cl0p. 418 TTP entries in total, 97 unique technique IDs, all 14 ATT&CK Enterprise tactics represented.
Flavor text and reversed meanings are creative interpretations. Everything else is sourced and factual.
The Features That Actually Matter
The card gallery and daily draw are the obvious ones. The features worth spending time on are the analytical ones.
Technique Explorer maps every ATT&CK technique across the full deck, ranked by prevalence and grouped by tactic. If you want to know which techniques show up most across 78 documented adversary groups, this gives you that answer fast.
Defense Index ranks security controls by how many adversary groups they defend against. It is a prioritization tool. If you are trying to justify a control investment to leadership, knowing that a specific control addresses the highest number of documented adversary groups is a stronger argument than a vendor's marketing sheet.
Adversary Comparison puts any two groups side by side, highlights shared techniques, and surfaces the controls that defend against both. Useful when threat modeling, or when you want to understand how a new group relates to one you already know.
Sector Intelligence shows which industries are most targeted and the average risk scores across adversary groups that go after each sector. If you work in financial services or healthcare, the picture is not flattering.
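The three analytical features above (Technique Explorer, Defense Index, Adversary Comparison) and the Navigator layer export listed under what each card ships with, as an added example that is not the project's own code. The three-card deck, its technique-to-tactic assignments and control lists are constructed for illustration, and the Navigator version fields in the layer are assumptions.

```python
from collections import Counter, defaultdict
import json

# Constructed sample deck: three cards, each a group with ATT&CK technique IDs
# mapped to a tactic and a list of defensive controls. The IDs are real ATT&CK
# technique IDs, but which group uses which is illustrative, not sourced.
DECK = {
    "Group A": {"ttps": {"T1566": "initial-access", "T1059": "execution", "T1078": "defense-evasion"},
                "controls": ["Phishing-resistant MFA", "Application allowlisting", "Mail filtering"]},
    "Group B": {"ttps": {"T1566": "initial-access", "T1486": "impact", "T1078": "defense-evasion"},
                "controls": ["Phishing-resistant MFA", "Offline backups", "Mail filtering"]},
    "Group C": {"ttps": {"T1190": "initial-access", "T1059": "execution", "T1486": "impact"},
                "controls": ["Patch management", "Application allowlisting", "Offline backups"]},
}

def technique_prevalence(deck):
    """Technique Explorer: how many groups use each technique, grouped by tactic,
    most prevalent first. A technique is filed under the tactic its last card gave it."""
    counts = Counter(t for card in deck.values() for t in card["ttps"])
    tactic_of = {t: tac for card in deck.values() for t, tac in card["ttps"].items()}
    by_tactic = defaultdict(list)
    for tech, n in counts.most_common():  # sorted by count, ties keep insertion order
        by_tactic[tactic_of[tech]].append((tech, n))
    return dict(by_tactic)

def defense_index(deck):
    """Defense Index: rank controls by the number of groups they defend against."""
    counts = Counter(c for card in deck.values() for c in card["controls"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def compare(deck, a, b):
    """Adversary Comparison: shared techniques, each group's unique techniques,
    and the controls that cover both groups."""
    ta, tb = set(deck[a]["ttps"]), set(deck[b]["ttps"])
    ca, cb = set(deck[a]["controls"]), set(deck[b]["controls"])
    return {"shared_techniques": sorted(ta & tb), "only_a": sorted(ta - tb),
            "only_b": sorted(tb - ta), "shared_controls": sorted(ca & cb)}

def navigator_layer(deck, name="Deck technique prevalence"):
    """ATT&CK Navigator layer scoring each technique by group count. The
    'versions' values are assumed; adjust them to the Navigator you import into."""
    counts = Counter(t for card in deck.values() for t in card["ttps"])
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "techniques": [{"techniqueID": t, "score": n} for t, n in sorted(counts.items())]}

if __name__ == "__main__":
    print(technique_prevalence(DECK))
    print(defense_index(DECK))
    print(compare(DECK, "Group A", "Group B"))
    print(json.dumps(navigator_layer(DECK), indent=2))  # paste into Navigator as a layer
```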
What It Is Not
It is not a substitute for reading the actual MITRE ATT&CK pages. It is not a training platform with quizzes and certificates. It is not trying to replace threat intelligence tooling.
It is a way to build familiarity with the threat landscape passively, in small doses, without requiring someone to sit down and read a 40-page report. If a security engineer draws a daily card and spends two minutes reading about Cl0p's techniques and targets, that is two minutes they would not have spent otherwise.
Compounded over time, that is real familiarity.
Try It
Source on GitHub: scottalt/Threat-Intel-Tarot