Structured analytic techniques for cyber threat intelligence.
Intel Workbench is an interactive Analysis of Competing Hypotheses (ACH) tool that brings rigorous intelligence methodology to the browser. Score evidence against hypotheses, map findings to MITRE ATT&CK, identify cognitive biases, and export structured assessments. Zero backend, full offline capability, and eight distinct visual themes.
- ACH Matrix: Interactive evidence-vs-hypothesis grid with consistency ratings (C/I/N/NA), weighted scoring, and automatic preferred-hypothesis identification
- MITRE ATT&CK Tagging: Tag evidence and hypotheses with techniques from the Enterprise ATT&CK matrix (691 techniques, 14 tactics). Searchable by ID, name, or tactic. Vendored locally so the workbench stays offline-first
- Cognitive Bias Checklist: Heuer & Pherson taxonomy with 12 biases across Cognitive, Analytical, and Social categories; track mitigation notes per bias
- Score Visualization: Real-time normalized score bars showing hypothesis support levels with color-coded confidence indicators
- ICD 203 Estimative Language: Pick a likelihood band ("almost no chance" through "almost certainly") with the canonical 1-5%/5-20%/.../95-99% ranges per ODNI Analytic Standards; the preferred hypothesis displays a probability ribbon on the matrix and in Markdown exports
- Evidence Weighting: Credibility and relevance ratings (High/Medium/Low) that feed into weighted inconsistency scores
- Export & Import: Full JSON export/import for backup and sharing; Markdown export for report generation (includes ATT&CK technique IDs)
- 8 Visual Themes: Langley, Terminal, Analyst's Desk, Stratcom, Cyber Noir, Casefile Atlas, Ops Floor, and Blacksite Minimal
- In-App Guided Tour: First-visit walkthrough powered by driver.js highlighting every major feature
- Built-In Documentation: Comprehensive help page covering ACH methodology, scoring, bias awareness, and keyboard shortcuts
- Offline-First: All data persisted in localStorage; works without any server
- Keyboard Accessible: Full keyboard navigation across the matrix grid
Intel Workbench is a single-page React application with no backend dependencies:
```
Browser
├─ React 18 (SPA, React Router v6)
├─ Zustand Store → persist middleware → localStorage
├─ ThemeContext (per-variant color tokens)
├─ Pages: Home / ACH / Bias / Export / Docs
└─ 8 Variant Layouts (lazy-loaded)
```
- State Management: Zustand with `persist` middleware writes to `localStorage` under the key `intel-workbench-projects`
- Routing: React Router v6 with nested variant routes (`/v1/*`, `/v2/*`, …, `/v8/*`, `/default/*`) and a variant picker at `/`
- Theming: `ThemeContext` provides color tokens per variant; components read them via `useTheme()`
- Code Splitting: Variant layouts are `React.lazy()` loaded to keep the initial bundle small
- Node.js ≥ 18
- npm ≥ 9
```bash
git clone https://github.com/solomonneas/intel-workbench.git
cd intel-workbench
npm install
npm run dev
```

Open http://localhost:5173 in your browser.

```bash
npm run build
npm run preview
```

```bash
npm test            # vitest, single run
npm run test:watch
npm run typecheck
```

CI runs typecheck + tests + production build on every push (`.github/workflows/ci.yml`).
| Layer | Technology | Purpose |
|---|---|---|
| Framework | React 18 | Component UI |
| Language | TypeScript 5 | Type safety |
| Styling | Tailwind CSS 3 | Utility-first CSS |
| State | Zustand 4 | Global state + persistence |
| Routing | React Router 6 | Client-side navigation |
| Icons | Lucide React | Consistent icon set |
| Bundler | Vite 7 | Dev server + build |
| Tour | driver.js 1.3 (CDN) | Guided onboarding |
```
intel-workbench/
├── index.html                  # Entry point + CDN links
├── package.json
├── vite.config.ts
├── tailwind.config.js
├── tsconfig.json
├── public/
│   └── vite.svg
└── src/
    ├── main.tsx                # React root
    ├── App.tsx                 # Router + variant routes
    ├── index.css               # Tailwind layers + component classes
    ├── components/
    │   ├── ach/
    │   │   ├── ACHMatrix.tsx   # Interactive hypothesis matrix
    │   │   └── ACHScoreBar.tsx
    │   ├── bias/
    │   │   └── BiasChecklist.tsx
    │   ├── layout/
    │   │   └── AppShell.tsx    # Default sidebar layout
    │   └── GuidedTour.tsx      # driver.js onboarding tour
    ├── contexts/
    │   └── ThemeContext.tsx    # Theme color provider
    ├── data/
    │   ├── biasData.ts         # Cognitive bias catalog
    │   └── sampleProject.ts    # Sandworm sample data
    ├── pages/
    │   ├── HomePage.tsx        # Project list & creation
    │   ├── ACHPage.tsx         # Matrix workspace
    │   ├── BiasPage.tsx        # Bias review
    │   ├── ExportPage.tsx      # JSON/Markdown export
    │   ├── DocsPage.tsx        # In-app help & documentation
    │   └── VariantPicker.tsx   # Theme selector landing
    ├── store/
    │   └── useProjectStore.ts  # Zustand store (persisted)
    ├── types/
    │   └── index.ts            # TypeScript interfaces
    ├── utils/
    │   ├── achScoring.ts       # Scoring algorithms
    │   ├── id.ts               # ID generator
    │   └── useBasePath.ts      # Variant-aware navigation
    └── variants/
        ├── v1/Layout.tsx       # Langley (intel agency)
        ├── v2/Layout.tsx       # Terminal (hacker)
        ├── v3/Layout.tsx       # Analyst's Desk (clean)
        ├── v4/Layout.tsx       # Stratcom (military)
        ├── v5/Layout.tsx       # Cyber Noir (cyberpunk)
        ├── v6/Layout.tsx       # Casefile Atlas (evidence desk)
        ├── v7/Layout.tsx       # Ops Floor (live cell)
        └── v8/Layout.tsx       # Blacksite Minimal (brutalist)
```
Each variant wraps the same core pages in a unique visual identity:
| Variant | Theme | Aesthetic |
|---|---|---|
| v1: Langley | Intelligence Agency | Dark navy, gold accents, serif type, classified stamps |
| v2: Terminal | Hacker / OSINT | Pure black, matrix green, scanline overlay, monospace |
| v3: Analyst's Desk | Clean Professional | Light backgrounds, blue accents, content-first layout |
| v4: Stratcom | Military Command | OD green, amber accents, grid patterns, military time |
| v5: Cyber Noir | Cyberpunk | Neon cyan + magenta, glow effects, glass-morphism |
| v6: Casefile Atlas | Evidence Desk | Warm paper, red-thread evidence board, serif-heavy dossiers |
| v7: Ops Floor | Live Cell | Dense command-center layout, teal signal lines, amber status blocks |
| v8: Blacksite Minimal | Brutalist | Severe monochrome, acid-lime emphasis, hard-edged controls |
All variants share the same Zustand store and page components. Switching themes is instant: just navigate back to the variant picker at `/`.
Tag evidence and hypotheses with techniques from the MITRE ATT&CK Enterprise matrix. Search by technique ID (T1059), name (Phishing), or filter by tactic (Initial Access, Execution, Lateral Movement, …). Tags persist in JSON exports and are rendered as clickable references in Markdown reports.
The full ATT&CK Enterprise dataset (691 techniques, 14 tactics) is vendored at src/data/attack-enterprise.json and lazy-loaded so the initial bundle stays small. To refresh after a new ATT&CK release:
```bash
curl -sL https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json \
  | jq -f scripts/slim-attack.jq > src/data/attack-enterprise.json
```

Analysis of Competing Hypotheses (ACH) is a structured analytic technique developed by Richards J. Heuer Jr. at the CIA. Instead of seeking evidence to confirm a preferred hypothesis, ACH forces analysts to:
- Enumerate all reasonable hypotheses
- List all significant evidence and arguments
- Rate each evidence item against each hypothesis as Consistent (C), Inconsistent (I), Neutral (N), or Not Applicable (NA)
- Score inconsistencies: the hypothesis with the fewest weighted inconsistencies is the most supported
- Identify and mitigate cognitive biases that might distort the analysis
The key insight: disprove rather than prove. A single strong inconsistency can eliminate a hypothesis, while consistent evidence alone cannot confirm one.
```
Score = Σ (weight × rating_value)

where:
  rating_value: I = +2, N = 0, C = −1
  weight:       credibility_multiplier × relevance_multiplier
  multipliers:  High = 1.5, Medium = 1.0, Low = 0.5
```
Lower (more negative) scores indicate stronger support. The hypothesis with the lowest score is flagged as preferred.
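
The scoring rule above, worked through in TypeScript as an added example (it is not the project's `src/utils/achScoring.ts`). The type and function names and the sample matrix are constructed for illustration, and treating NA or unrated cells as 0 is an assumption, since the formula lists values only for I, N and C.

```typescript
// Added illustration of the README's formula; not the project's achScoring.ts.
type Rating = "C" | "I" | "N" | "NA";
type Level = "High" | "Medium" | "Low";

interface Evidence {
  id: string;
  credibility: Level;
  relevance: Level;
  ratings: Record<string, Rating>; // hypothesis id -> rating
}

const MULTIPLIER: Record<Level, number> = { High: 1.5, Medium: 1.0, Low: 0.5 };
// NA = 0 is an assumption: the formula only gives values for I, N and C.
const RATING_VALUE: Record<Rating, number> = { I: 2, N: 0, C: -1, NA: 0 };

// Score = sum over evidence of (credibility x relevance) x rating_value.
function scoreHypotheses(ids: string[], evidence: Evidence[]): Record<string, number> {
  const scores: Record<string, number> = {};
  for (const h of ids) {
    scores[h] = evidence.reduce((total, e) => {
      const weight = MULTIPLIER[e.credibility] * MULTIPLIER[e.relevance];
      return total + weight * RATING_VALUE[e.ratings[h] ?? "NA"]; // unrated cell -> NA
    }, 0);
  }
  return scores;
}

// Lowest score wins; more than one id returned means a tie the analyst must resolve.
function preferredHypotheses(scores: Record<string, number>): string[] {
  const ids = Object.keys(scores);
  const min = Math.min(...ids.map((id) => scores[id]));
  return ids.filter((id) => scores[id] === min);
}

// Constructed sample matrix (not the project's Sandworm sample data).
const SAMPLE_HYPOTHESES = ["H1", "H2", "H3"];
const SAMPLE_EVIDENCE: Evidence[] = [
  { id: "E1", credibility: "High", relevance: "High", ratings: { H1: "C", H2: "I", H3: "N" } },
  { id: "E2", credibility: "Medium", relevance: "High", ratings: { H1: "C", H2: "C", H3: "I" } },
  { id: "E3", credibility: "Low", relevance: "Medium", ratings: { H1: "I", H2: "C", H3: "C" } },
  { id: "E4", credibility: "High", relevance: "Medium", ratings: { H1: "N", H2: "C" } }, // H3 unrated
];

const sampleScores = scoreHypotheses(SAMPLE_HYPOTHESES, SAMPLE_EVIDENCE);
// H2 has three C ratings, yet one High/High inconsistency leaves it above H1.
console.log(sampleScores, "preferred:", preferredHypotheses(sampleScores));
```

In this matrix H2 is rated Consistent on three of four items and still scores worse than H1, because its single inconsistency comes from the most credible and relevant evidence.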
MIT: see LICENSE for details.






