BSidesLuxembourg 2026

OpenTide: From Raw Intelligence to Structured Threat-Informed Detections
2026-05-07, IFEN room 1, Workshops and Detection Engineering village (Building D)

Threat intelligence has matured significantly in the domain of indicators of compromise (IOCs), with standardised formats and automated sharing infrastructure. Yet when it comes to adversary behaviors (tactics, techniques, and procedures, or TTPs), intelligence is still largely delivered through unstructured reports, PDFs, and blog posts. This creates a persistent gap: while defenders receive rich insights, they lack a systematic way to translate those insights into actionable detection engineering outcomes. Measuring detection coverage remains difficult, often reduced to basic ATT&CK matrix mappings that fail to capture the relational and technical nature of adversary behaviors. Meanwhile, intelligence evolves faster than most teams can analyse, leaving detection engineers overwhelmed and without a standardised workflow to prioritise or model new threats.

OpenTide (Open Threat Informed Detection Engineering, an open source framework developed at the European Commission CSOC) addresses this challenge by introducing a structured, top‑down intelligence‑to‑detection flow. At its core are Threat Vectors - an open construct for modeling TTPs at any level of granularity. Threat Vectors can be interrelated to form attack graphs, enabling defenders to build a dynamic and continuous coverage picture as new intelligence emerges.

Within OpenTide, detection objectives and supporting rules are explicitly linked to Threat Vectors, creating a direct mapping from intelligence to detection logic. A normalised schema ensures that unstructured intelligence can be ingested, transformed, and operationalised consistently. Furthermore, experimental integrations with large language models (GenTide R&D Project) accelerate the creation of these objects, demonstrating how automation can reduce the time from intelligence inputs to detection deployment.

By reframing how we model and consume TTP‑focused intelligence, OpenTide provides a scalable path to actionable detection engineering. It enables defenders to move beyond static mappings, measure coverage in context, and continuously align detection priorities with the evolving threat landscape.

OpenTide: https://github.com/OpenTideHQ


Outline
Intelligence to Detection Engineering Gap
- TTP intelligence remains unstructured (reports, PDFs, blogs).
- Defenders struggle to operationalize insights into detections.
- Coverage measurement reduced to static ATT&CK mappings.
- Manual workflows are slow and inconsistent.
- Teams overwhelmed by volume and pace of new intel.

OpenTide Workflow
- Intelligence > Threat Vectors > Detection Objectives > Rules.
- Normalized schema for consistent ingestion of unstructured intel.
- Attack graphs enable contextual coverage measurement.
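As an added illustration of the Intelligence > Threat Vectors > Detection Objectives > Rules chain and of graph-based coverage measurement (this is not OpenTide's own schema or code; the dataclasses, object ids, and sample vectors are assumptions constructed for the example), the toy model below shows how a flat ATT&CK matrix can report a technique as covered while an attack path through a second, undetected Threat Vector for the same technique remains open:

```python
# Added illustration, not OpenTide's own schema or code: a toy graph of Threat Vectors
# linked to Detection Objectives, showing why flat ATT&CK coverage differs from path coverage.
from dataclasses import dataclass, field

@dataclass
class ThreatVector:
    id: str
    name: str
    technique: str                              # ATT&CK technique id the vector instantiates
    next: list = field(default_factory=list)    # vector ids an adversary can chain into

@dataclass
class DetectionObjective:
    id: str
    vectors: list                               # Threat Vector ids this objective addresses
    rules: list = field(default_factory=list)   # deployed rule ids; empty = not implemented

# Constructed sample intel (hypothetical ids): two distinct vectors share technique T1059.001.
VECTORS = {
    "TV-1": ThreatVector("TV-1", "Spearphishing attachment drops script", "T1566.001", ["TV-2", "TV-3"]),
    "TV-2": ThreatVector("TV-2", "Encoded PowerShell spawned by Office", "T1059.001", ["TV-4"]),
    "TV-3": ThreatVector("TV-3", "PowerShell profile modification", "T1059.001", ["TV-4"]),
    "TV-4": ThreatVector("TV-4", "Run key persistence", "T1547.001"),
}
OBJECTIVES = [
    DetectionObjective("DO-1", ["TV-1"], ["R-101"]),
    DetectionObjective("DO-2", ["TV-2"], ["R-102"]),
    DetectionObjective("DO-3", ["TV-4"]),       # objective written, no rule deployed yet
]

def covered_vectors(objectives):
    """A vector counts as covered only when an objective with a deployed rule links to it."""
    return {v for o in objectives if o.rules for v in o.vectors}

def technique_matrix(vectors, covered):
    """Flat ATT&CK view: a technique looks covered if any one of its vectors is."""
    out = {}
    for v in vectors.values():
        out[v.technique] = out.get(v.technique, False) or v.id in covered
    return out

def attack_paths(vectors, start):
    """Enumerate chains from a starting vector down to terminal vectors (the attack graph)."""
    nxt = vectors[start].next
    return [[start] + p for n in nxt for p in attack_paths(vectors, n)] if nxt else [[start]]

def path_gaps(vectors, objectives, start):
    """Contextual view: for each chain, the steps that no deployed rule would catch."""
    covered = covered_vectors(objectives)
    return {" > ".join(p): [s for s in p if s not in covered] for p in attack_paths(vectors, start)}
```

Running `technique_matrix` reports T1059.001 as covered, while `path_gaps(VECTORS, OBJECTIVES, "TV-1")` shows the TV-1 > TV-3 > TV-4 chain has two undetected steps, which is the kind of relational gap a matrix mapping hides.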

Accelerating with LLMs (GenTide)
- GenTide: LLMs accelerate Threat Vector modeling from intelligence.
- Accelerates turning Threat Vectors into Detection Objectives to support rule development.
- Reduces time from intel input to detection deployment.
- Supports continuous alignment with evolving threats.

Key takeaways
OpenTide helps defenders turn unstructured threat intelligence into actionable detections. It introduces Threat Vectors to model adversary behaviors and link them directly to detection objectives and rules. This creates a structured, scalable workflow that replaces static ATT&CK mappings with a growing knowledge graph and redefines how detection coverage can be evaluated.

With experimental automation through large language models, OpenTide shortens the time from intelligence to deployment and enables continuous alignment with evolving threats.


With over 20 years in the cybersecurity field, I have dedicated my career to safeguarding organisations by developing robust SOC and effective incident response teams. As a passionate advocate for knowledge sharing and collaboration ("sharing is caring"), I have actively contributed to the cybersecurity community and related open-source projects, such as MISP. In my current role, I have led the OpenTide initiative, turning it into a project at the core of the Detection Engineering team. I am looking to exchange and collaborate with other Detection Engineering teams to develop repeatable, traceable, and pragmatic processes, effectively bridging the gap between Threat Intelligence, Threat Hunting, and Threat Detection.
