HEARTH: How AI-Powered CTI Automation Turns Threat Intel Into Actionable Hunts
Hook
Most threat intelligence reports end up in a bookmark folder, never acted upon. HEARTH’s AI pipeline reads them for you, drafts complete hunt hypotheses, and opens a pull request—all from pasting a URL.
Context
Security teams face a challenge: threat intelligence reports accumulate faster than analysts can synthesize them into actionable threat hunts. Translating threat intelligence into concrete hypotheses with data sources, detection logic, and false positive considerations requires expertise and time.
HEARTH (Hunting Exchange and Research Threat Hub) by THE THOR Collective tackles this with an open-source, community-driven approach combining human curation with AI automation. Instead of every SOC independently analyzing the same reports, HEARTH provides a centralized library of 130+ threat hunting hypotheses structured using the PEAK framework. The submission workflow allows contributors to paste a CTI report URL into a GitHub issue template, triggering a GitHub Actions pipeline that uses Claude (Anthropic’s LLM) to extract key tactics, draft a complete hypothesis with MITRE ATT&CK mappings, check for duplicates using vector similarity, and automatically open a pull request for maintainer review. The resulting hypothesis gets shared with the entire security community.
Technical Insight
HEARTH’s architecture demonstrates how Git can serve as both a database and collaboration platform when properly indexed. The canonical source of truth is Markdown files organized into three directories—Flames/ for hypothesis-driven hunts (100+), Embers/ for baselining approaches (17), and Alchemy/ for ML-assisted detection (14). Each hunt follows a strict YAML frontmatter structure that makes them both human-readable and machine-parseable. Here’s what a typical hunt file looks like:
---
title: "DLL Side-Loading via Legitimate Applications"
author: "Security Researcher Name"
date: 2024-01-15
mitre_tactics: ["TA0003"]
mitre_techniques: ["T1574.002"]
category: "Flames"
severity: "High"
data_sources: ["Process Monitoring", "File Monitoring"]
---
## Hypothesis
Adversaries are leveraging DLL side-loading to maintain persistence...
## Investigation Steps
1. Identify processes loading DLLs from non-standard paths
2. Cross-reference with known vulnerable applications
...
This flat-file approach means contributors use standard GitHub workflows (fork, edit, pull request) without learning specialized tooling. But re-parsing 130+ Markdown files on every CI run just to check one new submission for duplicates is slow and wasteful. HEARTH solves this with a SQLite database (database/hunts.db) that indexes all hunts and provides vector-based similarity search, so the workflow queries the index instead of walking the tree. According to the repository documentation, this indexing delivers ‘30-60x faster duplicate detection in GitHub Actions’ compared to naive file scanning.
The AI pipeline handles the heavy lifting through a multi-stage GitHub Actions workflow. When a contributor submits a CTI URL via the issue template, the extraction system attempts to parse HTML first, falls back to readability-lxml for JavaScript-heavy pages, and supports PDF and DOCX formats. Claude then analyzes the extracted text with a structured prompt that enforces the PEAK framework taxonomy and generates hypotheses following the Markdown template structure.
MITRE ATT&CK validation happens in three confidence tiers: direct technique ID lookup against the 691 indexed Enterprise techniques, fuzzy matching against technique names and tables, and keyword-based fallback for edge cases. This multi-tier approach acknowledges that AI generation is probabilistic—strict validation would reject valid submissions due to minor formatting variations, while no validation would pollute the database with invalid technique IDs. The middle path uses confidence scoring to flag uncertain mappings for human review.
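As an added illustration of the three tiers (example code written for this page, not HEARTH's validator): the five-entry technique catalogue, the acceptance thresholds and the review cutoff are all assumptions standing in for the project's 691-technique index and its own scoring.

```python
"""Three-tier MITRE ATT&CK technique validation with confidence scores.
Added example, not HEARTH's code. TECHNIQUES is a constructed five-entry subset
of the Enterprise matrix; FUZZY_ACCEPT, KEYWORD_ACCEPT and REVIEW_BELOW are
assumed values, not the project's."""
import difflib
import re

# Constructed catalogue: technique id -> full name (tactic name before the colon).
TECHNIQUES = {
    "T1574.002": "Hijack Execution Flow: DLL Side-Loading",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1566.001": "Phishing: Spearphishing Attachment",
}
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
FUZZY_ACCEPT = 0.8     # assumed: name-similarity ratio required by tier 2
KEYWORD_ACCEPT = 0.5   # assumed: share of reference words that must appear in a name
REVIEW_BELOW = 0.9     # assumed: anything less confident is flagged for a human


def _words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def validate_technique(ref):
    """Map one model-emitted technique reference to (technique_id, confidence, tier).
    technique_id is None when nothing acceptable was found."""
    ref = ref.strip()
    tid = ref.upper()
    # Tier 1: direct ID lookup. A well-formed ID missing from the catalogue is
    # rejected outright instead of being fuzzily "corrected" to a neighbour,
    # because a plausible-looking but non-existent ID is a classic LLM error.
    if TECHNIQUE_ID_RE.match(tid):
        return (tid, 1.0, "id") if tid in TECHNIQUES else (None, 0.0, "unknown_id")
    # Tier 2: fuzzy match against the full name and the sub-technique part after
    # the colon, which absorbs hyphenation and punctuation drift in model output.
    best_id, best_score = None, 0.0
    for cid, name in TECHNIQUES.items():
        for candidate in (name, name.split(": ")[-1]):
            score = difflib.SequenceMatcher(None, ref.lower(), candidate.lower()).ratio()
            if score > best_score:
                best_id, best_score = cid, score
    if best_score >= FUZZY_ACCEPT:
        return best_id, round(best_score, 2), "fuzzy"
    # Tier 3: keyword overlap. Confidence is capped at 0.5 so this tier always
    # lands below REVIEW_BELOW and is never accepted without a human.
    ref_words = _words(ref)
    best_id, best_overlap = None, 0.0
    for cid, name in TECHNIQUES.items():
        overlap = len(ref_words & _words(name)) / len(ref_words) if ref_words else 0.0
        if overlap > best_overlap:
            best_id, best_overlap = cid, overlap
    if best_overlap >= KEYWORD_ACCEPT:
        return best_id, round(0.5 * best_overlap, 2), "keyword"
    return None, 0.0, "unmatched"


def validate_all(refs):
    """Validate a frontmatter technique list; each result carries a needs_review flag
    the PR bot can turn into a comment."""
    results = []
    for ref in refs:
        tid, conf, tier = validate_technique(ref)
        results.append({"input": ref, "technique": tid, "confidence": conf, "tier": tier,
                        "needs_review": tid is None or conf < REVIEW_BELOW})
    return results


if __name__ == "__main__":
    for r in validate_all(["T1574.002", "t1053.005", "DLL Side Loading",
                           "LSASS dumping", "T1999.999", "bird watching"]):
        print(r)
```

The ordering matters: an ID that parses but is unknown never reaches the fuzzy tier, so the validator refuses to guess what the model meant, while a name with a dropped hyphen ("DLL Side Loading") passes tier 2 with high confidence and a loose phrase ("LSASS dumping") is mapped by tier 3 but always flagged for review.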
The duplicate detection system performs cosine similarity comparison against all existing hunts in the SQLite index when a new hypothesis is generated. If similarity exceeds a threshold, the bot comments on the issue with potential duplicates and requests human review. This prevents the repository from accumulating near-identical hunts phrased slightly differently—a common problem in community-driven knowledge bases.
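The indexing and duplicate-check path, as an added example rather than HEARTH's code: it parses the frontmatter layout shown above, stores one unit-length term-frequency vector per hunt in an in-memory SQLite table, and compares a rephrased submission against the index. The hunt texts, the repository paths, the stopword list and the 0.6 threshold are constructed for this example; whatever vector representation and threshold the real pipeline uses, the flow is the same.

```python
"""Index hunt Markdown in SQLite once, then flag near-duplicates by cosine similarity.
Added example, not HEARTH's code: hunt texts are constructed, the vectors are plain
term-frequency vectors rather than model embeddings, and the threshold is assumed."""
import json, math, re, sqlite3
from collections import Counter

# Constructed hunt files keyed by repository path (frontmatter layout as shown earlier).
HUNT_FILES = {
    "Flames/H-0001.md": """---
title: "DLL Side-Loading via Legitimate Applications"
date: 2024-01-15
mitre_techniques: ["T1574.002"]
category: "Flames"
data_sources: ["Process Monitoring", "File Monitoring"]
---
## Hypothesis
Adversaries are leveraging DLL side-loading to maintain persistence by placing a malicious DLL next to a signed application that loads it.
## Investigation Steps
1. Identify processes loading DLLs from non-standard paths
2. Cross-reference with known vulnerable applications
""",
    "Embers/B-0001.md": """---
title: "Baseline Scheduled Task Creation Across Servers"
mitre_techniques: ["T1053.005"]
category: "Embers"
---
## Hypothesis
Establish a baseline of scheduled task creation per host so that new tasks registered by unusual accounts stand out.
## Investigation Steps
1. Collect scheduled task creation events for thirty days
2. Group by host and creating account
""",
}
# A new submission that restates the first hunt in different words.
CANDIDATE = """---
title: "Side-Loading of DLLs by Signed Applications"
mitre_techniques: ["T1574.002"]
category: "Flames"
---
## Hypothesis
Adversaries maintain persistence through DLL side-loading, dropping a malicious DLL alongside a legitimate signed application.
## Investigation Steps
1. Identify processes loading DLLs from non-standard paths
2. Cross-reference loaded DLLs with known vulnerable applications
"""

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)
TOKEN_RE = re.compile(r"[a-z0-9]+")
STOPWORDS = {"the", "a", "an", "to", "of", "and", "are", "is", "by", "in", "on", "via", "with", "that", "it", "for"}
DUPLICATE_THRESHOLD = 0.6  # assumed; tune against the real corpus

def parse_hunt(text):
    """Split a hunt file into (frontmatter dict, Markdown body). Minimal parser for the
    flat key: value layout above; quoted scalars and bracketed lists are valid JSON,
    bare values such as dates stay strings."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        raise ValueError("hunt file has no YAML frontmatter block")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, raw = line.partition(":")
        raw = raw.strip()
        meta[key.strip()] = json.loads(raw) if raw and raw[0] in '"[' else raw
    return meta, m.group(2)

def vectorize(text):
    """Unit-length term-frequency vector, so a dot product is the cosine similarity."""
    counts = Counter(t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS)
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {t: c / norm for t, c in counts.items()}

def cosine(a, b):
    return sum(w * b.get(t, 0.0) for t, w in a.items())

def build_index(files):
    """Parse every hunt once and persist metadata plus vector; CI reads this, not the files."""
    db = sqlite3.connect(":memory:")  # the real index would be a file such as database/hunts.db
    db.execute("CREATE TABLE hunts (path TEXT PRIMARY KEY, title TEXT, category TEXT, "
               "techniques TEXT, vector TEXT)")
    for path, text in files.items():
        meta, body = parse_hunt(text)
        db.execute("INSERT INTO hunts VALUES (?, ?, ?, ?, ?)",
                   (path, meta["title"], meta["category"], json.dumps(meta["mitre_techniques"]),
                    json.dumps(vectorize(meta["title"] + " " + body))))
    db.commit()
    return db

def find_duplicates(db, candidate_text, threshold=DUPLICATE_THRESHOLD):
    """[(path, title, score)] for indexed hunts at or above the threshold, best first."""
    meta, body = parse_hunt(candidate_text)
    vec = vectorize(meta["title"] + " " + body)
    hits = [(path, title, round(cosine(vec, json.loads(stored)), 3))
            for path, title, stored in db.execute("SELECT path, title, vector FROM hunts")]
    return sorted((h for h in hits if h[2] >= threshold), key=lambda h: -h[2])
```

On the constructed inputs the rephrased candidate scores about 0.88 against the DLL side-loading hunt and under 0.1 against the baselining hunt, so only the first is reported; in the real workflow that list is what the bot posts back on the issue for a human to adjudicate. Storing the vector alongside the metadata is what lets the check avoid re-reading and re-vectorizing every Markdown file on each run.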
Maintainers can iterate on AI-generated content by adding a ‘regenerate’ label to the automated pull request, which triggers Claude to re-analyze the source CTI. This feedback loop balances automation speed with quality control, letting humans guide the AI toward better outputs without writing everything from scratch.
Gotcha
HEARTH’s AI-powered CTI analysis creates an operational dependency on Anthropic or OpenAI API keys, which the repository requires as GitHub secrets for the automated pipeline to function. The project still supports manual hunt submissions through a separate workflow, so contributors without API access can participate by filling out the manual submission template directly. Note also what the automated path does with its input: the text of a contributor-supplied URL is fetched and placed into the model prompt, so the drafted hypothesis is derived from content the maintainers did not write and have not yet read. The pull request review step is the control that catches a hypothesis that misreads, or was steered by, its source; treat it as mandatory rather than a formality.
The extraction pipeline has documented limitations. It supports HTML (with readability-lxml fallback for JavaScript-heavy sites), PDF, and DOCX formats. The README notes the system uses ‘Smart Parsing’ to extract article content from common blog/report structures, but complex document formatting may affect extraction quality. One caveat worth knowing before relying on the fallback: readability-lxml does not execute JavaScript. It strips navigation and boilerplate from HTML that has already been fetched, so a report whose body is rendered entirely client-side yields little or no text, and the model ends up drafting a hypothesis from a near-empty source. If a generated hunt comes back thin or generic, a failed extraction is the first thing to suspect.
The library currently contains 130+ hypotheses structured using the PEAK framework. While substantial, threat hunting remains context-dependent—a generic hypothesis needs significant adaptation for specific environments: What’s your normal baseline? Which monitoring tools do you have? What’s the false positive tolerance for your team? HEARTH provides structured starting points aligned with the PEAK framework, but teams still need expertise to operationalize hunts. It’s not a plug-and-play detection rule repository like Sigma; it’s a structured idea library that assumes you’ll do the translation work.
Verdict
Use HEARTH if you’re building or scaling a threat hunting program and need structured, community-vetted starting points aligned with the PEAK framework. It’s valuable for teams that have monitoring infrastructure in place but need help synthesizing CTI reports into actionable hunts. The AI-powered submission workflow can save time when processing vendor reports and OSINT blogs—turning reports into structured hypotheses more quickly than manual synthesis. Also use it if you’re learning threat hunting and want to see how hunters structure hypotheses, map to MITRE ATT&CK, and think about data sources—the repository provides 130+ examples across hypothesis-driven hunts (Flames), baselining approaches (Embers), and ML-assisted detection (Alchemy). Skip HEARTH if your environment is highly specialized where generic hunts won’t transfer well, or if you already have a mature threat intelligence program with comprehensive hunting workflows. Also skip it if you’re looking for ready-to-deploy detection rules rather than hypotheses—Sigma or commercial SIEM content packs will serve you better. Consider the implications if your organization has restrictions around submitting URLs to external AI APIs for the automated CTI submission workflow, though manual submission remains available as an alternative.