Skip to content

Data Model

Babel organises threat intelligence into eight entity types. Every entity is traceable to at least one source report, and entities are connected through typed, confidence-labeled edges.

Entity types

EntityDescription
ActorsNamed threat groups with confirmed attribution — nation-state, cybercrime, hacktivist, PSOA
ClustersUnattributed activity sets tracked by behaviour. Can be graduated to Actor once attribution is confirmed.
CampaignsNamed operations with defined timeframes, target profiles, and objectives
ToolsMalware, implants, C2 frameworks, and utilities — each typed by role (backdoor, ransomware, loader...)
IndicatorsIPs, domains, hashes, URLs, and emails extracted from reports and enriched automatically
TTPsMITRE ATT&CK techniques and sub-techniques, linked to the actors and tools that use them
CVEsExploited vulnerabilities with CVSS scores and links to the actors observed exploiting them
ReportsSource intelligence documents — the immutable ground truth that every entity and edge links back to

Actors vs Clusters

Babel separates Actors (confirmed attribution — known nation, motivation, country) from Clusters (activity tracked by behaviour alone, not identity). This mirrors the UNC/DEV/Storm model used by Mandiant, Microsoft, and CrowdStrike.

When an analyst confirms attribution, a cluster can be graduated to an actor — the data migrates, edges are preserved, and the original cluster ID is aliased.

Relationships

RelationshipDirectionMeaning
documentsReport → EntityA report discusses or attributes this entity
attributed_toCampaign / Cluster → ActorA campaign or activity cluster is attributed to a named actor
sub_group_ofActor → ActorA named actor is a functional sub-unit of another actor
collaborates_withActor / Cluster ↔ Actor / ClusterJoint operation or coordinated attack between peer groups
hands_off_toActor → ActorIAB handoff — one actor passes access to another
uses_toolActor / Cluster / Campaign → ToolThe group uses this malware or framework
uses_ttpActor / Cluster / Campaign / Tool → TTPMITRE ATT&CK technique observed in use
exploitsActor / Cluster / Campaign → CVEVulnerability observed being exploited
dropsTool → ToolMalware delivers or installs another payload
communicates_withTool → IndicatorC2 communication — malware contacts an IP, domain, or URL
contains_indicatorReport → IndicatorIndicator appears in this report (provenance)
has_indicatorActor / Cluster → IndicatorPipeline-generated — not a stated relationship in a report

has_indicator edges are written by the ingest pipeline, not extracted from report text. They link an actor or cluster to each indicator attributed to it.

Auto-linked edges

When a report is ingested, the pipeline writes a set of shortcut edges in addition to the LLM-stated relationships. These are called auto-linked edges and are flagged with auto_link: true in the API response.

Auto-linked edges connect each primary actor or cluster in a report directly to the tools, TTPs, CVEs, and indicators co-documented in the same report. They exist so that querying an actor returns its full observable footprint without requiring traversal through every intermediate report or campaign node.

EdgeWritten when
has_indicatorActor / Cluster → Indicator: for every indicator in the report attributed to this actor or cluster
uses_toolActor / Cluster → Tool: for every tool documented in the same report
uses_ttpActor / Cluster → TTP: for every TTP in the report not already covered by a stated campaign edge
exploitsActor / Cluster → CVE: for every CVE documented in the same report

Confidence labels

Every edge carries a confidence label that reflects how certain the relationship is, based on the language used in the source report:

LabelMeaning
ConfirmedDirectly stated in the source with no ambiguity ("confirmed", "definitively")
High confidenceStrong assessment by the source ("high confidence", "strongly assessed")
AssessedStandard attribution language ("assessed", "attributed")
SuspectedModerate certainty ("suspected", "likely")
PossibleLow certainty or speculative ("possible", "may")

See the Methodology section for a detailed explanation of how confidence labels are assigned.

Babel is free for individual researchers, defenders, and analysts.