Data Model
Babel organises threat intelligence into eight entity types. Every entity is traceable to at least one source report, and entities are connected through typed, confidence-labeled edges.
Entity types
| Entity | Description |
|---|---|
| Actors | Named threat groups with confirmed attribution — nation-state, cybercrime, hacktivist, PSOA |
| Clusters | Unattributed activity sets tracked by behaviour. Can be graduated to Actor once attribution is confirmed. |
| Campaigns | Named operations with defined timeframes, target profiles, and objectives |
| Tools | Malware, implants, C2 frameworks, and utilities — each typed by role (backdoor, ransomware, loader...) |
| Indicators | IPs, domains, hashes, URLs, and emails extracted from reports and enriched automatically |
| TTPs | MITRE ATT&CK techniques and sub-techniques, linked to the actors and tools that use them |
| CVEs | Exploited vulnerabilities with CVSS scores and links to the actors observed exploiting them |
| Reports | Source intelligence documents — the immutable ground truth that every entity and edge links back to |
Actors vs Clusters
Babel separates Actors (confirmed attribution — known nation, motivation, country) from Clusters (activity tracked by behaviour alone, not identity). This mirrors the UNC/DEV/Storm model used by Mandiant, Microsoft, and CrowdStrike.
When an analyst confirms attribution, a cluster can be graduated to an actor — the data migrates, edges are preserved, and the original cluster ID is aliased.
Relationships
| Relationship | Direction | Meaning |
|---|---|---|
documents | Report → Entity | A report discusses or attributes this entity |
attributed_to | Campaign / Cluster → Actor | A campaign or activity cluster is attributed to a named actor |
sub_group_of | Actor → Actor | A named actor is a functional sub-unit of another actor |
collaborates_with | Actor / Cluster ↔ Actor / Cluster | Joint operation or coordinated attack between peer groups |
hands_off_to | Actor → Actor | IAB handoff — one actor passes access to another |
uses_tool | Actor / Cluster / Campaign → Tool | The group uses this malware or framework |
uses_ttp | Actor / Cluster / Campaign / Tool → TTP | MITRE ATT&CK technique observed in use |
exploits | Actor / Cluster / Campaign → CVE | Vulnerability observed being exploited |
drops | Tool → Tool | Malware delivers or installs another payload |
communicates_with | Tool → Indicator | C2 communication — malware contacts an IP, domain, or URL |
contains_indicator | Report → Indicator | Indicator appears in this report (provenance) |
has_indicator | Actor / Cluster → Indicator | Pipeline-generated — not a stated relationship in a report |
has_indicator edges are written by the ingest pipeline, not extracted from report text. They link an actor or cluster to each indicator attributed to it.
Auto-linked edges
When a report is ingested, the pipeline writes a set of shortcut edges in addition to the LLM-stated relationships. These are called auto-linked edges and are flagged with auto_link: true in the API response.
Auto-linked edges connect each primary actor or cluster in a report directly to the tools, TTPs, CVEs, and indicators co-documented in the same report. They exist so that querying an actor returns its full observable footprint without requiring traversal through every intermediate report or campaign node.
| Edge | Written when |
|---|---|
has_indicator | Actor / Cluster → Indicator: for every indicator in the report attributed to this actor or cluster |
uses_tool | Actor / Cluster → Tool: for every tool documented in the same report |
uses_ttp | Actor / Cluster → TTP: for every TTP in the report not already covered by a stated campaign edge |
exploits | Actor / Cluster → CVE: for every CVE documented in the same report |
Confidence labels
Every edge carries a confidence label that reflects how certain the relationship is, based on the language used in the source report:
| Label | Meaning |
|---|---|
| Confirmed | Directly stated in the source with no ambiguity ("confirmed", "definitively") |
| High confidence | Strong assessment by the source ("high confidence", "strongly assessed") |
| Assessed | Standard attribution language ("assessed", "attributed") |
| Suspected | Moderate certainty ("suspected", "likely") |
| Possible | Low certainty or speculative ("possible", "may") |
See the Methodology section for a detailed explanation of how confidence labels are assigned.
