
Intel Workbench

Structured Analytic Techniques for CTI

Status: Complete | Origin: Portfolio Project | Since: 2026.01
React 18, TypeScript, Zustand, Tailwind CSS, Vite, React Router, localStorage
Open Source

Structured analytic techniques for the browser

53 Files
6,951 Source LOC
15 Components
8 Pages
3 Zustand Stores
12 Bias Definitions

Overview

Intel Workbench brings structured analytic techniques from the intelligence community into the browser. It implements the Analysis of Competing Hypotheses (ACH) methodology developed by Richards Heuer at the CIA, alongside cognitive bias checklists, IOC extraction, and the Diamond Model of Intrusion Analysis.

Everything runs client-side with localStorage persistence. No backend, no accounts, no data leaving the analyst's machine. Load the page, start analyzing. The Sandworm APT sample project ships pre-loaded so analysts can see the workflow before building their own matrices.

Analysis Tools

🎯 ACH Matrix (live)

Interactive Analysis of Competing Hypotheses with weighted scoring. Rate evidence against hypotheses as Consistent, Inconsistent, or Neutral, with credibility and relevance multipliers.

🧠 Cognitive Bias Checklist (live)

12 cognitive, analytical, and social biases with progress tracking and mitigation notes. Forces analysts to confront their own reasoning blind spots.

🔍 IOC Extractor (live)

Paste raw threat reports and extract IPs, domains, URLs, hashes, emails, and CVEs via regex. Deduplicate, defang/refang, and export as CSV or JSON.

💎 Diamond Model (live)

Visual intrusion event modeling with four vertices (adversary, capability, infrastructure, victim), kill chain phase mapping, and confidence scoring.

ACH Scoring Model

Each cell in the ACH matrix represents an analyst's judgment about how a piece of evidence relates to a hypothesis. The scoring formula weights these ratings by evidence credibility and relevance to produce a composite score per hypothesis. Higher scores indicate more inconsistency, so the hypothesis with the lowest score is the preferred explanation.

Component | Values / Formula
Rating | Inconsistent = 2, Neutral = 0, Consistent = -1
Credibility | High = 3×, Medium = 2×, Low = 1×
Relevance | High = 1.5×, Medium = 1×, Low = 0.5×
Formula | Score = Σ(rating × credibility × relevance) per hypothesis
Display | Normalized 0-100 bar, raw score label, preferred hypothesis highlight
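
The scoring model above as a worked TypeScript example. It is added here and is not Intel Workbench's own source: the type and function names and the sample matrix are constructed, and two behaviours are assumptions because the page does not specify them (unrated cells count as Neutral, and the 0-100 bar is min-max scaled across the hypotheses).

```typescript
// Added example: names and sample data are constructed, not Intel Workbench source.
type Rating = "I" | "N" | "C"; // Inconsistent, Neutral, Consistent
type Level = "high" | "medium" | "low";

const RATING: Record<Rating, number> = { I: 2, N: 0, C: -1 };
const CREDIBILITY: Record<Level, number> = { high: 3, medium: 2, low: 1 };
const RELEVANCE: Record<Level, number> = { high: 1.5, medium: 1, low: 0.5 };

interface Evidence {
  id: string;
  credibility: Level;
  relevance: Level;
  ratings: Record<string, Rating | undefined>; // hypothesis id -> cell rating
}

// Score = sum(rating x credibility x relevance); unrated cells count as Neutral (assumption).
function scoreHypotheses(hypotheses: string[], evidence: Evidence[]): Record<string, number> {
  const scores: Record<string, number> = {};
  for (const h of hypotheses) {
    scores[h] = evidence.reduce((sum, e) =>
      sum + RATING[e.ratings[h] ?? "N"] * CREDIBILITY[e.credibility] * RELEVANCE[e.relevance], 0);
  }
  return scores;
}

// Lowest score means least inconsistency; ties return every tied hypothesis.
function preferred(scores: Record<string, number>): string[] {
  const min = Math.min(...Object.values(scores));
  return Object.entries(scores).filter(([, s]) => s === min).map(([h]) => h);
}

// Assumption: the 0-100 bar is min-max scaled across the matrix.
function normalize(scores: Record<string, number>): Record<string, number> {
  const vals = Object.values(scores);
  const lo = Math.min(...vals);
  const span = Math.max(...vals) - lo;
  const bars: Record<string, number> = {};
  for (const [h, s] of Object.entries(scores)) {
    bars[h] = span === 0 ? 0 : Math.round(((s - lo) / span) * 100);
  }
  return bars;
}

// Constructed matrix: three hypotheses, three pieces of evidence (E3 leaves H3 unrated).
const SAMPLE: Evidence[] = [
  { id: "E1", credibility: "high", relevance: "high", ratings: { H1: "C", H2: "I", H3: "N" } },
  { id: "E2", credibility: "medium", relevance: "medium", ratings: { H1: "I", H2: "I", H3: "C" } },
  { id: "E3", credibility: "low", relevance: "low", ratings: { H1: "C", H2: "C" } },
];
```

On the sample matrix, H2 is dominated by one high-credibility, high-relevance Inconsistent rating, which is the effect the multipliers are meant to produce.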

Architecture

CLIENT-SIDE APPLICATION
React 18: 8 pages, 15 components
Zustand Stores: Project, IOC, Diamond
localStorage: Persist middleware
No backend. No API calls. Everything in the browser.

DATA FLOW
Import: JSON project files, raw text for IOC extraction
Analysis: ACH matrix scoring, bias review, Diamond modeling
Export: JSON projects, Markdown reports, CSV/JSON IOCs

Technical Decisions

Decision | Reasoning
Zustand over Redux | Simpler API, built-in persist middleware for localStorage, no boilerplate. Perfect for client-only state.
localStorage over backend | Zero infrastructure. Analyst data stays on their machine. No server to maintain or secure.
Regex IOC extraction over NLP | Deterministic, fast, no dependencies. IOC formats are structured enough that regex catches 95%+ of indicators.
5 visual variants | Built during design phase to find the right analyst aesthetic. Each variant wraps the same routes in a different layout shell.
React Router with base path | Supports deployment at any URL prefix. Variants use nested routes under /v1 through /v5.
driver.js for guided tour | Lightweight, CDN-loaded, auto-starts on first visit. No heavy onboarding framework needed.

Development Timeline

Phase 1: ACH Core (✓ completed)
Matrix CRUD, Hypothesis/evidence management, Cell rating cycling, Sandworm sample project
Phase 2: Scoring & Bias (✓ completed)
Weighted scoring formula, Normalized score bars, 12 cognitive biases, Mitigation notes
Phase 3: Polish & Variants (✓ completed)
5 visual theme variants, Guided tour, In-app documentation, JSON export/import
Phase 4: IOC & Diamond Model (✓ completed)
IOC regex extractor, Defang/refang toggle, CSV/JSON export, Diamond Model events, Vertex editing, Kill chain mapping
Phase 5: Theme & Branding (✓ completed)
Dark/light mode, System preference detection, Solomon's branding, Portfolio badge
Phase 6: Advanced Analysis (○ planned)
Sensitivity analysis panel, Undo/redo stack, ACH matrix comparison view, Evidence linking across matrices
Phase 7: Export & Sharing (○ planned)
PDF report generation, Shareable URL encoding, Markdown report export, STIX 2.1 IOC export
Phase 8: Integration (○ planned)
MISP feed import, TheHive case import, OpenCTI indicator sync, CyberBRIEF report ingestion