Classical threat intelligence rests on two pillars: indicators of compromise and MITRE ATT&CK techniques. Both miss something essential - how an attack is actually executed at the infrastructure level. IIM fills that gap.
IOCs are ephemeral snapshots. ATT&CK describes behavior at a level of abstraction that omits implementation. The actual infrastructure - hosting, routing, resolution, gating - falls in the gap. This is where campaigns live and where adversaries actually diverge.
IOCs: domains, IPs, hashes. Concrete and actionable for a short window, then stale. They describe artifacts without context: a blocklist of last week's C2 domains tells you nothing about tomorrow's.
IIM: how traffic actually flows, where nodes are hosted, who is allowed to reach them, how containers are structured. The structural reality of the operation, stable over time and portable across samples.
ATT&CK: behavioral TTPs. Stable abstractions of what adversaries do on endpoints. Powerful for behavioral analysis, but deliberately silent on infrastructure composition, routing, and operational gating.
IIM separates observation from interpretation. Entities are facts. Roles are meaning. Relations are connections. Techniques are patterns. A chain weaves these into a concrete, directed execution trace that can be abstracted into a reusable pattern.
Entities are what you see: a URL, an IP, a domain, a file hash, a TLS certificate, a social account. No interpretation, no logic. An entity is strictly an artifact that exists, carrying identity and observation metadata.
Roles give an entity meaning within a specific operational context. An entity can hold different roles in different chains - but only one role at a given position within a single chain. This chain-scoping is essential: it prevents role conflicts and allows the same host to play different parts across campaigns.
Relations describe how entities actually interact: redirects, downloads, resolutions, drops, connections, references. Relations carry evidence - they assert something was observed, not assumed - and optionally carry ordering and timing.
Techniques describe recurring properties of infrastructure - CDN Abuse, Fast-Flux DNS, Geofenced Delivery, Multi-Hop Redirect. Unlike ATT&CK techniques, which describe behavior, IIM techniques describe infrastructure itself: hosting, routing, resolution, gating, composition.
A chain is a directed sequence of role positions, each carrying an entity and a set of techniques. Chains describe what was actually observed - a specific campaign's specific infrastructure at a specific time. They are the operational unit of IIM.
A pattern strips concrete entities from a chain, leaving only the structural fingerprint: role sequence, techniques, match semantics. Patterns are what federated feeds share. They match infrastructure that was never directly observed but follows the same operational logic.
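The entity/role/relation/chain/pattern split described above, worked through as an added example. This is illustration code written for this page, not the IIM project's own code: the class names, the role names (lure, redirector, stager, payload, c2), the field layout and the two match modes ("exact" and "subsequence") are assumptions, and the real IIM v1.1 JSON schema is not reproduced here. It shows one entity holding different roles in two chains, relations that must carry evidence and point forward, and a pattern derived from one observed chain matching a second chain whose entities were never seen.

```python
# Added example (not the IIM project's code): a toy model of chains, chain-scoped
# roles, evidence-bearing relations, and chain->pattern abstraction with matching.
# Class names, role names and field layout are assumptions; not the IIM v1.1 schema.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Entity:           # an observed artifact: identity only, no interpretation
    kind: str           # "domain", "ip", "url", "sha256", ...
    value: str

@dataclass(frozen=True)
class Position:         # one slot in a chain: exactly one role for this entity here
    role: str
    entity: Entity
    techniques: frozenset = frozenset()

@dataclass(frozen=True)
class Relation:         # an observed interaction between two positions
    src: int
    dst: int
    kind: str           # "redirects", "downloads", "resolves", "connects", ...
    evidence: str       # where it was seen: "pcap", "sandbox", "passive-dns", ...
    observed_at: Optional[str] = None   # optional timing

@dataclass
class Chain:
    chain_id: str
    positions: list
    relations: list = field(default_factory=list)

    def validate(self) -> list:
        # Directed: relations point forward. A relation without evidence asserts nothing.
        problems, n = [], len(self.positions)
        for r in self.relations:
            if not (0 <= r.src < r.dst < n):
                problems.append(f"{r.kind} {r.src}->{r.dst} is not forward-directed")
            if not r.evidence:
                problems.append(f"{r.kind} {r.src}->{r.dst} carries no evidence")
        return problems

    def role_of(self, entity: Entity) -> Optional[str]:
        # Roles are chain-scoped: the same entity may hold another role elsewhere.
        return next((p.role for p in self.positions if p.entity == entity), None)

@dataclass(frozen=True)
class Pattern:          # structural fingerprint: roles + techniques + match semantics
    roles: tuple
    techniques: tuple   # one frozenset per role position
    match: str = "exact"    # "exact" or "subsequence" (assumed modes)

def derive_pattern(chain: Chain, match: str = "exact") -> Pattern:
    # Strip concrete entities; keep only what generalizes across campaigns.
    return Pattern(tuple(p.role for p in chain.positions),
                   tuple(p.techniques for p in chain.positions), match)

def matches(pattern: Pattern, chain: Chain) -> bool:
    # A position fits when roles are equal and the pattern's techniques are a
    # subset of what was observed at that position.
    def fits(i: int, p: Position) -> bool:
        return p.role == pattern.roles[i] and pattern.techniques[i] <= p.techniques
    if pattern.match == "exact":
        return len(chain.positions) == len(pattern.roles) and all(
            fits(i, p) for i, p in enumerate(chain.positions))
    i = 0               # "subsequence": pattern roles in order, gaps allowed (greedy scan)
    for p in chain.positions:
        if i < len(pattern.roles) and fits(i, p):
            i += 1
    return i == len(pattern.roles)

# --- constructed sample data: documentation addresses and .example names, not real IOCs ---
def delivery_chain(cid, lure, redirector, stager_url, sha, c2) -> Chain:
    return Chain(cid, [
        Position("lure", Entity("domain", lure)),
        Position("redirector", redirector, frozenset({"CDN Abuse", "Multi-Hop Redirect"})),
        Position("stager", Entity("url", stager_url), frozenset({"Geofenced Delivery"})),
        Position("payload", Entity("sha256", sha)),
        Position("c2", Entity("domain", c2), frozenset({"Fast-Flux DNS"})),
    ], [Relation(0, 1, "redirects", "pcap", "2026-01-12T09:14:00Z"),
        Relation(1, 2, "redirects", "pcap"), Relation(2, 3, "downloads", "sandbox"),
        Relation(3, 4, "connects", "sandbox")])

shared_ip = Entity("ip", "203.0.113.10")
campaign_a = delivery_chain("campaign-a", "invoice-portal.example", shared_ip,
                            "https://cdn.example/dl/a.hta", "aa" * 32, "upd.example")
campaign_c = delivery_chain("campaign-c", "tax-refund.example", Entity("ip", "198.51.100.7"),
                            "https://edge.example/x/b.hta", "cc" * 32, "sync.example")
campaign_b = Chain("campaign-b", [          # same IP as A, but here it is the C2
    Position("lure", Entity("domain", "hr-docs.example")),
    Position("payload", Entity("sha256", "bb" * 32)),
    Position("c2", shared_ip),
], [Relation(0, 1, "downloads", "sandbox"), Relation(1, 2, "connects", "sandbox")])
bad_chain = Chain("bad", campaign_b.positions, [Relation(2, 0, "connects", "")])

def demo() -> dict:
    pattern = derive_pattern(campaign_a)
    return {
        "ip_roles": {c.chain_id: c.role_of(shared_ip) for c in (campaign_a, campaign_b)},
        "pattern_roles": pattern.roles,
        "matches_c": matches(pattern, campaign_c),    # True: unseen entities, same logic
        "matches_b": matches(pattern, campaign_b),    # False: different structure
        "bad_chain_problems": bad_chain.validate(),
    }
```

Calling `demo()` reports the shared IP as "redirector" in campaign-a and "c2" in campaign-b, the pattern derived from campaign-a matching campaign-c (none of whose entities appear in campaign-a) and not matching campaign-b, and two problems on the deliberately bad chain (a backward relation with no evidence). Technique comparison is subset-based so that a richer observation still matches a leaner pattern; whether IIM's actual match semantics work this way is not stated on this page.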
Drop role nodes onto the canvas, set their entity values, and attach infrastructure techniques. The builder emits a valid IIM v1.1 chain JSON in real time. Use it to understand the model, to annotate a campaign you are analyzing, or to sketch a pattern for federation.
This page is only a demo; the full IIM Workbench is at https://workbench.iim.malwarebox.eu
Click a role in the palette on the left to drop a node onto the chain. Chains are directed: entry first, terminal roles last.
Every technique describes a property of infrastructure itself - where it runs, how traffic flows, how it resolves, who it admits, how it is composed. Endpoint behavior is out of scope and belongs to ATT&CK. The two catalogs are complementary: together they cover both the behavioral and the infrastructural axis of a campaign.
A condensed view of the Gamaredon January 2026 delivery chain, annotated with IIM techniques. Infrastructure reads cleanly across five role positions. Behavioral ATT&CK annotations live on a separate axis and are not shown here - by design.