Build a chain.
Add entities you observed, assign them to role positions in the chain, annotate with techniques, and declare the relations between them. The Workbench validates as you go and can export the result as a pattern or a STIX 2.1 bundle.
Metadata Step 1
Entities Step 2
Chain Positions Step 3
Relations Step 4
Generated JSON
Export
Convert the chain into a reusable pattern (for publishing as a feed) or into a STIX 2.1 bundle (for MISP, OpenCTI, TAXII servers).
e1, e2) are your shorthand — use them to reference entities in Chain Positions and Relations. The Workbench re-maps everything on export.
Visualize a chain or pattern.
Render IIM chains and patterns as interactive diagrams. Switch between linear flow (chain-like) and graph (relation-rich) modes. Paste JSON, load from the Chain Builder, or pick from the reference library.
Nothing to visualize yet
Paste a chain or pattern on the left, import from the Chain Builder, or pick one from the reference library.
Interop · STIX 2.1.
Convert between IIM chains and STIX 2.1 bundles in both directions.
IIM → STIX is lossless — every IIM concept survives with x_iim_* custom properties.
STIX → IIM is an enrichment workflow — STIX lacks role semantics, ordered chains, and infrastructure techniques, so the import infers what it can, marks everything uncertain, and produces a report of what needs analyst review.
Direction Step 1
Input
Output
infrastructure_types and techniques recovered from attack-pattern references are marked tentative. Any chain with inferred annotations carries needs_review: true — treat it as a starting point, not a finished analysis.
Technique catalog.
Browse all 26 infrastructure techniques defined in IIM v1.0. Search by ID, name, or keyword. Click any card for the full definition, indicators, and examples.
Validate any chain or pattern.
Paste an existing IIM chain or pattern JSON on the left. The Workbench runs a full structural check — entity references, role validity, technique IDs against the loaded catalog, relation integrity, sequence ordering.
Input JSON
Result
Paste JSON and click Validate to see results here.
How this works.
The IIM Workbench is a local tool for building and validating IIM chains and patterns. Nothing leaves your machine — the Flask server runs on localhost and the technique catalog is loaded from a local JSON file.
What you can do
- Build a chain — add entities, assign role positions, annotate techniques, declare relations. The JSON output updates live.
- Browse techniques — full searchable catalog with definitions, indicators, examples, and ATT&CK cross-references.
- Validate — paste any IIM chain or pattern and get a structured validation report with errors and warnings.
- Export to pattern — abstract a concrete chain into a reusable feed pattern (entity values stripped, shape preserved).
- Export to STIX 2.1 — complete bundle with Infrastructure, Indicator, Attack-Pattern, and Relationship objects. Deterministic UUIDs make round-trips stable.
API endpoints
/api/health — liveness + catalog version/api/catalog — full technique catalog/api/techniques?q=<search>&category=<cat>/api/techniques/<ID> — e.g. /api/techniques/IIM-T019/api/validate/chain — body: chain JSON/api/validate/pattern — body: pattern JSON/api/export/stix — body: chain JSON → STIX bundle/api/export/pattern — body: {chain, pattern_id, name, match_semantics}CLI mode
python iim_workbench.py — start the server (default port 5000)
python iim_workbench.py --port 8080 — custom port
python iim_workbench.py --validate chain.json — validate from CLI, exit 0/1
python iim_workbench.py --stix chain.json — export to STIX and print
python iim_workbench.py --catalog /path/to/catalog.json — custom catalog location