---
code_id: 179109
site_ownership_code: "INL"
open_source: false
landing_contact: "agradmin@inl.gov"
project_type: "CS"
software_type: "S"
official_use_only: {}
developers:
- email: ""
  orcid: ""
  first_name: "Tony"
  last_name: "Paul"
  middle_name: ""
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
- email: ""
  orcid: ""
  first_name: "Scott"
  last_name: "Bowman"
  middle_name: "T"
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
- email: ""
  orcid: ""
  first_name: "Adam"
  last_name: "Pluth"
  middle_name: "J"
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
- email: ""
  orcid: "0009-0006-0011-1116"
  first_name: "Anna"
  last_name: "Quach"
  middle_name: "T"
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
- email: ""
  orcid: ""
  first_name: "Bradley"
  last_name: "Marx"
  middle_name: "E"
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
- email: ""
  orcid: ""
  first_name: "Edward"
  last_name: "Ramos"
  middle_name: "A"
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
- email: ""
  orcid: ""
  first_name: "Shaw"
  last_name: "Wen"
  middle_name: "X"
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
- email: ""
  orcid: ""
  first_name: "Brandon"
  last_name: "Biggs"
  middle_name: "S"
  affiliations:
  - "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
contributors: []
sponsoring_organizations:
- organization_name: "USDOE Office of Nuclear Energy (NE)"
  funding_identifiers: []
  primary_award: "AC07-05ID14517"
  DOE: true
contributing_organizations: []
research_organizations:
- organization_name: "Idaho National Laboratory (INL), Idaho Falls, ID (United States)"
  DOE: true
related_identifiers: []
award_dois: []
release_date: "2026-02-12"
software_title: "Cyote-attack Chain Estimator"
acronym: "CyOTE:-ACE"
doi: "https://doi.org/10.11578/dc.20260413.3"
description: "Attack Chain Estimator (ACE) Application\nOverview\nThe Attack Chain\
  \ Estimator (ACE) Application is a sophisticated tool designed for the ingestion,\
  \ classification, sequencing, and enrichment of cybersecurity threat reports. This\
  \ application leverages advanced machine learning models and extensive historical\
  \ data to provide comprehensive insights into cyber threats, specifically targeting\
  \ Industrial Control Systems (ICS).\n\nPurpose\nThe primary functions of the ACE\
  \ Application include:\n\nIngestion of Cybersecurity Threat Reporting:\n\nCapable\
  \ of ingesting text-based threat reports in markdown or text file format.\nSupports\
  \ ingestion of structured data from other sources in STIX/JSON format.\nClassification\
  \ of Report’s Text-Based Events:\n\nUtilizes a DeBERTa classifier, specifically\
  \ trained on cybersecurity data, to map the events to MITRE ATT&CK for ICS Tactics\
  \ and Techniques.\nClassification is performed using multiple Jupyter notebooks\
  \ and machine learning workflows hosted as FastAPI microservices:\nregex_data\n\
  deberta_base_35_train_hft_classifier_mlflow.ipynb\nhft_regex_classifier_mlflow.ipynb\n\
  param_train_hft_classifier_mlflow.ipynb\nregex_tactic_tech.ipynb\n\nOrdering of\
  \ Tactics, Techniques, and Observable Events:\n\nSequences the identified tactics,\
  \ techniques, and events to form a coherent attack chain.\nEnrichment with Historical\
  \ Attack Chain Details:\n\nEnhances the attack chain with details from historical\
  \ attacks using a Markov model developed from CyOTE Precursor Analysis Report data.\n\
  The Markov model is available as a FastAPI endpoint for seamless integration.\n\
  Enrichment with Adversary Emulation Capabilities Data:\n\nIntegrates adversary emulation\
  \ capabilities data using MITRE Caldera for OT adversary abilities UUIDs.\nExport\
  \ of Output Files:\n\nProvides options to export the enriched attack chain in JSON\
  \ or CSV formats.\nRouting of Output to Other Applications:\n\nFacilitates routing\
  \ of output to various platforms and applications, including:\nThreat Intelligence\
  \ Platforms\nCOREII Scout for Threat Intelligence Analysis\nCOREII Modeling and\
  \ Simulation for Adversary Emulation\nTechnical Description\nThe ACE Application\
  \ is an advanced cybersecurity tool designed to provide detailed threat analysis\
  \ and sequence generation. It is built on a robust architecture that integrates\
  \ natural language processing, machine learning, and historical data modeling.\n\
  \nKey Components:\n\nData Ingestion Module: Handles the input of threat reports\
  \ and data from various formats, ensuring flexibility in data sources.\nClassification\
  \ Engine: Employs DeBERTa-based classifiers hosted as FastAPI microservices to analyze\
  \ and classify threat report events in accordance with the MITRE ATT&CK framework\
  \ for ICS.\nSequence Generator: Orders the classified events into a logical attack\
  \ chain, providing clear insight into the sequence of tactics and techniques used\
  \ in the threat.\nEnrichment Engine: Integrates historical data and adversary emulation\
  \ capabilities to enhance the attack chain with valuable context and additional\
  \ details. The historical data enrichment is powered by a Markov model, which is\
  \ available as a FastAPI endpoint.\nExport and Routing Module: Facilitates the export\
  \ of the enriched attack chain in multiple formats and routes the output to designated\
  \ applications for further analysis or emulation."
programming_languages:
- "React, TypeScript, Vite, TailwindCSS, and DaisyUI"
country_of_origin: "United States"
project_keywords: []
licenses: []
recipient_org: "INL"
file_name: "Attack-Chain-Estimator-ACE--release.zip"
date_record_added: "2026-04-13"
date_record_updated: "2026-04-13"
is_file_certified: true
last_editor: "zurisaday.bravo@inl.gov"
is_limited: false
links:
- rel: "citation"
  href: "https://www.osti.gov/doecode/biblio/179109"
