An open-source community library of threat hunting hypotheses, powered by the PEAK framework and AI.
Built by THE THOR Collective
Explore the Database · Submit a Hunt · Report a Bug · Request a Feature
Generating effective, timely threat hunts is hard. You're staring at logs wondering where to start, or you're reading CTI reports and thinking "someone should hunt for this" — but writing up the hypothesis takes time you don't have.
HEARTH is a community-curated library of 130+ threat hunting hypotheses that security teams can use, adapt, and build on. Submit a CTI link and our AI pipeline drafts a complete hunt hypothesis for you. Or browse what others have shared, fork what works, and contribute back.
Every hunt is categorized using the PEAK Threat Hunting Framework, giving you structured, actionable starting points — not vague ideas.
HEARTH organizes hunts into three categories based on the PEAK framework. Each serves a different hunting approach:
Flames (Hypothesis-Driven): Classic threat hunting. You have a specific theory about adversary behavior and you go looking for evidence. "An adversary is using DLL side-loading to maintain persistence via a legitimate application."
Embers (Baseline): Understand your environment before the bad stuff happens. Establish baselines, find anomalies, and discover what "normal" looks like so you can spot what isn't.
Alchemy (Model-Assisted): Algorithmic and ML-powered approaches. Statistical analysis, clustering, and other techniques that let the data surface threats you might not think to look for.
We've made contributing as frictionless as possible. Two paths:
CTI submission: have a great threat intel report? Paste the URL and let our AI pipeline do the work.
- Open a CTI Submission →
- Paste the URL and your name for attribution.
- Our bot reads the report, drafts a hunt, checks for duplicates, and opens a PR for review.
Manual submission: already have a hypothesis? Submit it directly.
- Open a Manual Submission →
- Fill out the template with your hypothesis, tactic, and references.
- Maintainers review and merge.
All approved submissions are credited on the Contributors Leaderboard.
| Feature | Description |
|---|---|
| Interactive Database | Searchable, filterable, sortable interface for all hunts. Find what you need fast. |
| AI-Powered CTI Analysis | Submit a CTI link — Claude reads, analyzes, and drafts a complete hunt hypothesis automatically. |
| MITRE ATT&CK Integration | Validates technique IDs against the full Enterprise framework (691 techniques, 99% accuracy). |
| Duplicate Detection | AI-powered similarity analysis flags potential duplicates before they're merged. 30-60x faster with SQLite indexing. |
| Automated Workflows | GitHub Actions manage the full submission lifecycle — from draft to PR to merge. |
| Review & Regeneration | Maintainers can re-roll AI-generated hunts by adding a regenerate label — iterate until it's right. |
| Contributor Leaderboard | Automated tracking of submissions. We celebrate our community. |
Architecture
- Markdown files in `Flames/`, `Embers/`, and `Alchemy/` are the source of truth: human-readable, version-controlled, and easy to contribute to via standard Git workflows.
- A SQLite database (`database/hunts.db`) provides fast querying for duplicate detection. It is rebuilt automatically when hunt files change and makes duplicate detection 30-60x faster in GitHub Actions. See `database/README.md` for details.
Content Extraction (CTI submissions)
- Compression: Brotli, Zstandard, and Gzip
- JS Rendering: Falls back to readability-lxml for JS-heavy sites
- Formats: HTML, PDF, and DOCX
- Smart Parsing: Extracts article content from common blog/report structures
ATT&CK Validation
- 691 Techniques: Complete Enterprise ATT&CK framework indexed
- Real-time Validation: Technique IDs validated against MITRE data
- Confidence Scoring: Multi-tier fallback (MITRE → table → keywords)
Automated Pipeline
- Duplicate detection via vector embeddings
- AI-powered hunt generation from CTI sources
- Automatic database maintenance on file changes
- TTP diversity analysis and content validation
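The two checks above, the SQLite-backed duplicate search and the tiered technique-ID validation, are illustrated by the following added example. It is not HEARTH's own code: the hunt files, the three-entry MITRE table and the draft hypothesis are constructed for the example, the `Hypothesis:`/`Technique:` line layout is an assumption, and a bag-of-words cosine similarity stands in for the vector embeddings the real pipeline uses.

```python
"""Added example (not part of the HEARTH code base).

Indexes hunt markdown files into SQLite, flags near-duplicate hypotheses with a
cosine similarity, and validates ATT&CK technique references with the same
three-tier fallback the pipeline describes (MITRE ID -> name table -> keywords).
"""
import math
import re
import sqlite3
from collections import Counter

# Constructed subset of Enterprise ATT&CK (ID -> name); the real index holds all 691.
MITRE_TECHNIQUES = {
    "T1574.002": "Hijack Execution Flow: DLL Side-Loading",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
}
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed hunt files; the 'Key: value' line layout is an assumption.
SAMPLE_HUNTS = {
    "Flames/H001.md": "Hypothesis: An adversary is using DLL side-loading to maintain "
                      "persistence via a legitimate application.\nTechnique: T1574.002\n",
    "Flames/H002.md": "Hypothesis: An adversary is creating scheduled tasks to maintain "
                      "persistence on workstations.\nTechnique: T1053.005\n",
    "Embers/B001.md": "Hypothesis: Baseline PowerShell execution per host to identify hosts "
                      "with unusual script volume.\nTechnique: T1059.001\n",
}


def tokenize(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def parse_hunt(body: str) -> dict:
    """Pull 'Key: value' lines out of a hunt file; keys are lower-cased."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def build_database(hunts: dict, path: str = ":memory:") -> sqlite3.Connection:
    """Rebuild the hunt index from the markdown files (parameterized SQL only)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS hunts "
                 "(path TEXT PRIMARY KEY, category TEXT, technique TEXT, hypothesis TEXT)")
    for file_path, body in hunts.items():
        f = parse_hunt(body)
        conn.execute("INSERT OR REPLACE INTO hunts VALUES (?, ?, ?, ?)",
                     (file_path, file_path.split("/")[0], f.get("technique", ""),
                      f.get("hypothesis", "")))
    conn.commit()
    return conn


def find_duplicates(conn: sqlite3.Connection, hypothesis: str, threshold: float = 0.8):
    """Return [(path, score)] for stored hunts whose hypothesis is at least `threshold` similar."""
    draft = Counter(tokenize(hypothesis))
    rows = conn.execute("SELECT path, hypothesis FROM hunts").fetchall()
    scored = [(p, round(cosine(draft, Counter(tokenize(h))), 3)) for p, h in rows]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


def validate_technique(tag: str) -> tuple:
    """Tiered lookup: exact MITRE ID (1.0) -> technique name (0.8) -> keyword overlap (0.5).

    A well-formed but unknown ID such as T9999 is rejected rather than trusted,
    which is the case that catches a hallucinated technique in an AI draft.
    """
    tag = tag.strip()
    if TECHNIQUE_ID_RE.match(tag) and tag in MITRE_TECHNIQUES:
        return tag, 1.0
    for tid, name in MITRE_TECHNIQUES.items():
        if tag.lower() == name.lower():
            return tid, 0.8
    words = set(tokenize(tag))
    best, score = None, 0.0
    for tid, name in MITRE_TECHNIQUES.items():
        overlap = len(words & set(tokenize(name))) / max(len(words), 1)
        if overlap > score:
            best, score = tid, overlap
    return (best, 0.5) if score >= 0.5 else (None, 0.0)


if __name__ == "__main__":
    db = build_database(SAMPLE_HUNTS)
    draft = ("An adversary is using DLL side-loading to maintain persistence "
             "via a legitimate signed application.")
    print(find_duplicates(db, draft))
    print(validate_technique("T1574.002"), validate_technique("T9999"))
```

The draft in the usage block differs from `Flames/H001.md` by a single word and scores above the threshold, so a reviewer would see it flagged before the PR is opened; the two other hunts score well below it. Tune the threshold against your own corpus: bag-of-words cosine over-rewards shared filler words, which is exactly why the production pipeline uses embeddings instead.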
Further reading: Database Architecture · Optimization Guide · Testing Guide · Scripts · Workflows
Built With
- Frontend: HTML5, CSS3, Vanilla JavaScript
- Backend & Automation: GitHub Actions, Python, Claude (Anthropic) API, OpenAI API, SQLite
- Hosting: GitHub Pages
Configuration
For maintainers and self-hosted instances, HEARTH is configured via environment variables.
| Variable | Description | Default | Required |
|---|---|---|---|
| `AI_PROVIDER` | AI provider (`claude` or `openai`) | `claude` | No |
| `ANTHROPIC_API_KEY` | API key for Claude | - | Yes (for Claude) |
| `OPENAI_API_KEY` | API key for OpenAI | - | Yes (for OpenAI) |
| `CLAUDE_MODEL` | Claude model version | `claude-sonnet-4-5-20250929` | No |
GitHub Actions setup: Set `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, and `HEARTH_TOKEN` as Repository Secrets. Optionally set `AI_PROVIDER` and `CLAUDE_MODEL` as Repository Variables. Keep the API keys and token in Secrets only: Repository Variables are not encrypted or masked in workflow logs, so a key placed there can leak through job output.
Troubleshooting
"Failed to retrieve or process content from the URL"
- Verify the URL is correct and publicly accessible
- Check if the article requires authentication or is behind a paywall
- Try submitting content manually instead
Content appears garbled or incomplete
- The system now supports Brotli and Zstandard compression
- If issues persist, try the manual submission workflow
Duplicate detection is slow or failing
- Database auto-rebuilds on file changes
- Maintainers can manually rebuild: `python scripts/build_hunt_database.py --rebuild`
- See `database/README.md`
Database appears out of sync
- Auto-updates via GitHub Actions on every merge to main
- For local testing: `python scripts/build_hunt_database.py`
For other issues, check existing issues or open a new one.
Distributed under the MIT License. See LICENSE for details.
HEARTH is a project of THE THOR Collective, co-founded and maintained by:
- Lauren Proehl (@jotunvillur)
- Sydney Marrone (@letswastetime)
- John Grageda (@AngryInfoSecGuy)
Built by the security community. See the full Contributors Leaderboard for everyone who has contributed hunts.
Keep the HEARTH burning.
