Public Roadmap

Where We Are & Where We're Going

Threatpedia is being built in the open. This roadmap tracks our progress from foundational content to a full-scale, peer-reviewed cyber threat encyclopedia.

How We Verify

Every article in Threatpedia carries a review status pill that tells you, at a glance, how much human verification has been applied. We publish early and iterate — nothing is hidden behind a certification gate. Here's what each status means:

AI Draft: Generated by an automated pipeline. Not yet reviewed by a human editor. Treat as a lead, not a source.
Human Draft: Written or significantly revised by a human contributor. Awaiting peer review.
Under Review: Actively being verified by an editor or peer reviewer. Facts and attribution may change.
Certified: Reviewed against Threatpedia's data standards: sources verified, attribution rated, MITRE-mapped. Safe to cite.
Disputed: A reviewer has flagged factual or interpretive concerns. Read with scrutiny.
Deprecated: Superseded by a newer article or removed from the active corpus. Kept for audit trail.

Articles also carry a confidence grade (A–F) reflecting source quality, attribution strength, and interpretive completeness. Together, review status and confidence grade let you calibrate trust at the article level without reading the whole archive.

Overall Progress: Phase 2 — 48%
Phase 1 — Foundation (Q1 2026): Live
Cybersecurity Glossary
1,045 terms with definitions, cross-references, and framework mappings. Searchable and browsable with role-based taxonomy filters.
1,045 terms live
Threat Actor Registry
38 tracked APT groups and threat actors with attribution, affiliation, motivation, tools, and campaign history. Cross-vendor alias normalization.
38 actors filterable live
Incident Report Archive
67 documented security incidents with threat actor profiles, attack vectors, MITRE ATT&CK mapping, and impact analysis.
67 reports live
Campaign Dossiers
8 ongoing multi-event operations and persistent threat campaigns — tracked with attribution, TTPs, related incidents, and timeline data.
8 campaigns live
Zero-Day Exploit Registry
39 tracked zero-day vulnerabilities with CVEs, platform details, patch status, and links to related incidents and threat actors.
39 exploits live
Universal Site Search
Cross-index search across glossary, threat actors, campaigns, and incidents with keyboard navigation and categorized results.
Live Incident Ticker
Scrolling marquee in the nav bar showing the latest incidents with severity-coded badges.
Astro Static Site
Migrated from vanilla HTML to Astro 5 with content collections, Zod schema validation, and GitHub Pages deployment. Unified layout and component system.
Astro 5 content collections
Phase 2 — Pipeline & Soft Launch (Q2 2026): Building
Spec-Driven Content Pipeline
Rebuilding the article generation pipeline against a ratified spec suite — ingestion, source schema, editorial workflow, scraper contract, and coordination rules. Ensures every new article meets the DATA-STANDARDS v1.0 schema before publication.
7 specs in flight schema-validated
Automated Discovery Pipeline
High-trust feed ingestion (CISA KEV, NVD/CVE, CISA Advisories, NCSC UK, vendor PSIRTs) with a confidence-scored triage layer. Above-threshold events auto-draft articles; below-threshold events are flagged for human review.
CISA KEV NVD NCSC UK confidence-scored
MITRE ATT&CK v19 Refresh
Update technique mappings to ATT&CK v19 (releasing April 28, 2026). Key change: Defense Evasion tactic split. Additive update — existing articles declare their version so the migration is non-breaking.
Apr 28, 2026 non-breaking
Framework Mapping Expansion
First-class schema support for NIST CSF, Lockheed Martin Cyber Kill Chain, and MITRE ATLAS (adversarial ML). Generic framework-mapping field so new frameworks can be added without schema migrations.
NIST CSF Kill Chain ATLAS
Glossary-to-Report Auto-linking
Inline tooltips surfacing glossary definitions on hover throughout incident, campaign, and actor pages. Candidate-term pipeline already active; tooltip UI pending deployment.
client-side hover previews
X/Twitter Syndication
Automated social syndication of newly published incidents, campaigns, and zero-days to @threatpedia. Short-form threat intel posts with severity badges and direct article links. The signal channel for the soft launch.
@threatpedia auto-syndication soft launch
Collection Index Filtering
Filter chips (sector, geography, attack type, severity), column sorting, and URL-parameter state across all collection index pages. Enables geography and sector-based navigation across the corpus.
filter chips url state
Soft Launch
Public milestone: reliable article generation + X syndication live. Threatpedia begins publishing new threat intelligence at cadence, syndicated to the security community via X.
milestone
Phase 3 — Visualization & Intelligence (Q3 2026): Planned
Global Threat Map
Interactive world map showing threat actor origins, targets, and active campaigns. Real-time incident overlay with drill-down.
interactive real-time
MITRE ATT&CK Navigator Integration
Visual technique heatmaps per threat actor and per incident, overlaid on the ATT&CK framework matrix.
Trend Analytics Dashboard
Time-series analysis of attack types, sectors targeted, geographies, and threat actor activity. Exportable charts and reports.
Threat Actor Lineage Graphs
Visual succession and heritage tracking for threat actors — e.g. Wizard Spider → Conti → Royal → Black Basta. Captures soft and hard splits, shared infrastructure, and tool inheritance.
d3 graphs successorOf / precursorOf
Malware Family Registry
First-class entity type for malware families with variant tracking, hash storage (SHA-256), lineage/fork trees, and attribution chains to APTs and incidents. Seeded from Malpedia with curator enrichment.
Malpedia integration hash-only family lineage
Exploit & Zero-Day Visualization Layer
Interactive visualizations for exploit and zero-day intelligence: ATT&CK heatmaps per exploit family, timeline graphs, weaponization funnel charts, and patch adoption tracking.
interactive ATT&CK heatmaps timeline graphs
Community Intelligence Aggregation
Inbound monitoring of threat intelligence from X/Twitter, RSS, and cybersecurity community channels — feeding leads into the discovery pipeline's scoring engine. Complements Phase 2's outbound X syndication.
inbound X/Twitter RSS
Phase 4 — Community & Hard Launch (Q4 2026+): Future
Contributor Portal
Submission interface for new incidents, corrections, and lead intake. GitHub OAuth login with MFA enforcement and role-based access. Contributors can claim articles from the review queue or submit leads (URLs, tips, observations) into the discovery pipeline.
GitHub OAuth MFA required role-based
Peer Review Workflow
Structured review and approval pipeline for AI-generated articles. Contributor accepts an article from the queue (72-hour claim window), submits structured verification, and signs off as reviewer of record. Multi-reviewer thresholds for certified status; full audit trail and version history.
72-hr claim audit trail
Founding Member Program
Small cohort of vetted security professionals, researchers, and analysts — initially 2-3 trusted collaborators, growing to a broader editorial board. Contributor roles, recognition, and reviewed-by attribution on articles they certify.
API & Data Exports
Public REST API for programmatic access to threat intelligence data. Structured exports in STIX 2.1, CSV, and JSON formats. Rate-limited free tier plus programmatic bulk access for research use.
REST API STIX 2.1 JSON
Hard Launch
Public milestone: contributor portal live, peer review battle-tested with founding members, historical backfill underway. Public call for volunteer reviewers and researchers. Threatpedia opens its doors as a community-curated encyclopedia.
milestone volunteer call
Last updated: April 16, 2026 — This roadmap is a living document and subject to change.