Thank you for your interest in contributing to ThreatActor.info! This guide will help you understand how to contribute effectively to our threat intelligence wiki.
- Adding New Threat Actors
- Updating Existing Information
- Improving Content Quality
- Enhancing Features
- Reporting Issues
- Improving Documentation
- Basic knowledge of Markdown
- Understanding of YAML syntax
- Git and GitHub account
- Local development environment (optional)
-
Fork the repository
# Fork on GitHub, then clone your fork git clone https://github.com/your-username/threatactor-info.git cd threatactor-info
-
Install dependencies (for local testing)
gem install bundler -v 2.5.10 bundle install
-
Run locally (optional)
ruby scripts/generate-indexes.rb ruby scripts/validate-content.rb bundle exec jekyll serve # Visit http://localhost:4000
This command adds a new threat actor to _data/actors/ and generates the page:
ruby scripts/actor-creator.rb new --name "Name" --alias "Alias1" --alias "Alias2" --country "Country" --description "Brief description"What it does:
- Creates
_data/actors/<url>.ymlwith required fields - Generates
_threat_actors/<url>.mdfrom template - Runs
generate-indexes.rbto update JSON artifacts
Example:
ruby scripts/actor-creator.rb new \
--name "Lazarus Group" \
--alias "Hidden Cobra" \
--alias "Guardians of the Peace" \
--alias "Zinc" \
--country "KP" \
--description "North Korea state-sponsored threat actor" \
--risk-level "Critical" \
--url "/lazarus-group"After running:
- Edit
_data/actors/lazarus-group.ymlto add more fields (sector_focus, first_seen, etc.) - Edit
_threat_actors/lazarus-group.mdto add detailed content sections - Run
ruby scripts/validate-content.rbto verify - Commit and submit PR
For manual YAML-first workflows, keep Markdown in sync using docs/new-actor-checklist.md.
After imports or bulk YAML changes, follow Keeping actor pages current so _threat_actors/*.md, _data/generated/*, and api/* stay aligned with provenance and actor fields in YAML.
- Keeping actor pages current: Regenerate pages/indexes after imports; commit paths; CI vs weekly vs import-sources
- Schema Reference: YAML fields, types, and validation rules for threat actor data
- Importer Guide: Source import workflows (MITRE ATT&CK, MISP Galaxy, RansomLook)
Run source importers first and let the automation update actor shards:
- name: "Threat Actor Name"
aliases: ["Alias 1", "Alias 2"]
description: "Brief description of the threat actor"
url: "/threat-actor-name"
country: "Country of Origin"
sector_focus: ["Sector 1", "Sector 2"]
first_seen: "YYYY"
last_activity: "YYYY"
risk_level: "High|Critical|Medium|Low"Generate _threat_actors/*.md with:
ruby scripts/generate-pages.rb --forceGenerated pages follow this structure:
---
layout: threat_actor
title: "Threat Actor Name"
aliases: ["Alias 1", "Alias 2"]
description: "Brief description"
permalink: /threat-actor-name/
country: "Country"
sector_focus: ["Sector 1", "Sector 2"]
first_seen: "YYYY"
last_activity: "YYYY"
risk_level: "High"
---
## Introduction
Detailed introduction about the threat actor...
## Activities and Tactics
Information about their activities...
## Notable Campaigns
List of major campaigns...
## Tactics, Techniques, and Procedures (TTPs)
MITRE ATT&CK techniques...
## Notable Indicators of Compromise (IOCs)
IPs, domains, hashes...
## Emulating TTPs with Atomic Red Team
Links to relevant Atomic Red Team tests...
## Malware and Tools
Associated malware and tools...
## Attribution and Evidence
Attribution information...
## References
Links to reports and analysis...
## External Links
- [Wikipedia](https://en.wikipedia.org/wiki/...)
- [MITRE ATT&CK](https://attack.mitre.org/groups/...)- Name: Primary threat actor name
- Aliases: All known aliases and alternative names
- Description: Brief, factual description
- Country: Country of origin (if known)
- Sector Focus: Target sectors and industries
- Risk Level: Threat assessment level
- Accuracy: Ensure all information is accurate and verifiable
- Sources: Include references and citations
- Neutrality: Maintain objective, factual tone
- Completeness: Include all available metadata fields
- Format: Follow the established content structure
- Language: Use clear, professional language
- Critical: Immediate threat, active destructive campaigns
- High: Significant threat, regular activity
- Medium: Moderate threat, occasional activity
- Low: Limited threat, minimal activity
- Refresh source snapshots/importers
- Regenerate pages with
ruby scripts/generate-pages.rb --force - Regenerate JSON artifacts with
ruby scripts/generate-indexes.rb - Run validation with
ruby scripts/validate-content.rb - Test locally to ensure everything works
- Submit a pull request
- Use
ruby scripts/import-ransomlook.rb fetchto create a local RansomLook snapshot - Use
ruby scripts/import-ransomlook.rb plan --snapshot ...before writing anything - Use
ruby scripts/import-ransomlook.rb import --snapshot ...only after reviewing the proposed changes - Keep reviewed rename and alias exceptions in
data/imports/ransomlook/mapping_overrides.yml - Keep imported content conservative; do not auto-import volatile IOCs or leak-site infrastructure
- Preserve CC BY 4.0 attribution when using RansomLook-derived data
- Fork the repository
- Create a feature branch
git checkout -b feature/your-feature-name
- Make your changes
- Test locally
- Commit your changes
git commit -m "Add: Brief description of changes" - Push to your fork
git push origin feature/your-feature-name
- Create a pull request
- HTML: Use semantic HTML5 elements
- CSS: Follow BEM methodology for class naming
- JavaScript: Use modern ES6+ features
- YAML: Use consistent indentation (2 spaces)
- Markdown: Follow standard Markdown conventions
When reporting bugs, please include:
- Description: Clear description of the issue
- Steps to Reproduce: How to reproduce the bug
- Expected Behavior: What should happen
- Actual Behavior: What actually happens
- Environment: Browser, OS, device information
- Screenshots: If applicable
When requesting features, please include:
- Description: Clear description of the feature
- Use Case: Why this feature would be useful
- Proposed Solution: How you think it should work
- Alternatives: Other solutions you've considered
- Test your changes locally
- Check for errors in the build
- Ensure consistency with existing code
- Update documentation if needed
- Add tests for new features
_threat_actors/is generated from_data/actors/*.yml; avoid manual page edits unless debugging generation logicruby scripts/generate-indexes.rbrebuilds actor, IOC, facet, campaign, malware, ATT&CK mapping, reference, IOC lookup, and IOC type-shard artifacts under_data/generated/- The generator also refreshes static query helpers under
api/, including/api/ioc-lookup.json,/api/ioc-types.json, and/api/iocs/by-type/*.json - The search UI and static API endpoints under
api/read those generated artifacts, so regenerate them after content edits ruby scripts/validate-content.rbnow checks collection config, exact section headings, orphan pages, generated JSON parseability, and IOC shard structuredocs/api.mddocuments the static API response shapes and IOC query patterns for downstream consumersdocs/importers.mddocuments the manual importer workflow and attribution requirements for source-derived content
## Description
Brief description of changes
## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Documentation update
- [ ] Content addition/update
- [ ] Other (please describe)
## Testing
- [ ] Tested locally
- [ ] No build errors
- [ ] Content verified
## Checklist
- [ ] Code follows style guidelines
- [ ] Self-review completed
- [ ] Documentation updated
- [ ] No breaking changes-
Add Missing Threat Actors
- APT groups from different countries
- Ransomware operations
- Cybercriminal organizations
-
Improve Content Quality
- Add more detailed TTPs
- Include more IOCs
- Add MITRE ATT&CK mappings
-
Enhance Search Features
- Add more filter options
- Improve search performance
- Add search suggestions
-
UI/UX Improvements
- Better mobile experience
- Dark mode support
- Accessibility improvements
-
Data Quality
- Standardize content format
- Add validation rules
- Improve data consistency
-
Documentation
- API documentation
- User guides
- Developer documentation
- No Personal Information: Do not include personal details
- No Classified Information: Only use publicly available sources
- IOC Sanitization: All IOCs are for educational purposes
- Attribution: Always cite sources and references
If you discover security vulnerabilities:
- Do not create public issues
- Email security concerns to the maintainers
- Wait for acknowledgment before public disclosure
- Follow responsible disclosure practices
- Be Respectful: Treat everyone with respect
- Be Inclusive: Welcome contributors from all backgrounds
- Be Constructive: Provide helpful feedback
- Be Professional: Maintain professional communication
- GitHub Issues: For bugs and feature requests
- GitHub Discussions: For general questions and ideas
- Pull Requests: For code and content contributions
- Email: For security concerns
Contributors will be recognized in:
- README: Listed as contributors
- Release Notes: Acknowledged in updates
- Community: Featured in community highlights
- GitHub Issues: For technical questions
- GitHub Discussions: For general questions
- Documentation: Check existing docs first
- Community: Ask in discussions
- GitHub: @maintainer-username
- Email: maintainer@example.com
- Twitter: @threatactorinfo
By contributing to ThreatActor.info, you agree that your contributions will be licensed under The Unlicense (public domain).
Thank you for contributing to ThreatActor.info! Your contributions help build a stronger, more informed cybersecurity community.