gs-ai/ACE-T

ACE-T SPECTRUM v3

Python 3.11

ACE-T SPECTRUM v3 is the active release of the Advanced Cyber-Enabled Threat Intelligence platform. It delivers unified ingestion, deterministic scoring, and interactive graph visualization for operational threat intelligence workflows.

Directory Map (Current and Correct)

  • scripts/: all Python source code and runtime modules (agents, src, core, db, graph, adapters)
  • graph/: viewer assets (ace_t_spectrum_3d.html, index.html, Three.js vendor files) and generated graph outputs
  • data/: generated ingest/cache directories (scaffolded with .gitkeep)
  • config/: source/feed configuration (ingest_sources.yaml)
  • db/: SQL schema artifacts (schema.sql)
  • docs/: documentation (this file, runbook, ThreatFox summary)
  • src/: environment spec (environment.yml)
  • run_graph_viewer.sh: primary launcher
  • requirements.txt / requirements.lock.txt: dependency manifests
  • outside_data/ (local-only): key files and local caches used at runtime

What v3 Provides

  • Unified graph build path for batch, streaming, and live polling modes.
  • Multi-source ingestion for incidents, infrastructure intel, and enrichment.
  • Deterministic scoring outputs (prediction_score, prediction_label).
  • Graph metadata summary (prediction_summary) for quick posture review.
  • Viewer-ready JSON artifact generation with bounded edge expansion for performance.

Release Highlights (v3 vs v2)

  • Unified internal pipeline (_build_graph_payload, _record_to_node, _predict_record) across build modes.
  • ThreatFox integrated as a first-class feed in the main graph pipeline.
  • Source controls centralized in config/ingest_sources.yaml.
  • Edge cap via ACE_T_MAX_EDGES_PER_NODE (default 24) to improve render scalability.
  • Cleaner launch surfaces with shell wrappers and script-based module execution.

Quick Start

Run from SPECTRUMv3:

conda env create -f src/environment.yml
conda activate ace-t-env
pip install -r requirements.txt

Launch viewer:

bash run_graph_viewer.sh

Run tiered ingest:

bash scripts/run_tiered_ingest.sh

Run agents:

bash scripts/run_agents.sh

Operating Modes

Examples:

python3 scripts/graph/build_graph.py
python3 scripts/graph/build_graph.py --streaming
ACE_T_LIVE_POLL_INTERVAL=300 python3 scripts/graph/build_graph.py --live

Data Source Coverage

Primary incident feed

  • ransomware.live

Infrastructure intelligence

  • abuse.ch threatfox
  • abuse.ch urlhaus
  • abuse.ch feodotracker
  • c2intelfeeds (verified + 30d)
  • montysecurity c2 tracker
  • carbon black c2

Reputation enrichment

  • blocklist_de
  • ipsum levels (3-8)

Background context

  • cisa_kev
  • optional nvd_cve (disabled by default)

Config path: config/ingest_sources.yaml
Legend/source colors: graph/data/sources.json

Output Artifacts

  • graph/graph_3d.json
  • graph/graph_3d_render.json
  • graph/data/sources.json

Environment Controls

  • RANSOMWARE_LIVE_API_KEY: override key file usage
  • ACE_T_ENABLE_STREAMING=1: enable streaming mode
  • ACE_T_FORCE_BUILD=1: force rebuild
  • ACE_T_SKIP_BUILD=1: reuse existing artifacts
  • ACE_T_LIVE_POLL_INTERVAL=<seconds>: live polling interval
  • ACE_T_MAX_EDGES_PER_NODE=<int>: edge cap (default 24)
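
The edge cap above, sketched as an added example (not ACE-T's own code): it reads ACE_T_MAX_EDGES_PER_NODE and prunes an edge list so no node keeps more than that many edges, in a fixed order so repeated builds give the same graph. The edge fields (source, target, weight), the heaviest-first strategy, and the fallback to 24 on invalid values are assumptions; the project's actual pruning logic is not shown on this page.

```python
import os
from collections import Counter

DEFAULT_MAX_EDGES_PER_NODE = 24  # default stated in this README


def max_edges_per_node(env=os.environ):
    """Read ACE_T_MAX_EDGES_PER_NODE; fall back to the default on bad input."""
    raw = env.get("ACE_T_MAX_EDGES_PER_NODE", "")
    try:
        cap = int(raw)
    except ValueError:
        return DEFAULT_MAX_EDGES_PER_NODE
    # Assumption: zero or negative values are treated as misconfiguration.
    return cap if cap > 0 else DEFAULT_MAX_EDGES_PER_NODE


def cap_edges(edges, cap):
    """Keep an edge only while both of its endpoints are below the cap.

    Edges are visited heaviest first, ties broken by endpoint ids, so the
    same input always yields the same output regardless of input order.
    """
    ordered = sorted(
        edges, key=lambda e: (-e.get("weight", 0), e["source"], e["target"])
    )
    degree = Counter()
    kept = []
    for edge in ordered:
        s, t = edge["source"], edge["target"]
        if s == t:
            continue  # assumption: self-loops are dropped from the render set
        if degree[s] < cap and degree[t] < cap:
            kept.append(edge)
            degree[s] += 1
            degree[t] += 1
    return kept


# Constructed sample: one hub IP linked to six domains, plus one domain pair.
SAMPLE_EDGES = [
    {"source": "ip:203.0.113.7", "target": f"domain:d{i}.example", "weight": i}
    for i in range(6)
] + [{"source": "domain:d0.example", "target": "domain:d1.example", "weight": 9}]

if __name__ == "__main__":
    for e in cap_edges(SAMPLE_EDGES, cap=3):
        print(e["source"], "->", e["target"], e["weight"])
```
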

Security Notes

  • Keep secrets in environment variables or ignored local files only.
  • Do not commit API keys, tokens, or private datasets.
  • Rotate and revoke exposed credentials immediately.

Additional Documentation

  • SPECTRUM_RUNBOOK.md: reproducible launch and operating runbook
  • THREATFOX_INTEGRATION_SUMMARY.md: ThreatFox architecture and integration details

About

Conditioned Aversion OSINT platform enabling real-time multi-source collection, correlation, and intelligence graph synthesis.
