About This Deck

What This Is

Threat Intelligence Tarot is an educational tool for information security practitioners. Each card in the deck represents a real threat actor group, drawn from MITRE ATT&CK and documented threat intelligence reports.

The tarot format is deliberate. Real threat intelligence is dense and technical: easy to ignore, hard to internalize. Packaging it as a card game makes it memorable, shareable, and impossible to scroll past. The mystical framing is aesthetics. The threat data is real.

The Deck

The full 78-card deck maps directly to tarot structure:

  • Major Arcana: 22 cards · The most iconic APT groups
  • Swords: 14 cards · Espionage & Intelligence
  • Wands: 14 cards · Disruption & Destruction
  • Cups: 14 cards · Social Engineering & Deception
  • Pentacles: 14 cards · Financial Crime & Ransomware

How to Use It

  • Draw a Card: random adversary from the full deck. Flip to reveal their TTPs, targets, and defenses.
  • Three-Card Spread: draw Past, Present, and Future threat actors. Get a reading of your threat landscape with shared TTPs and priority defenses across all three.
  • Card of the Day: seed-based daily adversary. Same card for everyone on a given day, refreshes at midnight.
  • Gallery: browse all 78 cards. Filter by threat category, suit, or origin country. Search by group name, alias, technique ID, or targeted sector.
  • Technique Explorer: view all MITRE ATT&CK techniques across the full deck, grouped by tactic, ranked by prevalence, with a kill-chain distribution chart.
  • Defense Index: discover which security controls defend against the most adversaries. Ranked by cross-deck coverage to help prioritize controls with the broadest impact.
  • ATT&CK Navigator Export: from any card or daily page, download a Navigator v5 layer file pre-loaded with that adversary's techniques. Import directly into ATT&CK Navigator for deeper analysis.
  • Threat Brief: copy a clean markdown adversary profile to your clipboard. Paste into reports, Confluence, or security awareness materials.

Reading a Card

Each card shows the group's tarot identity, real group name and aliases, active years, origin, and risk level. Below that: the sectors they target, their MITRE ATT&CK techniques with a kill-chain coverage heatmap (click any technique ID to open the full MITRE reference), notable operations, and specific defensive recommendations.

The Reversed Meaning section (borrowed from tarot tradition) documents the group's known failures, operational security mistakes, and the circumstances that led to their exposure or disruption.

Data Sources

Threat actor data is drawn from MITRE ATT&CK, public government advisories (CISA, NSA, FBI, NCSC), and documented security research from Mandiant, CrowdStrike, Kaspersky, Citizen Lab, and others. All information is publicly available. Flavor text and reversed meanings are creative interpretations; threat data is factual.

Built by Scott Altiparmak, Senior Information Security Engineer, CISSP
Data sourced from MITRE ATT&CK. For educational purposes only.