Badges: Build & Deploy | License: MIT | Python 3.10+ | Threat Paths | Detection Rules | STIX 2.1 | MCP Server

FLAME -- Fraud Lifecycle Analysis & Mitigation Exchange

The open-source fraud intelligence exchange. Cross-mapping the world's fraud taxonomies into one library.

FLAME is an open-source, community-driven exchange for structured fraud intelligence. It cross-maps 7 fraud frameworks into a unified taxonomy of threat paths, baselines, and emulation playbooks, browsable through a zero-dependency web interface with D3-powered visualizations, AI-assisted intake, and an MCP server for conversational fraud intelligence. Exports to STIX 2.1, MISP, and TAXII are built in; Sigma and CQL detection packs ship from the companion flame-detections repo.

Explore FLAME Live →


At a Glance

Metric Count
Threat Paths 89 (TP-0001 -- TP-0089)
Fraud Families 11 (ATT&CK-style matrix taxonomy)
Detection Logic Rules 221 in flame-detections
Baselines 36 (49/89 TPs linked via baseline_ids)
Emulation Playbooks 14 adversary simulation scripts
Fraud Types 141 in master taxonomy
Sectors Covered 24
Framework Cross-Mappings 7 (CFPF, ATT&CK, MITRE F3, Group-IB FM, Stripe FT3, UCFF, Regulatory)
Regulatory Requirements 31 across 7 jurisdictions
Export Formats 5 (STIX, MISP, TAXII, RSS, JSON API)
MCP Server Tools 6
CI/CD Workflows 7
Tests 217 (pytest)

Why FLAME Exists

Between April 2025 and April 2026, six organizations independently concluded that fraud needs structured taxonomy frameworks. Stripe published FT3 (then abandoned it). MITRE shipped F3 (April 2026). Group-IB released Fraud Matrix 2.0 (commercially gated). FS-ISAC assembled 300+ members for the Cyber Fraud Prevention Framework. The taxonomy layer is converging. The community knowledge exchange layer remains entirely unserved in open source.

| Capability | FLAME | Group-IB FM 2.0 | FS-ISAC CFPF | Stripe FT3 | MITRE F3 |
|---|---|---|---|---|---|
| Open source | Yes | No | Paper only | Abandoned | Yes |
| Community contributed | Yes | No | No platform | No | Yes |
| Structured detection logic | 221 rules* | Mobile-heavy | No | No | No |
| Multi-taxonomy mapping | 7 frameworks | Own only | Own only | Own only | ATT&CK only |
| TIP interop (STIX/MISP/TAXII) | Yes | No | No | No | No |
| AI-assisted intake | Yes | No | No | No | No |

Taxonomies define the language. FLAME is where practitioners share what actually works.

* Detection rules are migrating to flame-detections for independent quality and contribution cadence.

The ACAMS International Anti-Fraud and Technology Task Force confirmed in March 2026 that cross-sector fraud intelligence sharing is the #1 industry priority — yet remains systemically blocked by siloed data, incompatible formats, and lack of structured typologies. FLAME directly addresses each of these barriers through open-source structured threat paths, standardized exports (STIX/MISP/TAXII/Sigma), and a common taxonomy spanning 141 fraud types across 24 sectors.


Supported Frameworks

Framework Status
FS-ISAC Cyber Fraud Prevention Framework (CFPF) Primary structure -- all 89 TPs mapped
MITRE ATT&CK Supplementary mapping where applicable
MITRE F3 (Fight Fraud Framework) Mapped (72/89 TPs) via f3_mapper.py -- shipped April 2026
Group-IB Fraud Matrix 2.0 Cross-reference mapping (stage names)
Stripe FT3 Mapped (69/89 TPs) via ft3_mapper.py
Group-IB UCFF Defense-side maturity alignment (7 domains)

What FLAME is not: FLAME is not a taxonomy project. It is a knowledge exchange that sits on top of existing taxonomies, providing the operational intelligence -- threat paths, detection queries, investigation playbooks, and cross-team correlation guidance -- that no taxonomy alone delivers.


Architecture

FLAME follows a markdown-first, database-derived architecture modeled on HEARTH by the THOR Collective.

  • Markdown is the source of truth. Threat paths, baselines, and detection rules are authored as structured files with YAML frontmatter including fraud_family, primary_phase, and short_name for matrix classification. Detection rules currently live in this repo but are migrating to flame-detections for independent quality and contribution cadence.
  • The database is derived. Python scripts parse the source files, build a SQLite index, and export JSON for the frontend.
  • The frontend is static. Vanilla HTML/CSS/JS served via GitHub Pages. No build step, no framework dependencies.
  • Exports are standard. Build-time pipelines produce STIX 2.1, MISP, TAXII 2.1, Sigma, and RSS artifacts.
  • CI/CD is automated. GitHub Actions validate submissions, rebuild the database, and regenerate all exports on merge.
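The five bullets above describe one pipeline: structured markdown in, a derived SQLite index and a metadata-only JSON index out, and a fraud-family × phase grid for the matrix view on top. The following is an added example that is not FLAME's own build_database.py: it parses two constructed threat-path files, loads them into an in-memory SQLite table, exports the metadata index, and computes the matrix cell counts. The frontmatter keys fraud_family, primary_phase, short_name and baseline_ids are the ones the README names; the hand-rolled frontmatter reader (only `key: value` and inline `[a, b]` lists), the table layout, and the validation rules are this example's assumptions, not the project's schema.

```python
"""Markdown-first -> SQLite -> JSON, in miniature (added example, not FLAME's
build_database.py). Frontmatter keys fraud_family, primary_phase, short_name and
baseline_ids come from the README; the parser is deliberately minimal."""
import json
import re
import sqlite3

FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)
COLUMNS = ("id", "title", "fraud_family", "primary_phase", "short_name",
           "sectors", "baseline_ids", "confidence")

# Constructed sample files; not real FLAME threat paths.
SAMPLE_FILES = {
    "TP-0001.md": """---
id: TP-0001
title: Treasury Management ATO via Malvertising
fraud_family: Account Takeover
primary_phase: P2
short_name: Treasury ATO
sectors: [Banking, Payments]
baseline_ids: [BL-0001]
confidence: high
---
## Summary
Malvertising lures treasury users to a credential-phishing page.
""",
    "TP-0002.md": """---
id: TP-0002
title: BEC -- Vendor Impersonation Wire Fraud
fraud_family: Payment & Wire
primary_phase: P4
short_name: BEC Wire
sectors: [Banking]
baseline_ids: []
confidence: medium
---
## Summary
A spoofed vendor redirects an invoice payment to a mule account.
""",
}


def parse_value(raw):
    """Scalar or inline YAML list; good enough for this example's fields."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        inner = raw[1:-1].strip()
        return [v.strip() for v in inner.split(",")] if inner else []
    return raw


def parse_threat_path(text):
    """Return frontmatter dict plus body; reject files that cannot be indexed."""
    m = FRONTMATTER.match(text)
    if not m:
        raise ValueError("missing YAML frontmatter")
    meta = {}
    for line in m.group(1).splitlines():
        key, sep, val = line.partition(":")
        if sep:
            meta[key.strip()] = parse_value(val)
    required = ("id", "title", "fraud_family", "primary_phase", "short_name")
    missing = [k for k in required if k not in meta]
    if missing:
        raise ValueError(f"{meta.get('id', '?')}: missing {missing}")
    if not re.fullmatch(r"TP-\d{4}", meta["id"]):
        raise ValueError(f"bad threat path id {meta['id']!r}")
    if not re.fullmatch(r"P[1-5]", meta["primary_phase"]):
        raise ValueError(f"{meta['id']}: phase {meta['primary_phase']!r} not in P1..P5")
    meta.setdefault("sectors", [])
    meta.setdefault("baseline_ids", [])
    meta.setdefault("confidence", "unknown")
    meta["body"] = m.group(2)
    return meta


def build_index(files):
    """Derive the SQLite index from the markdown sources (the source of truth)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE threat_paths (id TEXT PRIMARY KEY, title TEXT, "
               "fraud_family TEXT, primary_phase TEXT, short_name TEXT, "
               "sectors TEXT, baseline_ids TEXT, confidence TEXT)")
    for text in files.values():
        tp = parse_threat_path(text)
        row = [json.dumps(tp[c]) if c in ("sectors", "baseline_ids") else tp[c]
               for c in COLUMNS]
        db.execute("INSERT INTO threat_paths VALUES (?,?,?,?,?,?,?,?)", row)
    db.commit()
    return db


def export_index(db):
    """Metadata-only index the frontend loads first (bodies are lazy-loaded)."""
    entries = []
    for row in db.execute(f"SELECT {','.join(COLUMNS)} FROM threat_paths ORDER BY id"):
        e = dict(zip(COLUMNS, row))
        e["sectors"] = json.loads(e["sectors"])
        e["baseline_ids"] = json.loads(e["baseline_ids"])
        entries.append(e)
    return {"version": 1, "count": len(entries), "threat_paths": entries}


def matrix_counts(db):
    """fraud_family x CFPF phase cell counts: the data behind the matrix view."""
    return {f"{fam}|{phase}": n for fam, phase, n in db.execute(
        "SELECT fraud_family, primary_phase, COUNT(*) FROM threat_paths GROUP BY 1, 2")}
```

The point of failing closed in parse_threat_path is that a malformed submission should break the build, not silently produce an index entry with an empty phase that the matrix view then cannot place; validate-pr.yml is where that check belongs before the file ever reaches main.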

Data Flow

graph LR
    subgraph Sources
        TP["ThreatPaths/*.md"]
        DL["flame-detections repo"]
        BL["Baselines/*.md"]
        EP["EmulationPlaybooks/*.json"]
    end

    subgraph Build
        BD["build_database.py"]
        EX_STIX["export_flame_stix.py"]
        EX_MISP["export_misp.py"]
        EX_TAXII["export_taxii.py"]
        EX_SIGMA["flame-detections CI"]
    end

    subgraph Artifacts
        DB["SQLite + JSON Index"]
        STIX["STIX 2.1 Bundle"]
        MISP_OUT["MISP Galaxy + Feed"]
        TAXII_OUT["TAXII 2.1 Endpoints"]
        SIGMA_OUT["Sigma Packs"]
        RSS["RSS Feed"]
        API["JSON API v1"]
    end

    subgraph Consumers
        SPA["Web Frontend"]
        MCP["MCP Server"]
        TIP["TIP Integration"]
    end

    TP & DL & BL & EP --> BD
    BD --> DB & RSS & API
    BD --> EX_STIX --> STIX
    BD --> EX_MISP --> MISP_OUT
    BD --> EX_TAXII --> TAXII_OUT
    BD --> EX_SIGMA --> SIGMA_OUT
    DB & API --> SPA
    DB --> MCP
    STIX & MISP_OUT & TAXII_OUT --> TIP

CI/CD Pipeline

graph TD
    PR[Pull Request] --> VAL[validate-pr.yml]
    VAL -- Merge --> BUILD[build-and-deploy.yml]
    BUILD --> PAGES[GitHub Pages]
    ISSUE[Intel Submission Issue] --> AI[ai-intake.yml]
    AI --> GEN[generate_threat_path.yml]
    GEN --> PR
    CRON[Cron 2x Daily] --> REG[fetch-regulatory.yml]
    REG --> DBUP[update-database.yml]
    LABEL[Label: submitted] --> PEER[peer-review.yml]
    PEER --> PR

Repository Structure

ThreatPaths/           89 fraud scheme lifecycle mappings (TP-XXXX.md)
                       (Detection rules now in flame-detections repo)
Baselines/             36 environmental profiling benchmarks (BL-XXXX.md)
EmulationPlaybooks/    14 adversary simulation playbooks (EP-XXXX.json)
Templates/             Submission templates (TP, DL, BL, EP)
config/                Regulatory requirements and source configs
scripts/               Build, validation, and export scripts (22 modules)
  regulatory/          6-source regulatory data fetchers
mcp_server/            FastMCP server exposing 6 fraud intelligence tools
tests/                 217 tests across pytest test modules
database/              Generated artifacts (auto-built by CI)
  flame-index.json           Metadata-only index (fast frontend load)
  flame-content/             Individual TP content files (lazy-loaded)
  flame-stats.json           Pre-computed aggregate statistics
  flame-contributors.json    Contributor leaderboard data
  flame_stix_bundle.json     STIX 2.1 bundle with fraud extensions
                             (Detection exports now in flame-detections repo)
  misp-feed/                 Per-TP MISP event files + manifest
  regulatory-alerts.json     Automated regulatory alert feed (6 sources)
  feed.xml                   RSS 2.0 feed
data/                  Taxonomies, framework mappings, MISP galaxy defs
api/
  v1/                  Static JSON API endpoints
  taxii/               TAXII 2.1 discovery, collections, objects
docs/                  Project documentation and specifications
.github/
  workflows/           7 CI/CD workflows
  ISSUE_TEMPLATE/      5 issue templates for submissions

Threat Path Collection

FLAME ships with 89 threat paths covering 141 fraud types across 24 sectors.

ID Scheme Key Fraud Types
TP-0001 Treasury Management ATO via Malvertising ATO, vishing, wire fraud
TP-0002 BEC -- Vendor Impersonation Wire Fraud BEC, invoice fraud
TP-0003 Synthetic Identity -- Credit Card Bust-Out Synthetic identity, application fraud
TP-0004 Payroll Diversion via HR Portal Compromise Payroll diversion, BEC
TP-0005 Insurance Premium Diversion via Agent Portal ATO ATO, premium diversion
TP-0006 Real Estate Wire Fraud -- Closing Scam BEC, wire fraud
TP-0007 Deepfake Voice Authorization for Wire Transfer Deepfake, impersonation
TP-0008 SIM Swap to Cryptocurrency Exchange ATO ATO, crypto laundering
TP-0009 Check Washing and Fraudulent Mobile Deposit Check fraud
TP-0010 Disability Insurance Fraud Fraudulent claims

Recently Added

ID Scheme Key Fraud Types
TP-0051 QR Code Payment Fraud / Quishing quishing, credential-stuffing, account-takeover
TP-0052 Sextortion-Investment Hybrid Fraud sextortion, investment-scam, deepfake
TP-0053 Vehicle Export Financing Fraud vehicle-export-fraud, identity-theft, application-fraud
TP-0054 Fraud-as-a-Service (FaaS) Platforms fraud-as-a-service, AI infrastructure, phishing
TP-0055 Crypto Fraud-Terrorism/Narco Financing Nexus crypto-laundering, investment-scam, state-criminal convergence
TP-0056 Insurance Claims Fraud (Motor/Medical) insurance-fraud, fraudulent-claim, identity-theft
TP-0057 Deepfake-as-a-Service Marketplace Ecosystem deepfake-as-a-service, deepfake-fraud, AI face/voice changer
TP-0058 Scam Compound Operational Infrastructure scam-compound-operations, chatbot-enabled-fraud, social-engineering
TP-0059 Automated Mule Account Infrastructure automated-mule-accounts, money-laundering, bot-driven-account-opening
TP-0060 Investment Fraud TDS Pipeline traffic-distribution-system, investment-fraud, cloaking
TP-0061 Threat Actor Enabling Bulletproof Hosting Infrastructure bulletproof-hosting, fraud-enabling-infrastructure, hosting-provider-complicity
TP-0062 Recovery Fraud -- Double-Dip Re-victimization recovery-fraud, impersonation, advance-fee-fraud
TP-0063 Organized Counterfeit Goods and Non-Delivery Fraud Networks purchase-scam, auction-fraud, brand-impersonation
TP-0064 Long-Firm and Organized Business Credit Fraud long-firm-fraud, bust-out, application-fraud
TP-0065 Organized Mass-Marketing Fraud Infrastructure robodialling-fraud, vishing, social-engineering
TP-0066 Crash-for-Cash and Organized Insurance Fraud Rings crash-for-cash, insurance-fraud, collusion
TP-0067 AiTM Phishing Kit Infrastructure and Session Token Hijacking aitm-phishing, account-takeover, fraud-as-a-service
TP-0068 Gift Card Fraud Lifecycle — Generation, Tampering, and Monetization gift-card-fraud, gift-card-tampering, loyalty-point-fraud
TP-0069 Smishing PhaaS Ecosystem — Darcula, Smishing Triad smishing, card-not-present-fraud, fraud-as-a-service
TP-0070 Travel Booking Fraud & Fake OTA Networks travel-booking-fraud, buy-for-you-fraud, fake-ota
TP-0071 IRSF & Telecom Revenue Share Fraud irsf, premium-rate-fraud, wangiri
TP-0072 Telecom Subscription & Billing Fraud subscription-fraud, telecom-billing-fraud
TP-0073 Real Estate Title Fraud & Deed Theft title-fraud, deed-theft, seller-impersonation
TP-0074 Ghost Broking & Unauthorized Insurance Portals ghost-broking, ghost-portal, unlicensed-insurance
TP-0075 Friendly Fraud & Chargeback Abuse friendly-fraud, chargeback-abuse, dispute-fraud
TP-0076 Affiliate Network Fraud & Invalid Traffic affiliate-fraud, click-fraud, cookie-stuffing
TP-0077 AI-Generated Insurance Claims Fraud ai-generated-claims, deepfake-claims, document-fraud
TP-0078 Stablecoin Laundering via CEX Hot Wallet Pipelines crypto-laundering, stablecoin-laundering, money-laundering
TP-0079 Cheap gTLD and PaaS Subdomain Abuse for Fraud Infrastructure phishing, brand-impersonation, paas-subdomain-abuse
TP-0080 Stablecoin Freeze-Evasion via Wrapped Tokens & Cross-Chain Bridges stablecoin-freeze-evasion, crypto-laundering, sanctions-evasion
TP-0081 Vishing-Led Identity Abuse and Hybrid Social Engineering vishing, account-takeover, fake-captcha-fraud
TP-0082 Gold Courier Scam — Physical Precious Metal Cash-Out social-engineering, impersonation, elder-exploitation
TP-0083 Investment Club Scam — Social Media Insider Group Fraud investment-scam, social-engineering, crypto-laundering
TP-0084 Government Impersonation — Authority-Based APP Fraud impersonation, authorized-push-payment, elder-exploitation
TP-0085 Crypto ATM/Kiosk Directed Fraud — Physical-to-Digital Monetization crypto-laundering, authorized-push-payment, elder-exploitation
TP-0086 Crisis-Exploitation Domain Intelligence — Oil Shock Infrastructure crisis-exploitation, phishing, fraud-enabling-infrastructure
TP-0087 Infostealer-to-Fraud Pipeline — MaaS Credential Harvesting credential-harvesting, account-takeover, fraud-as-a-service
TP-0088 Logistics Sector Spearphishing — Carrier Impersonation phishing, brand-impersonation, credential-harvesting
TP-0089 TAE Upstream Transit Provider Complicity bulletproof-hosting, fraud-enabling-infrastructure, hosting-provider-complicity
TP-0011 through TP-0050
ID Scheme Key Fraud Types
TP-0011 Romance Scam to Money Mule Recruitment Romance scam, money mule
TP-0012 APP Fraud -- Tech Support / Bank Impersonation Vishing, impersonation
TP-0013 Credential Stuffing to Loyalty Point Drain Credential stuffing, ATO
TP-0014 Insider-Enabled Account Fraud Insider threat, collusion
TP-0015 Employment Fraud via Brand Impersonation Job scam, identity theft
TP-0016 First-Party Fraud (Bust-Out) Bust-out, first-party fraud
TP-0017 Pig Butchering (Investment Scam) Investment scam, romance scam
TP-0018 Deepfake Document Fraud Deepfake fraud, documentary fraud
TP-0019 Business Identity Theft Identity theft, application fraud
TP-0020 Supply Chain Payment Fraud BEC, vendor impersonation
TP-0021 Healthcare Provider Billing Fraud Healthcare fraud, phantom billing
TP-0022 Government Program Fraud Benefit fraud, tax fraud
TP-0023 Mobile Banking Trojan / Overlay Attack Malware, ATO
TP-0024 A2A Instant Payment Fraud (Zelle/FedNow/Pix) APP, unauthorized transaction
TP-0025 GenAI-Enhanced APP Fraud -- Romance Variant Romance scam, deepfake
TP-0026 GenAI-Enhanced APP Fraud -- Investment Variant Investment scam, deepfake
TP-0027 Elder Financial Exploitation Social engineering, APP
TP-0028 DME Phantom Billing (Medicare Fraud) Healthcare fraud, phantom billing
TP-0029 AI Synthetic Identity & Document Forgery Synthetic identity, deepfake fraud
TP-0030 E-Commerce Triangulation Fraud Payment diversion, identity theft
TP-0031 Refund-as-a-Service (FTID / RaaS) Refunding-as-a-service
TP-0032 Web3 Wallet Drainer / Approval Phishing Approval phishing, crypto laundering
TP-0033 Ghost Student Financial Aid Botnets Ghost student fraud, application fraud
TP-0034 DPRK State-Sponsored IT Worker Fraud DPRK IT worker fraud, data theft
TP-0035 Magecart E-Skimmer Data Compromise E-skimmer, data theft
TP-0036 Purchase Scam Merchant Networks Purchase scam, brand impersonation
TP-0037 Digital Wallet Fraud & NFC Relay Attacks Digital wallet fraud, NFC relay
TP-0038 Card Testing Infrastructure Abuse Card testing, identity theft
TP-0039 Agentic Commerce Fraud Autonomous AI fraud, unauthorized transaction
TP-0040 BNPL Multi-Provider Fraud BNPL fraud, synthetic stacking
TP-0041 RDGA-Based Infrastructure Campaigns RDGA infrastructure
TP-0042 TDS Chain Exploitation TDS exploitation, malvertising, phishing
TP-0043 AI-Accelerated Fraud Infrastructure Generation AI infrastructure, phishing, brand impersonation
TP-0044 State-Criminal Infrastructure Convergence State-criminal convergence, crypto laundering
TP-0045 Sanctions Evasion via Fraud Infrastructure Sanctions evasion, crypto laundering
TP-0046 Geopolitically-Timed Fraud Campaigns State-criminal convergence
TP-0047 Human Trafficking-Linked Fraud Infrastructure Human trafficking facilitation, scam compounds
TP-0048 Bulletproof Hosting Migration Patterns BPH migration, sanctions evasion
TP-0049 Cryptocurrency Laundering Infrastructure Crypto laundering infrastructure, CMLN operations
TP-0050 Calendar/Invite Injection Phishing Calendar phishing, social engineering

See ThreatPaths/INDEX.md for full cross-reference tables with sector, CFPF phase, and framework mappings.


Detection Rules and FLAME

Detection rules are maintained in the flame-detections sibling repo. The collection includes 221 rules: 98 pure Sigma-compatible rules (auto-converted to SPL, EQL, KQL) and 123 that need hand-written native queries (CQL, SPL) because they correlate state across several events rather than matching a single event.

The decoupling into flame-detections began in v1.0 so that detection content can evolve on its own quality bar and contribution cadence, separate from the core exchange taxonomy.

Any rule files still present in this repo remain fully functional until the migration completes.

Audit tooling: scripts/audit_queries.py validates detection rule coverage and query correctness across the full TP inventory. scripts/sync_tp_rules.py synchronizes threat path rule references with actual detection logic files.
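The 98/123 split above comes down to one distinction: a Sigma rule expresses a predicate over one event, while a fraud chain such as TP-0008 (SIM swap, then an SMS-OTP credential reset, then a large crypto withdrawal) is only visible when events for the same subject are walked in order inside a time window. The following is an added example, not a flame-detections rule: it runs both styles over constructed telemetry. The event field names, the chain, the 24-hour window and the 10,000 USD threshold are all assumptions chosen for illustration.

```python
"""Stateless vs stateful detection over constructed events (added example; not a
flame-detections rule). Field names, chain order and thresholds are assumptions
that illustrate the TP-0008 SIM swap -> crypto exchange ATO sequence."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; not real logs.
EVENTS = [
    {"id": "e1", "ts": "2026-03-01T09:00:00", "type": "carrier.sim_swap", "subject": "alice"},
    {"id": "e2", "ts": "2026-03-01T09:20:00", "type": "auth.password_reset", "subject": "alice",
     "channel": "sms_otp"},
    {"id": "e3", "ts": "2026-03-01T10:05:00", "type": "crypto.withdrawal", "subject": "alice",
     "amount_usd": 48000},
    {"id": "e4", "ts": "2026-03-01T11:00:00", "type": "auth.password_reset", "subject": "bob",
     "channel": "email"},
    {"id": "e5", "ts": "2026-03-01T11:30:00", "type": "crypto.withdrawal", "subject": "bob",
     "amount_usd": 60000},
    {"id": "e6", "ts": "2026-02-20T08:00:00", "type": "carrier.sim_swap", "subject": "carol"},
    {"id": "e7", "ts": "2026-03-01T12:00:00", "type": "auth.password_reset", "subject": "carol",
     "channel": "sms_otp"},
    {"id": "e8", "ts": "2026-03-01T12:10:00", "type": "crypto.withdrawal", "subject": "carol",
     "amount_usd": 500},
]

CHAIN = ("carrier.sim_swap", "auth.password_reset", "crypto.withdrawal")


def parse(events):
    """Copy events with parsed timestamps, ordered by time."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def stateless_match(events, min_usd=10_000):
    """What a per-event (Sigma-style) rule can express: one event, one predicate.
    It flags bob's withdrawal too, with no way to see that no SIM swap preceded it."""
    return [e["id"] for e in events
            if e["type"] == "crypto.withdrawal" and e.get("amount_usd", 0) >= min_usd]


def sim_swap_ato_chain(events, window_hours=24, min_usd=10_000):
    """Stateful: per subject, match CHAIN in order, every step within the window
    that opens at the SIM swap. Needs per-subject memory a single-event rule lacks."""
    window = timedelta(hours=window_hours)
    by_subject = defaultdict(list)
    for e in parse(events):
        by_subject[e["subject"]].append(e)
    alerts = []
    for subject, evs in by_subject.items():
        for i, start in enumerate(evs):
            if start["type"] != CHAIN[0]:
                continue
            deadline = start["ts"] + window
            matched, step = [start["id"]], 1
            for e in evs[i + 1:]:
                if e["ts"] > deadline:
                    break  # window closed; carol's stale SIM swap drops out here
                if e["type"] != CHAIN[step]:
                    continue
                if step == 1 and e.get("channel") != "sms_otp":
                    continue  # reset not via the hijacked number: not this chain
                if step == 2 and e.get("amount_usd", 0) < min_usd:
                    continue
                matched.append(e["id"])
                step += 1
                if step == len(CHAIN):
                    alerts.append({"subject": subject, "events": matched, "tp": "TP-0008"})
                    break
    return alerts
```

Running both shows the trade: the stateless rule fires on every large withdrawal (alice and bob) and needs downstream triage, while the chain fires once, on alice, with the three event ids an investigator needs. That per-subject ordering and windowing is what the native CQL/SPL rules in flame-detections carry and a plain Sigma rule cannot.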


Emulation Playbooks

FLAME includes 14 adversary emulation playbooks -- CFPF phase-mapped simulation scripts for testing detection coverage against specific fraud schemes.

ID Playbook Linked TPs
EP-0001 Synthetic Identity Bust-Out TP-0003, TP-0016
EP-0002 BEC Wire Fraud TP-0002, TP-0006
EP-0003 SIM Swap Crypto ATO TP-0008
EP-0004 APP Fraud TP-0012, TP-0024
EP-0005 A2A Payment Exploitation TP-0024
EP-0006 RDGA Campaign Simulation TP-0041
EP-0007 TDS Chain Exploitation Simulation TP-0042
EP-0008 Treasury Management ATO TP-0001
EP-0009 Deepfake Voice Authorization TP-0007
EP-0010 First-Party Fraud Bust-Out TP-0016
EP-0011 Pig Butchering Romance/Investment TP-0017
EP-0012 DPRK IT Worker Infiltration TP-0034
EP-0013 Agentic Commerce Fraud TP-0039
EP-0014 BNPL Multi-Provider Stacking TP-0040

Playbooks follow a structured JSON schema with execution steps mapped to CFPF phases (P1--P5), cross-references to detection rules (DL-XXXX), and testability scoring. See Templates/emulation-playbook-template.json for the schema.


Frontend & Visualizations

The FLAME frontend is a vanilla HTML/CSS/JS single-page application with a dark theme, responsive design, and no build step. The default browse experience is an ATT&CK-style matrix view organizing all 89 threat paths by 11 fraud families (rows) and 5 CFPF phases (columns), with sector tab filtering and scannable short-name chips with confidence-colored borders. A card grid view is available as an alternative toggle.

Threat Path Matrix

The matrix view provides instant visual taxonomy of the fraud landscape:

  • 11 fraud family rows: Account Takeover, Payment & Wire, Social Engineering, Identity & Synthetic, Investment & Romance, Insurance & Healthcare, Crypto & Laundering, Fraud Infrastructure & FaaS, Retail & E-Commerce, State-Linked & Geopolitical, Telecom & Specialized
  • 5 CFPF phase columns: P1 Recon, P2 Initial Access, P3 Positioning, P4 Execution, P5 Monetization
  • Sector tabs filter TPs to Banking, Crypto, Insurance, Payments, Retail, and 19 more sectors
  • Short-name chips display curated labels (e.g., "Pig Butchering", "BEC Wire", "RDGA Domains") with confidence-colored left borders (green/amber/red)
  • Matrix/Grid toggle switches between matrix and card grid browse modes

D3 Visualizations

Visualization Description
Attack Flow Diagram Horizontal CFPF phase flow (P1--P5) per threat path with MITRE technique cards and detection rule badges
Ego Neighborhood Graph Force-directed 1--2 hop subgraph showing related threat paths with typed relationships
Global Relationship Graph Full-network force layout of all 89 TPs, sector-clustered with 7 color-coded relationship types
UCFF Radar Chart 7-axis maturity profile for the UCFF self-assessment
Coverage Heat Map Fraud type x CFPF phase coverage matrix with intensity-based coloring
Framework Navigator Cross-framework coverage grid (CFPF, MITRE ATT&CK, MITRE F3, Group-IB, FT3) with SVG and ATT&CK Navigator JSON export

Interactive Tools

Tool Description
UCFF Self-Assessment Maturity sliders across 7 governance domains with gap analysis and JSON import/export
Coverage Assessment Sector-specific fraud coverage analysis with phase weakness detection and gap scoring
Regulatory Pulse Live feed from 6 regulatory sources (OFAC, FinCEN, SEC, OCC, FBI IC3, CFPB) with pagination and source filtering
Contributor Leaderboard Ranked contributor table (TPs, DL rules, baselines, EPs) extracted from submission frontmatter

Additional Features

  • Matrix/Grid browse toggle -- ATT&CK-style matrix as default, card grid as alternative
  • Sector tab filtering -- filter matrix by any of 24 sectors with live TP counts
  • Full-text search via lunr.js with wildcard fallback
  • Multi-criteria filtering by CFPF phase, sector, and fraud type
  • Lazy content loading -- metadata index loads first, TP content on demand
  • Taxonomy toggle -- switch between CFPF, MITRE ATT&CK, and Group-IB views in detail
  • Hash-based routing -- deep links via #detail/TP-XXXX
  • Copy-to-clipboard on all code blocks
  • Mobile responsive with collapsible filter panel and horizontally scrollable matrix

Ecosystem Integration

STIX 2.1 Fraud Extension

4 custom SDOs extending STIX 2.1 for fraud intelligence:

  • x-flame-fraud-scheme -- Fraud lifecycle pattern (one per TP)
  • x-flame-financial-transaction -- Fraudulent money movement pattern
  • x-flame-mule-network -- Money mule infrastructure
  • x-flame-fraud-actor-profile -- Threat actor profiling

5 fraud-specific relationship types. Deterministic STIX IDs (UUID5) ensure reproducible builds. See STIX-FRAUD-EXTENSION.md for the full specification.
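Deterministic UUID5 ids are what make "reproducible builds" true: the same threat path must produce the same STIX id on every CI run, or every consumer sees a fresh object on each export and relationships silently dangle. The following is an added example, not FLAME's export_flame_stix.py or the STIX-FRAUD-EXTENSION.md specification: it derives ids from a fixed namespace, emits an x-flame-fraud-scheme per threat path and a relationship between two, and bundles them. The namespace UUID, the x_flame_* property names and the feeds-into relationship type are assumptions; only the SDO type name comes from the list above.

```python
"""Deterministic STIX 2.1 objects for the FLAME fraud extension (added example;
the namespace UUID, x_flame_* properties and relationship type are assumptions,
not the project's specification)."""
import json
import uuid

# Assumed namespace. Any fixed UUID works; it must never change once exports ship.
FLAME_NS = uuid.uuid5(uuid.NAMESPACE_DNS, "flame.example.invalid")
NOW = "2026-05-01T00:00:00.000Z"  # fixed build timestamp keeps the bundle byte-stable


def stix_id(stix_type, *key):
    """UUIDv5 over (type, key...) so the same input always yields the same id."""
    return f"{stix_type}--{uuid.uuid5(FLAME_NS, '|'.join((stix_type, *key)))}"


def fraud_scheme(tp, now=NOW):
    """One x-flame-fraud-scheme per threat path."""
    return {
        "type": "x-flame-fraud-scheme",
        "spec_version": "2.1",
        "id": stix_id("x-flame-fraud-scheme", tp["id"]),
        "created": now,
        "modified": now,
        "name": tp["title"],
        "x_flame_tp_id": tp["id"],
        "x_flame_cfpf_phases": tp["phases"],
        "external_references": [{"source_name": "FLAME", "external_id": tp["id"]}],
    }


def relationship(source_ref, target_ref, rel_type, now=NOW):
    """SRO whose id is derived from (source, type, target), so it is stable too."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": stix_id("relationship", source_ref, rel_type, target_ref),
        "created": now,
        "modified": now,
        "relationship_type": rel_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }


def build_bundle(tps, links, now=NOW):
    """links: (source TP id, relationship type, target TP id) triples."""
    schemes = {tp["id"]: fraud_scheme(tp, now) for tp in tps}
    objects = list(schemes.values())
    for src, rel, dst in links:
        objects.append(relationship(schemes[src]["id"], schemes[dst]["id"], rel, now))
    # STIX 2.1 recommends UUIDv4 for SDO/SRO ids; v5 is used here, as the project
    # does, because a reproducible export matters more than per-run uniqueness.
    return {"type": "bundle",
            "id": stix_id("bundle", *sorted(o["id"] for o in objects)),
            "objects": objects}


# Constructed input: titles mirror the README table, the link is illustrative.
SAMPLE_TPS = [
    {"id": "TP-0011", "title": "Romance Scam to Money Mule Recruitment",
     "phases": ["P1", "P2", "P3"]},
    {"id": "TP-0017", "title": "Pig Butchering (Investment Scam)",
     "phases": ["P2", "P3", "P4", "P5"]},
]
SAMPLE_LINKS = [("TP-0011", "feeds-into", "TP-0017")]


def bundle_json(tps=SAMPLE_TPS, links=SAMPLE_LINKS):
    """Canonical serialisation: sorted keys make the file diffable across builds."""
    return json.dumps(build_bundle(tps, links), sort_keys=True, indent=2)
```

Two consequences worth checking in any consumer: the bundle id changes whenever the set of objects changes (by design, since it hashes the sorted member ids), and the `modified` timestamp must be bumped only when content actually changes, or TIPs that version by `modified` will treat every nightly export as a new revision.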

MISP Galaxy & Feed

A subscribable MISP galaxy with 89 cluster entries cross-referenced to MITRE ATT&CK, plus a per-TP event feed at database/misp-feed/. Point your MISP instance feed URL to database/misp-feed/manifest.json on the GitHub Pages site.

TAXII 2.1 Endpoints

Static TAXII 2.1-compatible files at api/taxii/ with 3 collections:

  1. Threat paths (as attack-pattern SDOs)
  2. Detection rules (as course-of-action SDOs)
  3. Baselines (linked to TPs via baseline_ids for benchmarking)

Compatible with MISP, OpenCTI, ThreatConnect, and other TIPs. Configure your TIP with the TAXII root at api/taxii/discovery.json. Because the files are static, the endpoints are read-only and return whole collections: server-side filtering (added_after, match[...]) and pagination (next) are not available, so clients should fetch each collection in full and filter locally.
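Hosting TAXII 2.1 as static files means generating, ahead of time, every resource a client would otherwise request from a server: a Discovery resource, an API Root, a Collections list, and per-collection Envelope and Manifest resources. The following is an added example, not FLAME's export_taxii.py: it builds that file set in memory for the three collections above. The directory layout under api/taxii/, the collection-id namespace and the placeholder attack-pattern object are assumptions; the resource shapes follow the TAXII 2.1 specification.

```python
"""Static TAXII 2.1 file layout (added example, not FLAME's export_taxii.py).
Collection ids are UUIDv5 from an assumed namespace; the embedded object is a
constructed placeholder, not a real FLAME export."""
import json
import uuid

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
NS = uuid.uuid5(uuid.NAMESPACE_DNS, "taxii.flame.example.invalid")  # assumed

# (slug, description): mirrors the three collections listed above.
COLLECTIONS = [
    ("threat-paths", "FLAME threat paths as attack-pattern SDOs"),
    ("detection-rules", "Detection rules as course-of-action SDOs"),
    ("baselines", "Baselines linked to TPs via baseline_ids"),
]

# Constructed placeholder so the threat-paths envelope is non-empty.
SAMPLE_OBJECTS = {
    "threat-paths": [{
        "type": "attack-pattern", "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid5(NS, 'TP-0001')}",
        "created": "2026-05-01T00:00:00.000Z", "modified": "2026-05-01T00:00:00.000Z",
        "name": "Treasury Management ATO via Malvertising",
        "external_references": [{"source_name": "FLAME", "external_id": "TP-0001"}],
    }],
}


def collection_id(slug):
    """Stable collection id: TIPs key subscriptions on it, so it must not drift."""
    return str(uuid.uuid5(NS, f"collection|{slug}"))


def build_static_taxii(base_url, objects_by_slug=SAMPLE_OBJECTS):
    """Return {relative path: resource dict} ready to be written to a static host."""
    root = f"{base_url.rstrip('/')}/api/taxii/"
    files = {
        "api/taxii/discovery.json": {            # Discovery resource
            "title": "FLAME TAXII 2.1",
            "description": "Static, read-only TAXII 2.1 server",
            "default": root,
            "api_roots": [root],
        },
        "api/taxii/index.json": {                # API Root resource
            "title": "FLAME",
            "versions": [TAXII_MEDIA],
            "max_content_length": 10_485_760,
        },
        "api/taxii/collections/index.json": {"collections": []},
    }
    for slug, desc in COLLECTIONS:
        cid = collection_id(slug)
        files["api/taxii/collections/index.json"]["collections"].append({
            "id": cid, "title": slug, "description": desc,
            "can_read": True, "can_write": False,   # static files are never writable
            "media_types": [STIX_MEDIA],
        })
        objs = objects_by_slug.get(slug, [])
        # Envelope resource; `more` is always false because a static host cannot page.
        files[f"api/taxii/collections/{cid}/objects/index.json"] = {
            "more": False, "objects": objs}
        # Manifest resource: one record per object, version == modified timestamp.
        files[f"api/taxii/collections/{cid}/manifest/index.json"] = {
            "more": False,
            "objects": [{"id": o["id"], "date_added": o["created"],
                         "version": o["modified"], "media_type": STIX_MEDIA}
                        for o in objs]}
    return files


def render(files):
    """Serialise every resource; sorted keys keep the published tree diffable."""
    return {path: json.dumps(res, indent=2, sort_keys=True) for path, res in files.items()}
```

One operational caveat follows from `can_write: False` and the fixed `more: False`: a static host can publish but never accept, and a client that sends `?added_after=` will get the whole collection back regardless, so scheduled pulls should be sized for the full bundle rather than a delta.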

Sigma Detection Packs

221 detection rules exported to Splunk SPL, Elasticsearch EQL, Microsoft Sentinel KQL, and CrowdStrike CQL. Detection packs are now maintained in flame-detections.

RSS Feed

Auto-generated RSS 2.0 feed at database/feed.xml with threat paths. Auto-discovery enabled in index.html.

Static JSON API

RESTful JSON endpoints at api/v1/:

GET /threat-paths.json              All TPs with metadata
GET /threat-paths/TP-XXXX.json      Individual TP details
GET /baselines.json                 All baselines
GET /coverage-matrix.json           Coverage analysis matrix
GET /stats.json                     Aggregate statistics
GET /taxonomy.json                  Master taxonomy

Regulatory Compliance

31 regulatory requirements and reference frameworks across 7 jurisdictions (EU, UK, US, Singapore, Australia, Africa, International) are mapped to relevant threat paths via regulatory_refs frontmatter. The list includes PSD3 SCA, UK PSR APP, FinCEN AML/BSA, FATF R16, FATF Stablecoins 2026, MAS SRF, FFIEC Auth, DORA, UNODC Organized Fraud, STIX-FCI, MITRE F3, EBA Fraud Taxonomy v5.0, NRF Retail Fraud Taxonomy, and industry references such as CrowdStrike GTR 2026 and the World Cybercrime Index.

Automated regulatory intelligence fetched 2x daily from 6 government sources:

Source Agency
OFAC Treasury Dept -- Sanctions List
FinCEN Financial Crimes Enforcement Network
SEC Securities and Exchange Commission
OCC Office of the Comptroller of the Currency
FBI IC3 Internet Crime Complaint Center
CFPB Consumer Financial Protection Bureau

MCP Server

FLAME includes a Model Context Protocol (MCP) server that exposes fraud intelligence through 6 tools, enabling AI assistants like Claude to query threat paths, framework mappings, and coverage assessments conversationally.

Tool Description
search_threat_paths Search by keyword, sector, fraud type, CFPF phase, infrastructure method, geopolitical timing, or nation-state nexus
get_threat_path Get full details of a specific threat path
map_framework Get framework-specific mappings (cfpf, mitre, groupib, ft3, ucff)
assess_coverage Assess fraud detection coverage by sector and fraud type
get_baseline Get fraud baseline measurements for benchmarking
look_left_right Analyze upstream/downstream threat relationships (CFPF Look Left/Right)

Example queries an AI assistant can answer via the MCP server:

  • "What fraud schemes target the insurance sector?"
  • "Which fraud types map across all 7 frameworks?"
  • "What MITRE ATT&CK techniques map to TP-0007?"
  • "Assess my coverage for banking account-takeover and wire-fraud"
  • "What threat paths feed into TP-0011?"
  • "Which threat paths involve RDGA infrastructure?"
  • "What is the UCFF maturity requirement for TP-0034?"

Running the MCP server

python -m mcp_server.server

Claude Desktop integration

Add the following to your Claude Desktop claude_desktop_config.json:

{
  "mcpServers": {
    "flame-fraud": {
      "command": "python",
      "args": ["-m", "mcp_server.server"],
      "cwd": "/path/to/flame-fraud"
    }
  }
}

CI/CD Pipeline

FLAME uses 7 GitHub Actions workflows for full automation:

| Workflow | Trigger | Purpose |
|---|---|---|
| build-and-deploy.yml | Push to main | Run tests, validate TPs, rebuild database, export all artifacts, deploy to Pages |
| validate-pr.yml | Pull request | Validate changed submissions against schema and taxonomy |
| ai-intake.yml | Issue labeled `submission` | AI-generated threat path draft from URL via Claude |
| generate_threat_path.yml | Triggered by ai-intake | Generate TP markdown from AI output |
| peer-review.yml | Label changes | Route submissions: submitted → under-review → approved → published |
| fetch-regulatory.yml | 2x daily (6 AM + 6 PM UTC, weekdays) | Fetch alerts from 6 government regulatory sources |
| update-database.yml | On demand | Force database rebuild with latest regulatory data |

Security scanning: The CI pipeline includes Bandit SAST (static application security testing), pip-audit (dependency vulnerability scanning), and Ruff (linting and code quality). These run on every PR and push to main.


Quick Start

Browse online

Visit the FLAME platform.

Run locally

git clone https://github.com/elchacal801/flame-fraud.git
cd flame-fraud
pip install -r requirements.txt
python scripts/build_database.py
python -m http.server 8000
# Open http://localhost:8000

Export all artifacts

python scripts/export_flame_stix.py    # STIX 2.1 bundle
python scripts/export_misp.py          # MISP galaxy & feed
python scripts/export_taxii.py         # TAXII 2.1 endpoints
# Sigma detection packs are now in flame-detections repo

Run the MCP server

python -m mcp_server.server

Subscribe via MISP

Point your MISP instance feed URL to database/misp-feed/manifest.json on the GitHub Pages site.

Subscribe via TAXII

Configure your TIP with the TAXII root at api/taxii/discovery.json on the GitHub Pages site.

Validate a submission

python scripts/validate_submission.py ThreatPaths/TP-0001-treasury-mgmt-ato-malvertising.md

Run tests

pytest tests/ -v

Contributing

FLAME is community-driven. Contributions of threat paths, detection rules, baselines, and emulation playbooks are welcome from practitioners across all financial sectors.

Three ways to contribute

  1. AI-Assisted Intake (recommended) -- Open an Issue with the Intel Submission template, paste a URL to a fraud advisory or report, and the AI pipeline generates a structured threat path draft for review. Because the draft is produced from untrusted web content, it is treated as unreviewed input: it lands as a pull request and goes through the same schema validation and label-driven peer review as a manual submission before it can be published.

  2. Web submission form -- Use the Contribute page with live preview and pre-filled GitHub Issue generation.

  3. Manual PR -- Fork the repo, copy the appropriate template from Templates/, fill in all sections, and submit a pull request.

Peer review workflow

Submissions follow a label-driven lifecycle: submitted → under-review → approved → published. All PRs are automatically validated against the schema and taxonomy. Contributors are tracked on the leaderboard.

See CONTRIBUTING.md for full guidelines, frontmatter requirements, and quality standards.


Testing

FLAME includes 217 tests across the full pipeline:

pytest tests/ -v

Test coverage includes: database build pipeline, STIX 2.1 export, MISP galaxy generation, TAXII 2.1 endpoint generation, MCP server tools, submission validation, emulation playbook validation, regulatory data fetching (6 sources), regulatory models and serialization, PDF parsing, RSS feed generation.


Operational Evidence

Threat paths can include an Operational Evidence section linking real-world investigation findings to the fraud lifecycle. Evidence entries follow the format EV-[TP-ID]-[YYYY]-[NNN] and are parsed into:

  • flame-content/TP-XXXX.json -- full evidence array per threat path
  • flame-index.json -- evidence_count per entry
  • flame-evidence-index.json -- cross-TP evidence listing for deduplication

Evidence is currently sourced from the domain_intel investigation pipeline.
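The three artifacts above imply a small parser with one check worth making explicit: an evidence id embeds its owning TP, so an EV-TP-0001-… entry found inside TP-0002's file is a filing error, and the cross-TP index is where the same indicator surfacing under two threat paths becomes visible. The following is an added example, not FLAME's parser: the EV-[TP-ID]-[YYYY]-[NNN] id format is the README's; the bullet layout `- EV-… | key: value | …`, the field names, and the defanged placeholder domains in the constructed markdown are assumptions.

```python
"""Parse Operational Evidence entries into per-TP content, index counts and a
cross-TP listing (added example, not FLAME's parser). The id format is from the
README; the `- EV-... | key: value | ...` bullet layout is assumed."""
import re

EV_LINE = re.compile(r"^-\s+(EV-(TP-\d{4})-(\d{4})-(\d{3}))\s*\|\s*(.*)$")
EV_SECTION = re.compile(r"^## Operational Evidence\s*$(.*?)(?=^## |\Z)", re.M | re.S)

# Constructed markdown bodies; indicators are placeholders in defanged form.
SAMPLE = {
    "TP-0001": """## Summary
Malvertising lures treasury users to a credential-phishing page.
## Operational Evidence
- EV-TP-0001-2026-001 | date: 2026-02-14 | indicator: treasury-login[.]example | source: domain_intel
- EV-TP-0001-2026-002 | date: 2026-03-02 | indicator: wire-portal-auth[.]example | source: domain_intel
## Detection
See flame-detections.
""",
    "TP-0002": """## Operational Evidence
- EV-TP-0002-2026-001 | date: 2026-03-05 | indicator: treasury-login[.]example | source: domain_intel
""",
}


def parse_evidence(tp_id, markdown):
    """Evidence entries for one TP; an entry that names another TP is an error."""
    section = EV_SECTION.search(markdown)
    if not section:
        return []
    entries = []
    for line in section.group(1).splitlines():
        m = EV_LINE.match(line.strip())
        if not m:
            continue  # prose inside the section is ignored, only EV bullets count
        ev_id, owner, year, seq, rest = m.groups()
        if owner != tp_id:
            raise ValueError(f"{ev_id} is filed under {tp_id} but names {owner}")
        fields = {}
        for kv in rest.split("|"):
            key, sep, val = kv.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        entries.append({"id": ev_id, "year": int(year), "seq": int(seq), **fields})
    return entries


def build_evidence_artifacts(files):
    """files: {TP id: markdown}. Returns the per-TP content arrays, the
    evidence_count per index entry, and the cross-TP listing keyed by indicator."""
    content, counts, by_indicator = {}, {}, {}
    for tp_id, md in files.items():
        evs = parse_evidence(tp_id, md)
        content[tp_id] = evs
        counts[tp_id] = len(evs)
        for ev in evs:
            if "indicator" in ev:
                by_indicator.setdefault(ev["indicator"], []).append(ev["id"])
    # Indicators seen under more than one TP are the dedup / merge candidates.
    shared = {ind: ids for ind, ids in by_indicator.items() if len(ids) > 1}
    return {"content": content, "evidence_count": counts,
            "evidence_index": by_indicator, "shared": shared}
```

The `shared` map is the actionable output: treasury-login[.]example appearing under both TP-0001 and TP-0002 either means the two threat paths share infrastructure (worth a relationship edge) or that one entry was filed under the wrong scheme, and a reviewer should decide which before the next build publishes both.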


Documentation


Related Projects

  • flame-detections -- Open-source fraud detection rule pack built on FLAME taxonomy. Detection rules are being decoupled from this repo for independent quality and contribution cadence.

Roadmap

  • MITRE F3 mapping -- Completed April 2026 (72/89 TPs mapped)
  • Detection rule decoupling -- Completed May 2026: 221 rules in flame-detections
  • Threat path matrix view -- Completed May 2026: ATT&CK-style matrix with 11 fraud families, sector tabs, short-name chips
  • STIX SCO extensions -- Observable-level extensions for fraud indicators
  • Expanded emulation playbooks -- Coverage for remaining threat path categories
  • Community growth -- Industry partnerships and contributor onboarding

Credits

  • HEARTH / THOR Collective -- Architectural model and inspiration
  • FS-ISAC CFPF Working Group -- Primary fraud lifecycle framework
  • Group-IB -- Fraud Matrix 2.0 stage names and UCFF governance domains referenced for cross-taxonomy interoperability
  • Stripe -- FT3 (MIT-licensed) taxonomy structure
  • MITRE -- ATT&CK framework; F3 Fight Fraud Framework (shipped April 2026, mapped to 72/89 TPs)
  • FBI IC3 -- 2025 Internet Crime Report ($20.877B losses) enriching 17 TPs with updated statistics
  • OASIS -- STIX 2.1 and TAXII 2.1 specifications
  • Recorded Future -- Source intelligence for payment fraud threat paths (TP-0035 -- TP-0039)
  • LexisNexis Risk Solutions -- Global State of Fraud 2026 intelligence (TP-0040 and enhancements)
  • World Cybercrime Index -- Bruce et al. (2024) PLoS ONE geographic cybercrime attribution data (BL-0036 and geopolitical TP enrichments)

License

MIT License. See LICENSE.
