August 31, 2025 in activity reports by Esther Onfroy6 minutes
PiRogue Tool Suite (PTS) provides a platform combining analysis tools, knowledge management, incident response management and artifact management, which allows civil society organizations with limited resources to equip themselves at a low cost. The project consists of an open source tool suite that provides a comprehensive mobile device forensics and digital investigations platform.
This month, we made significant progress toward interoperability by developing a Python package that enables seamless conversion of threat intelligence data between Colander, MISP, STIX 2, and Threatr formats, laying the groundwork for easier data exchange with industry-standard tools. These advancements will soon allow users to import threat data directly from MISP servers and export Colander cases back into MISP, greatly enhancing collaboration and flexibility for organizations using PTS. Looking ahead, these improvements will empower our users to integrate PTS more effectively into their workflows, streamline investigations, and foster broader knowledge sharing across the threat intelligence community.
You can find more details about the different activities in the project roadmap.
The project seeks to enhance interoperability by enabling the import and export of knowledge in industry-standard formats. This includes batch importing of knowledge, data interchange in MISP format, and support for user-defined templates to generate custom knowledge feeds. PTS users must have the freedom to move their data and findings to and from other tools such as OpenCTI or MISP.
colander_data_converter is a Python library that enables interoperability between cyber threat intelligence (CTI) platforms by converting structured threat data between different formats, notably MISP, STIX 2.1, and Colander. The Colander data format is an opinionated format focused on usability and interoperability.
It supports conversion between MISP, STIX 2.1, and Colander data formats. Check out the conversion matrix for more details. Data can be exported in CSV, Mermaid and Graphviz DOT formats. The library also supports user-defined templates.
One of the main objectives of this project is to minimize the loss of information between data formats. To improve MISP support, two new objects will be added to the MISP data model to carry Colander Events and Colander Data Fragments. Check out the definition of these new MISP objects for more details.
This project is fully documented and tested, with more than 90% code coverage.
We warmly thank Raphaël Vinot from CIRCL and Yoyodyne IT for their invaluable help.
⚠️ This project is currently under active development and is not suitable for production use. Breaking changes may occur without notice. A stable release will be published to PyPI once development stabilizes.
We will continue to improve support for the MISP and STIX 2.1 data formats, publish the first stable release of this project and integrate it into Colander.
Documenting the project is key in its usability. We are continuously documenting the different tools and features we develop and build new learning materials to facilitate skills development.
Nothing significant has been achieved this month.
We will continue to improve the project documentation to accurately reflect ongoing changes and updates.
We manufacture PiRogues to supply organizations, and take care of their maintenance. This includes OS upgrades, documentation improvements and bug fixes. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation and fix bugs.
The package pirogue-evidence-collector has been released in version 1.0.5. This version retrieves the Frida server release directly by tag name instead of listing the n latest ones.
The package pcapng-utils has been released in version 1.0.10. This version adds an option to set an arbitrary time shift. If there is a systematic offset between socket-operation timestamps and network-traffic timestamps, the user may pass the --time-shift SECONDS flag to account for it. Socket-operation timestamps come from the phone's clock, whereas network-traffic timestamps come from the PiRogue's clock, and the two may be desynchronized. A positive shift means the network-traffic timestamps (PiRogue) were earlier than the socket-operation timestamps (phone).
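To make the sign convention concrete, here is an added illustration (not pcapng-utils code) that estimates the phone-vs-PiRogue clock offset from connect()/SYN pairs and then attributes captured packets to the process that opened each flow. The SocketOp and Packet records, the sample data and the matching windows are constructed for the example; the reading "positive shift means phone_time ≈ pirogue_time + shift" is my interpretation of the sentence above.

```python
"""Correlating phone-side socket operations with PiRogue-side packets when
the two clocks are offset.  Added illustration, not code from pcapng-utils;
all data below is constructed.  Sign convention taken from the report: a
positive shift means the PiRogue (capture) clock was behind the phone clock,
i.e.  phone_time ~= pirogue_time + shift.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class SocketOp:
    ts: float   # seconds, phone clock (e.g. from a connect() hook)
    pid: int
    dst: str    # "ip:port"


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds, PiRogue clock (pcap timestamp)
    dst: str
    syn: bool   # first packet of the TCP flow


# Constructed sample: the phone clock runs about 2 s ahead of the PiRogue clock.
SOCKET_OPS = [
    SocketOp(1000.10, 4242, "203.0.113.10:443"),
    SocketOp(1003.55, 4242, "198.51.100.7:443"),
    SocketOp(1009.00, 5150, "192.0.2.33:8080"),
]
PACKETS = [
    Packet(998.12, "203.0.113.10:443", True),
    Packet(998.40, "203.0.113.10:443", False),
    Packet(1001.57, "198.51.100.7:443", True),
    Packet(1007.03, "192.0.2.33:8080", True),
    Packet(1007.50, "192.0.2.33:8080", False),
]


def estimate_shift(ops, packets):
    """Estimate the offset as the median of (phone - PiRogue) over
    connect()/SYN pairs to the same destination.  The median tolerates a few
    bad pairs, but it assumes one flow per destination in the window;
    otherwise the nearest SYN may belong to a different flow."""
    diffs = []
    for op in ops:
        syns = [p for p in packets if p.syn and p.dst == op.dst]
        if syns:
            nearest = min(syns, key=lambda p: abs(op.ts - p.ts))
            diffs.append(op.ts - nearest.ts)
    if not diffs:
        raise ValueError("no connect()/SYN pair to estimate the shift from")
    return median(diffs)


def correlate(ops, packets, shift=0.0, tolerance=0.5, max_age=5.0):
    """Attribute packets to the process that opened the flow.

    A packet goes to the latest socket op with the same destination whose
    timestamp is at most `tolerance` seconds after the shifted packet time
    (clock jitter) and at most `max_age` seconds before it (flow lifetime).
    Returns {packet index: pid}; unmatched packets are omitted.
    """
    result = {}
    for i, p in enumerate(packets):
        corrected = p.ts + shift          # move the packet onto the phone clock
        candidates = [op for op in ops
                      if op.dst == p.dst
                      and -tolerance <= corrected - op.ts <= max_age]
        if candidates:
            result[i] = max(candidates, key=lambda op: op.ts).pid
    return result


if __name__ == "__main__":
    shift = estimate_shift(SOCKET_OPS, PACKETS)
    print(f"estimated --time-shift: {shift:.2f} s")
    print("without shift:", correlate(SOCKET_OPS, PACKETS))
    print("with shift:   ", correlate(SOCKET_OPS, PACKETS, shift))
```

Without the shift, every packet appears to predate the connect() that created it and nothing is attributed; with the estimated offset all five packets map to a PID. The estimate is what you would pass as `--time-shift SECONDS`, after checking the tool's documentation that its sign convention matches the one assumed here.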
We will continue the maintenance of the tools, the Debian packages we maintain and the Colander ecosystem.
Given the success of events, webinars and demos with members of civil society, NGOs and security researchers, we continue with our outreach plan. We organize trainings and demonstration sessions, and create spaces for the community to share feedback and request new features via our mailing list, GitHub issues or Discord server. Each month we analyze one Android app of interest to the community (e.g. the COP28 app); the application is chosen by the community. The analysis report is first shared privately with the community and publicly released one month later.
We organize monthly calls open to all members of the community to share project updates and get the community’s feedback.
At the request of the community, the analysis report of the Android application we analyzed this month will not be published on our website; it will be shared under TLP:AMBER+STRICT.
We will attend the Global Gathering in Estoril from September 8–10 and have a booth. Come by: the main PTS developer, along with an information security expert, will be there to explain how it works and answer technical questions.
We have held several meetings with organizations to better understand their needs in terms of interoperability between MISP and Colander. This allowed us to talk with CiviCERT member organizations, as well as CiviCERT's threat analyst. Two use cases emerged from these discussions. First, organizations urgently need a simple way to query a MISP server to retrieve threat intelligence about an observable (IP address, domain name, etc.). Second, since MISP is widely used for information sharing, organizations that have adopted Colander need to publish their IOCs in MISP in order to share them with the rest of their community.
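The two use cases above (look up an observable in MISP; publish Colander IOCs to MISP) and the information-loss concern raised in the colander_data_converter section both come down to the same mapping between an observable record and a MISP attribute. The following is an added illustration, not colander_data_converter code and not Colander's real schema: the Observable class, the MISP_TYPE table and the sample case are my own stand-ins, while the MISP side follows the public MISP event JSON layout. It shows the export, an offline stand-in for the lookup, and the round trip that makes the lost fields visible.

```python
"""Mapping a simplified Colander-style observable into a MISP event and
back, while accounting for what the mapping cannot carry.  Added
illustration: Observable, MISP_TYPE and CASE are stand-ins, not Colander's
schema nor colander_data_converter's API.  The MISP side follows the MISP
event JSON layout: {"Event": {"info", "Attribute": [{"type", "value",
"category", "to_ids", "Tag": [...]}, ...]}}.
"""
import json
import uuid
from dataclasses import dataclass, field


@dataclass
class Observable:
    kind: str                 # "ipv4", "domain", "sha256", ...
    value: str
    tlp: str = "amber"
    malicious: bool = False
    extra: dict = field(default_factory=dict)  # fields with no MISP attribute slot


# Observable kind -> (MISP attribute type, MISP category).  Deliberately partial.
MISP_TYPE = {
    "ipv4":   ("ip-dst", "Network activity"),
    "domain": ("domain", "Network activity"),
    "sha256": ("sha256", "Payload delivery"),
}

# Constructed sample case.
CASE = [
    Observable("ipv4", "203.0.113.10", malicious=True, extra={"asn": "AS64496"}),
    Observable("domain", "c2.example.net", malicious=True),
    Observable("android-package", "com.example.spy"),   # no MISP mapping in this table
]


def to_misp_event(info, observables, tlp="amber"):
    """Return (event, lost).  `lost` lists (value, field) pairs that the MISP
    attribute cannot carry, so the caller can report them rather than
    silently dropping them."""
    attrs, lost = [], []
    for o in observables:
        if o.kind not in MISP_TYPE:
            lost.append((o.value, "kind:" + o.kind))
            continue
        misp_type, category = MISP_TYPE[o.kind]
        attrs.append({
            "uuid": str(uuid.uuid4()),
            "type": misp_type,
            "category": category,
            "value": o.value,
            "to_ids": o.malicious,     # only confirmed-malicious values feed IDS exports
            "Tag": [{"name": "tlp:" + o.tlp}],
        })
        lost.extend((o.value, k) for k in o.extra)
    event = {"Event": {
        "uuid": str(uuid.uuid4()),
        "info": info,
        "distribution": 0,             # 0 = your organisation only; widen deliberately
        "Tag": [{"name": "tlp:" + tlp}],
        "Attribute": attrs,
    }}
    return event, lost


def lookup(event, value):
    """Offline stand-in for asking a MISP server about one observable value."""
    return [a for a in event["Event"]["Attribute"] if a["value"] == value]


def from_misp_event(event):
    """Reverse mapping.  Attribute types outside MISP_TYPE are dropped and
    `extra` cannot be recovered, so the loss is visible on the round trip."""
    by_misp_type = {t: kind for kind, (t, _) in MISP_TYPE.items()}
    out = []
    for a in event["Event"]["Attribute"]:
        if a["type"] not in by_misp_type:
            continue
        tlp = next((t["name"][4:] for t in a.get("Tag", [])
                    if t["name"].startswith("tlp:")), "amber")
        out.append(Observable(by_misp_type[a["type"]], a["value"],
                              tlp=tlp, malicious=bool(a.get("to_ids", False))))
    return out


if __name__ == "__main__":
    event, lost = to_misp_event("Sample case", CASE)
    print(json.dumps(event, indent=2))
    print("not representable in MISP:", lost)
    print("round trip:", from_misp_event(event))
```

Two design points matter for sharing: the event defaults to distribution 0 (your organisation only) so that widening the audience is an explicit decision, and `to_ids` is set only from a confirmed-malicious flag, because peers may turn `to_ids` attributes straight into IDS rules. The `lost` list is the part a converter should surface to the user when it cannot avoid dropping fields.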
The next PTS community meeting will happen on Sep. 26 at 2pm CET, join us on Google Meet.
We will continue with our recurring activities.
We are continuing the implementation of the working plan with The Engine Room.
We are awaiting the final decision on our proposal to NLnet's NGI MobiFree program; our proposal to the Spyware Accountability Initiative has been rejected.
We are actively engaging with potential new partners and grant opportunities. However, the landscape is competitive, and the timeline for securing such support is often lengthy and uncertain. While we are doing our utmost to navigate this period and find new financial backing, the future remains precarious. If PTS is a valuable asset in your work, if it helps you conduct crucial investigations, research, or defend digital rights, we now earnestly ask for your support.
We will continue with our recurring activities.