H-ARMOR
Connecting cyber and information-operations defenders for actionable
disruption
Different communities. Same threat actors. Shared infrastructure
H-ARMOR is a CyberPeace Institute initiative that helps cyber defenders and
FIMI/information operations investigators across civil society and the
public and private sectors move from exposure to disruption by working on
the technical infrastructure and digital assets that enable hybrid operations
and that compose the technical layer of Information Manipulation Systems.
What H-ARMOR is / is not
H-ARMOR is
- A capacity-building + coordination framework built around real hybrid cases.
- A living lab focused on the infrastructure layer (domains, hosting,
  registrars, IP space, payment rails) where disruption is measurable and less
  polarising than content debates.
H-ARMOR is not
- Another monitoring network, dashboard, or “new platform” duplicating
  what already exists.
- A content moderation or fact-checking initiative.
Why this is different
Most hybrid-threat work still over-indexes on exposure. H-ARMOR is built for
operational disruption: evidence is collected and structured with
chain-of-evidence and handover pathways in mind, so outputs can travel into
enforcement and accountability channels (including credible engagement with
law enforcement) without requiring partners to reveal their underlying
datasets.
How it works: the H-ARMOR cycle (data → overlap → disruption)
How H-ARMOR works (a case-driven, evidence-ready cycle)
H-ARMOR turns messy, cross-domain reporting into machine-readable
infrastructure intelligence, so partners can detect reuse, build credible
evidence packages, and move faster from analysis to disruption.
1) Collect & standardise (EU-based, machine-readable)
We ingest public reporting and partner-safe indicators, then normalise them
into a tool-agnostic, machine-readable format (entities + relationships
across domains, hosting, registrars, IP space, payment rails).
2) LLM-assisted entity extraction (speed without losing traceability)
LLMs help extract and structure entities (domains, orgs, services, wallets,
aliases, infrastructure providers) from large volumes of with provenance preserved so every claim can be traced back to sources.
3) Federated overlap detection (Hit / No-Hit, data stays “at home”)
Participants keep sensitive data locally, but can answer a simple question:
“Do we see this entity: yes or no?” This reveals infrastructure reuse and
blind spots without centralising datasets.
4) Disruption pathway design (disruption is the KPI)
Because the KPI is disruption, not publication, the workflow is built
to produce actionable, structured evidence: registrar/hosting
interventions, takedown waves, sanctions enforcement pathways, and LEA-ready
referrals where appropriate.
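Steps 1 and 3 above, sketched as an added example that is not H-ARMOR's or the CyberPeace Institute's code: indicators are normalised to a canonical form, then each participant answers hit / no-hit over keyed digests of its own local set. The shared per-round key, the entity-type labels, the query budget and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

def normalise(indicator: str) -> tuple[str, str]:
    """Canonicalise a (possibly defanged) domain, IP or URL to (type, value)."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    host = urlsplit(s).hostname if "://" in s else s
    host = (host or "").rstrip(".").lower()
    try:
        return "ip-addr", str(ipaddress.ip_address(host))
    except ValueError:
        # Internationalised names compare equal only in their ASCII (IDNA) form.
        return "domain-name", host.encode("idna").decode("ascii")

def token(round_key: bytes, indicator: str) -> str:
    """Keyed digest of the normalised entity; the raw value is never sent."""
    etype, value = normalise(indicator)
    return hmac.new(round_key, f"{etype}\x00{value}".encode(), hashlib.sha256).hexdigest()

class Responder:
    """One participant: indicators stay local, only booleans leave."""
    def __init__(self, round_key: bytes, local_indicators, max_queries: int = 100):
        self._index = {token(round_key, i) for i in local_indicators}
        self._budget = max_queries  # caps enumeration of the local set by guessing

    def answer(self, query_token: str) -> bool:
        if self._budget <= 0:
            raise PermissionError("query budget exhausted for this round")
        self._budget -= 1
        return query_token in self._index

def overlap(round_key: bytes, indicator: str, responders: dict) -> dict:
    """Ask every participant the same hit / no-hit question."""
    q = token(round_key, indicator)
    return {name: r.answer(q) for name, r in responders.items()}

# Constructed sample data (documentation domains and address ranges only).
ROUND_KEY = b"constructed-demo-key-rotate-per-round"
def demo() -> dict:
    responders = {
        "org_a": Responder(ROUND_KEY, ["news-mirror.example", "192.0.2.10"]),
        "org_b": Responder(ROUND_KEY, ["shop.example", "198.51.100.7"]),
    }
    return overlap(ROUND_KEY, "hxxps://News-Mirror[.]example./article?id=1", responders)

if __name__ == "__main__":
    print(demo())
```

Anyone holding the round key can test guesses against a token, so this keeps datasets from being handed over in bulk but does not hide a query from the responder; private set intersection, as mentioned for ANONYM, is the stronger construction.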
“Under the hood” callout
H-ARMOR outputs are machine-readable and interoperable, so teams can
plug them into existing CTI/FIMI workflows (e.g., OpenCTI-style pipelines)
rather than adopting “yet another platform.”
The data cycle is designed for EU hosting and EU legal constraints,
minimising unnecessary data movement and keeping sensitive material under
participant control through federated comparison.
Builds on existing experience
H-ARMOR builds on our proven experience: CyberPeace Tracer’s AI-powered,
structured tracking of cyber threats affecting civil society; ANONYM’s
privacy-preserving cross-matching of indicators using
private-set-intersection/homomorphic-encryption, so organisations can detect
shared infrastructure without exposing their datasets; and the Cyber attacks
in times of conflict (#Ukraine) platform’s attack analysis for legal
accountability and harm tracing. It combines scalable data engineering with
evidence-ready analytical practice designed for disruption.
What’s been done + what comes next
What we’ve done so far
- Convened working sessions to validate and operationalise three core outputs:
  a Disruption Framework, a Hit/No-Hit Overlap Finder concept, and
  secure information-sharing mechanisms.
- Ran Action Days (Geneva, 29–30 Sep 2025; Brussels, 21 Oct 2025) to align on
  workflows across evidence handling, tooling, disruption objectives, and
  sustainability.
- Advanced a first set of pilot directions, including overlap testing on a
  widely studied hybrid case and a sanctions-linked infrastructure
  proof-of-concept track (presented as methodology, not enforcement claims).
What we’re building next
- A draft, shareable Disruption Framework for hybrid operations (cyber +
  influence) that translates disruption logic from cybercrime into FIMI
  workflows.
- A manual Overlap Finder proof-of-concept (lean, privacy-preserving,
  interoperable with CTI workflows like MISP/OpenCTI in principle).
- A community operating model: secure collaboration patterns,
  evidence/chain-of-custody alignment, and clearer handover pathways to
  infrastructure providers and LEA-facing partners.
For potential partners/funders
“Contact us to discuss collaboration” (simple form/email; don’t describe tools
deployment, only the collaboration concept)
Who it’s for, what “joining” means, and a contact CTA; keep it high-level,
“curated community of practice,” no operational access promises.