H‑ARMOR

Connecting cyber and information-operations defenders for actionable disruption

Different communities. Same threat actors. Shared infrastructure

H-ARMOR is a CyberPeace Institute initiative that helps cyber defenders and FIMI/information operations investigators across civil society and the public and private sectors move from exposure to disruption. It does so by working on the technical infrastructure and digital assets that enable hybrid operations and that compose the technical layer of Information Manipulation Systems.

What it is / is not

H-ARMOR is

A capacity-building + coordination framework built around real hybrid cases.

A living lab focused on the infrastructure layer (domains, hosting, registrars, IP space, payment rails) where disruption is measurable and less polarising than content debates.

H-ARMOR is not

Another monitoring network, dashboard, or “new platform” duplicating what already exists.

A content moderation or fact-checking initiative.

Why this is different

Most hybrid-threat work still over-indexes on exposure. H-ARMOR is built for operational disruption: evidence is collected and structured with chain-of-evidence and handover pathways in mind, so outputs can travel into enforcement and accountability channels, including credible engagement with law enforcement, without requiring partners to reveal their underlying datasets.

How it works

The H-ARMOR cycle (data → overlap → disruption)

H-ARMOR turns messy, cross-domain reporting into machine-readable infrastructure intelligence, so partners can detect reuse, build credible evidence packages, and move faster from analysis to disruption.

1. Collect & standardise

EU-based, machine-readable

We ingest public reporting and partner-safe indicators, then normalise them into a tool-agnostic, machine-readable format (entities + relationships across domains, hosting, registrars, IP space, payment rails).

2. LLM-assisted entity extraction

Speed without losing traceability

LLMs help extract and structure entities (domains, orgs, services, wallets, aliases, infrastructure providers) from large volumes of with provenance preserved so every claim can be traced back to sources.

3. Federated overlap detection

Hit / No-Hit, data stays “at home”

Participants keep sensitive data locally, but can answer a simple question: “Do we see this entity: yes or no?” This reveals infrastructure reuse and blind spots without centralising datasets.

4. Disruption pathway design

Disruption is the KPI

Because the KPI is disruption, not publication, the workflow is built to produce actionable, structured evidence: registrar/hosting interventions, takedown waves, sanctions enforcement pathways, and LEA-ready referrals where appropriate.
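
The normalise step (1) and the Hit / No-Hit question (3) above, sketched as an added example that is not H-ARMOR's or the CyberPeace Institute's code: each participant canonicalises entities the same way and answers a keyed-digest query with a bare yes or no. The function names, the shared per-exercise key and the sample indicators are assumptions constructed for illustration; a shared-key HMAC is a simplification, not the private-set-intersection approach the page attributes to ANONYM.

```python
import hashlib
import hmac
import ipaddress


def normalise(kind: str, value: str) -> str:
    """Canonical form so the same entity compares equal across participants."""
    v = value.strip()
    if kind == "ip":
        # ipaddress collapses equivalent IPv6 spellings into one string
        return "ip:" + str(ipaddress.ip_address(v))
    if kind == "domain":
        # Undo common defanging, drop the root dot, lowercase, punycode IDNs
        v = v.replace("[.]", ".").rstrip(".").lower()
        return "domain:" + v.encode("idna").decode("ascii")
    raise ValueError(f"unsupported entity kind: {kind}")


def blind(key: bytes, kind: str, value: str) -> str:
    """Keyed digest of the canonical entity; the raw indicator is never sent."""
    msg = normalise(kind, value).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Participant:
    """Keeps its indicators locally and answers only hit / no-hit."""

    def __init__(self, key: bytes, indicators):
        self._index = {blind(key, kind, value) for kind, value in indicators}

    def answer(self, token: str) -> bool:
        # The only thing that leaves the participant is this boolean
        return token in self._index


def demo():
    # Assumption: a per-exercise key agreed out of band (constructed value)
    key = b"constructed-exercise-key"
    # Constructed local holdings, written the way an analyst might record them
    org_b = Participant(key, [("domain", "News-Mirror.example."),
                              ("ip", "2001:0DB8:0:0:0:0:0:1")])
    # Constructed queries from another participant, in different spellings
    queries = [("domain", "news-mirror[.]example"),
               ("ip", "2001:db8::1"),
               ("domain", "unseen.example")]
    return [org_b.answer(blind(key, kind, value)) for kind, value in queries]


if __name__ == "__main__":
    print(demo())
```

Anyone holding the shared key can test guessed entities against a token they receive, which is the gap that private-set-intersection protocols are designed to close.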

Under the hood

Tool-agnostic by design

H-ARMOR outputs are machine-readable and interoperable, so teams can plug them into existing CTI/FIMI workflows (e.g., OpenCTI-style pipelines) rather than adopting “yet another platform.”

EU-based by default

The data cycle is designed for EU hosting and EU legal constraints, minimising unnecessary data movement and keeping sensitive material under participant control through federated comparison.

Builds on existing experience

H-ARMOR builds on our proven experience: CyberPeace Tracer’s AI-powered, structured tracking of cyber threats affecting civil society; ANONYM’s privacy-preserving cross-matching of indicators using private-set-intersection/homomorphic-encryption, so organisations can detect shared infrastructure without exposing their datasets; and the Cyber attacks in times of conflict (#Ukraine) platform’s attack analysis for legal accountability and harm tracing. It combines scalable data engineering with evidence-ready analytical practice designed for disruption.

What’s been done

  • Convened working sessions to validate and operationalise three core outputs: a Disruption Framework, a Hit/No-Hit Overlap Finder concept, and secure information-sharing mechanisms.
  • Ran Action Days (Geneva, 29–30 Sep 2025; Brussels, 21 Oct 2025) to align on workflows across evidence handling, tooling, disruption objectives, and sustainability.
  • Advanced a first set of pilot directions, including overlap testing on a widely studied hybrid case and a sanctions-linked infrastructure proof-of-concept track (presented as methodology, not enforcement claims).

What comes next

  • A draft, shareable Disruption Framework for hybrid operations (cyber + influence) that translates disruption logic from cybercrime into FIMI workflows.
  • A manual Overlap Finder proof-of-concept (lean, privacy-preserving, interoperable with CTI workflows like MISP/OpenCTI in principle).
  • A community operating model: secure collaboration patterns, evidence/chain-of-custody alignment, and clearer handover pathways to infrastructure providers and LEA-facing partners.
Contact us to discuss collaboration