Binary file modified docs/_static/attack-paths.png
4 changes: 2 additions & 2 deletions docs/developers.rst
@@ -191,7 +191,7 @@ The output of the command will look something like this:
:alt: A Navigator layer with the the Tesla flow rendered as an overlay.
:align: center

A Navigator layer with the the Tesa flow rendered as an overlay.
A Navigator layer with the the Tesla flow rendered as an overlay.

Generate schema documentation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
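Review bot: the caption on the corrected line still reads "with the the Tesla flow", and the same doubled "the" is in the ``:alt:`` text two lines above it; fix both to "A Navigator layer with the Tesla flow rendered as an overlay." so the spelling fix does not leave the duplicated word behind.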
@@ -413,7 +413,7 @@ The subcommand ``export-stix`` converts one or more ``.afb`` files to a STIX bun
...

The subcommand ``upgrade-v2`` converts one or more ``.afb`` files from Attack
Flow v2 format to v3 format. It renameds the existing file ``.afb`` file with an
Flow v2 format to v3 format. It renames the existing file ``.afb`` file with an
``.afb-v2`` extension so that you have a copy of the original. Then it upgrades
the file to v3 format and saves it back to its original path.

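Review bot: the corrected line still doubles "file" ("renames the existing file ``.afb`` file"); suggest "It renames the existing ``.afb`` file with an ``.afb-v2`` extension so that you have a copy of the original." The following sentence already explains that the upgraded v3 flow is written back to the original path, so nothing else needs to change.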
10 changes: 5 additions & 5 deletions docs/introduction.rst
@@ -91,7 +91,7 @@ Operator Objects
----------------

After a flow splits into parallel attack paths, **operators** combine them back
together. An OR operator means that only of the incoming attack paths needs to succeed
together. An OR operator means that only one of the incoming attack paths needs to succeed
in order to continue the flow, while an AND operator means that all of the incoming
attack paths must succeed in order to continue. The next example shows that the
adversary has two different techniques for pivoting into a different user account. If
@@ -117,15 +117,15 @@ is at that point in the flow.
A condition object clarifies how the actions before the operator are related to
the action after the operator.

Perhap the reader does not understand the consequences of dumping LSASS memory or how it
Perhaps the reader does not understand the consequences of dumping LSASS memory or how it
relates to the actions that come afterward. The condition clarifies that the adversary
is now able to pivot into a different user account.

.. warning::

It is possible to join paths together without using an operator by simplying pointing
It is possible to join paths together without using an operator by simply pointing
two arrows at a single action or condition. This approach is ambiguous because it's
not clear how the sucess or failure of those paths affects the outcome of the flow,
not clear how the success or failure of those paths affects the outcome of the flow,
but ambiguity may be appropriate in some circumstances, e.g. if the underlying CTI is
itself ambiguous.

@@ -189,7 +189,7 @@ In this example, the adversary attempts to steal a targeted user's credentials v
spearphishing. Since this technique relies evading email filtering and tricking users,
it is inherently unreliable. The condition object after spearphishing shows a decision
point for the adversary: if they obtained a credential then they can move on to logging
in with it. But if the spearphshing fails, then the adversary falls back to a password
in with it. But if the spearphishing fails, then the adversary falls back to a password
spraying technique in another attempt to obtain a valid credential.

Additional STIX Objects
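Review bot: the context line just above the change, "Since this technique relies evading email filtering and tricking users," is missing a preposition and should read "relies on evading email filtering"; since this hunk is already touching the paragraph, fold that fix in with the "spearphishing" correction.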
14 changes: 7 additions & 7 deletions docs/overview.rst
@@ -44,7 +44,7 @@ Attack Flow is designed to support many different use cases.
**Threat Intelligence**

CTI analysts can use Attack Flow to create highly detailed, behavior-based threat
intelligence products. The langauge is machine-readable to provide for interoperability
intelligence products. The language is machine-readable to provide for interoperability
across organizations and commercial tools. Users can track adversary behavior at the
incident level, campaign level, or threat actor level. Instead of focusing on indicators
of compromise (IOCs), which are notoriously inexpensive for the adversary to change,
@@ -71,7 +71,7 @@ that executives do not need to make a business decision. Defenders can use flows
communicate the impact of an attack in business terms (i.e. money) and make a convincing
case for new tools, personnel, or security controls to prioritize.

**Incident Reponse**
**Incident Response**

Incident responders can use Attack Flow to improve their incident response (IR) planning
and after-action review. After a security incident has occurred, responders can create
@@ -99,13 +99,13 @@ detailed timelines. Attack Flow can showcase the adversary tools and TTPs that a
used, which can help aid in writing detections against common behaviors and/or adversary
toolsets, as well as prioritizing those detections.

**Malaware Analysis**
**Malware Analysis**

Malware analysts typically use Attack Flow after they have analyzed samples to document behaviors they observed.
Malware analysts typically use Attack Flow after they have analyzed samples to document behaviors they observed.
They start with static analysis to examine the file's structure and potential obfuscation.
Next, they execute the sample in a controlled environment for dynamic analysis, observing its behavior and identifying
potential indicators of compromise. They then disassemble the code to understand its low-level operations and decode any
encrypted components. Finally, through detailed code reversing and behavioral analysis, analysts document their findings and
Next, they execute the sample in a controlled environment for dynamic analysis, observing its behavior and identifying
potential indicators of compromise. They then disassemble the code to understand its low-level operations and decode any
encrypted components. Finally, through detailed code reversing and behavioral analysis, analysts document their findings and
could generate reports with recommendations for enhancing defenses against similar cyber threats.

Get Started
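Review bot: apart from the "Malware Analysis" heading fix, the removed and re-added lines of the paragraph that follows ("Malware analysts typically use Attack Flow ..." through "... document their findings and") show no visible text change, so they are most likely whitespace-only edits; either drop them to keep the diff to the intended typo fix, or state in the commit message that trailing whitespace was stripped, so a reviewer does not have to diff the lines character by character. If the paragraph is being touched anyway, the last line's "could generate reports" reads more naturally as "can generate reports".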
2 changes: 1 addition & 1 deletion docs/usage_guides/best-practices.rst
@@ -33,7 +33,7 @@ require preconditions in between the actions.
relationship between is very obvious.

**End a flow with an Impact technique.** If the Impact is unknown, end the flow
with condition stating that the impact is unknown, along with any other relevant
with a condition stating that the impact is unknown, along with any other relevant
details.

Flow Data
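Review bot: the first context line of this hunk, "relationship between is very obvious.", is missing its object (the actions the relationship is between); suggest "relationship between them is very obvious." so the "with a condition" fix below it is not the only grammar fix left in this paragraph.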
2 changes: 1 addition & 1 deletion docs/visualization.rst
@@ -28,7 +28,7 @@ Attack Flow offers several tools for visualizing sequences of behaviors. The :do
<h4>Matrix View</h4>
</div>
</a>
<a class="gallery-item" href="#tactic-table">
<a class="gallery-item" href="#timeline-view">
<div class="image" style="background: url(../_static/attack-timeline.svg) center center;">
</div>
<div class="desc" >
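Review bot: the ``href`` change from ``#tactic-table`` to ``#timeline-view`` is consistent with the ``attack-timeline.svg`` thumbnail this gallery item uses, but the target section is not in the hunk; please confirm that a heading with the ``timeline-view`` id actually exists in ``visualization.rst`` (or add an explicit ``.. _timeline-view:`` label), otherwise the link silently becomes a dead fragment in the built HTML.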