How The DISARM Defence Tool Became a Global Weapon for Censorship
Why Its Power Demands Oversight
The DISARM framework was originally designed as a collaborative defense against disinformation and foreign information manipulation. However, it has quickly evolved into a powerful and interoperable system that can also be weaponized for censorship and suppression. When integrated with platforms like MISP (Malware Information Sharing Platform), DISARM’s technical architecture allows for automated, large-scale targeting of individuals, organizations, and narratives, often with minimal oversight or recourse for those who are affected.
This article traces the evolution, architecture, and real-world dangers of DISARM, drawing on research, technical documentation, and case studies (including insights from my previous article, “Cognitive Security in Ukraine”) to show how a tool meant for collective defence can become a digital guillotine.
Origins and Architecture: From AMITT to DISARM
The genesis of DISARM can be traced to the AMITT framework, developed by Sara-Jayne Terp and collaborators at a hybrid warfare workshop in 2018. Craig Newmark Philanthropies provided the foundational funding and vision for AMITT, supporting the MisinfoSec Standards Working Group and the Credibility Coalition as they formalized the first research, standards, and coalition-building efforts. This early support enabled AMITT to be piloted by organizations such as the UN, WHO, EU, and NATO, and to be built in synergy with MITRE’s ATT&CK framework.
As the project matured, the Alfred Landecker Foundation became a principal funder through Alliance4Europe, providing strategic and financial support for the technical scaling, institutionalization, and governance of DISARM. The Foundation’s backing enabled the expansion of DISARM’s training, community, and open-source infrastructure, helping transform it from a niche technical project into a widely adopted, community-driven standard.
Red Framework: Models disinformation creation and spread (e.g., “Amplify Existing Narrative,” “Distort Facts”).
Blue Framework: Catalogs countermeasures (e.g., “Deplatform Account,” “Shadow Ban Content”).
STIX Integration: Incidents, actors, and TTPs are encoded as STIX 2.1 objects, making them machine-readable and instantly shareable across platforms.
MISP Compatibility: DISARM is embedded in MISP, allowing for automated ingestion, sharing, and action on disinformation intelligence.
Timeline and Evolution of the DISARM Foundation
2017–2018:
Early work adapting infosec tools for disinformation began, involving Sara-Jayne Terp, JJ Snow, Pablo Breuer, and the SOFWERX team.
2018–2020:
The Credibility Coalition’s Misinfosec Working Group (MisinfosecWG) created the original DISARM frameworks. Key contributors included SJ Terp, Pablo Breuer, Christopher Walker (Marvelous.AI), John Grey (MentionMapp), and Roger Johnston, now known as Octavia Hexe.
2020–2022:
CogSecCollab maintained and updated the AMITT models. MITRE and Florida International University (FIU) developed the SPICE fork, which was later merged with AMITT to form DISARM. This period also saw real-world trials with the CTI League, NATO, and the EU.
2022–Present:
The DISARM Foundation was established as the independent steward of the framework, with support from Alliance4Europe and Public Democracy America. The Foundation manages the ongoing development, governance, and training ecosystem for DISARM, ensuring its open-source status and global accessibility.
Key Associates and Contributors
The DISARM framework is the product of a large, multi-year collaboration across the information security, research, and counter-disinformation communities. Notable associates and contributors include:
Sara-Jayne Terp (SJ Terp): Principal architect, original co-lead, and design authority.
Pablo Breuer: Current design authority and co-lead, instrumental in framework development.
Christopher Walker ("Walker"): Original co-lead (Marvelous.AI), led early development.
Jon Brewer: Key organizer and coordinator for framework governance.
Mark Finlayson: Led the SPICE framework at FIU, contributed to merging SPICE with AMITT/DISARM.
Roger Johnston: Joined after ATT&CKcon, contributed technical integrations and system connections, such as STIX and MISP.
Roger transitioned and became Octavia Hexe (VVX7): Technical contributor, active in open-source and security communities.
John Grey: Supported technical and community growth.
Adam Maunder: Contributor affiliated with the DISARM Foundation, involved in framework assessment, review, and ongoing development, including compatibility with frameworks like ABCDE and STIX.
Victoria Smith: Analyst, researcher, and founder of DisinfoDocket.
Stephen Campbell: Threat intelligence specialist.
Carl Miller: Technologist, journalist, and founder of CASM Technology.
Savina Koda and Daniel Sixto: FIU students, contributed to merging SPICE with AMITT/DISARM.
Omri Preiss: Managing director of Alliance4Europe, co-founder of the DISARM Foundation.
Organizational Involvement:
DISARM Foundation, current maintainer and coordinator
CogSecCollab, nonprofit, maintained and updated AMITT
MITRE Corporation, developed the SPICE fork
Florida International University (FIU)
Alliance4Europe, strategic and financial support
Public Democracy America, support for the Foundation
Alfred Landecker Foundation and Craig Newmark Philanthropies: Twin Pillars of Support
The development, testing, and deployment of DISARM have relied on two principal funders:
Craig Newmark Philanthropies provided the initial seed funding and support for AMITT, enabling the first research, standards, and community-building that led to DISARM’s creation.
Alfred Landecker Foundation enabled the technical expansion, scaling, and formal governance of DISARM through support for Alliance4Europe and the DISARM Foundation, ensuring the framework’s open-source, independent stewardship and broad accessibility.
Both organizations are recognized by the DISARM Foundation as core funders, each playing a distinct but complementary role in the framework’s evolution from inception to international deployment.
The SMIU in Munich: DISARM’s Overlooked Roots
A crucial but often overlooked part of DISARM’s story is its connection to the Social Media Intelligence Unit (SMIU) in Munich. According to investigative reporting in my previous article, SMIU operated as a nexus for social media surveillance, health disinformation analysis, and psychological operations. It was closely associated with James Patrick, Neal Rauhauser, and Libby Shaw, who together developed the NETWAR system.
Personnel and Intellectual Environment:
James Patrick’s company, SOCINT, is described as having “birthed the DISARM framework,” with SMIU’s operations and reports (such as Society Burning: Tactical Assessment, funded by Alliance4Europe) laying the groundwork for DISARM’s control tactics and NETWAR’s surveillance framework.
Funding and Organizational Ties:
SMIU and NETWAR Systems were funded by Alliance4Europe, which also supported the establishment of the DISARM Foundation. Omri Preiss, managing director of Alliance4Europe, is cited as a co-founder of the DISARM Foundation, further linking these entities.
Operational Overlap:
SMIU’s focus on health disinformation, social media surveillance, and psy-ops closely aligns with the objectives and methods encoded in the DISARM framework. The SMIU’s surveillance and psychological operations playbook, developed with organizations like the CTI-League and Team Halo, prefigured many of the tactics and countermeasures later formalized in DISARM.
Evolution and Dissolution:
After peaking in 2020, SMIU’s personnel and methodologies either dissolved or morphed into DISARM and NETWAR Systems. Its legacy persists in the frameworks and practices of DISARM and NETWAR.
In summary, SMIU, based in Munich and led by Patrick, Rauhauser, and Shaw, played a formative role in the intellectual and operational environment that produced the DISARM framework. Alliance4Europe, a funder of both SMIU/NETWAR and the DISARM Foundation, served as a bridge between these efforts.
Chris Krebs, CISA, and the CTI League: Mainstreaming Cognitive Security
Another pivotal link in the evolution and operationalization of DISARM is the partnership between the Cybersecurity and Infrastructure Security Agency (CISA), under the leadership of Chris Krebs, and the CTI League (CTIL) during the COVID-19 pandemic.
CISA and CTIL Partnership:
In April 2020, while Chris Krebs was Director of CISA, he publicly announced CISA’s partnership with the CTI League, calling it “really an information exchange.” CTIL was a public-private coalition including cybersecurity professionals, government officials, and social media representatives. Internal documents and whistleblower testimony show that CTIL was actively developing and deploying frameworks for countering disinformation and influence operations, including the AMITT framework, which would later evolve into DISARM.
Government and Private Sector Integration:
CTIL included members from DHS (CISA’s parent agency), FBI, and other government bodies, working closely with private sector and civil society partners to combat COVID-19 and election-related disinformation. Chris Krebs, as CISA Director, facilitated and endorsed this collaboration, which helped mainstream the use of threat intelligence and “cognitive security” frameworks for content moderation and information control.
AMITT/DISARM Development:
Sara-Jayne Terp and colleagues developed AMITT within the MisinfoSec Working Group, with CTIL as a core operational context. AMITT was adapted from MITRE’s ATT&CK and was used by the World Health Organization and others to counter anti-vaccination campaigns. Terp later evolved AMITT into the DISARM framework.
Krebs’ Broader Role:
Under Krebs’ leadership, CISA became a central node in the US government’s efforts to counter disinformation, working with CTIL and similar groups to pressure social media platforms and coordinate information control strategies. This approach has been criticized for blurring the lines between cybersecurity and censorship, especially as CISA’s influence grew during the pandemic and 2020 election cycle.
Chris Krebs is connected to the DISARM framework through CISA’s partnership with CTIL, which operationalized the AMITT framework (DISARM’s precursor) during his tenure. Krebs’ public endorsement and facilitation of these partnerships were instrumental in mainstreaming cognitive security and disinformation frameworks within US government and critical infrastructure protection efforts.
How DISARM Works in Practice
DISARM breaks down incidents into a pyramid: campaigns, incidents, narratives, and artifacts. Each element is described with standardized objects, enabling seamless integration with cybersecurity tools and data-sharing protocols like TAXII and STIX.
Example Workflow:
An analyst models a disinformation incident using DISARM’s TTPs.
The incident is encoded as a STIX bundle.
The bundle is injected into MISP, where it can trigger automated actions (alerts, deplatforming, blocking).
The intelligence is shared with partner organizations, which may act on it without further human review.
Weaponization: How DISARM Can Be Abused
Automated Targeting and Enforcement
Because DISARM incidents are machine-readable and interoperable, they can be used to automate takedowns and blacklisting across platforms and jurisdictions. This is especially dangerous when the framework is used to encode subjective or politically motivated accusations. The professionalization and scaling of DISARM training, led by Alliance4Europe and the DISARM Foundation, amplify both its defensive/offensive potential and its huge risks.
Python Code Example:
from pymisp import ExpandedPyMISP

misp = ExpandedPyMISP('https://misp-instance-url', 'api_key')
event = misp.new_event(info='Fake Disinformation Campaign', published=True)
disarm_object = {
    'name': 'Coordinated Inauthentic Behavior',
    'meta-category': 'disarm-red',
    'Attribute': [
        {'type': 'text', 'object_relation': 'Tactic', 'value': 'T0072 - Microtargeting'},
        {'type': 'threat-actor', 'value': '@TargetedJournalist'}
    ]
}
misp.add_internal_object(event['Event']['id'], disarm_object)
This code can be used to mass-flag critics or dissenters, instantly sharing accusations across the DISARM/MISP ecosystem.
Global Interoperability Means Global Censorship
Because DISARM is designed to be interoperable with cybersecurity systems and threat intelligence sharing platforms, a single accusation can propagate globally, leading to:
Automated deplatforming
Shadow banning
Payment processor and service bans
Destructive effects on speech
Documented Real-World Damage
COVID-19 Debate: During the pandemic, scientists and journalists who questioned official narratives were flagged as disinformation agents using DISARM-style taxonomies, leading to professional and personal harm.
The “Disinformation Dozen”: The Center for Countering Digital Hate (CCDH) used DISARM-compatible methodologies to label and deplatform individuals, some of whom were later shown to have been mischaracterized.
India’s Farmer Protests: The government used frameworks like DISARM to justify mass bans of protest-related accounts, silencing activists and journalists.
Eastern Europe: DISARM-trained teams targeted opposition communities, encoding dissent as “disinformation” and sharing it via MISP for coordinated suppression.
The Sahel: As I write this article, I am watching DISARM-trained operatives from the “Mutton Crew / Reality Team” attempting to disrupt/subvert information flow about Ibrahim Traoré, the president of Burkina Faso since 2022.
Reference to Cognitive Security in Ukraine
As detailed in my earlier article, “Cognitive Security in Ukraine”, the use of red, blue, and purple teams (leveraging AMITT, MITRE ATT&CK, and DISARM) has been central to Ukraine’s cognitive defense. However, the same structures that enable defense also enable overreach. The CTI League, for instance, used these frameworks not only to defend against Russian disinformation but also, at times, to justify the removal of dissenting voices and the targeting of individuals accused of spreading “unapproved” narratives. The article also highlights the ethical risk of “fighting disinformation with disinformation,” a tactic that, when exposed, can erode public trust and deepen skepticism.
Why DISARM + MISP Is So Dangerous
Standardization: DISARM provides a universal language for accusations, making them harder to challenge and easier to automate.
Automation: MISP integration allows for instant, large-scale enforcement against cognitive threats, without meaningful human oversight.
Real Time: The framework enables defenders to coordinate content moderation, algorithmic interventions, and public communications in real time, often across multiple organizations and jurisdictions.
Opacity: Those targeted often have no visibility or recourse, as accusations are encoded, shared, and acted upon behind closed doors.
Scalability: A single actor can flag thousands of accounts or narratives at once, with global reach.
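The oversight gap in the list above can be narrowed on the receiving side. The following is an added example, not code from this article or from the DISARM or MISP projects: a Python gate that reads an inbound STIX 2.1 bundle, finds every threat-actor linked to a DISARM technique, and holds any accusation that lacks a named producer, an evidence reference or a confidence score, or that arrives in bulk from one producer. The "DISARM" source_name, the thresholds, the action names and the sample bundle are assumptions constructed for illustration.

```python
DISARM_SOURCE = "DISARM"  # assumed source_name on technique references

def disarm_techniques(objects):
    """Map attack-pattern id -> DISARM technique id from external_references."""
    found = {}
    for obj in objects.values():
        if obj.get("type") == "attack-pattern":
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == DISARM_SOURCE and ref.get("external_id"):
                    found[obj["id"]] = ref["external_id"]
    return found

def review_bundle(bundle, min_confidence=70, max_per_producer=25):
    """One decision per accused actor; thresholds are assumed policy values.
    Neither action enforces anything: "hold" blocks, "analyst_review" needs sign-off."""
    objects = {o["id"]: o for o in bundle.get("objects", []) if "id" in o}
    techniques = disarm_techniques(objects)
    accusations = []
    for rel in objects.values():
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "uses":
            continue
        actor = objects.get(rel.get("source_ref"))
        if actor and actor.get("type") == "threat-actor" and rel.get("target_ref") in techniques:
            accusations.append((actor, rel))
    per_producer = {}  # producer -> accused actor ids, to surface bulk flagging
    for actor, _ in accusations:
        per_producer.setdefault(actor.get("created_by_ref") or "unknown", set()).add(actor["id"])
    decisions = []
    for actor, rel in accusations:
        producer, reasons = actor.get("created_by_ref"), []
        if not producer:
            reasons.append("no producer identity")
        refs = rel.get("external_references", []) + actor.get("external_references", [])
        if not any(r.get("url") and r.get("source_name") != DISARM_SOURCE for r in refs):
            reasons.append("no evidence reference")
        if (rel.get("confidence") or 0) < min_confidence:
            reasons.append("confidence missing or below threshold")
        if len(per_producer[producer or "unknown"]) > max_per_producer:
            reasons.append("bulk accusations from one producer")
        decisions.append({"actor": actor.get("name"),
                          "technique": techniques[rel["target_ref"]],
                          "action": "hold" if reasons else "analyst_review",
                          "reasons": reasons})
    return decisions

# Constructed sample bundle (not real data), trimmed to the properties the gate reads.
PRODUCER = "identity--00000000-0000-4000-8000-0000000000aa"
TECH = "attack-pattern--00000000-0000-4000-8000-0000000000bb"
ACTOR_A = "threat-actor--00000000-0000-4000-8000-000000000001"
ACTOR_B = "threat-actor--00000000-0000-4000-8000-000000000002"
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000cc", "objects": [
    {"type": "attack-pattern", "id": TECH, "name": "Microtargeting",
     "external_references": [{"source_name": "DISARM", "external_id": "T0072"}]},
    {"type": "threat-actor", "id": ACTOR_A, "name": "@example_account_a",
     "created_by_ref": PRODUCER},
    {"type": "threat-actor", "id": ACTOR_B, "name": "@example_account_b"},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000011",
     "relationship_type": "uses", "source_ref": ACTOR_A, "target_ref": TECH, "confidence": 85,
     "external_references": [{"source_name": "archive", "url": "https://example.org/evidence/1"}]},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000012",
     "relationship_type": "uses", "source_ref": ACTOR_B, "target_ref": TECH},
]}

if __name__ == "__main__":
    for decision in review_bundle(SAMPLE_BUNDLE):
        print(decision)
```

Because every decision carries its reasons, the same record can be returned to the producer and disclosed to the person named, which addresses the opacity point as well as the automation one.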
Alliance4Europe and the Professionalization of DISARM: Training for Power and Risk
A major driver behind the rapid spread and operationalization of the DISARM framework is the formal training and certification ecosystem developed by Mike Galsworthy’s Alliance4Europe in partnership with the DISARM Foundation.
Who is Alliance4Europe?
Alliance4Europe is a prominent European non-profit organization dedicated to strengthening what it refers to as democratic resilience, combating disinformation and foreign information manipulation. The group plays a central role in promoting cognitive security initiatives and has become a key force in disseminating and operationalizing DISARM across governments, civil society, and the private sector.
DISARM Certification and Training
Alliance4Europe offers a structured DISARM Analyst Certification Course that equips practitioners with the skills to analyze, map, and respond to disinformation campaigns using the DISARM framework. This course is officially recognized by the DISARM Foundation and is part of the formal data exchange system on Foreign Information Manipulation and Interference (FIMI) between the US and EU.
Comprehensive Curriculum:
Participants learn to identify the full spectrum of disinformation tactics and techniques (Red Framework), as well as defensive countermeasures (Blue Framework). The course emphasizes practical application, including encoding incidents in STIX format for sharing via platforms like MISP.
Hands-On and Real-World:
Through case studies and exercises, trainees develop proficiency in using DISARM to break down complex influence operations and recommend mitigation strategies.
Expert Instructors:
The course is led by leading figures such as Dr. Pablo Breuer (DISARM co-author), Julian Neylan (media literacy expert), and Stephen H. Campbell (asymmetric threat specialist).
Format and Accessibility:
The certification involves two intensive online sessions (2 x 2 hours), with classes capped at 12 participants to ensure quality. The course fee is €500 per person.
Strategic Importance:
DISARM certification is recommended by NATO’s Hybrid Centre of Excellence, the EU Cybersecurity Agency, and the EU External Action Service, underscoring its official role in counter-disinformation efforts.
Community Building:
By certifying analysts worldwide, Alliance4Europe is cultivating a global network of DISARM-certified professionals, able to coordinate rapid, large-scale responses to disinformation threats.
Why This Matters for the Dangers of DISARM
The professionalization and scaling of DISARM training amplify both its defensive potential and its risks. As more actors become adept at encoding and sharing disinformation incidents through DISARM and MISP, the framework’s power to automate enforcement, and potentially to misclassify or suppress legitimate speech, increases dramatically. This growing cadre of certified analysts, operating within a standardized but opaque framework, can inadvertently or intentionally contribute to overreach, false positives, and censorship at scale, often without meaningful transparency or appeal for those targeted.
Who Built DISARM and Why?
Sara-Jayne Terp: Principal architect, led the technical and conceptual development, and drove adoption by major institutions.
Craig Newmark Philanthropies & Alfred Landecker Foundation: Provided crucial early and ongoing funding and support, enabling the framework’s creation, scaling, and piloting.
Global Stakeholders: The EU, US, NATO, and NGOs have adopted and mainstreamed DISARM for both foreign and domestic information control.
Oversight & Reform
DISARM, when combined with MISP and other automated tools, is not just a shield against disinformation; it is a sword that can be wielded by anyone with access. Its technical power, interoperability, and automation make it uniquely dangerous in the hands of bad actors, governments, or even well-meaning organizations that fail to safeguard against abuse.
Without radical transparency, oversight, and redress mechanisms, DISARM risks becoming the backbone of a global censorship regime, one that can erase dissent, punish the innocent, and obliterate free speech at the push of a button.
References
Alfred Landecker Foundation: Alliance4Europe & DISARM Foundation
Alliance4Europe: DISARM Analyst Certification Course Overview
arXiv: Interoperable Representation of Disinformation Incidents
Center for Countering Digital Hate: The Disinformation Dozen
If you value open debate and human rights, demand urgent reform and radical transparency in the deployment of frameworks like DISARM.
The alternative is a world where a handful of analysts, armed with military-grade tools, can erase dissent at the push of a button.
The sentiment inspector is on the case.
What all those organisations did was to stamp on freedom of thought and speech. The military, the governments, the mainstream media and the medical establishment were the first to actually spread the misinformation. The whole campaign was extremely sophisticated and coordinated on a global scale, the like of which has never been seen before, not even during any of the major world wars.
The public’s attempts to make sense of this high level of propaganda and misguidance were then branded as being counter-establishment speak, yet all these people were trying to do was to provide another viewpoint and to provide platforms to help.
The cabal considered these to be an uprising, a huge overreaction on their part which highlights how desperately they needed to control the narrative and also demonstrates the lengths the cover-up required. Those who are awake will hopefully awaken more who are not willing to be subjugated by the evildoers.