PakitoSec · PakitoSec · Mar 14, 2026 · Mar 14, 2026
diff --git a/docs/getting-started/concepts.md b/docs/getting-started/concepts.md
@@ -133,9 +133,30 @@ obs.with_ti_draft(draft)
 
 Drafts are plain `ThreatIntel` objects without an `observable_key`; the key is generated on attach.
 
-### Tags
+To load a draft from an external API response dict (e.g. a SOAR/TIP report), use `io_load_threat_intel_draft`:
+
+```python
+report = {"source": "virustotal", "score": 4.256, "level": "SUSPICIOUS"}
+ti = Cyvest.io_load_threat_intel_draft(report)
+obs.with_ti_draft(ti)
+```
+
+An optional `preprocessor` callback lets you normalise source-specific data before validation:
 
-**Tags** organize checks with automatic hierarchy based on `:` delimiter:
+```python
+def misp_warning_list_preprocessor(data: dict) -> dict:
+    extra = data.get("extra")
+    task_name = str(extra.get("task_name", "")) if isinstance(extra, dict) else ""
+    warning_list_tasks = {"MISP.analyzer.DBWarningList", "MISP.analyzer.SearchWarningList"}
+    if task_name in warning_list_tasks and data.get("level") not in ("INFO", "SAFE"):
+        data["level"] = "SAFE"
+        data["score"] = 0.0
+    return data
+
+ti = Cyvest.io_load_threat_intel_draft(report, preprocessor=misp_warning_list_preprocessor)
+```
+
+### Tags
 - Group related checks together
 - Create logical investigation sections
 - Auto-create ancestor tags (e.g., `header:auth:dkim` creates `header` and `header:auth`)

diff --git a/js/packages/cyvest-app/package.json b/js/packages/cyvest-app/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyvest/cyvest-app",
-  "version": "5.3.1",
+  "version": "5.3.2",
   "private": true,
   "scripts": {
     "dev": "vite",

diff --git a/js/packages/cyvest-js/package.json b/js/packages/cyvest-js/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyvest/cyvest-js",
-  "version": "5.3.1",
+  "version": "5.3.2",
   "type": "module",
   "files": [
     "dist"

diff --git a/js/packages/cyvest-vis/package.json b/js/packages/cyvest-vis/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cyvest/cyvest-vis",
-  "version": "5.3.1",
+  "version": "5.3.2",
   "type": "module",
   "files": [
     "dist"

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "cyvest"
-version = "5.3.1"
+version = "5.3.2"
 description = "Cybersecurity investigation model"
 readme = {file = "README.md", content-type = "text/markdown"}
 requires-python = ">=3.10"

diff --git a/src/cyvest/__init__.py b/src/cyvest/__init__.py
@@ -21,7 +21,7 @@
 from cyvest.model_enums import ObservableType, RelationshipDirection, RelationshipType
 from cyvest.proxies import CheckProxy, EnrichmentProxy, ObservableProxy, TagProxy, ThreatIntelProxy
 
-__version__ = "5.3.1"
+__version__ = "5.3.2"
 
 logger.disable("cyvest")
 

diff --git a/src/cyvest/cyvest.py b/src/cyvest/cyvest.py
@@ -1063,8 +1063,8 @@ def io_load_dict(data: dict[str, Any]) -> Cyvest:
         """
         return load_investigation_dict(data)
 
+    @staticmethod
     def io_load_threat_intel_draft(
-        self,
         report: dict[str, Any],
         *,
         preprocessor: Callable[[dict[str, Any]], dict[str, Any]] | None = None,

diff --git a/uv.lock b/uv.lock