Home/Compliance/Report
Threat-informed report

csa-ccm-4 - threat & detection coverage

Generated 2026-06-04 13:37 UTC from TTPI engine data
This report maps csa-ccm-4 controls to the MITRE ATT&CK techniques they address, then checks each technique against our detection corpus (Sigma, CAR, IDS, YARA, Falco). It shows, control by control, what attacks each control is meant to stop and whether those attacks are actually detectable today. Use it as the threat-informed backbone of an audit response or pentest report.

Coverage Summary

57
threat-mapped controls
213
ATT&CK techniques addressed
140
techniques we can detect
65%
detection coverage
Coverage = of the distinct techniques mapped to this framework, the share for which we hold at least one detection rule. Gaps below list controls with zero detection coverage - the priority remediation set.

AIS

49/64 techniques covered
AIS-02 Application Security Baseline Requirements 6/11 detectable
T1072 · Software Deployment Tools ✓T1078.004 · Cloud Accounts ✓T1119 · Automated Collection ✓T1496.004 · Cloud Service HijackingT1528 · Steal Application Access Token ✓T1530 · Data from Cloud StorageT1539 · Steal Web Session Cookie ✓T1550.004 · Web Session CookieT1567 · Exfiltration Over Web Service ✓T1648 · Serverless ExecutionT1671 · Cloud Application Integration
AIS-04 Secure Application Design and Development 10/11 detectable
T1059 · Command and Scripting Interpreter ✓T1078.004 · Cloud Accounts ✓T1190 · Exploit Public-Facing Application ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1212 · Exploitation for Credential Access ✓T1528 · Steal Application Access Token ✓T1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.005 · Cloud Instance Metadata API ✓T1606.001 · Web Cookies
AIS-05 Automated Application Security Testing 16/19 detectable
T1040 · Network Sniffing ✓T1059 · Command and Scripting Interpreter ✓T1059.009 · Cloud API ✓T1068 · Exploitation for Privilege Escalation ✓T1078.004 · Cloud Accounts ✓T1110 · Brute Force ✓T1134 · Access Token Manipulation ✓T1190 · Exploit Public-Facing Application ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1499.003 · Application Exhaustion FloodT1499.004 · Application or System Exploitation ✓T1505.003 · Web Shell ✓T1539 · Steal Web Session Cookie ✓T1548 · Abuse Elevation Control Mechanism ✓T1550.004 · Web Session CookieT1552 · Unsecured Credentials ✓T1552.005 · Cloud Instance Metadata API ✓T1567 · Exfiltration Over Web Service ✓T1606.001 · Web Cookies
AIS-06 Automated Secure Application Deployment 9/15 detectable
T1068 · Exploitation for Privilege Escalation ✓T1072 · Software Deployment Tools ✓T1190 · Exploit Public-Facing Application ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1496 · Resource Hijacking ✓T1525 · Implant Internal Image ✓T1535 · Unused/Unsupported Cloud RegionsT1546 · Event Triggered Execution ✓T1556.009 · Conditional Access PoliciesT1578 · Modify Cloud Compute Infrastructure ✓T1578.005 · Modify Cloud Compute ConfigurationsT1610 · Deploy Container ✓T1648 · Serverless ExecutionT1666 · Modify Cloud Resource HierarchyT1671 · Cloud Application Integration
AIS-07 Application Vulnerability Remediation 5/5 detectable
T1190 · Exploit Public-Facing Application ✓T1195.002 · Compromise Software Supply Chain ✓T1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓
AIS-08 API Security 3/3 detectable
T1059 · Command and Scripting Interpreter ✓T1059.009 · Cloud API ✓T1204 · User Execution ✓

BCR

6/10 techniques covered
BCR-08 Backup 6/10 detectable
T1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1486 · Data Encrypted for Impact ✓T1490 · Inhibit System Recovery ✓T1491 · DefacementT1491.001 · Internal Defacement ✓T1491.002 · External DefacementT1561 · Disk WipeT1561.001 · Disk Content Wipe ✓T1561.002 · Disk Structure Wipe ✓

CEK

11/14 techniques covered
CEK-03 Data Encryption 11/14 detectable
T1020.001 · Traffic DuplicationT1119 · Automated Collection ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1557 · Adversary-in-the-Middle ✓T1557.002 · ARP Cache Poisoning ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓T1649 · Steal or Forge Authentication Certificates ✓T1669 · Wi-Fi Networks

DCS

22/43 techniques covered
DCS-09 Equipment Identification 2/4 detectable
T1200 · Hardware Additions ✓T1219.003 · Remote Access HardwareT1599 · Network Boundary BridgingT1599.001 · Network Address Translation Traversal ✓
DCS-15 Secure Utilities 4/8 detectable
T1489 · Service Stop ✓T1496 · Resource Hijacking ✓T1496.002 · Bandwidth HijackingT1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1499.002 · Service Exhaustion FloodT1529 · System Shutdown/Reboot ✓
DCS-18 Datacenter Operations Resilience 7/16 detectable
T1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1489 · Service Stop ✓T1490 · Inhibit System Recovery ✓T1491 · DefacementT1496 · Resource Hijacking ✓T1496.001 · Compute HijackingT1496.002 · Bandwidth HijackingT1496.004 · Cloud Service HijackingT1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1499 · Endpoint Denial of Service ✓T1499.002 · Service Exhaustion FloodT1499.003 · Application Exhaustion FloodT1529 · System Shutdown/Reboot ✓
DSP-02 Secure Disposal 1/2 detectable
T1052 · Exfiltration Over Physical MediumT1091 · Replication Through Removable Media ✓
DSP-04 Data Classification 8/13 detectable
T1005 · Data from Local System ✓T1020 · Automated Exfiltration ✓T1025 · Data from Removable MediaT1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1119 · Automated Collection ✓T1537 · Transfer Data to Cloud Account ✓T1567 · Exfiltration Over Web Service ✓T1567.004 · Exfiltration Over Webhook

DSP

62/77 techniques covered
DSP-07 Data Protection by Design and Default 9/9 detectable
T1078 · Valid Accounts ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1212 · Exploitation for Credential Access ✓T1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓T1559 · Inter-Process Communication ✓T1574 · Hijack Execution Flow ✓T1574.001 · DLL ✓
DSP-08 Data Privacy by Design and Default 7/10 detectable
T1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1114.003 · Email Forwarding Rule ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1550.004 · Web Session CookieT1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓
DSP-10 Sensitive Data Transfer 11/16 detectable
T1020 · Automated Exfiltration ✓T1020.001 · Traffic DuplicationT1040 · Network Sniffing ✓T1048 · Exfiltration Over Alternative Protocol ✓T1114 · Email Collection ✓T1114.001 · Local Email Collection ✓T1114.002 · Remote Email CollectionT1114.003 · Email Forwarding Rule ✓T1119 · Automated Collection ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1550.001 · Application Access Token ✓T1565 · Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓T1565.003 · Runtime Data ManipulationT1669 · Wi-Fi Networks
DSP-15 Limitation of Production Data Use 15/17 detectable
T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1072 · Software Deployment Tools ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1133 · External Remote Services ✓T1199 · Trusted Relationship ✓T1210 · Exploitation of Remote Services ✓T1530 · Data from Cloud StorageT1552.007 · Container API ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓T1586.003 · Cloud Accounts ✓T1610 · Deploy Container ✓
DSP-16 Data Retention and Deletion 6/9 detectable
T1070 · Indicator Removal ✓T1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1486 · Data Encrypted for Impact ✓T1490 · Inhibit System Recovery ✓T1491 · DefacementT1491.001 · Internal Defacement ✓T1491.002 · External DefacementT1565 · Data Manipulation ✓
DSP-17 Sensitive Data Protection 14/16 detectable
T1048 · Exfiltration Over Alternative Protocol ✓T1059.009 · Cloud API ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1119 · Automated Collection ✓T1190 · Exploit Public-Facing Application ✓T1213 · Data from Information Repositories ✓T1528 · Steal Application Access Token ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.005 · Cloud Instance Metadata API ✓T1555.006 · Cloud Secrets Management StoresT1567 · Exfiltration Over Web Service ✓T1609 · Container Administration Command ✓

HRS

7/11 techniques covered
HRS-03 Clean Desk Policy and Procedures 7/11 detectable
T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1113 · Screen Capture ✓T1485 · Data Destruction ✓T1530 · Data from Cloud StorageT1556 · Modify Authentication Process ✓T1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid Identity

I&S

105/130 techniques covered
I&S-03 Network Security 22/31 detectable
T1008 · Fallback Channels ✓T1029 · Scheduled Transfer ✓T1040 · Network Sniffing ✓T1046 · Network Service Discovery ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1071 · Application Layer Protocol ✓T1071.001 · Web Protocols ✓T1071.002 · File Transfer ProtocolsT1071.003 · Mail ProtocolsT1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1090 · Proxy ✓T1090.001 · Internal Proxy ✓T1090.002 · External Proxy ✓T1090.003 · Multi-hop Proxy ✓T1095 · Non-Application Layer Protocol ✓T1104 · Multi-Stage ChannelsT1132 · Data Encoding ✓T1132.001 · Standard Encoding ✓T1132.002 · Non-Standard EncodingT1219 · Remote Access Tools ✓T1557 · Adversary-in-the-Middle ✓T1570 · Lateral Tool Transfer ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration Dump
I&S-04 OS Hardening and Base Controls 12/13 detectable
T1059 · Command and Scripting Interpreter ✓T1059.009 · Cloud API ✓T1080 · Taint Shared ContentT1087 · Account Discovery ✓T1098 · Account Manipulation ✓T1136 · Create Account ✓T1204 · User Execution ✓T1490 · Inhibit System Recovery ✓T1548 · Abuse Elevation Control Mechanism ✓T1552 · Unsecured Credentials ✓T1556 · Modify Authentication Process ✓T1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓
I&S-05 Production and Non-Production Environments 4/4 detectable
T1078 · Valid Accounts ✓T1195 · Supply Chain Compromise ✓T1550 · Use Alternate Authentication Material ✓T1550.001 · Application Access Token ✓
I&S-06 Segmentation and Segregation 25/29 detectable
T1008 · Fallback Channels ✓T1040 · Network Sniffing ✓T1046 · Network Service Discovery ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1072 · Software Deployment Tools ✓T1090 · Proxy ✓T1090.001 · Internal Proxy ✓T1090.002 · External Proxy ✓T1090.003 · Multi-hop Proxy ✓T1095 · Non-Application Layer Protocol ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1133 · External Remote Services ✓T1136 · Create Account ✓T1136.003 · Cloud Account ✓T1190 · Exploit Public-Facing Application ✓T1199 · Trusted Relationship ✓T1210 · Exploitation of Remote Services ✓T1219 · Remote Access Tools ✓T1557 · Adversary-in-the-Middle ✓T1570 · Lateral Tool Transfer ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration Dump
I&S-07 Migration to Cloud Environments 11/13 detectable
T1020.001 · Traffic DuplicationT1119 · Automated Collection ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1557 · Adversary-in-the-Middle ✓T1557.002 · ARP Cache Poisoning ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1565.002 · Transmitted Data Manipulation ✓T1649 · Steal or Forge Authentication Certificates ✓
I&S-09 Network Defense 31/40 detectable
T1008 · Fallback Channels ✓T1029 · Scheduled Transfer ✓T1040 · Network Sniffing ✓T1046 · Network Service Discovery ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1071 · Application Layer Protocol ✓T1071.001 · Web Protocols ✓T1071.002 · File Transfer ProtocolsT1071.003 · Mail ProtocolsT1071.004 · DNS ✓T1071.005 · Publish/Subscribe ProtocolsT1072 · Software Deployment Tools ✓T1090 · Proxy ✓T1090.001 · Internal Proxy ✓T1090.002 · External Proxy ✓T1090.003 · Multi-hop Proxy ✓T1095 · Non-Application Layer Protocol ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1104 · Multi-Stage ChannelsT1132 · Data Encoding ✓T1132.001 · Standard Encoding ✓T1132.002 · Non-Standard EncodingT1133 · External Remote Services ✓T1136 · Create Account ✓T1136.003 · Cloud Account ✓T1190 · Exploit Public-Facing Application ✓T1199 · Trusted Relationship ✓T1210 · Exploitation of Remote Services ✓T1219 · Remote Access Tools ✓T1557 · Adversary-in-the-Middle ✓T1570 · Lateral Tool Transfer ✓T1571 · Non-Standard Port ✓T1572 · Protocol Tunneling ✓T1602 · Data from Configuration RepositoryT1602.001 · SNMP (MIB Dump)T1602.002 · Network Device Configuration Dump

IAM

171/249 techniques covered
IAM-02 Strong Password Policy and Procedures 12/16 detectable
T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.002 · Password Cracking ✓T1110.003 · Password SprayingT1110.004 · Credential StuffingT1136.003 · Cloud Account ✓T1199 · Trusted Relationship ✓T1555.006 · Cloud Secrets Management StoresT1556 · Modify Authentication Process ✓T1556.006 · Multi-Factor Authentication ✓T1556.007 · Hybrid IdentityT1621 · Multi-Factor Authentication Request Generation ✓
IAM-03 Identity Inventory 3/4 detectable
T1098.001 · Additional Cloud Credentials ✓T1136 · Create Account ✓T1136.003 · Cloud Account ✓T1556.007 · Hybrid Identity
IAM-04 Separation of Duties 2/4 detectable
T1098.003 · Additional Cloud Roles ✓T1098.006 · Additional Container Cluster RolesT1548 · Abuse Elevation Control Mechanism ✓T1548.005 · Temporary Elevated Cloud Access
IAM-05 Least Privilege 16/28 detectable
T1021.008 · Direct Cloud VM ConnectionsT1048 · Exfiltration Over Alternative Protocol ✓T1072 · Software Deployment Tools ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1136.003 · Cloud Account ✓T1199 · Trusted Relationship ✓T1213 · Data from Information Repositories ✓T1484.002 · Trust Modification ✓T1485.001 · Lifecycle-Triggered DeletionT1490 · Inhibit System Recovery ✓T1530 · Data from Cloud StorageT1548.005 · Temporary Elevated Cloud AccessT1556 · Modify Authentication Process ✓T1556.006 · Multi-Factor Authentication ✓T1556.009 · Conditional Access PoliciesT1562 · Impair Defenses ✓T1562.007 · Disable or Modify Cloud FirewallT1562.008 · Disable or Modify Cloud LogsT1578 · Modify Cloud Compute Infrastructure ✓T1578.001 · Create SnapshotT1578.002 · Create Cloud InstanceT1578.003 · Delete Cloud Instance ✓T1578.005 · Modify Cloud Compute ConfigurationsT1648 · Serverless ExecutionT1666 · Modify Cloud Resource Hierarchy
IAM-06 User Access Provisioning 16/24 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.004 · SSH ✓T1021.008 · Direct Cloud VM ConnectionsT1072 · Software Deployment Tools ✓T1098 · Account Manipulation ✓T1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1213 · Data from Information Repositories ✓T1213.001 · ConfluenceT1213.002 · SharepointT1213.004 · Customer Relationship Management SoftwareT1484 · Domain or Tenant Policy Modification ✓T1484.001 · Group Policy Modification ✓T1484.002 · Trust Modification ✓T1505 · Server Software Component ✓T1530 · Data from Cloud StorageT1538 · Cloud Service DashboardT1548 · Abuse Elevation Control Mechanism ✓T1548.005 · Temporary Elevated Cloud AccessT1555 · Credentials from Password Stores ✓T1555.005 · Password Managers ✓T1578 · Modify Cloud Compute Infrastructure ✓T1648 · Serverless Execution
IAM-07 User Access Changes and Revocation 10/17 detectable
T1021 · Remote Services ✓T1021.001 · Remote Desktop Protocol ✓T1021.004 · SSH ✓T1021.008 · Direct Cloud VM ConnectionsT1078 · Valid Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.003 · Additional Cloud Roles ✓T1213 · Data from Information Repositories ✓T1213.001 · ConfluenceT1213.002 · SharepointT1530 · Data from Cloud StorageT1538 · Cloud Service DashboardT1548.005 · Temporary Elevated Cloud AccessT1555 · Credentials from Password Stores ✓T1555.005 · Password Managers ✓T1648 · Serverless Execution
IAM-08 User Access Review 4/5 detectable
T1528 · Steal Application Access Token ✓T1530 · Data from Cloud StorageT1550.001 · Application Access Token ✓T1552.004 · Private Keys ✓T1606 · Forge Web Credentials ✓
IAM-09 Segregation of Privileged Access Roles 12/15 detectable
T1021.007 · Cloud Services ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1543 · Create or Modify System Process ✓T1546 · Event Triggered Execution ✓T1548 · Abuse Elevation Control Mechanism ✓T1555.006 · Cloud Secrets Management StoresT1556.007 · Hybrid IdentityT1556.009 · Conditional Access PoliciesT1606 · Forge Web Credentials ✓
IAM-10 Management of Privileged Access Roles 12/15 detectable
T1021.007 · Cloud Services ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1543 · Create or Modify System Process ✓T1546 · Event Triggered Execution ✓T1548 · Abuse Elevation Control Mechanism ✓T1555.006 · Cloud Secrets Management StoresT1556.007 · Hybrid IdentityT1556.009 · Conditional Access PoliciesT1606 · Forge Web Credentials ✓
IAM-11 CSCs Approval for Agreed Privileged Access Roles 11/14 detectable
T1021.007 · Cloud Services ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1543 · Create or Modify System Process ✓T1546 · Event Triggered Execution ✓T1555.006 · Cloud Secrets Management StoresT1556.007 · Hybrid IdentityT1556.009 · Conditional Access PoliciesT1606 · Forge Web Credentials ✓
IAM-13 Uniquely Identifiable Users 8/11 detectable
T1036 · Masquerading ✓T1036.010 · Masquerade Account NameT1078.004 · Cloud Accounts ✓T1087.004 · Cloud Account ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1556.007 · Hybrid IdentityT1564.002 · Hidden Users ✓T1585.003 · Cloud AccountsT1586.003 · Cloud Accounts ✓
IAM-14 Strong Authentication 16/19 detectable
T1021 · Remote Services ✓T1021.007 · Cloud Services ✓T1072 · Software Deployment Tools ✓T1078 · Valid Accounts ✓T1078.002 · Domain Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.003 · Additional Cloud Roles ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1133 · External Remote Services ✓T1136 · Create Account ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1539 · Steal Web Session Cookie ✓T1556 · Modify Authentication Process ✓T1556.007 · Hybrid Identity
IAM-15 Passwords Management 13/15 detectable
T1078 · Valid Accounts ✓T1078.003 · Local Accounts ✓T1078.004 · Cloud Accounts ✓T1110 · Brute Force ✓T1110.001 · Password Guessing ✓T1110.002 · Password Cracking ✓T1110.003 · Password SprayingT1550 · Use Alternate Authentication Material ✓T1552 · Unsecured Credentials ✓T1552.001 · Credentials In Files ✓T1552.005 · Cloud Instance Metadata API ✓T1555 · Credentials from Password Stores ✓T1555.003 · Credentials from Web Browsers ✓T1555.005 · Password Managers ✓T1555.006 · Cloud Secrets Management Stores
IAM-16 Authorization Mechanisms 36/62 detectable
T1021.007 · Cloud Services ✓T1021.008 · Direct Cloud VM ConnectionsT1059 · Command and Scripting Interpreter ✓T1059.009 · Cloud API ✓T1070 · Indicator Removal ✓T1070.008 · Clear Mailbox DataT1074.002 · Remote Data StagingT1080 · Taint Shared ContentT1098 · Account Manipulation ✓T1098.001 · Additional Cloud Credentials ✓T1098.002 · Additional Email Delegate PermissionsT1098.003 · Additional Cloud Roles ✓T1098.004 · SSH Authorized Keys ✓T1098.005 · Device Registration ✓T1098.006 · Additional Container Cluster RolesT1136 · Create Account ✓T1136.003 · Cloud Account ✓T1204.003 · Malicious ImageT1213 · Data from Information Repositories ✓T1484 · Domain or Tenant Policy Modification ✓T1484.002 · Trust Modification ✓T1485 · Data Destruction ✓T1485.001 · Lifecycle-Triggered DeletionT1486 · Data Encrypted for Impact ✓T1490 · Inhibit System Recovery ✓T1491.002 · External DefacementT1496 · Resource Hijacking ✓T1496.001 · Compute HijackingT1496.002 · Bandwidth HijackingT1496.004 · Cloud Service HijackingT1530 · Data from Cloud StorageT1531 · Account Access Removal ✓T1535 · Unused/Unsupported Cloud RegionsT1537 · Transfer Data to Cloud Account ✓T1546 · Event Triggered Execution ✓T1548 · Abuse Elevation Control Mechanism ✓T1550 · Use Alternate Authentication Material ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1555 · Credentials from Password Stores ✓T1556 · Modify Authentication Process ✓T1556.009 · Conditional Access PoliciesT1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓T1562.007 · Disable or Modify Cloud FirewallT1562.008 · Disable or Modify Cloud LogsT1564 · Hide Artifacts ✓T1567 · Exfiltration Over Web Service ✓T1567.002 · Exfiltration to Cloud Storage ✓T1578 · Modify Cloud Compute Infrastructure ✓T1578.001 · Create SnapshotT1578.002 · Create Cloud InstanceT1578.003 · Delete Cloud Instance ✓T1578.004 · Revert Cloud InstanceT1578.005 · Modify Cloud Compute ConfigurationsT1602 · Data from Configuration RepositoryT1606 · Forge Web Credentials ✓T1610 · Deploy Container ✓T1648 · Serverless ExecutionT1651 · Cloud Administration CommandT1666 · Modify Cloud Resource HierarchyT1671 · Cloud Application Integration

IPY

22/28 techniques covered
IPY-02 Application Interface Availability 9/12 detectable
T1021.007 · Cloud Services ✓T1059 · Command and Scripting Interpreter ✓T1059.009 · Cloud API ✓T1071.001 · Web Protocols ✓T1072 · Software Deployment Tools ✓T1098.004 · SSH Authorized Keys ✓T1199 · Trusted Relationship ✓T1538 · Cloud Service DashboardT1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1651 · Cloud Administration CommandT1671 · Cloud Application Integration
IPY-03 Secure Interoperability and Portability Management 13/16 detectable
T1021 · Remote Services ✓T1021.007 · Cloud Services ✓T1119 · Automated Collection ✓T1133 · External Remote Services ✓T1190 · Exploit Public-Facing Application ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1537 · Transfer Data to Cloud Account ✓T1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1552.005 · Cloud Instance Metadata API ✓T1552.007 · Container API ✓T1567 · Exfiltration Over Web Service ✓T1610 · Deploy Container ✓T1651 · Cloud Administration CommandT1659 · Content Injection

LOG

18/33 techniques covered
LOG-02 Audit Logs Protection 5/11 detectable
T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1070.007 · Clear Network Connection History and ConfigurationsT1070.009 · Clear PersistenceT1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓T1562.002 · Disable Windows Event Logging ✓T1562.007 · Disable or Modify Cloud FirewallT1562.008 · Disable or Modify Cloud LogsT1562.012 · Disable or Modify Linux Audit System
LOG-04 Audit Logs Access and Accountability 5/8 detectable
T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓T1562.002 · Disable Windows Event Logging ✓T1562.008 · Disable or Modify Cloud LogsT1562.012 · Disable or Modify Linux Audit System
LOG-08 Audit Logs Sanitization 3/3 detectable
T1213 · Data from Information Repositories ✓T1528 · Steal Application Access Token ✓T1552 · Unsecured Credentials ✓
LOG-10 Audit Records Protection 5/11 detectable
T1070 · Indicator Removal ✓T1070.001 · Clear Windows Event Logs ✓T1070.002 · Clear Linux or Mac System LogsT1070.007 · Clear Network Connection History and ConfigurationsT1070.009 · Clear PersistenceT1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓T1562.002 · Disable Windows Event Logging ✓T1562.007 · Disable or Modify Cloud FirewallT1562.008 · Disable or Modify Cloud LogsT1562.012 · Disable or Modify Linux Audit System

STA

9/11 techniques covered
STA-10 Supply Chain Risk Management 6/7 detectable
T1176 · Software ExtensionsT1190 · Exploit Public-Facing Application ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓T1210 · Exploitation of Remote Services ✓T1525 · Implant Internal Image ✓
STA-16 Supply Chain Data Security Assessment 3/4 detectable
T1176 · Software ExtensionsT1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓

TVM

15/18 techniques covered
TVM-05 Detection Updates 4/5 detectable
T1068 · Exploitation for Privilege Escalation ✓T1210 · Exploitation of Remote Services ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1656 · Impersonation
TVM-06 External Library Vulnerabilities 7/9 detectable
T1176 · Software ExtensionsT1190 · Exploit Public-Facing Application ✓T1195 · Supply Chain Compromise ✓T1195.001 · Compromise Software Dependencies and Development Tools ✓T1195.002 · Compromise Software Supply Chain ✓T1204.003 · Malicious ImageT1525 · Implant Internal Image ✓T1574 · Hijack Execution Flow ✓T1574.001 · DLL ✓
TVM-07 Penetration Testing 4/4 detectable
T1190 · Exploit Public-Facing Application ✓T1211 · Exploitation for Stealth ✓T1212 · Exploitation for Credential Access ✓T1499.004 · Application or System Exploitation ✓

UEM

71/102 techniques covered
UEM-05 Endpoint Management 15/21 detectable
T1059 · Command and Scripting Interpreter ✓T1059.009 · Cloud API ✓T1080 · Taint Shared ContentT1087 · Account Discovery ✓T1098 · Account Manipulation ✓T1136 · Create Account ✓T1204 · User Execution ✓T1211 · Exploitation for Stealth ✓T1213 · Data from Information Repositories ✓T1213.004 · Customer Relationship Management SoftwareT1490 · Inhibit System Recovery ✓T1535 · Unused/Unsupported Cloud RegionsT1537 · Transfer Data to Cloud Account ✓T1548 · Abuse Elevation Control Mechanism ✓T1550.004 · Web Session CookieT1552 · Unsecured Credentials ✓T1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓T1606 · Forge Web Credentials ✓T1606.001 · Web CookiesT1666 · Modify Cloud Resource Hierarchy
UEM-08 Storage Encryption 8/9 detectable
T1119 · Automated Collection ✓T1213 · Data from Information Repositories ✓T1530 · Data from Cloud StorageT1550.001 · Application Access Token ✓T1552 · Unsecured Credentials ✓T1552.004 · Private Keys ✓T1565 · Data Manipulation ✓T1565.001 · Stored Data Manipulation ✓T1649 · Steal or Forge Authentication Certificates ✓
UEM-09 Anti-Malware Detection and Prevention 11/14 detectable
T1025 · Data from Removable MediaT1027 · Obfuscated Files or Information ✓T1036 · Masquerading ✓T1059 · Command and Scripting Interpreter ✓T1059.001 · PowerShell ✓T1059.005 · Visual Basic ✓T1059.006 · Python ✓T1080 · Taint Shared ContentT1091 · Replication Through Removable Media ✓T1092 · Communication Through Removable MediaT1204 · User Execution ✓T1221 · Template Injection ✓T1543 · Create or Modify System Process ✓T1564 · Hide Artifacts ✓
UEM-10 Software Firewall 14/23 detectable
T1070 · Indicator Removal ✓T1070.007 · Clear Network Connection History and ConfigurationsT1071 · Application Layer Protocol ✓T1071.005 · Publish/Subscribe ProtocolsT1090 · Proxy ✓T1090.003 · Multi-hop Proxy ✓T1095 · Non-Application Layer Protocol ✓T1205 · Traffic Signaling ✓T1205.001 · Port Knocking ✓T1205.002 · Socket FiltersT1219 · Remote Access Tools ✓T1219.002 · Remote Desktop Software ✓T1498 · Network Denial of Service ✓T1498.001 · Direct Network FloodT1498.002 · Reflection AmplificationT1499 · Endpoint Denial of Service ✓T1499.002 · Service Exhaustion FloodT1499.003 · Application Exhaustion FloodT1562 · Impair Defenses ✓T1562.004 · Disable or Modify System FirewallT1562.007 · Disable or Modify Cloud FirewallT1572 · Protocol Tunneling ✓T1590.002 · DNS ✓
UEM-11 Data Loss Prevention 8/13 detectable
T1005 · Data from Local System ✓T1020 · Automated Exfiltration ✓T1025 · Data from Removable MediaT1041 · Exfiltration Over C2 Channel ✓T1048 · Exfiltration Over Alternative Protocol ✓T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ✓T1052 · Exfiltration Over Physical MediumT1052.001 · Exfiltration over USBT1119 · Automated Collection ✓T1537 · Transfer Data to Cloud Account ✓T1567 · Exfiltration Over Web Service ✓T1567.004 · Exfiltration Over Webhook
UEM-14 Third-Party Endpoint Security Posture 15/22 detectable
T1059 · Command and Scripting Interpreter ✓T1059.009 · Cloud API ✓T1080 · Taint Shared ContentT1087 · Account Discovery ✓T1098 · Account Manipulation ✓T1136 · Create Account ✓T1204 · User Execution ✓T1204.003 · Malicious ImageT1211 · Exploitation for Stealth ✓T1213 · Data from Information Repositories ✓T1213.004 · Customer Relationship Management SoftwareT1490 · Inhibit System Recovery ✓T1535 · Unused/Unsupported Cloud RegionsT1537 · Transfer Data to Cloud Account ✓T1548 · Abuse Elevation Control Mechanism ✓T1550.004 · Web Session CookieT1552 · Unsecured Credentials ✓T1562 · Impair Defenses ✓T1562.001 · Disable or Modify Tools ✓T1606 · Forge Web Credentials ✓T1606.001 · Web CookiesT1666 · Modify Cloud Resource Hierarchy
Switch framework: NIST 800-53 · NIST CSF · CIS v8.1 · OWASP Web
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin