attack-control-framework-mappings VS attack-stix-data

Here's a mapping to 800-53: https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/

BlindSPOT: https://blindspotsec.com/ Specific graphic from BlindSPOT: https://blindspotsec.com/wp-content/uploads/2021/04/Failure_Before.jpg How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/dp/B01J4XYM16/ Monte Carlo simulation approach: https://embracethered.com/blog/posts/2020/red-teaming-and-monte-carlo-simulations/ D3FEND: https://d3fend.mitre.org/ ATT&CK mappings: https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings ATT&CK evals: https://attackevals.mitre-engenuity.org/index.html CALDERA: https://github.com/mitre/caldera Offensive Countermeasures: https://www.amazon.com/dp/1974671690/ SPIFFE: https://spiffe.io/ SPIRE: https://github.com/spiffe/spire Zerotier: https://www.zerotier.com/ Zerotier libzt: https://github.com/zerotier/libzt

Does the curriculum map to a threat model? A real applied course connects each technique to specific MITRE ATT&CK tactics so the student knows what their model catches and what it misses. Living-off-the-land techniques (T1047, T1218) and slow-and-low attackers (sub-1% of normal traffic) are designed to defeat naive anomaly detection. A working curriculum teaches the gap, not just the algorithm.

SOC analysts and threat hunters. Applied ML for detection and hunting. IsolationForest and DBSCAN for anomaly detection on auth and network features. RandomForestClassifier for supervised classification of malicious URLs and files. TF-IDF and clustering on Sysmon command-line telemetry. Each technique mapped to a MITRE ATT&CK tactic so the analyst knows what is and is not in scope.

Security-shaped data. Zeek conn.log, Sysmon Event ID 1 process telemetry, Windows Security Events 4624/4625, PhishTank URL feeds, VirusTotal reports, threat-intel JSON, and labeled datasets aligned to MITRE ATT&CK techniques. Kaggle Titanic does not qualify.

Applied machine learning for detection. IsolationForest and DBSCAN for anomaly detection on auth and network features. RandomForestClassifier for supervised classification of malicious URLs or files. TF-IDF and DBSCAN for clustering attacker tooling out of Sysmon command-line telemetry. Each technique mapped to a specific MITRE ATT&CK tactic so the student knows what they are and aren't catching.

mukul975/Anthropic-Cybersecurity-Skills en GitHub- Homepage oficial del proyecto- Estándar agentskills.io- MITRE ATT&CK- NIST Cybersecurity Framework 2.0- MITRE ATLAS- MITRE D3FEND- NIST AI Risk Management Framework

Security shouldn’t just be about stopping the bad, but understanding how the bad actually happens. Enter the MITRE ATT&CK framework. Built from years of real-world threat research, it offers a living map of how adversaries operate, move laterally, and exploit systems step by step. And when paired with a modern analytics platform, it turns that understanding into actionable visibility by showing exactly where your defenses are strong and, by contrast, where they may be weak.

CrowdStrike delivers intelligence derived from real-time endpoint and cloud telemetry collected via its Falcon platform. It includes high-confidence IOCs, adversary attribution, and detailed insight into tactics, techniques, and procedures (TTPs) observed during live attacks, often mapped to the MITRE ATT&CK framework.

The way these docs were created are interesting: using AI agents that simulate attacks in a sandbox environment, then gather the relevant events that help detect this attack. This gives security score to every cloud log with its mapping to the MITRE ATT&CK framework.

MITRE ATT&CK

If you’ve just dipped your toes into cybersecurity, you’ve probably heard conversations about MITRE ATT&CK. But what is it really? Is it a tool? A framework?