Attack Flow: Learn how cyber adversaries combine and sequence offensive techniques
MITRE’s Attack Flow project aims to translate complex cyber operations into a structured language. By describing how adversaries sequence and combine offensive techniques to reach their objectives, Attack Flow offers defenders, analysts, and decision-makers a tool to see the bigger picture.
Threat intelligence
Cyber threat intel (CTI) teams can use Attack Flow to show how attackers behave, not just what tools they use. It tracks activity across incidents, campaigns, or threat groups. Because it’s machine-readable, teams can share and compare flows across tools and organizations. Unlike indicators of compromise (IOCs), which change often, attacker behavior is harder to fake—and that’s what Attack Flow focuses on.
Defense
Blue teams can use flows to spot weak points in their defenses. Flows help map out which parts of an attack are covered and where the gaps are. Teams can also use them in tabletop exercises to plan better defenses, and they give security leaders solid data to explain where resources should go.
Executive communication
Attack Flow helps technical teams explain attacks to non-technical people. Instead of showing logs and raw data, defenders can share a visual story of what happened, what it means for the business, and what’s needed next. It’s a way to turn complex attacks into clear decisions.
Incident response
After a breach, responders can use Attack Flow to figure out what went wrong and what worked. Flows make it easy to document the incident and keep that knowledge for next time. Over time, this helps teams respond faster and recover better.
Adversary emulation
Red teams can use Attack Flow to plan more realistic attack simulations. They can build tests based on real-world behavior, and use flows to talk clearly with defenders during purple team exercises.
Threat hunting
Hunters can search for patterns seen in real attacks. Flows help piece together what happened and when. They also help teams write better detections by showing how attackers combine their tools and techniques.
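The Defense and Threat hunting use cases above both come down to laying deployed detections over the attacker's sequence of techniques. The following Python is added here as an illustration, not code from the article or the Attack Flow project: it walks a small Attack-Flow-style bundle and lists the techniques in it that no detection covers. The object and field names are assumed to follow the Attack Flow STIX 2.1 extension, and the flow, technique IDs and coverage table are constructed sample data.

```python
# Added example (not the article's or the Attack Flow project's code). Object types and
# fields (attack-flow, attack-action, start_refs, technique_id, effect_refs) mirror the
# Attack Flow STIX 2.1 extension as assumed here; flow and coverage table are constructed.

FLOW = {  # constructed sample: phish -> PowerShell -> credential dump / lateral movement
    "type": "bundle",
    "objects": [
        {"type": "attack-flow", "id": "attack-flow--1", "name": "Sample intrusion",
         "start_refs": ["attack-action--1"]},
        {"type": "attack-action", "id": "attack-action--1", "technique_id": "T1566.001",
         "name": "Spearphishing Attachment", "effect_refs": ["attack-action--2"]},
        {"type": "attack-action", "id": "attack-action--2", "technique_id": "T1059.001",
         "name": "PowerShell", "effect_refs": ["attack-action--3", "attack-action--4"]},
        {"type": "attack-action", "id": "attack-action--3", "technique_id": "T1003.001",
         "name": "LSASS Memory", "effect_refs": []},
        {"type": "attack-action", "id": "attack-action--4", "technique_id": "T1021.002",
         "name": "SMB/Windows Admin Shares", "effect_refs": []},
    ],
}

# Constructed coverage table: technique_id -> names of detections the blue team has deployed.
COVERAGE = {
    "T1566.001": ["mail-gateway-attachment-sandbox"],
    "T1059.001": ["sysmon-powershell-scriptblock"],
    "T1003.001": [],
    "T1021.002": [],
}

def action_paths(bundle):
    """Every start-to-end path through the flow, as ordered lists of technique IDs."""
    objs = {o["id"]: o for o in bundle["objects"]}
    paths = []
    for flow in (o for o in bundle["objects"] if o["type"] == "attack-flow"):
        stack = [(ref, [objs[ref]["technique_id"]]) for ref in flow["start_refs"]]
        while stack:  # depth-first walk along effect_refs
            ref, path = stack.pop()
            nxt = [r for r in objs[ref].get("effect_refs", []) if objs[r]["type"] == "attack-action"]
            if not nxt:
                paths.append(path)
            for r in nxt:
                stack.append((r, path + [objs[r]["technique_id"]]))
    return sorted(paths)

def coverage_gaps(bundle, coverage):
    """Technique IDs used in the flow that no deployed detection covers, in flow order."""
    gaps = []
    for path in action_paths(bundle):
        for tid in path:
            if not coverage.get(tid) and tid not in gaps:
                gaps.append(tid)
    return gaps
```

Each path is one way the sample intrusion can play out; a gap late in a path means the attacker reaches that objective with no tripwire after the last covered step.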
Attack Flow is available for free on GitHub.