Overview
The Adversary Matrix is an interactive dashboard that maps observed adversary behavior using the MITRE ATT&CK framework. It allows users to understand which attacker techniques are actively being used against specific industries, regions, and organizations — and how those techniques can be detected and mitigated.
Rather than presenting ATT&CK as a static reference, the Adversary Matrix surfaces real-world technique usage tied to active threat actors, including both ransomware gangs and APT groups.
This dashboard is designed to help security, threat intelligence, and third-party risk teams prioritize controls and investigations based on what adversaries are actually doing, not theoretical risk.
Accessing the Adversary Matrix
The Adversary Matrix is available in the platform under:
Dashboards → Adversary Matrix
Matrix Heatmap View
The default view of the Adversary Matrix is a heatmap laid out by MITRE ATT&CK tactic and technique.
Each cell represents a MITRE ATT&CK technique
Heat intensity reflects observed adversary activity
The matrix updates dynamically based on selected filters
This interaction model mirrors the behavior of the Attack and Ransomware dashboards, allowing users to quickly identify which techniques are most relevant under specific conditions.
Importantly, the heatmap reflects confirmed, collected intelligence on observed activity, not probabilistic scoring or hypothetical threat modeling. A cell with no heat therefore means no activity has been observed for that technique within the selected scope, not that the technique is unused by adversaries.
Filters and Scoping Logic
The Adversary Matrix can be filtered to reflect either:
A user’s own organizational profile, or
The industry or geography of a vendor or prospective vendor being assessed
Available filters include:
Date range
Industry
Geography
Threat actor
Includes both ransomware gangs and APT groups
When filters are applied, the matrix updates to display only the techniques associated with threat activity relevant to those parameters.
This enables users to understand which adversary behaviors are most applicable to a given business context.
TTP Cards and Technique Detail View
Each technique in the matrix is interactive. Selecting a TTP opens a detailed view that provides additional context and defensive guidance.
The TTP detail view includes:
Technique Description
A plain-language explanation of the technique and how it is commonly used by adversaries.
Sub-Techniques
Lists associated MITRE sub-techniques
Each sub-technique is clickable for deeper detail
Includes information on:
Associated threat actors
Relevant mitigations
Detection considerations
Associated Threat Actors
Displays ransomware gangs and APT groups observed using the technique
Group descriptions will be added in a future release
Mitigations
Defensive mitigations mapped to MITRE Mitigation (M) codes
Supports alignment between observed adversary behavior and preventive controls
Detection Strategies
Detection guidance mapped to MITRE ATT&CK Detection Strategy (DET) codes
Designed to support detection engineering and monitoring strategy development
This view connects attacker behavior directly to defensive action, helping teams move from awareness to response.
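The following is an added illustration of the scoping logic and the TTP detail view described above; it is not the platform's own code. It builds a small constructed set of technique observations, applies the filters listed under Filters and Scoping Logic (date range, industry, geography, threat actor), derives a per-technique heat count, ranks techniques for prioritization, and assembles the contents of a TTP card (sub-techniques, associated actors, mitigations, detections). Technique IDs such as T1566, T1486 and T1059 are real ATT&CK IDs; the observations, actor names, industries and geographies are constructed, and the mitigation and detection lists are placeholders shaped like MITRE identifiers rather than the official ATT&CK mappings.

```python
"""Constructed example of heatmap scoping and TTP card assembly (not platform code)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """One intelligence record: an actor seen using a technique in a given context."""
    seen: date
    actor: str        # ransomware gang or APT group name (constructed)
    actor_type: str   # "ransomware" or "apt"
    industry: str
    geography: str
    technique: str    # ATT&CK technique or sub-technique ID, e.g. "T1566.001"


# Constructed observations; not real intelligence reporting.
OBSERVATIONS = [
    Observation(date(2025, 1, 10), "GangA",  "ransomware", "Healthcare", "US", "T1566.001"),
    Observation(date(2025, 2, 3),  "GangA",  "ransomware", "Healthcare", "US", "T1486"),
    Observation(date(2025, 2, 20), "GangA",  "ransomware", "Finance",    "DE", "T1486"),
    Observation(date(2025, 3, 1),  "GroupB", "apt",        "Finance",    "DE", "T1566.001"),
    Observation(date(2025, 3, 15), "GroupB", "apt",        "Finance",    "DE", "T1059.001"),
    Observation(date(2024, 11, 2), "GroupB", "apt",        "Healthcare", "US", "T1059.001"),
]

# Constructed reference data keyed by parent technique ID. The mitigation and
# detection entries are placeholders in the shape of MITRE M-/DET-codes, not
# the official ATT&CK mappings for these techniques.
REFERENCE = {
    "T1566": {"name": "Phishing",
              "mitigations": ["M-placeholder-user-training"],
              "detections": ["DET-placeholder-mail-flow"]},
    "T1486": {"name": "Data Encrypted for Impact",
              "mitigations": ["M-placeholder-data-backup"],
              "detections": ["DET-placeholder-file-modification"]},
    "T1059": {"name": "Command and Scripting Interpreter",
              "mitigations": ["M-placeholder-execution-prevention"],
              "detections": ["DET-placeholder-process-creation"]},
}


def parent(technique: str) -> str:
    """Collapse a sub-technique ID (T1566.001) onto its parent matrix cell (T1566)."""
    return technique.split(".")[0]


def scope(observations, *, start: Optional[date] = None, end: Optional[date] = None,
          industry: Optional[str] = None, geography: Optional[str] = None,
          actor: Optional[str] = None):
    """Apply the dashboard filters; a filter left as None means 'any'."""
    out = []
    for o in observations:
        if start and o.seen < start:
            continue
        if end and o.seen > end:
            continue
        if industry and o.industry != industry:
            continue
        if geography and o.geography != geography:
            continue
        if actor and o.actor != actor:
            continue
        out.append(o)
    return out


def heatmap(observations) -> Counter:
    """Heat per technique cell: number of in-scope observations of that technique."""
    return Counter(parent(o.technique) for o in observations)


def prioritize(heat: Counter) -> list:
    """Techniques ordered hottest first (ties broken by ID) for control prioritization."""
    return [t for t, _ in sorted(heat.items(), key=lambda kv: (-kv[1], kv[0]))]


def ttp_card(technique: str, observations) -> dict:
    """Assemble the detail view for one cell from in-scope observations and reference data."""
    in_scope = [o for o in observations if parent(o.technique) == technique]
    ref = REFERENCE[technique]
    return {
        "id": technique,
        "name": ref["name"],
        "sub_techniques": sorted({o.technique for o in in_scope if "." in o.technique}),
        "actors": sorted({(o.actor, o.actor_type) for o in in_scope}),
        "mitigations": ref["mitigations"],
        "detections": ref["detections"],
    }


if __name__ == "__main__":
    # Scope to a hypothetical vendor in German finance, then inspect the hottest cell.
    scoped = scope(OBSERVATIONS, industry="Finance", geography="DE")
    heat = heatmap(scoped)
    for tid in prioritize(heat):
        print(tid, heat[tid])
    print(ttp_card(prioritize(heat)[0], scoped))
```

Filters compose as an intersection, so narrowing from an industry to an industry plus geography plus date range can only remove heat, never add it; a cell that goes cold under a narrow scope has no observations in that scope rather than a lower estimated likelihood.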
How the Adversary Matrix Is Intended to Be Used
Common use cases include:
Prioritizing security controls based on active techniques, not generic framework coverage
Supporting third-party risk assessments with adversary-relevant context
Informing detection and response planning
Translating threat intelligence into actionable mitigation and detection strategies
The Adversary Matrix is particularly useful when evaluating risk across industries, geographies, or vendor ecosystems, where threat exposure varies significantly.
Version Scope and Future Enhancements
The Adversary Matrix is currently released as v1.
This initial version focuses on:
Technique-level visibility
Threat actor associations
MITRE-mapped mitigations and detections
Interactive filtering and exploration
Additional enrichment, context, and functionality will be added in future iterations while maintaining the same core interaction model.