The phishing decision
A burden-of-proof argument
01

Phishing for clicks is easy.

02

Phishing for credentials a little harder.

03

Phishing for shells is the money shot.

But phishing defence has always been done in half measures. Let's break down how to do it properly, and the delta between the status quo and proper.

Reading14 min Citations6 peer-reviewed and 3 framework references Diagnostic9 questions, 27-point spectrum
The work to do

What control participation looks like, and where it exists.

Controls don't deploy themselves. They land through workstreams owned by named teams, with security architecture in the room. Each workstream below names the teams that own it and what they deliver. The recurring loop check on each (done? when? changed?) sits with the methodology phases and SOC loop further down, where the operational loop lives.

  1. DMARC and DNS hygiene.
    Security architecture · Network and DNS · Mail platform

    SPF and DKIM enforced. DMARC moved from monitor to quarantine to reject, with the path actually walked. Subdomain delegation hardened. Reports actively monitored, not piped to a forgotten mailbox.

  2. Mail gateway and content controls.
    Security architecture · Mail platform · Endpoint security

    Attachment sandboxing with dynamic analysis. Link rewriting with time-of-click rescan. Impersonation protection. BEC anomalous-send detection. External sender flagging. Autoforward to external blocked.

  3. Network defence layer.
    Network engineering · Security architecture · SOC

    Egress filtering deny-by-default. DNS sinkholing for known indicators. Web filtering with category enforcement. Segmentation tested against assumed-breach. IDS and IPS rule-base reviewed, not left on factory defaults.

  4. Endpoint hardening.
    Endpoint engineering · Security architecture · IT operations

    Filetype blocking driven by the endpoint review of how each type behaves under duress, not a fixed list (currently ISO, LNK, HTA, OneNote, XLL on standard Windows builds; the list moves as adversary tooling moves). ASR rules deployed and audited. AppLocker or WDAC in enforced mode. Office macros blocked from internet zone. Local admin removed by default. Mark-of-the-Web propagating to archives.

  5. OS and application hardening.
    Platform engineering · Security architecture · Application security

    CIS benchmarks adopted and audited. Patching SLAs documented and met. Container image hardening with a refresh cadence. Runtime protection where the workload warrants. Application allow-listing where the threat model demands.

  6. Identity and access.
    Identity · Security architecture · IT operations

    MFA on every account, no exceptions. FIDO2 phishing-resistant for privileged users. Legacy authentication disabled. Conditional access with named locations. OAuth app consent governed. Privileged access workstations for tier zero. Just-in-time elevation.

  7. Detection engineering and the SOC loop.
    SOC · Detection engineering · Security architecture · Security comms

    Logging coverage audited against MITRE ATT&CK. SIEM correlation rules tested, not just deployed. One-button reporter in the mail client. Triage SLA documented and met. Loop closure on every report, with feedback to the reporter and IOCs feeding the next assessment scope.

  8. Workforce education and reporting culture.
    Security comms · SOC (intel source) · People and HR · Awareness team

    Education drawn from real reported lures, not vendor templates. Monthly comms that name the techniques landing against the sector. Reporting acknowledged within hours, every time. Just-in-time micro-prompts at the decision point, not quarterly modules. Success measured by reporting rate and time-to-report, not click rate. People are part of the defence, once the defence exists.

If you can't answer all three questions for each workstream above, there's room to move before the user is the right person to blame. The rest of the page is the case for why, and what to do instead.

01The first approach

Traditional simulated phishing.

Send a fake lure, count who clicks, send the clickers to training. That's been the default for twenty years. The market got to standard practice before anyone checked whether it works. Here's the case both ways.

Simulation-led
Send the lure, count the clicks.
Quarterly campaign cycle. Deliver, measure, remediate. Cheap, reportable, gameable.
Net valueLowper available evidence
What it does
  1. Vendor or in-house generates a phishing template, lands it in a defined population of inboxes.
  2. Tracking pixels and link-rewrites measure opens, clicks, and credential submissions.
  3. Users who click receive an immediate "you have been phished" interstitial and a training module.
  4. Aggregate metrics roll up to a quarterly click-rate dashboard for leadership.
What it does well 5 points

The ETH Zurich CCS 2024 follow-up pinned whatever effect simulations have to the nudge itself, the periodic reminder that phishing is real, not to the training content. Most employees don't read the training.

Evidence: Lain et al. CCS 2024

Mature vendor platforms automate templating, scheduling, reporting, and even role-based targeting. Marginal cost per campaign is small. Capital outlay falls on the licence.

Trade observation

PCI-DSS, ISO 27001 Annex A, NIST CSF, HIPAA. All reference awareness training and the demonstration of such. A click-rate dashboard answers the question with a number, even if the number doesn't predict anything real.

Trade observation

"Click rate fell from 14% to 6% this year" reads as progress to a non-technical audience. The number is concrete, comparable across quarters, easy to chart. Whether it predicts a real-world outcome is a separate question. Boards rarely ask it.

Trade observation

A live simulation is a recurring touchpoint between the security team and the workforce. Run well, it normalises security comms. Run badly, it builds resentment.

Trade observation
What it does badly 7 points

The 2025 large-scale empirical assessment grounded in the NIST Phish Scale, with 12,511 participants, found no statistically significant impact of training modality on either click rates or reporting behaviour across the conditions tested.

Evidence: arXiv 2506.19899 (2025)

The 14,000-employee, 15-month ETH Zurich study at IEEE S&P 2022 reported that embedded training as commonly deployed in industry does not make employees more resilient and, in places, made them more susceptible. This is now corroborated across multiple field studies.

Evidence: Lain et al. IEEE S&P 2022

Harder lures produce higher click rates, easier lures lower. No industry-standard methodology exists for calculating click rates. A team that wants a better number can simply pick easier lures next quarter and report improvement.

Industry research, Beauceron / Cybeready

The UK NCSC has stated in its public guidance for over half a decade that punishment-oriented programmes suppress reporting: users who fear reprisals will not report mistakes promptly, if at all. The behaviour the security team needs most is the one the programme discourages.

Evidence: NCSC UK guidance

A hospital case study found employee workload was the dominant predictor of phishing vulnerability. Staff intended to detect attacks but could not under load. Any programme that frames clicking as a knowledge or competence failure is testing the wrong thing.

Evidence: PMC8935590 hospital case study

Real operators use lures that work against the specific organisation: invoice fraud against finance, CV attachments against HR, internal-looking calendar invites against engineering. Vendor template libraries test against a threat that no longer exists in current operations.

Threat-led observation

"Sarah clicked again" is not a work order. It identifies no control gap, no configuration drift, no policy correction. The hours spent on the simulation programme are hours not spent on DMARC enforcement, attachment policy, FIDO2 rollout, or conditional access, which would.

Operational observation
02The second approach

Technical assessment of the email threat.

Three phases. Look at the endpoint's filetype handling. Look at the mail gateway and the defence layers behind it. Then take a working credential as given and work the success paths without bothering with social engineering. Solicitation is the awareness team's problem, not the assessor's.

00
Endpoint build review.

What payloads can actually fire on this endpoint? Walk through the filetypes that show up in current adversary tooling and document how each behaves under duress on the standard build. The output is the filetype block list, refreshed as the threat moves.

OwnersEndpoint engineering · Security architecture · IT operations · EDR operations
  • Filetype execution policy for ISO, LNK, HTA, SVG, CHM, XLL, OneNote
  • Office macro policy, MOTW propagation, protected view
  • ASR rules, SmartScreen, browser download handling
  • AppLocker or WDAC posture, LOLBin reachability
  • EDR detection coverage for known initial access techniques
  • Local privilege boundaries, sudoers, UAC, autoelevation paths
Loop
Done?
When?
Changed?
01
Mail gateway and defence layers.

The configuration review the vendor won't run on themselves. What actually lands in the inbox, what gets sandboxed, what gets stripped at the gateway.

OwnersMail platform · Security architecture · Network and DNS · SOC
  • SPF, DKIM, DMARC enforcement posture (quarantine vs reject)
  • Attachment sandboxing depth, dynamic analysis, file unwrap
  • Link rewriting, time-of-click rescan, browser isolation handoff
  • External sender flagging, impersonation protection, anti-spoof
  • BEC detection, anomalous-send patterns, autoforwarding controls
  • Transport rules, attachment block lists, executable handling
Loop
Done?
When?
Changed?
02
Assumed-compromise account testing.

Credential in hand on day one. No social engineering, no waiting on a click. The question is what an attacker with creds can actually do once they're inside.

OwnersSecurity architecture · Identity · SOC · Application security · External assessor (CHECK / CREST)
  • MFA bypass viability: legacy auth, app passwords, device gaps
  • Conditional access posture, named locations, session controls
  • Token theft, AiTM proxy viability, primary refresh token reach
  • OAuth consent attacks, app registration permissions
  • Internal phish viability, mailbox rule abuse, SharePoint reach
  • Data exfil paths, autoforward to external, eDiscovery export
Loop
Done?
When?
Changed?
Assessment-led
Test the controls, not the people.
Three phases. Findings that engineering can act on. Solicitation is out of scope, because solicitation is what the awareness team is for.
Net valueHighper available evidence
What it does well 7 points

"Block ISO and LNK at the gateway." "Move DMARC from quarantine to reject." "Disable legacy auth in conditional access." Every finding lands on someone with the authority and tooling to fix it. The remediation path is concrete and verifiable.

Operational observation

Credentials get stolen. Eventually. The defensible question is not whether a user will be phished, it is what an attacker with a working credential can do next. Assumed-compromise testing maps that surface directly to MITRE ATT&CK techniques the team can detect and contain.

Aligns with NCSC layered defence model

Whether a user clicks is a function of workload, fatigue, and pretext quality, not of control posture. Decoupling the assessment from solicitation tests the controls cleanly. Solicitation is what the awareness team is for.

Methodological observation

The controls a technical assessment exercises (filetype handling, gateway posture, MFA enforcement, conditional access) defend against phishing, smishing, drive-by download, malicious removable media, and supply-chain compromise. Awareness training defends only against the user-decision moment.

Threat model observation

No employee is named, scored, or trained as a result of this assessment. Reporting culture is unaffected. The NCSC's stated concern about punitive simulation programmes is structurally avoided.

Evidence: NCSC UK guidance

Every finding has a configuration artifact attached, every retest is a diff against a known state. Reports survive auditor scrutiny in a way that a click-rate trend graph does not.

Assessment methodology observation

The remediation backlog naturally lands on identity, mail gateway, and endpoint engineering, which is where the evidence base says investment produces resilience. Hours that would have gone on quarterly campaigns move to FIDO2 rollout, attachment policy, and conditional access.

Operational observation
What it does badly 4 points

Endpoint build review, gateway configuration audit, and assumed-compromise testing each require skilled hands. Mid-market organisations may need to engage an assessor. CHECK or CREST-aligned engagement is sensible for the assumed-compromise phase.

Practitioner observation

Skilled assessor days cost more than a SaaS simulation licence. The cost lands in a single procurement decision rather than spread across operations, which is harder to justify on a budget line even where total annual cost is comparable.

Commercial observation

Some compliance frameworks ask whether a phishing simulation has been conducted in the prior period. A technical assessment is a stronger answer, but the box still has a specific name on it. The mitigation is to keep a lightweight awareness programme and align it with the assessment findings.

Compliance interface observation

A workforce still needs to know what to report and how. The technical assessment removes the assessment from the workforce, but the reporting culture, the report button, and the response loop still need to be designed. NCSC's layered defence still applies.

Evidence: NCSC UK guidance
03The third context

Phishing as red team initial access.

Same logic for commissioned red team engagements. Phishing as the entry vector is the most expensive and least useful way to start. Assume-breach is the better default. Even the frameworks that used to insist on full-chain testing now say so.

Engagement comparison, time and effort allocation 0 ────────────────────── 6 weeks
Phishing-led red teamTypical default
~6 weeks · post-compromise: 35%
Assumed-breach red teamTIBER-EU and CBEST aligned
~4 weeks · post-compromise: 75%
Infrastructure or foothold setup Initial access, detection-risk window Post-compromise testing (the part defenders need) Reporting
~33%
Shorter engagement,
same scope
Relative time on post-
compromise testing
0
Wasted weeks if the
SOC catches the lure
Phishing-led initial access
Spend the first third of the engagement on the part you already know works.
Threat intel, infrastructure, lure development, then a wait for clicks. The work you actually commissioned starts in week three at best.
Net value as entryLowper framework and field reports
What it does
  1. Threat intelligence phase identifies plausible attacker pretexts and likely targets within the workforce.
  2. Infrastructure setup: registered domains, SSL, mail relay, payload development, evasion testing against the target's email security stack.
  3. Lures delivered to selected targets. The team waits for clicks, credential submissions, or sandboxed execution.
  4. Successful initial access feeds the post-compromise phase, with whatever time remains.
What it does well 3 points

For regulated scenarios where the threat model explicitly includes external initial access, end-to-end testing answers a specific question. TIBER-EU's standard variant covers this. The trade-off is that the answer is rarely surprising.

Evidence: TIBER-EU framework, ECB

The gateway, sandboxing, and impersonation controls get an end-to-end workout that a configuration review cannot fully replicate. The catch is that this is also achievable with a much narrower mail security assessment for a fraction of the cost.

Methodological observation

CBEST and DORA both reference threat-intelligence-led testing that includes initial access scenarios. For financial entities subject to those regimes, full-chain testing is sometimes expected. The expectation is itself softening: TIBER variants now explicitly allow assume-breach.

Evidence: TIBER variants supporting assume-breach
What it does badly 7 points

Every credible threat report from Mandiant, CrowdStrike, and Verizon over the last decade shows that determined adversaries achieve initial access. Spending a quarter of a multi-week engagement re-establishing this point surfaces no actionable new finding. The defensible question is what happens after.

Industry threat reporting consensus

If the SOC catches the phish, which is the entire point of the awareness and email security programme, the red team has nowhere to go. The client paid for a multi-week engagement and got one finding about their mail filter.

Operational observation

Registered domains, SSL certificates, mail relay configuration, payload development, anti-detection tuning. None of it carries to the next engagement. One to two weeks of senior engineer time goes on building the entry vehicle rather than on testing the client's controls.

Trade observation

"We phished a finance contractor" tells you very little about whether the same approach would work against a different role next quarter. "Lateral movement from a low-priv user succeeded via SeImpersonatePrivilege abuse" tells you everything, because the technique applies to every user with that privilege.

Methodological observation

Whether a user clicks depends on their workload, fatigue, pretext quality, and the time of day the lure lands. The same engagement run twice produces different results. Assumed-breach starts from the same position every time, which makes year-over-year improvement measurable.

Methodological observation

A red team phish lands in the same inboxes that the awareness team is trying to measure separately. The signals contaminate each other. Real phishing reports become indistinguishable from red team simulations, and trend data gets noisy.

Operational observation

In a six-week engagement, post-compromise work might get two to three weeks. The same two to three weeks against the same internal estate, with a foothold provided on day one, is the assumed-breach engagement. The client pays roughly a third more for the privilege of seeing the email security stack tested in the same engagement, which a much cheaper assessment could have covered.

Operational observation
Assumed-breach entry
Start where the interesting work begins.
Client provides a low-priv foothold. Day one, the assessor is in. The whole engagement window goes on testing the internal control plane.
Net value as entryHighper framework and operational evidence
What it does
  1. The client provides a low-privilege foothold. A standard user account, an unprivileged workstation in the target environment, or both.
  2. The engagement starts on day one in the post-compromise position. No infrastructure setup, no waiting for clicks.
  3. Lateral movement, privilege escalation, persistence, and impact testing proceed against the real internal control plane.
  4. Findings map directly to MITRE ATT&CK techniques the SOC can detect and contain. The blue team gets actionable improvement work.
What it does well 7 points

No infrastructure setup, no lure development, no waiting on clicks. The full window goes to lateral movement, privilege escalation, persistence, and impact. The deliverable density is higher per pound spent.

Operational observation

Same starting position, same scope, same measurement framework. Improvement actually shows up. Two consecutive phishing-led engagements with different lure performance tell you very little about whether the internal controls got better.

Methodological observation

TIBER variants now formally allow the initial entry phase to be skipped. Operational reality has caught up with the methodology. CBEST has long permitted intelligence-led scenarios that begin from documented footholds. The framework consensus is moving in this direction.

Evidence: TIBER-EU, TIBER assume-breach variants

In phishing-led testing, detection is the failure condition. In assumed-breach, detection is a finding to celebrate and refine. The blue team's catches become rule-tuning material in the closing purple-team session.

Operational observation

"T1078.002 Domain Accounts," "T1558.003 Kerberoasting," "T1484.001 Group Policy Modification." Each finding lands in a framework the SOC already uses for detection engineering. The remediation backlog writes itself.

MITRE ATT&CK Enterprise

No infrastructure cost, shorter engagement window, no failure-mode rework. The savings come out of the part of the budget that was producing the least new information anyway.

Trade observation

The workforce is untouched. The phishing-report channel keeps its signal-to-noise ratio. The two programmes (red team and awareness) can run on independent schedules without interfering with each other's metrics.

Operational observation
What it does badly 4 points

The email security stack, perimeter web exposure, and edge identity controls go untested in a pure assumed-breach engagement. The mitigation is to commission separate, narrower assessments for those (which is also cheaper than rolling them into the red team scope).

Methodological observation

Some procurement and risk functions struggle with this. The provided credential needs scoping, time-boxing, and revocation procedures. This is a process problem, not a methodology problem, and it solves itself once a single engagement has been run through it.

Procurement observation

Senior stakeholders who think "red team" means "we tested whether attackers could get in" may need re-education. The honest answer (they will, eventually, and what matters is what happens next) is harder to put on a slide than a click-rate trend graph.

Stakeholder management observation

Assumed-breach is most valuable when the SOC and detection engineering function are mature enough to absorb the findings and improve. For organisations without that capability, the engagement still produces a remediation backlog, but the deeper purple-team value is harder to realise.

Organisational maturity observation
Framework position
TIBER-EU was built around full-chain threat-intelligence-led engagements. The framework now explicitly permits the assume-breach variant. "Use of 'assume breach' where the initial entry phase is skipped when necessary to adhere to privacy legislation." TIBER.info documentation, on the TIBER-NL and TIBER-Rijk variants
04The operational loop

The SOC feedback loop.

A good phish that gets past the gateway, the sandbox, the link rewriter, and the EDR, and lands in someone's inbox, isn't a control failure. It's free, current, targeted threat intel about what's working against you right now. Most programmes have nowhere to put it. Without a loop, everything else is guesswork.

01
Receive.

The lure landed. The user now has a sample of what just bypassed everything you've got.

OwnersMail platform · End user · Security comms OperationalOne-button reporter in the mail client. Button does the structured submission. No forwarding to a mailbox nobody reads. SLA targetMinutes from suspicion to report. Friction is the enemy. ValueFree, current, targeted intel. No procurement, no infrastructure.
Loop
Done?
When?
Changed?
02
Triage.

SOC picks it up, decides benign, suspicious, or malicious. Real adversary stuff jumps the queue.

OwnersSOC · Incident response OperationalAutomated acknowledge on receipt. Human classify after. Confirmed malicious gets paged. SLA targetAcknowledge under 1 hour. Classify under 4. ValueThe reporter sees the report taken seriously before they have time to doubt it.
Loop
Done?
When?
Changed?
03
Extract.

IOCs, TTPs, sender infrastructure, attachment behaviour, link patterns, who got targeted. Pulled out in a structured format that the rest of the stack can ingest.

OwnersSOC · Detection engineering · Threat intel OperationalOpen formats. STIX 2.1 or the Triageable Evidence Format (TEF). Without structure the report turns into a screenshot in a Teams channel that nobody can act on. MappingEvery observed technique tagged with a MITRE ATT&CK identifier. Initial access is usually the T1566 family. ValueThe intel is now in a form the gateway, the SIEM, the next assessor, and your peers can all eat.
Loop
Done?
When?
Changed?
04
Act.

Block what landed. Block what looks like it. Hunt the inbox set and the SIEM history for earlier related deliveries that nobody reported.

OwnersMail platform · Endpoint security · Detection engineering · Network engineering OperationalTransport rules on the gateway. Custom EDR signatures. SIEM correlation rules. Hunt queries against the prior 30 days at minimum. ReachSame lure shouldn't land twice. Variants land less often. Earlier missed deliveries surface. ValueControls got better. Attributable directly to the user who reported it.
Loop
Done?
When?
Changed?
05
Close.

Tell the reporter what their report did. Update the threat model. Share with peers through an ISAC, sector group, or NCSC where you can. Feed the IOC and TTP set into the next assumed-breach engagement so it's testing against the real adversary.

OwnersSOC · Security comms · Threat intel · Security architecture OperationalTemplated response to the reporter with an anonymised impact summary. Monthly comms showing the workforce real sector lures. Peer share where you can. ForwardIOCs and TTPs feed the next assumed-breach engagement scope. The exercise tests what's actually being thrown at the place. ValueThe workforce sees the loop close. Next assessment is tighter. Peers get earlier warning. Reporting culture compounds.
Loop
Done?
When?
Changed?
Loop continues. Each pass: controls catch more, reports come in faster, the assessment programme tests what's actually happening.
Framework position
MITRE's Center for Threat-Informed Defense[8] calls the mature state a continuous feedback loop between adversary behaviour, control visibility, and operational readiness. The phish that bypassed your controls is the way in to that loop. Without it, you're working off generic assumptions. "Mature organisations develop a continuous feedback loop between adversary behavior, control visibility, and operational readiness." MITRE Center for Threat-Informed Defense and partner guidance
05Value comparison

Side by side on the dimensions that matter.

Click any row to expand the definition. Dot colour shows relative strength of each approach on that dimension.

Dimension
Traditional simulation
Technical assessment
Actionability of findings Can a named person fix the finding by changing a configuration, policy, or control?
Names of clickers, no control gaps surfaced
Specific configuration changes per finding
Threat realism Does the test reflect what real operators are doing against this organisation in the current period?
Generic vendor templates
Assumed-compromise model maps to current TTPs
Workforce impact Does the test treat the workforce as the threat surface or as the sensor network?
Threat surface, blame risk
Unaffected, reporting culture preserved
Reporting culture Does the programme encourage or suppress timely reporting of real suspicious emails?
Suppresses (per NCSC)
Neutral, reporting can be built alongside
Evidence base Is the practice supported by peer-reviewed empirical study or by vendor case studies?
Vendor case studies, multiple null results in field studies
Standard pen-test methodology, NCSC-aligned
Cost profile Where does the spend land? Operational subscription or skilled engagement?
Low recurring spend, hidden operational cost
Higher per-engagement, focused remediation spend follows
Compliance fit Does the practice answer the specific question auditors are asked to ask?
Direct fit with "simulation conducted" items
Stronger evidence, may require lightweight awareness alongside
Defence range Does the practice defend against other initial access vectors too, or only phishing?
Phishing-only
Phishing, smishing, drive-by, removable media, supply chain
06Self-diagnostic

Where does your programme sit on the spectrum?

Nine questions, scored 0 to 3 each. Find out where the programme sits between simulation theatre and assessment-led resilience with a closed loop. Responses are captured locally, aggregated only if you've wired analytics in.

Programme diagnostic, 9 questions

Answer straight. The score is for you, not an auditor.

0/27
band
label
meaning
Theatre In transition Resilience
Most useful next step

References

  1. Lain, D., Kostiainen, K., Čapkun, S. Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. IEEE Symposium on Security and Privacy (S&P), 2022. 14,000 employees, 15 months. arxiv.org/pdf/2112.07498
  2. Lain, D., Jost, T., Matetic, S., Kostiainen, K., Čapkun, S. Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training. ACM CCS 2024. Distinguished Paper Award. 4,554 participants. arxiv.org/abs/2409.01378
  3. Anti-Phishing Training Does Not Work. A Large-Scale Empirical Assessment of Multi-Modal Training Grounded in the NIST Phish Scale. arXiv preprint, 2025. 12,511 participants. arxiv.org/html/2506.19899v1
  4. Various. Phishing simulation exercise in a large hospital: a case study. PubMed Central. Workload-driven susceptibility analysis. ncbi.nlm.nih.gov/pmc/articles/PMC8935590
  5. UK National Cyber Security Centre. Phishing attacks: defending your organisation. Official guidance, multi-layer mitigation framework, updated 2025. ncsc.gov.uk/guidance/phishing
  6. European Central Bank. TIBER-EU: Threat Intelligence-based Ethical Red Teaming. Framework for controlled, intelligence-led red team testing of financial entities, supporting DORA compliance. ecb.europa.eu/paym/cyber-resilience/tiber-eu
  7. TIBER.info documentation. TIBER-NL and TIBER-Rijk assume-breach variants. Explicit framework provision for skipping the initial entry phase where operationally or legally appropriate. tiber.info/documentation
  8. MITRE Center for Threat-Informed Defense. Threat-Informed Defense. Continuous feedback loop between adversary behaviour, control visibility, and operational readiness. ATT&CK is the underlying taxonomy. mitre.org/focus-areas/cybersecurity/threat-informed-defense
copied