Watch the attack. Read the catch. Pick your industry.
Choose a sector and watch a real attacker pick a route to your crown jewels, then read the purple-team analysis underneath: every stage flagged to MITRE ATT&CK, and the MITRE D3FEND countermeasure, and the control, that should catch it.
Payments, trading systems, customer accounts, and the deal book.
Every sector has a prize an attacker is after: its crown jewels, named above. Pick your sector below, then click an entry point in the graph and trace a path toward it. Each step you take is flagged to MITRE ATT&CK, and matched to the MITRE D3FEND countermeasure (and the control) that catches it.
Attack · MITRE ATT&CKDefense · MITRE D3FEND + the control
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
Or read every stage, flagged and caught:
01Initial accessEntry
Attack
Phishing, stolen credentials, a trusted third party, an exposed app.
Segmentation around the payments core, DLP on egress, and transaction-flow monitoring.
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
Or read every stage, flagged and caught:
01Initial accessEntry
Attack
A freelancer’s laptop, a post-house’s shared project, the public streaming app.
Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.
04Privilege escalationEscalate
Attack
Steal credentials and become an administrator.
T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
caught by
Defense
User Behavior Analysis (D3-UBA)
Tiered admin and LAPS, with identity analytics flagging the anomalous logon.
05ObjectiveObjective
Attack
Reach and exfiltrate unreleased masters, or take broadcast down.
T1530 Data from Cloud StorageT1567 Exfiltration Over Web ServiceT1489 Service Stop
caught by
Defense
Outbound Traffic Filtering (D3-OTF)
DLP and egress filtering on the asset stores, with isolation around broadcast.
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
Or read every stage, flagged and caught:
01Initial accessEntry
Attack
A phished engineer, vendor remote-maintenance, removable media on the OT side.
T1566 PhishingT1133 External Remote ServicesT1091 Replication Through Removable Media
Enforced IT/OT segmentation and conduits, with OT-aware monitoring on the boundary.
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
Or read every stage, flagged and caught:
01Initial accessEntry
Attack
Phishing, stolen credentials, an exposed VPN, or a trusted contractor.
DLP and egress monitoring, with identity analytics catching the quiet account.
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
Or read every stage, flagged and caught:
01Initial accessEntry
Attack
Phishing a clerk, stolen credentials, an exposed VPN or public portal, a shared MSP.
DLP and egress monitoring, plus tested segmentation and backups for the ransomware play.
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
Or read every stage, flagged and caught:
01Initial accessEntry
Attack
A web skimmer, a payment integration, a store network, a phish.
Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.
04Privilege escalationEscalate
Attack
Steal credentials and become an administrator.
T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
caught by
Defense
User Behavior Analysis (D3-UBA)
Tiered admin and LAPS, with identity analytics flagging the anomalous logon.
05ObjectiveObjective
Attack
Skim card data, reach the CDE, or take the storefront down at peak.
T1530 Data from Cloud StorageT1486 Data Encrypted for ImpactT1499 Endpoint Denial of Service
caught by
Defense
Outbound Traffic Filtering (D3-OTF)
CDE segmentation, DLP, and file-integrity monitoring on payment pages.
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
Or read every stage, flagged and caught:
01Initial accessEntry
Attack
An ag-tech platform, IoT telemetry, remote access, an exposed service.
OT/IoT segmentation and monitoring, with tested, isolated backups.
Representative paths, not a specific engagement. Your real attack surface, ATT&CK coverage and D3FEND mapping are established live, in the open, on a purple team. Frameworks: MITRE ATT&CK ↗MITRE D3FEND ↗