Purple team · in action

Watch the attack. Read the catch. Pick your industry.

Choose a sector and watch a real attacker pick a route to your crown jewels, then read the purple-team analysis underneath: every stage flagged to MITRE ATT&CK, and the MITRE D3FEND countermeasure, and the control, that should catch it.

Financial services — the prize

Payments, trading systems, customer accounts, and the deal book.

Every sector has a prize an attacker is after: its crown jewels, named above. Pick your sector below, then click an entry point in the graph and trace a path toward it. Each step you take is flagged to MITRE ATT&CK, and matched to the MITRE D3FEND countermeasure (and the control) that catches it.

EntryFootholdPivotEscalateObjectivePhishingstaff inboxStolen credscredential dumpThird partyvendor accessExposed apppublic-facingRemote accessVPNWorkstationemployee hostCorporate networkflat · trustedWeb / API DMZperimeterLateral movementhost to hostCloud / SaaSdata storesCore banking netsegmentedDomain adminActive DirectoryPayments adminprivilegedPayments / SWIFTmove moneyCustomer dataPII · accountsTrading / deal bookmarket-movingthe route taken this runother possible routesloop back to go again
Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
    Or read every stage, flagged and caught:
    01Initial accessEntry
    Attack

    Phishing, stolen credentials, a trusted third party, an exposed app.

    T1566 PhishingT1078 Valid AccountsT1199 Trusted Relationship
    Defense
    Message Analysis (D3-MA)Multi-factor Authentication (D3-MFA)

    MFA and conditional access, email security, and tightly scoped third-party access.

    02Execution & footholdFoothold
    Attack

    Code runs on the first host, and the attacker digs in.

    T1204 User ExecutionT1059 Command & Scripting Interpreter
    Defense
    Process Analysis (D3-PA)File Analysis (D3-FA)

    EDR on every endpoint, alerting on the suspicious process and script behaviour the foothold needs.

    03Lateral movementPivot
    Attack

    Host to host, toward where the value actually sits.

    T1021 Remote ServicesT1210 Exploitation of Remote Services
    Defense
    Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

    Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.

    04Privilege escalationEscalate
    Attack

    Steal credentials and become an administrator.

    T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
    Defense
    User Behavior Analysis (D3-UBA)

    Tiered admin and LAPS, with identity analytics flagging the anomalous logon.

    05ObjectiveObjective
    Attack

    Reach payments and trading, or quietly exfiltrate customer data.

    T1213 Data from Information RepositoriesT1567 Exfiltration Over Web Service
    Defense
    Outbound Traffic Filtering (D3-OTF)User Behavior Analysis (D3-UBA)

    Segmentation around the payments core, DLP on egress, and transaction-flow monitoring.

    EntryFootholdPivotEscalateObjectivePhishingstaff inboxStolen credscredential dumpPost-house / vendorshared projectRemote accessVPNStreaming / webpublic appFreelancercontractor laptopEditor workstationproduction hostCorporate networkflat · trustedWeb / streaming DMZperimeterLateral movementhost to hostCloud / render · storeSaaSProduction networkMAMDomain adminActive DirectoryMAM / prod adminasset managementUnreleased contentmasters · cutsSubscriber dataPIIBroadcast / distrotake it off airthe route taken this runother possible routesloop back to go again
    Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
      Or read every stage, flagged and caught:
      01Initial accessEntry
      Attack

      A freelancer’s laptop, a post-house’s shared project, the public streaming app.

      T1566 PhishingT1199 Trusted RelationshipT1190 Exploit Public-Facing Application
      Defense
      Message Analysis (D3-MA)Multi-factor Authentication (D3-MFA)

      MFA on vendor and remote access, email security, and hardened public apps.

      02Execution & footholdFoothold
      Attack

      Code runs on the first host, and the attacker digs in.

      T1204 User ExecutionT1059 Command & Scripting Interpreter
      Defense
      Process Analysis (D3-PA)File Analysis (D3-FA)

      EDR on every endpoint, alerting on the suspicious process and script behaviour the foothold needs.

      03Lateral movementPivot
      Attack

      Host to host, toward where the value actually sits.

      T1021 Remote ServicesT1210 Exploitation of Remote Services
      Defense
      Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

      Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.

      04Privilege escalationEscalate
      Attack

      Steal credentials and become an administrator.

      T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
      Defense
      User Behavior Analysis (D3-UBA)

      Tiered admin and LAPS, with identity analytics flagging the anomalous logon.

      05ObjectiveObjective
      Attack

      Reach and exfiltrate unreleased masters, or take broadcast down.

      T1530 Data from Cloud StorageT1567 Exfiltration Over Web ServiceT1489 Service Stop
      Defense
      Outbound Traffic Filtering (D3-OTF)

      DLP and egress filtering on the asset stores, with isolation around broadcast.

      EntryIT footholdIT/OT boundaryOT controlImpactPhishingstaff inboxRemote accessVPNVendor remoteintegratorExposed serviceedgeRemovable mediaUSBCorporate ITworkstationIT domainActive DirectoryEngineering WSOT-connectedOT DMZperimeterOT jump hostaccessData historianIT ↔ OTOT remote gatewayvendor maintSCADA servercontrolHMIoperatorPLCcontrollerField I/Osensors · valvesSafety PLCSISHalt the linedowntimeSafety systemsSISRansom productionencryptTamper processqualitythe route taken this runother possible routesloop back to go again
      Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
        Or read every stage, flagged and caught:
        01Initial accessEntry
        Attack

        A phished engineer, vendor remote-maintenance, removable media on the OT side.

        T1566 PhishingT1133 External Remote ServicesT1091 Replication Through Removable Media
        Defense
        Multi-factor Authentication (D3-MFA)Message Analysis (D3-MA)

        MFA on remote and vendor access, and removable-media controls at the boundary.

        02Execution & footholdFoothold
        Attack

        Code runs on the first host, and the attacker digs in.

        T1204 User ExecutionT1059 Command & Scripting Interpreter
        Defense
        Process Analysis (D3-PA)File Analysis (D3-FA)

        EDR on every endpoint, alerting on the suspicious process and script behaviour the foothold needs.

        03Lateral movementPivot
        Attack

        Host to host, toward where the value actually sits.

        T1021 Remote ServicesT1210 Exploitation of Remote Services
        Defense
        Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

        Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.

        04Privilege escalationEscalate
        Attack

        Steal credentials and become an administrator.

        T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
        Defense
        User Behavior Analysis (D3-UBA)

        Tiered admin and LAPS, with identity analytics flagging the anomalous logon.

        05ObjectiveObjective
        Attack

        Cross IT→OT to manipulate control, or encrypt the historian and stop the line.

        T0831 Manipulation of ControlT1486 Data Encrypted for Impact
        Defense
        Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

        Enforced IT/OT segmentation and conduits, with OT-aware monitoring on the boundary.

        EntryFootholdPivotEscalateObjectivePhishinga stafferStolen credscredential dumpExposed VPNremote accessPublic portalcitizen-facingContractorsupply chainStaff workstationendpointAgency networkflat · trustedDMZ / appperimeterLateral movementhost to hostGovCloud / M365SaaSShared servicescross-agencyDomain adminActive DirectoryPrivileged accesssysadminCitizen dataPIISensitive dataclassifiedCritical servicetake it downPersistencelong dwellthe route taken this runother possible routesloop back to go again
        Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
          Or read every stage, flagged and caught:
          01Initial accessEntry
          Attack

          Phishing, stolen credentials, an exposed VPN, or a trusted contractor.

          T1566 PhishingT1078 Valid AccountsT1199 Trusted Relationship
          Defense
          Message Analysis (D3-MA)Multi-factor Authentication (D3-MFA)Inbound Traffic Filtering (D3-ITF)

          MFA, a patched perimeter, and hardened contractor and remote access.

          02Execution & footholdFoothold
          Attack

          Code runs on the first host, and the attacker digs in.

          T1204 User ExecutionT1059 Command & Scripting Interpreter
          Defense
          Process Analysis (D3-PA)File Analysis (D3-FA)

          EDR on every endpoint, alerting on the suspicious process and script behaviour the foothold needs.

          03Lateral movementPivot
          Attack

          Host to host, toward where the value actually sits.

          T1021 Remote ServicesT1210 Exploitation of Remote Services
          Defense
          Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

          Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.

          04Privilege escalationEscalate
          Attack

          Steal credentials and become an administrator.

          T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
          Defense
          User Behavior Analysis (D3-UBA)

          Tiered admin and LAPS, with identity analytics flagging the anomalous logon.

          05ObjectiveObjective
          Attack

          Exfiltrate classified or CUI data, or settle in for long-dwell espionage.

          T1213 Data from Information RepositoriesT1567 Exfiltration Over Web ServiceT1078 Valid Accounts
          Defense
          Outbound Traffic Filtering (D3-OTF)User Behavior Analysis (D3-UBA)

          DLP and egress monitoring, with identity analytics catching the quiet account.

          EntryFootholdPivotEscalateObjectivePhishinga clerkStolen credscredential dumpExposed VPNremote accessPublic portalcitizen-facingMSP / vendorshared servicesStaff workstationendpointCounty networkflat · trustedDMZ / appperimeterLateral movementhost to hostStateRAMP cloud / M365SaaSShared servicescross-departmentDomain adminActive DirectoryPrivileged accesssysadminCitizen dataPIICourt & police recordsCJIServices ransomedshut the city downPersistencelong dwellthe route taken this runother possible routesloop back to go again
          Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
            Or read every stage, flagged and caught:
            01Initial accessEntry
            Attack

            Phishing a clerk, stolen credentials, an exposed VPN or public portal, a shared MSP.

            T1566 PhishingT1078 Valid AccountsT1190 Exploit Public-Facing Application
            Defense
            Message Analysis (D3-MA)Multi-factor Authentication (D3-MFA)Inbound Traffic Filtering (D3-ITF)

            MFA, a patched perimeter, and a WAF in front of public portals.

            02Execution & footholdFoothold
            Attack

            Code runs on the first host, and the attacker digs in.

            T1204 User ExecutionT1059 Command & Scripting Interpreter
            Defense
            Process Analysis (D3-PA)File Analysis (D3-FA)

            EDR on every endpoint, alerting on the suspicious process and script behaviour the foothold needs.

            03Lateral movementPivot
            Attack

            Host to host, toward where the value actually sits.

            T1021 Remote ServicesT1210 Exploitation of Remote Services
            Defense
            Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

            Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.

            04Privilege escalationEscalate
            Attack

            Steal credentials and become an administrator.

            T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
            Defense
            User Behavior Analysis (D3-UBA)

            Tiered admin and LAPS, with identity analytics flagging the anomalous logon.

            05ObjectiveObjective
            Attack

            Exfiltrate citizen data, or ransom the services a community depends on.

            T1213 Data from Information RepositoriesT1486 Data Encrypted for ImpactT1567 Exfiltration Over Web Service
            Defense
            Outbound Traffic Filtering (D3-OTF)User Behavior Analysis (D3-UBA)

            DLP and egress monitoring, plus tested segmentation and backups for the ransomware play.

            EntryFootholdPivotEscalateObjectivePhishingstaff inboxE-commerce apppublicPayment integrationthird-partyStolen credscredential dumpStore networkbranchWeb skimmerMagecartStore / POS netbranchCorporate netflat · trustedE-commerce DMZperimeterLateral movementhost to hostCloud / hostingSaaSPayment net / CDEcard dataDomain adminActive DirectoryPOS / pay adminpayment opsCard datathe CDECustomer dataloyalty · PIIE-commerce fraudlogic abuseSite downat peakthe route taken this runother possible routesloop back to go again
            Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
              Or read every stage, flagged and caught:
              01Initial accessEntry
              Attack

              A web skimmer, a payment integration, a store network, a phish.

              T1566 PhishingT1190 Exploit Public-Facing ApplicationT1199 Trusted Relationship
              Defense
              Inbound Traffic Filtering (D3-ITF)Message Analysis (D3-MA)

              WAF and MFA, plus payment-page integrity monitoring for the skimmer.

              02Execution & footholdFoothold
              Attack

              Code runs on the first host, and the attacker digs in.

              T1204 User ExecutionT1059 Command & Scripting Interpreter
              Defense
              Process Analysis (D3-PA)File Analysis (D3-FA)

              EDR on every endpoint, alerting on the suspicious process and script behaviour the foothold needs.

              03Lateral movementPivot
              Attack

              Host to host, toward where the value actually sits.

              T1021 Remote ServicesT1210 Exploitation of Remote Services
              Defense
              Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

              Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.

              04Privilege escalationEscalate
              Attack

              Steal credentials and become an administrator.

              T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
              Defense
              User Behavior Analysis (D3-UBA)

              Tiered admin and LAPS, with identity analytics flagging the anomalous logon.

              05ObjectiveObjective
              Attack

              Skim card data, reach the CDE, or take the storefront down at peak.

              T1530 Data from Cloud StorageT1486 Data Encrypted for ImpactT1499 Endpoint Denial of Service
              Defense
              Outbound Traffic Filtering (D3-OTF)

              CDE segmentation, DLP, and file-integrity monitoring on payment pages.

              EntryFootholdPivotEscalateObjectivePhishinga credentialAg-tech platformvendorRemote accessVPNIoT telemetrysensorExposed serviceedgeCorporate ITofficeFarm / site netlocalProcessing ITplantLateral movementhost to hostFleet telemetrycloudIT/OT boundarysegmentDomain adminActive DirectoryOT / SCADAcontrolHalt processingdowntimeDisrupt logisticscold chainTamper automationirrigation · feedRansomencryptthe route taken this runother possible routesloop back to go again
              Click an entry point in the left column, then trace a path toward a prize. Each step is flagged to MITRE ATT&CK and matched to the MITRE D3FEND control that catches it.
                Or read every stage, flagged and caught:
                01Initial accessEntry
                Attack

                An ag-tech platform, IoT telemetry, remote access, an exposed service.

                T1190 Exploit Public-Facing ApplicationT1133 External Remote ServicesT1566 Phishing
                Defense
                Multi-factor Authentication (D3-MFA)Inbound Traffic Filtering (D3-ITF)

                MFA, a patched edge, and IoT/OT segmentation off the business network.

                02Execution & footholdFoothold
                Attack

                Code runs on the first host, and the attacker digs in.

                T1204 User ExecutionT1059 Command & Scripting Interpreter
                Defense
                Process Analysis (D3-PA)File Analysis (D3-FA)

                EDR on every endpoint, alerting on the suspicious process and script behaviour the foothold needs.

                03Lateral movementPivot
                Attack

                Host to host, toward where the value actually sits.

                T1021 Remote ServicesT1210 Exploitation of Remote Services
                Defense
                Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

                Segmentation that stops the hop, with NDR watching east-west traffic for the pivot.

                04Privilege escalationEscalate
                Attack

                Steal credentials and become an administrator.

                T1003 OS Credential DumpingT1078.002 Valid Accounts: Domain Accounts
                Defense
                User Behavior Analysis (D3-UBA)

                Tiered admin and LAPS, with identity analytics flagging the anomalous logon.

                05ObjectiveObjective
                Attack

                Disrupt processing and logistics, tamper with automation, or ransom.

                T0831 Manipulation of ControlT1486 Data Encrypted for Impact
                Defense
                Network Traffic Analysis (D3-NTA)Broadcast Domain Isolation (D3-BDI)

                OT/IoT segmentation and monitoring, with tested, isolated backups.

                Representative paths, not a specific engagement. Your real attack surface, ATT&CK coverage and D3FEND mapping are established live, in the open, on a purple team. Frameworks: MITRE ATT&CK ↗  MITRE D3FEND ↗

                Scope a purple team