Cloud Threat Landscape
Defenses
All Defenses. Each entry gives the defense name, a TL;DR, the catalogued attack techniques it counters (as mapped on this site), and the D3FEND tactic it falls under.

ABAC
  TL;DR: Attribute-based access control: grants or denies access by evaluating attributes of the user, the resource, and the environment (such as time or source network) against policy.
  Techniques: (none listed)
  D3FEND Tactic: Execution Isolation (D3-EI), Credential Hardening (D3-CH)

Access Control List (ACL)
  TL;DR: A per-object list of which principals may access the object and which actions they may perform on it.
  Techniques: Credential theft
  D3FEND Tactic: Execution Isolation (D3-EI)

Account Lockout Policies
  TL;DR: Locks a user account after a set number of failed login attempts. The counter is per account, so it stops brute force against one account but not low-and-slow spraying of one password across many accounts.
  Techniques: (none listed)
  D3FEND Tactic: Credential Eviction (D3-CE)
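Worked example (added here, not part of the Wiz catalogue): a simulation of the lockout policy above against constructed login events, beside a source-based password-spraying detector. The threshold values, the event data and the function names are assumptions for the example. The point it shows is that the per-account counter locks the brute-forced account but never fires on the spray, which still succeeds against one weakly-passworded account; the entries further down that list "Password spraying" (MFA, Password Policies, Weak Password Detection) are the controls that cover that gap.

```python
"""Account lockout vs. password spraying, on constructed login events.

Added example (not from the Wiz page). Policy and tuning values are assumptions.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # assumed: consecutive failures per account before it is locked
SPRAY_MIN_USERS = 8     # assumed: distinct accounts failing from one source before we call it a spray

# Constructed sample events, in arrival order: (source_ip, username, login_succeeded)
EVENTS = (
    # brute force: one source hammers one account
    [("10.0.0.5", "alice", False)] * 7
    # spray: one source, a single guess against each of 12 accounts; the last one has a weak password
    + [("203.0.113.7", f"user{i:02d}", False) for i in range(11)]
    + [("203.0.113.7", "user11", True)]
    # benign: a user mistypes once, then logs in
    + [("192.0.2.9", "bob", False), ("192.0.2.9", "bob", True)]
)


def apply_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Simulate a per-account lockout policy.

    Returns (locked_accounts, attempts_refused). A success resets the failure
    counter, and attempts against an already-locked account are refused.
    """
    failures = defaultdict(int)
    locked = set()
    refused = 0
    for _src, user, ok in events:
        if user in locked:
            refused += 1
            continue
        if ok:
            failures[user] = 0
            continue
        failures[user] += 1
        if failures[user] >= threshold:
            locked.add(user)
    return locked, refused


def detect_spray(events, min_users=SPRAY_MIN_USERS):
    """Flag sources that fail against many distinct accounts.

    Returns {source_ip: sorted usernames that failed from it} for every source
    at or above min_users. Per-account counters never reach the lockout
    threshold for this pattern, so detection has to pivot on the source.
    """
    failed = defaultdict(set)
    for src, user, ok in events:
        if not ok:
            failed[src].add(user)
    return {src: sorted(users) for src, users in failed.items() if len(users) >= min_users}


def compromised_accounts(events, min_users=SPRAY_MIN_USERS):
    """Accounts that a spraying source eventually logged into: the actual damage."""
    sprayers = detect_spray(events, min_users)
    return sorted({user for src, user, ok in events if ok and src in sprayers})


if __name__ == "__main__":
    locked, refused = apply_lockout(EVENTS)
    print("locked:", locked, "refused:", refused)          # alice is locked; the spray is untouched
    print("spraying sources:", detect_spray(EVENTS))
    print("compromised via spray:", compromised_accounts(EVENTS))
```

Run it as a script and the brute-forced account is locked after the fifth failure while every spray attempt passes the lockout check, because no single account accumulates more than one failure; only the per-source view catches it.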
Admission Controller
  TL;DR: Intercepts requests to the Kubernetes API server and validates or mutates resources against policy before they are persisted.
  Techniques: (none listed)
  D3FEND Tactic: Application Hardening (D3-AH)

AI-SPM
  TL;DR: AI Security Posture Management: assesses and hardens the security posture of an organization's AI pipelines, models and training data.
  Techniques: Malicious AI model, LLMjacking, LLM Prompt Injection
  D3FEND Tactic: Application Hardening (D3-AH)

API Gateway
  TL;DR: Fronts back-end services, handling routing, authentication, rate limiting and request validation for API traffic before it reaches them.
  Techniques: SQL injection
  D3FEND Tactic: Network Traffic Analysis (D3-NTA), Network Isolation (D3-NI)

Bastion Host
  TL;DR: A hardened, closely monitored host that is the single exposed entry point for administrative access to an internal network.
  Techniques: Password bruteforcing, Password spraying
  D3FEND Tactic: Network Isolation (D3-NI)

CDN
  TL;DR: Serves content from distributed edge servers for performance; fronting the origin also hides its IP address and absorbs volumetric traffic, provided the origin accepts connections only from the CDN.
  Techniques: Discover origin IP of fronted domain
  D3FEND Tactic: Network Isolation (D3-NI), Message Hardening (D3-MH)

CI/CD Configuration Scanning
  TL;DR: (not given)
  Techniques: Credential harvesting from code repository, Script injection into CI/CD workflow
  D3FEND Tactic: (not given)

Cloud Configuration Scanning
  TL;DR: Scans cloud account and service configuration for deviations from security best practices and compliance baselines.
  Techniques: Abuse of cross-job access in CI/CD system, Propagation via Kubelet, Public exposure abuse, K8s anonymous auth abuse, Azure Arc abuse, Azure Run Commands abuse, Azure Batch abuse, Azure AD abuse, Appstream abuse
  D3FEND Tactic: Platform Hardening (D3-PH)

Cloud Log monitoring
  TL;DR: Collects and analyzes cloud control-plane and audit logs to detect security incidents, in particular the identity and logging changes that precede or accompany an intrusion.
  Techniques: Policy simulation, Create new cloud user, Create or modify cloud key, Attach administrative role to account, Abuse naming patterns to guess resource IDs or fingerprint resources, Add attacker-controlled IdP via ADFS access, Erase logs, Linux fileless malware
  D3FEND Tactic: Process Analysis (D3-PA), User Behavior Analysis (D3-UBA)
Confidential Computing
  TL;DR: Protects data in use by processing it inside hardware-isolated, attestable environments (enclaves or confidential VMs) that the host and the cloud operator cannot read.
  Techniques: (none listed)
  D3FEND Tactic: Platform Hardening (D3-PH)

Containerization
  TL;DR: Runs applications in isolated containers that share the host OS kernel; the shared kernel makes this a weaker boundary than a VM.
  Techniques: SSH propagation
  D3FEND Tactic: Execution Isolation (D3-EI)

Data Backups
  TL;DR: Copies and archives data so it can be restored after loss, corruption or ransomware; backups only help if the attacker cannot delete or encrypt them with the same credentials.
  Techniques: Bucket / storage ransomware, Database ransomware
  D3FEND Tactic: Restore Object (D3-RO)

Data Encryption
  TL;DR: Converts data to ciphertext readable only with the key, so copied storage is useless without also obtaining the key.
  Techniques: Data exfiltration from cloud storage, Poison AI training data
  D3FEND Tactic: Application Hardening (D3-AH)

Data Masking
  TL;DR: Obscures sensitive fields so data stays usable for testing and analytics without exposing the real values.
  Techniques: (none listed)
  D3FEND Tactic: Application Hardening (D3-AH)

Data Replication
  TL;DR: Copies data across locations for consistency and availability. Replication propagates deletions and encrypted writes as well, so it complements rather than replaces backups.
  Techniques: Bucket / storage ransomware, Database ransomware, Poison AI training data
  D3FEND Tactic: Restore Object (D3-RO)

DDoS Protection
  TL;DR: Shields networks and services from attacks that overwhelm them with traffic.
  Techniques: (none listed)
  D3FEND Tactic: Network Traffic Analysis (D3-NTA)

DFIR
  TL;DR: Digital Forensics and Incident Response: investigating security incidents, preserving evidence, and containing and remediating them.
  Techniques: (none listed)
  D3FEND Tactic: Platform Monitoring (D3-PM)

DLP
  TL;DR: Data Loss Prevention: prevents unauthorized access to, sharing of, and leakage of sensitive data.
  Techniques: (none listed)
  D3FEND Tactic: (not given)

File Integrity Monitoring (FIM)
  TL;DR: Detects unexpected changes to files (binaries, configuration, account databases such as /etc/passwd) that indicate compromise.
  Techniques: Create new local user
  D3FEND Tactic: File Analysis (D3-FA)

Honeypots
  TL;DR: Decoy systems designed to attract, delay, and study threat actors; any interaction with them is a high-fidelity alert.
  Techniques: (none listed)
  D3FEND Tactic: Decoy Environment (D3-DE)

Host Configuration Scanning
  TL;DR: Inspects host and application settings to detect misconfigurations, such as services exposed without authentication.
  Techniques: Abusing exposed Docker socket, Misconfigured WordPress abuse, Misconfigured Redis abuse, Misconfigured Docker abuse, Misconfigured DB abuse, Misconfigured Consul abuse, Misconfigured Argo abuse, Misconfigured Apache Hadoop abuse, Jupyter Notebook misconfig abuse, Jupyter Notebook ransomware, cAdvisor abuse, K8s anonymous auth abuse, Misconfigured Gitea abuse
  D3FEND Tactic: Application Hardening (D3-AH)
IAM Policies
  TL;DR: Controls which users and workloads may perform which actions on which resources; least-privilege policies limit what stolen credentials can do.
  Techniques: Valid creds abuse, Abuse access to existing KMS key, Abuse trust and privileges across accounts, SSM-facilitated remote desktop connection, IAM privilege escalation
  D3FEND Tactic: Execution Isolation (D3-EI), Credential Hardening (D3-CH)

Key Management System (KMS)
  TL;DR: Generates, stores, rotates and controls use of cryptographic keys so that key material never leaves the service.
  Techniques: Credential theft
  D3FEND Tactic: Credential Hardening (D3-CH)

Malware Detection
  TL;DR: Identifies and mitigates malicious software on systems, by signature, indicator or behavior.
  Techniques: Public malicious container image, Reverse shell, Rootkit - LD_PRELOAD
  D3FEND Tactic: File Analysis (D3-FA), Identifier Analysis (D3-ID)

Microsegmentation
  TL;DR: Divides the network into small, workload-level segments with per-segment policy, so a compromised host cannot reach its neighbors by default.
  Techniques: Network lateral movement, SSH propagation
  D3FEND Tactic: Network Isolation (D3-NI)

Multi-Factor Authentication (MFA)
  TL;DR: Requires more than one verification method for access; SMS and one-time-code factors remain phishable, unlike hardware security keys.
  Techniques: Password bruteforcing, Password spraying, Smishing (SMS phishing)
  D3FEND Tactic: Credential Hardening (D3-CH)

Namespacing
  TL;DR: Isolates resources into separate namespaces (for example Kubernetes namespaces) to avoid conflicts and scope access; a namespace is only a security boundary when paired with RBAC and network policies.
  Techniques: Propagation via Kubelet
  D3FEND Tactic: Execution Isolation (D3-EI)

Network Firewall
  TL;DR: Monitors and controls network traffic based on security rules.
  Techniques: Public exposure abuse
  D3FEND Tactic: Network Traffic Analysis (D3-NTA), Network Isolation (D3-NI)

Password Policies
  TL;DR: Sets rules for creating and maintaining strong passwords (length, reuse, known-breached lists).
  Techniques: Password bruteforcing, Password spraying, Smishing (SMS phishing)
  D3FEND Tactic: Credential Hardening (D3-CH)

Permission Boundary
  TL;DR: An IAM policy that caps the maximum permissions an identity can have; its effective permissions are the intersection of its own policies and the boundary, so the boundary restricts but never grants.
  Techniques: Smishing (SMS phishing)
  D3FEND Tactic: Credential Hardening (D3-CH)
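Worked example (added here, not part of the Wiz catalogue), covering both the IAM Policies entry and the Permission Boundary entry: it computes the effective permission set as the intersection of a constructed identity policy and a boundary, then checks what remains for IAM privilege-escalation primitives. The policies, the list of primitives (an assumed subset of the commonly cited AWS IAM escalation paths) and the function names are assumptions; Resource and Condition constraints are ignored, as if every statement had Resource "*". The point it shows: a boundary that still allows iam:PassRole together with a code-running service leaves an escalation path even though every direct iam:* primitive has been cut off.

```python
"""Effective permissions (identity policy intersected with a permission boundary)
and IAM privilege-escalation primitives.

Added example (not from the Wiz page). The policies are constructed; the
primitive list is an assumed subset of the commonly cited AWS IAM escalation
paths, and Resource/Condition constraints are ignored (assume Resource "*").
"""
import fnmatch

# Single actions that let a principal grant itself more access.
PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
}
# Combinations: PassRole plus a service that will run code as the passed role.
PASSROLE_COMBOS = [
    ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
    ("iam:PassRole", "ec2:RunInstances"),
]
CANDIDATES = PRIVESC_ACTIONS | {a for combo in PASSROLE_COMBOS for a in combo}

# Constructed policies.
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "lambda:*", "s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
]}
LOOSE_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "lambda:*", "iam:PassRole", "iam:Get*"], "Resource": "*"},
]}
TIGHT_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "lambda:Get*", "lambda:List*", "iam:Get*"], "Resource": "*"},
]}


def _statements(policy):
    s = policy["Statement"]
    return s if isinstance(s, list) else [s]


def _matching(stmt, effect, candidates):
    """Candidates matched by this statement's Action patterns (IAM wildcards,
    case-insensitive), if the statement has the given Effect."""
    if stmt.get("Effect") != effect:
        return set()
    patterns = stmt.get("Action", [])
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return {a for a in candidates
            for p in patterns if fnmatch.fnmatchcase(a.lower(), p.lower())}


def allowed_actions(policy, candidates=CANDIDATES):
    """Actions the policy allows: an explicit Deny overrides any Allow."""
    allow, deny = set(), set()
    for stmt in _statements(policy):
        allow |= _matching(stmt, "Allow", candidates)
        deny |= _matching(stmt, "Deny", candidates)
    return allow - deny


def effective_actions(identity_policy, boundary=None, candidates=CANDIDATES):
    """A permission boundary caps but never grants: the effective set is the intersection."""
    effective = allowed_actions(identity_policy, candidates)
    if boundary is not None:
        effective &= allowed_actions(boundary, candidates)
    return effective


def privesc_findings(identity_policy, boundary=None):
    """Escalation primitives still reachable once the boundary is applied."""
    effective = effective_actions(identity_policy, boundary)
    findings = sorted(effective & PRIVESC_ACTIONS)
    for combo in PASSROLE_COMBOS:
        if set(combo) <= effective:
            findings.append(" + ".join(combo))
    return findings


if __name__ == "__main__":
    for label, boundary in (("no boundary", None),
                            ("loose boundary", LOOSE_BOUNDARY),
                            ("tight boundary", TIGHT_BOUNDARY)):
        print(f"{label}: {privesc_findings(DEV_POLICY, boundary)}")
```

Without a boundary the developer policy exposes every listed primitive except the explicitly denied iam:CreateAccessKey, plus the PassRole-to-Lambda chain. The loose boundary removes all direct iam primitives but still leaves that chain; only the boundary that drops iam:PassRole and lambda:CreateFunction empties the list.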
Proxy
  TL;DR: Acts as an intermediary for requests between clients and servers, so back-end hosts are never addressed directly.
  Techniques: Vulnerability exploitation, Misconfigured SSH abuse
  D3FEND Tactic: Network Isolation (D3-NI)

Quarantine Policies
  TL;DR: Isolates compromised files, messages or systems to limit the blast radius.
  Techniques: Phishing
  D3FEND Tactic: Message Analysis (D3-MA), Credential Eviction (D3-CE)

Role-Based Access Control (RBAC)
  TL;DR: Assigns permissions to roles and roles to users, rather than granting permissions to individuals directly.
  Techniques: Credential theft
  D3FEND Tactic: Execution Isolation (D3-EI), Credential Hardening (D3-CH)

SBOM
  TL;DR: Software Bill of Materials: an inventory of the components in a software product, so vulnerable or unexpected dependencies can be found.
  Techniques: Supply Chain Compromise, Package dependency confusion, Image dependency confusion
  D3FEND Tactic: File Analysis (D3-FA)

Secret Scanning
  TL;DR: Detects exposed secrets (keys, tokens, passwords) across an organization's repositories, images and systems.
  Techniques: Abuse access to existing KMS key, Credential harvesting from code repository, Registry secret scanning
  D3FEND Tactic: File Analysis (D3-FA)
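Worked example (added here, not part of the Wiz catalogue): a small secret scanner over a constructed repository snapshot, illustrating the Secret Scanning entry and the "Credential harvesting from code repository" technique it counters. The regexes describe real formats (AWS access key IDs, GitHub classic tokens, PEM private-key headers), but the file contents, the key-looking strings, the allowlist and the function names are constructed for the example. The allowlist exists because the AWS documentation placeholder key matches the pattern and would otherwise be a recurring false positive; the redaction helper is there because a scanner report that echoes the full secret is itself a leak.

```python
"""Secret scanning over a constructed set of repository files.

Added example (not from the Wiz page). Patterns cover four common secret
formats; the file contents, the key-looking strings and the allowlist are
all constructed for this example.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path line rule match")

RULES = {
    # AWS access key IDs: AKIA followed by 16 upper-case alphanumerics.
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    # A 40-character value assigned to an aws secret key variable.
    "aws-secret-key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # GitHub personal access tokens (classic): ghp_ plus 36 alphanumerics.
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # PEM private key header, regardless of algorithm.
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Known placeholders that match the patterns but are not secrets (assumed allowlist).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed repository snapshot: path -> file contents. The key-looking values are made up.
FILES = {
    "infra/terraform.tfvars": (
        'aws_access_key_id     = "AKIA3J7Q2XYZABCDEF12"\n'
        'aws_secret_access_key = "b7ZqL2vXkN9pW4tRsY8hJcM3dF6gA1eB0uVnQxZy"\n'
    ),
    "app/.env": "DEBUG=false\nGITHUB_TOKEN=ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8\n",
    "docs/setup.md": "Example only:\n\n    export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n",
    "src/main.py": 'key = os.environ["AWS_ACCESS_KEY_ID"]  # read at runtime, never committed\n',
}


def scan_text(path, text):
    """Yield a Finding for every rule hit on every line, skipping allowlisted values."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in ALLOWLIST:
                    continue
                yield Finding(path, lineno, rule, value)


def scan(files):
    """Scan every file, returning findings ordered by path and line."""
    return [f for path in sorted(files) for f in scan_text(path, files[path])]


def summary(findings):
    """Hits per rule, the usual shape of a scanner report."""
    return Counter(f.rule for f in findings)


def redact(value):
    """Show only enough to identify the match in a report, never the whole secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else value


if __name__ == "__main__":
    results = scan(FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}: {redact(f.match)}")
    print(summary(results))
```

The Terraform variables file, the .env file and the committed SSH key each produce findings; the documentation placeholder is matched and then dropped by the allowlist, and the source file that reads the key from the environment produces nothing.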
Secure Boot
  TL;DR: Ensures a device boots only firmware, bootloader and OS components whose signatures chain to a trusted root.
  Techniques: Bootkit
  D3FEND Tactic: Platform Hardening (D3-PH)

Security Keys
  TL;DR: Physical (or platform-bound) authenticators such as FIDO2/WebAuthn keys, used as a phishing-resistant MFA factor.
  Techniques: Password bruteforcing, Password spraying
  D3FEND Tactic: Credential Hardening (D3-CH)

Sensitive Data Scanning
  TL;DR: Identifies where sensitive information lives in systems and storage so it can be protected.
  Techniques: Data exfiltration from cloud storage, Retrieve EC2 Password Data, Misconfigured Power Pages abuse
  D3FEND Tactic: File Analysis (D3-FA)

SIEM
  TL;DR: Security Information and Event Management: aggregates and correlates security data to detect and respond to threats.
  Techniques: (none listed)
  D3FEND Tactic: Platform Monitoring (D3-PM)

Single Sign-On (SSO)
  TL;DR: Allows access to multiple systems with one login, centralizing authentication, MFA enforcement and session revocation.
  Techniques: Credential theft, Credential harvesting from code repository
  D3FEND Tactic: Credential Hardening (D3-CH)

Threat Hunting
  TL;DR: Proactively searching for threats within an environment before they cause harm, rather than waiting for alerts.
  Techniques: (none listed)
  D3FEND Tactic: Platform Monitoring (D3-PM)

Threat Intel
  TL;DR: Collecting and analyzing data on potential and existing threats, actors and indicators.
  Techniques: (none listed)
  D3FEND Tactic: Platform Monitoring (D3-PM)

User Account Control
  TL;DR: Requires explicit administrator approval before privileged system changes are applied.
  Techniques: Cluster anonymous access, Abuse trust and privileges across accounts, IAM privilege escalation
  D3FEND Tactic: Execution Isolation (D3-EI)

Virtual Private Network (VPN)
  TL;DR: Secures connections over the Internet to a private network, so internal services need not be exposed publicly.
  Techniques: SSH propagation, Network lateral movement
  D3FEND Tactic: Network Isolation (D3-NI)

Virtualization
  TL;DR: Creates isolated virtual machines that share hardware, with the hypervisor as the isolation boundary.
  Techniques: LSASS dumping
  D3FEND Tactic: Execution Isolation (D3-EI)

Vulnerability Scanning
  TL;DR: Identifies known security weaknesses in systems and applications.
  Techniques: Vulnerability exploitation, SSRF, SQL injection
  D3FEND Tactic: Application Hardening (D3-AH)

Weak Password Detection
  TL;DR: Alerts on passwords that do not meet security standards or appear in breach lists.
  Techniques: Password bruteforcing, Password spraying
  D3FEND Tactic: Credential Hardening (D3-CH)

Web Application Firewall (WAF)
  TL;DR: Protects web applications by inspecting and filtering HTTP(S) traffic for attack patterns.
  Techniques: SQL injection
  D3FEND Tactic: Network Isolation (D3-NI)

Workload Runtime Protection
  TL;DR: Monitors and protects workloads in real time during execution, detecting malicious processes, commands and file activity.
  Techniques: Vulnerability exploitation, Webshell deployment, SSRF, Serverless execution, SQL injection, Remotely execute commands or scripts on a VM, Create new local user, Erase logs, Execute Command on VM using Custom Script Extension, Linux fileless malware
  D3FEND Tactic: Platform Hardening (D3-PH)

Made with 💙 by Wiz

Last Updated: April 3, 2025