What is MITRE D3FEND?

MITRE D3FEND is a knowledge graph of cybersecurity defensive countermeasures developed by The MITRE Corporation. It is the defensive counterpart to MITRE ATT&CK and maps defensive techniques (Harden, Detect, Isolate, Deceive, Evict) to specific ATT&CK techniques they counter.

How is D3FEND different from ATT&CK?

ATT&CK catalogs adversary techniques (offense). D3FEND catalogs defensive techniques (defense). Each D3FEND technique references the ATT&CK techniques it can counter, allowing systematic coverage analysis.

What are D3FEND's five defensive tactics?

Harden (reduce attack surface), Detect (identify adversary actions), Isolate (contain blast radius), Deceive (present misleading information), and Evict (remove adversary access and persistence). Each tactic contains multiple techniques.

Who created MITRE D3FEND?

The MITRE Corporation developed D3FEND with funding from the U.S. National Security Agency under the Department of Defense. D3FEND was first released in 2021 and continues to expand.

Is D3FEND a substitute for ATT&CK?

No, they are complements. ATT&CK is the offensive view; D3FEND is the defensive view. Mature programs use ATT&CK to understand adversary behavior and D3FEND to plan their defensive response, mapping the two together for coverage analysis.

MITRE D3FEND - Defensive Countermeasures Knowledge Graph

MITRE D3FEND is a knowledge graph of cybersecurity countermeasures, developed by The MITRE Corporation as the defensive counterpart to MITRE ATT&CK. D3FEND catalogs defensive techniques (Hardening, Detection, Isolation, Deception, Eviction) and maps them to the specific ATT&CK techniques they counter, allowing defenders to reason systematically about coverage and control gaps.

Source: d3fend.mitre.org, developed by The MITRE Corporation under U.S. government sponsorship.

D3FEND's Five Defensive Tactics

Harden: reduce attack surface and pre-emptively close vectors
Detect: identify adversary actions in progress or after the fact
Isolate: contain adversary actions, limit blast radius
Deceive: present misleading information to slow or reveal adversaries
Evict: remove adversary access and persistence

D3FEND vs ATT&CK

ATT&CK is the catalog of adversary techniques (what the attacker does). D3FEND is the catalog of defensive techniques (what the defender does in response). The two frameworks reference each other: each D3FEND technique includes the ATT&CK techniques it can counter, and each ATT&CK technique can be queried for available D3FEND countermeasures.

How D3FEND Is Used

Security architects use D3FEND to map their existing control stack against the techniques they need to counter, exposing gaps. Detection engineers use D3FEND to identify specific defensive techniques worth implementing for high-priority ATT&CK gaps. Cyber insurance applications and audits increasingly reference D3FEND to demonstrate coverage in a vendor-neutral way.

Plan response with D3FEND mapping

IR-OS supports D3FEND technique mapping to plan containment, eradication, and recovery against specific ATT&CK behaviors.

Start free

MITRE D3FEND - Defensive Countermeasures Knowledge Graph

D3FEND's Five Defensive Tactics

D3FEND vs ATT&CK

How D3FEND Is Used

Related Terms

Plan response with D3FEND mapping