Overview
A cyber analyst investigating a ransomware incident recognises the lateral movement technique: it maps to ATT&CK T1021.002 (SMB/Windows Admin Shares). She has seen this before: three incidents ago, the same technique appeared in a different organisation. By linking both investigations to the same attack pattern profile, she can now compare TTPs across cases, confirm attribution to a known threat group, and brief the CISO on why this isn't an isolated event.
The Attack Pattern domain gives analysts the structured vocabulary and cross-case linking capability to make that comparison rigorous. It covers both cyber and physical security threats through MITRE ATT&CK integration and a complementary physical attack taxonomy, with kill chain phase mapping and defensive countermeasure recommendations built in.
Key Features
- MITRE ATT&CK Integration: Direct mapping to the enterprise ATT&CK framework with official tactic and technique IDs for standardised threat categorisation.
- Physical Attack Framework: A complementary taxonomy for physical security threats covering kinetic attacks, physical breaches, and defensive countermeasures.
- Kill Chain Phase Tracking: Maps attack patterns to Lockheed Martin Cyber Kill Chain phases for understanding attack progression from reconnaissance through actions on objectives.
- Defensive Countermeasure Mapping: Links attack techniques to recommended defensive measures with relationship type and effectiveness strength ratings.
- Cross-Investigation Correlation: Links attack patterns to active investigations enabling pattern recognition across cases to identify related threat campaigns.
- Threat Actor Attribution: Associates attack patterns with known threat actor profiles to support attribution analysis.
- Indicator Association: Links indicators of compromise (IOCs) to attack patterns for technical cross-referencing.
- Multi-Domain Coverage: Supports cyber, physical, and hybrid threat modelling in a single unified framework.
- Adversary Capability Assessment: Profiles adversary sophistication levels, target sectors, and known tool usage for threat profiling.
- Security Classification: Supports multi-level security classification from unclassified through top secret for sensitive threat intelligence.
Use Cases
Cyber threat intelligence teams create structured attack pattern profiles linked to MITRE ATT&CK techniques when analysing incidents, enabling automated correlation with similar patterns across other investigations and providing standardised reporting to peer organisations.
Physical security teams protecting critical infrastructure model threats using the physical attack taxonomy, mapping techniques (vehicle ramming, perimeter breach, insider-enabled access) to layered defensive countermeasures for security planning.
Defence analysts link multiple attack patterns to a single investigation to build a comprehensive picture of an advanced persistent threat campaign, tracking progression through kill chain phases from initial access to impact.
Government CISO offices query the defensive mapping database to identify recommended countermeasures for specific ATT&CK techniques encountered in recent incidents, supporting evidence-based decisions about where to invest in detection and prevention capabilities.
Joint investigation teams across law enforcement and intelligence agencies perform cross-case correlation to identify when the same TTPs appear in multiple investigations, potentially revealing coordinated threat campaigns against national infrastructure.
Integration
The Attack Pattern domain integrates with the Investigation domain for linking patterns to active cases, the Threat Actor domain for attribution analysis, the Indicator domain for IOC association, and the broader Threat Intelligence framework for comprehensive threat analysis.
Open Standards
- MITRE ATT&CK (Enterprise): Attack patterns are directly mapped to official tactic and technique identifiers (TA0001, TA0043, T1xxx), with data ingested monthly from the MITRE CTI repository and stored for fast lookup and cross-case correlation.
- OASIS STIX 2.1: The `attack-pattern` STIX Domain Object type is natively parsed and serialised; inbound STIX bundles are converted to Argus entities and outbound intelligence can be exported as conformant STIX SDOs, including TLP marking-definitions.
- Lockheed Martin Cyber Kill Chain: The `kill_chain_phases` field mirrors the kill-chain-phase structure defined in STIX 2.1 (and used throughout ATT&CK), enabling kill chain progression tracking from Reconnaissance through Actions on Objectives.
- MITRE ATLAS (Adversarial Threat Landscape for AI Systems): Adversarial machine-learning technique identifiers (AML.Txxxx) are fetched via the ATLAS client and registered as a recognised operational capability, extending coverage to AI-targeted attack patterns.
- Sigma (SigmaHQ open detection format): Sigma YAML detection rules are parsed to extract embedded ATT&CK technique tags, which are resolved to stored attack-pattern records, linking detections to structured TTP profiles.
- OASIS CACAO v2.0: Defensive countermeasures and response playbooks are structured and exchanged using the CACAO playbook schema, connecting attack-pattern records to executable response workflows.
- GraphQL (June 2018 specification): All attack-pattern queries, mutations, and physical-attack taxonomy lookups are exposed exclusively through a typed GraphQL API, with camelCase field aliasing per the specification.
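The STIX 2.1 and Sigma items above describe the same lookup from two directions: an attack-pattern record is indexed by the ATT&CK ID in its `external_references`, and a Sigma rule's `attack.tNNNN` tags are resolved against that index to reach the record and its `kill_chain_phases`. The following is an added, stand-alone illustration of that flow, not Argus code; the STIX bundle and Sigma rule are constructed inputs, and the Sigma rule is shown as the dict `yaml.safe_load` would return rather than raw YAML.

```python
import json
import re

# Constructed STIX 2.1 bundle (not real MITRE CTI data) holding one attack-pattern SDO
# in the shape the MITRE CTI repository uses: the ATT&CK technique ID lives in an
# external_reference whose source_name is "mitre-attack". UUIDs are placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [{
        "type": "attack-pattern", "spec_version": "2.1",
        "id": "attack-pattern--22222222-2222-4222-8222-222222222222",
        "name": "Remote Services: SMB/Windows Admin Shares",
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                               "phase_name": "lateral-movement"}],
        "external_references": [{"source_name": "mitre-attack", "external_id": "T1021.002",
                                 "url": "https://attack.mitre.org/techniques/T1021/002"}],
    }],
})

# Constructed Sigma rule, as yaml.safe_load would return it; only "tags" matters here.
# Sigma writes technique tags as attack.tNNNN[.NNN] and tactic tags as attack.<tactic>.
# "attack.t9999" is a constructed ID with no stored record, to exercise the miss path.
SIGMA_RULE = {
    "title": "Admin Share Access via net use (constructed)",
    "tags": ["attack.lateral_movement", "attack.t1021.002", "attack.t9999", "cve.2099.0001"],
}
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

def index_attack_patterns(bundle_json):
    """Index attack-pattern SDOs in a STIX 2.1 bundle by ATT&CK technique ID."""
    index = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                index[ref["external_id"].upper()] = obj
    return index

def technique_ids_from_sigma(rule):
    """Return the ATT&CK technique IDs carried in a Sigma rule's tags (tactic tags skipped)."""
    return [m.group(1).upper() for m in map(TECHNIQUE_TAG.match, rule.get("tags", [])) if m]

def resolve_sigma_rule(rule, index):
    """Map each technique tag to (name, kill chain phases) of its stored record.
    Unknown techniques resolve to None so the caller can flag stale or mistyped tags."""
    resolved = {}
    for tid in technique_ids_from_sigma(rule):
        sdo = index.get(tid)
        phases = [p["phase_name"] for p in sdo.get("kill_chain_phases", [])] if sdo else None
        resolved[tid] = (sdo["name"], phases) if sdo else None
    return resolved
```

Running `resolve_sigma_rule(SIGMA_RULE, index_attack_patterns(STIX_BUNDLE))` resolves T1021.002 to its record and the lateral-movement phase while reporting the unknown T9999 as None; the tactic and CVE tags are ignored by design.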
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14