What is Threat-Informed Defense?

Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.

—The Center for Threat Informed Defense

Overview

Threat-informed defense (TID) prioritizes threats based on the likelihood they will occur, using real-world observations of adversary tradecraft. By grounding defensive strategy in evidence—what has happened rather than what could happen—organizations focus their efforts where attackers actually operate.

To maximize the return on threat-driven investments, TID emphasizes threat information that persists across adversaries and time. Instead of reacting to easily changed indicators, TID leverages stable knowledge of adversary behavior and attack probability. This approach provides a clear lens for prioritizing security investments in people, processes, and technology.

Using adversary knowledge to guide decisions is one of the most effective ways to manage a security program. When organizations understand their adversaries, they can prioritize defenses, continuously assess themselves, and identify gaps. This shifts security from a reactive posture to a proactive one.

That shift increases the cost and difficulty of attacks. Adversaries must develop new tools, find new vulnerabilities or exploits, and discover new paths into the environment. Each change increases their investment in time, infrastructure, and personnel, and often forces them to restart their attack lifecycle. Restarting creates new opportunities for detection and response. Over time, raising adversary cost deters some attacks altogether.

Leveraging ATT&CK

Threat information comes in many forms and from many sources. MITRE ATT&CK® provides a widely used aggregation of publicly reported adversary tactics, techniques, and procedures (TTPs), along with guidance on detection and mitigation. ATT&CK gives the community a common language for describing adversary behavior, enabling more efficient collaboration and intelligence sharing.

By documenting activity at the TTP level, ATT&CK strikes an important balance. It is concrete enough to be actionable, yet abstract enough to remain stable across adversaries and over time. This combination supports high-return defensive investments that do not lose value as attackers rotate infrastructure or indicators.

Figure: MITRE ATT&CK Framework

David Bianco illustrated this concept in the “Pyramid of Pain”, which shows how difficult it is for adversaries to evade defenses informed by deeper knowledge of their tradecraft. Indicators like IP addresses and hashes are easy to change, making defenses based on them fragile. TTPs sit at the top of the pyramid because evading detection at that level requires attackers to fundamentally change how they operate.

Figure: David Bianco’s Pyramid of Pain

TID focuses on adversaries most relevant to an organization, based on factors such as industry and geography. ATT&CK then helps practitioners understand the specific behaviors those adversaries use. Using ATT&CK as the foundation allows teams to concentrate on a prioritized set of behaviors and TTPs, optimizing defenses against the most likely and most impactful threats.
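The prioritization just described can be made concrete. The following is an added example, not code from the Center for Threat-Informed Defense or from ATT&CK: it weights a set of adversaries by their relevance to a hypothetical organization, scores each ATT&CK technique by how many of those adversaries use it, and then ranks techniques by residual risk against an inventory of existing detection coverage. The group names, relevance weights, group-to-technique mappings and coverage values are all constructed for illustration; only the technique IDs and names are real ATT&CK entries.

```python
"""Rank ATT&CK techniques by adversary relevance, then surface detection gaps."""
from collections import defaultdict

# Constructed sample: adversaries judged relevant to a hypothetical organization,
# weighted 1.0 when they target its sector and region, lower for partial overlap.
RELEVANT_GROUPS = {"GROUP-A": 1.0, "GROUP-B": 1.0, "GROUP-C": 0.5}

# Constructed mappings (placeholder groups, illustrative technique sets).
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1566", "T1059", "T1078", "T1003", "T1021"},
    "GROUP-B": {"T1566", "T1059", "T1105", "T1486", "T1021"},
    "GROUP-C": {"T1078", "T1047", "T1021", "T1003"},
}

TECHNIQUE_NAMES = {
    "T1566": "Phishing", "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts", "T1003": "OS Credential Dumping",
    "T1021": "Remote Services", "T1105": "Ingress Tool Transfer",
    "T1486": "Data Encrypted for Impact", "T1047": "Windows Management Instrumentation",
}

# Constructed detection inventory: 0.0 = no visibility, 1.0 = confident coverage.
# Techniques absent from this dict are treated as uncovered.
DETECTION_COVERAGE = {"T1566": 0.8, "T1059": 0.5, "T1021": 0.0, "T1003": 0.2, "T1486": 0.9}


def technique_priority(groups, group_techniques):
    """Score each technique by the summed relevance of the groups observed using it."""
    scores = defaultdict(float)
    for group, weight in groups.items():
        for tid in group_techniques.get(group, ()):
            scores[tid] += weight
    return dict(scores)


def coverage_gaps(priority, coverage, top_n=5):
    """Return (technique, priority, coverage, residual) rows, highest residual risk first.

    residual = priority * (1 - coverage): a heavily used technique with no detection
    ranks above a rarely used one that is already well covered.
    """
    rows = [(tid, s, coverage.get(tid, 0.0), s * (1.0 - coverage.get(tid, 0.0)))
            for tid, s in priority.items()]
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows[:top_n]


if __name__ == "__main__":
    for tid, prio, cov, resid in coverage_gaps(
            technique_priority(RELEVANT_GROUPS, GROUP_TECHNIQUES), DETECTION_COVERAGE):
        print(f"{tid} {TECHNIQUE_NAMES[tid]:<40} prio={prio:.1f} cov={cov:.1f} residual={resid:.2f}")
```

With the constructed inputs, Remote Services (used by all three groups and uncovered) ranks first, while Phishing, the most widely used technique, drops to the bottom because it is already well covered.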

A Continuous Process

Effective TID must keep pace with constant change. IT environments evolve as organizations deploy new software, apply patches, reconfigure systems, and introduce new services. These changes can reduce risk, but they can also create new attack surfaces, generate false positives, or invalidate existing detections.

Security tools and vendor capabilities evolve as well. Organizations must continuously reassess their visibility, data collection, and detection logic to ensure defenses remain effective as the environment changes.

Adversaries evolve just as quickly. They continue to use proven tradecraft as long as it works, reserving new capabilities for when defenses improve. This reality reinforces the need to proactively secure against known adversary behaviors. Doing so increases attacker cost and reduces their chances of success.

Because both defenders and adversaries constantly change, the security landscape remains dynamic. Yesterday’s assessment may already be outdated. Staying current requires understanding threat activity observed in other organizations and analyzing adversary behavior at the right level of abstraction. These practices allow defenders to keep pace with adversaries—or, in some cases, get ahead of them.