Summiting The Pyramid v4.0.0

The Center for Threat-Informed Defense

Site Contents

  • Detection Engineering Work Overview
    • Summiting the Pyramid Overview
    • Ambiguous Techniques Overview
    • Definitions
    • Presentations & Publications
  • Telemetry Strategy & Readiness
    • Minimum Telemetry Requirements
    • Telemetry Confidence Scoring
  • Analytic Design & Engineering
    • Components of a Robust Detection
    • How to Build a Robust Detection
    • Detection Decomposition Diagram (D3)
    • Using Context to Determine Intent
    • Chaining Analytics
  • Detection Evaluation & Validation
    • Summiting Levels
      • Level 5: Core to Sub-Technique or Technique
      • Level 4: Core to Some Implementations of (Sub-)Technique
      • Level 3: Core to Pre-Existing Tools or Inside Boundary
      • Level 2: Core to Adversary-Brought Tool or Outside Boundary
      • Level 1: Ephemeral Values
      • Column A: Application
      • Column U: User-Mode
      • Column K: Kernel-Mode
      • Column P: Payload Visibility
      • Column H: Header Visibility
      • Observables Quick Search
    • Combining Observables
    • How to Score Resistance to Adversary Evasion Over Time
  • Examples & Use Cases
    • Example Robustness Mappings
    • Analytics Repository
      • Access Token Abuse
      • ADFind
      • Executable (EXE) File Download from a WebDAV Server
      • File Creation Date Changed to Another Year
      • Link (LNK) File Download Containing a WebDAV UNC Hyperlink
      • Remote Registry Management Using Reg Utility
      • Service Registry Permissions Weakness Check
      • Scheduled Task/Job
      • Zeek DCE-RPC MITRE BZAR Execution
      • Archive Collected Data
      • Domain Account Discovery
      • File & Directory Discovery
      • LSASS Memory
    • Use Case Telemetry Confidence Scoring
      • Automation Overview
      • C2 Over Legitimate Channels
      • Credential Access and Abuse
      • Data Exfiltration via Web/Cloud
      • Execution via Scripting Languages
      • Initial Access via Spearphishing
      • Lateral Movement
      • Abuse of Native OS Features
      • Penetration Testing Tools
      • Persistence via Registry/Startup
      • Post-Exploitation Reconnaissance
  • Changelog


The Center for Threat-Informed Defense

The Center for Threat-Informed Defense is a non-profit, privately funded research and development organization. Our mission is to advance the state of the art and the state of the practice in threat-informed defense globally.

Related Sites

MITRE INFORM Sensor Mappings To ATT&CK

© 2023, 2024, 2025, 2026 MITRE. Approved for public release. Document number(s) CT0078, CT0128, 25-1550, 26-0334.