The Procedural Semantics Gap in Structured CTI: A Measurement-Driven STIX Analysis for APT Emulation

📅 2025-12-12
🤖 AI Summary
Current STIX/ATT&CK frameworks describe threat behaviors solely in terms of *what* actions are performed, omitting critical procedural semantics—such as execution order, preconditions, and environmental assumptions—hindering accurate multi-stage APT simulation. Method: We first quantitatively assess ATT&CK’s coverage of real-world campaigns and intrusion sets (only 35.6% of techniques covered) and structural reusability. Then, we propose a three-stage semantic completion framework that explicitly models the procedural logic of attack chains, integrating STIX 2.1 parsing, Longest Common Subsequence (LCS)-based sequence modeling, Caldera operation mapping, and parameterized injection. Contribution/Results: With minimal human annotation of key assumptions, our approach enables Caldera to successfully reproduce real-world APT campaigns—including ShadowRay and Soft Cell. This work identifies the critical semantic gap between descriptive cyber threat intelligence (CTI) and machine-executable CTI, establishing both theoretical foundations and practical methodology for operationalizing threat intelligence.

📝 Abstract
Cyber threat intelligence (CTI) encoded in STIX and structured according to the MITRE ATT&CK framework has become a global reference for describing adversary behavior. However, ATT&CK was designed as a descriptive knowledge base rather than a procedural model. We therefore ask whether its structured artifacts contain sufficient behavioral detail to support multi-stage adversary emulation. Through systematic measurements of the ATT&CK Enterprise bundle, we show that campaign objects encode just fragmented slices of behavior. Only 35.6% of techniques appear in at least one campaign, and neither clustering nor sequence analysis reveals any reusable behavioral structure under technique overlap or LCS-based analyses. Intrusion sets cover a broader portion of the technique space, yet omit the procedural semantics required to transform behavioral knowledge into executable chains, including ordering, preconditions, and environmental assumptions. These findings reveal a procedural semantic gap in current CTI standards: they describe what adversaries do, but not exactly how that behavior was operationalized. To assess how far this gap can be bridged in practice, we introduce a three-stage methodology that translates behavioral information from structured CTI into executable steps and makes the necessary environmental assumptions explicit. We demonstrate its viability by instantiating the resulting steps as operations in the MITRE Caldera framework. Case studies of ShadowRay and Soft Cell show that structured CTI can enable the emulation of multi-stage APT campaigns, but only when analyst-supplied parameters and assumptions are explicitly recorded. This, in turn, exposes the precise points at which current standards fail to support automation. Our results clarify the boundary between descriptive and machine-actionable CTI for adversary emulation.
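The two measurements the abstract describes, technique coverage across campaign objects and an LCS comparison of campaign technique sequences, as an added example that is not the paper's code. It runs on a small constructed STIX 2.1 bundle embedded in the block rather than on the ATT&CK Enterprise bundle, so the numbers it produces are illustrative only. Because STIX `uses` relationships carry no ordering field, the example orders each campaign's techniques by the relationship `created` timestamp; that is an assumption of this example, and exactly the kind of procedural information the paper finds missing from the standard.

```python
import json
from itertools import combinations
from typing import Dict, List, Tuple


def _ap(num: str, tid: str) -> dict:
    """Constructed attack-pattern with an ATT&CK external reference."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{num}",
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}


def _uses(src: str, dst: str, created: str) -> dict:
    """Constructed campaign -> attack-pattern 'uses' relationship."""
    return {"type": "relationship", "id": f"relationship--{src[-4:]}{dst[-4:]}",
            "relationship_type": "uses", "source_ref": src, "target_ref": dst,
            "created": created}


# Constructed bundle (NOT the ATT&CK Enterprise bundle). Technique IDs are real
# ATT&CK identifiers used only as labels; both campaigns are invented.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--0000",
    "objects": [
        _ap("0001", "T1566"), _ap("0002", "T1059.001"), _ap("0003", "T1003"),
        _ap("0004", "T1021.002"), _ap("0005", "T1486"), _ap("0006", "T1190"),
        {"type": "campaign", "id": "campaign--0001", "name": "Constructed campaign A"},
        {"type": "campaign", "id": "campaign--0002", "name": "Constructed campaign B"},
        _uses("campaign--0001", "attack-pattern--0001", "2024-01-01T00:00:00.000Z"),
        _uses("campaign--0001", "attack-pattern--0002", "2024-01-02T00:00:00.000Z"),
        _uses("campaign--0001", "attack-pattern--0003", "2024-01-03T00:00:00.000Z"),
        _uses("campaign--0001", "attack-pattern--0004", "2024-01-04T00:00:00.000Z"),
        _uses("campaign--0002", "attack-pattern--0002", "2024-02-01T00:00:00.000Z"),
        _uses("campaign--0002", "attack-pattern--0003", "2024-02-02T00:00:00.000Z"),
        _uses("campaign--0002", "attack-pattern--0005", "2024-02-03T00:00:00.000Z"),
    ],
})


def load_bundle(text: str) -> List[dict]:
    return json.loads(text)["objects"]


def index_attack_patterns(objects: List[dict]) -> Dict[str, str]:
    """Map STIX attack-pattern id -> ATT&CK technique id (e.g. T1059.001)."""
    index = {}
    for obj in objects:
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                index[obj["id"]] = ref["external_id"]
    return index


def campaign_sequences(objects: List[dict], ap_index: Dict[str, str]) -> Dict[str, List[str]]:
    """Per campaign, the techniques it 'uses'. ASSUMPTION: STIX has no ordering
    field, so we order by the relationship's 'created' timestamp (ISO 8601 sorts
    lexicographically). Real bundles give no guarantee this is execution order."""
    rels = [o for o in objects if o.get("type") == "relationship"
            and o.get("relationship_type") == "uses"
            and o.get("source_ref", "").startswith("campaign--")
            and o.get("target_ref") in ap_index]
    rels.sort(key=lambda r: r.get("created", ""))
    seqs: Dict[str, List[str]] = {}
    for r in rels:
        seqs.setdefault(r["source_ref"], []).append(ap_index[r["target_ref"]])
    return seqs


def technique_coverage(ap_index: Dict[str, str],
                       seqs: Dict[str, List[str]]) -> Tuple[int, int, float]:
    """(techniques used by >= 1 campaign, techniques in bundle, fraction)."""
    covered = {t for seq in seqs.values() for t in seq}
    total = len(set(ap_index.values()))
    return len(covered), total, len(covered) / total if total else 0.0


def lcs(a: List[str], b: List[str]) -> List[str]:
    """Longest common subsequence (order-preserving, not contiguous) of two
    technique sequences, via the standard O(n*m) DP with reconstruction."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def analyze(bundle_text: str) -> dict:
    objects = load_bundle(bundle_text)
    ap_index = index_attack_patterns(objects)
    seqs = campaign_sequences(objects, ap_index)
    pairwise = {(x, y): lcs(seqs[x], seqs[y]) for x, y in combinations(sorted(seqs), 2)}
    return {"coverage": technique_coverage(ap_index, seqs), "sequences": seqs, "lcs": pairwise}


if __name__ == "__main__":
    result = analyze(SAMPLE_BUNDLE_JSON)
    covered, total, frac = result["coverage"]
    print(f"techniques in >=1 campaign: {covered}/{total} ({frac:.1%})")
    for pair, common in result["lcs"].items():
        print(f"LCS{pair}: {common}")
```

On the constructed bundle the shared subsequence between the two campaigns is only `T1059.001 -> T1003`, and even that ordering rests on the `created` assumption: the bundle itself never states that one technique preceded another, which is the gap the abstract points at.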
Problem

Research questions and friction points this paper is trying to address.

Assess if ATT&CK structured CTI supports multi-stage adversary emulation
Measure procedural semantic gap in CTI standards for executable behavior chains
Translate structured CTI into executable steps with explicit environmental assumptions
Innovation

Methods, ideas, or system contributions that make the work stand out.

Introduces a three-stage methodology to translate CTI into executable steps
Makes environmental assumptions explicit for operationalizing adversary behavior
Instantiates steps in MITRE Caldera to demonstrate multi-stage APT emulation
Authors

Ágney Lopes Roth Ferraz, Aeronautics Institute of Technology (ITA), São José dos Campos, SP, Brazil
Sidnei Barbieri, Aeronautics Institute of Technology (ITA), São José dos Campos, SP, Brazil
Murray Evangelista de Souza, Aeronautics Institute of Technology (ITA), São José dos Campos, SP, Brazil
Lourenço Alves Pereira Júnior, Aeronautics Institute of Technology (ITA), Brazil
Categories: Cybersecurity, AI/ML, 5G/6G, Mobile Systems, Internet of Things