security

Cybersecurity work spans threat modeling, risk assessment, vulnerability scanning, penetration testing, incident response, IAM and encryption, and running monitoring/alerting with SIEM tools; practitioners map assets to threat scenarios (MITRE ATT&CK), prioritize mitigations, and enforce policies and secure architecture patterns.

security

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

MITRE ATT&CK Applications in Cybersecurity and The Way Forward

Feb 15, 2025
YJ
Yuning Jiang
🏛️ National University of Singapore | NCS Cyber Special Ops R&D

This paper addresses critical limitations of the MITRE ATT&CK framework—namely, poor real-world adaptability, weak cross-framework interoperability, and limited domain generalizability. Conducting the largest systematic review and empirical study to date (417 publications), we analyze TTP usage patterns, align ATT&CK with complementary frameworks (Cyber Kill Chain, NIST SP 800-53, STRIDE), and construct ATT&CK knowledge graph mappings. Our analysis reveals, for the first time, empirically grounded frequency distributions and effectiveness boundaries of high-utility TTPs. We propose a novel NLP- and ML-integrated ATT&CK enhancement paradigm enabling dynamic threat detection and response. Furthermore, we conduct the first large-scale empirical evaluation of ATT&CK’s applicability in critical domains—including industrial control systems and healthcare—identifying concrete adaptation bottlenecks and proposing actionable, deployable framework enhancements.

Analyzes MITRE ATT&CK framework applications in cybersecurityEvaluates interoperability with frameworks like NIST and STRIDEExplores integration of NLP and ML for threat detection

This study addresses the challenge faced by small and medium-sized enterprises (SMEs) in translating cyber threat intelligence into actionable security measures due to limited resources. To bridge this gap, the authors propose the first end-to-end AI-driven framework that fine-tunes the all-mpnet-base-v2 model on a dataset of 74,986 event–tactic/technique pairs to automatically construct a Cyber Catalog knowledge base. This system enables precise mapping from cyber events to MITRE ATT&CK tactics and techniques, CIS Critical Security Controls, and SMART metrics. By integrating natural language processing with knowledge graph techniques, the approach achieves state-of-the-art performance on semantic similarity tasks, with Spearman’s ρ at 0.7894, Pearson’s r at 0.8756, and MAE of 0.135—significantly outperforming baseline methods. Notably, this work presents the first systematic integration of these three major cybersecurity standards and releases both data and models to support deployment in resource-constrained environments.

Cyber Risk ManagementMITRE ATT&CKOperationalisation

This study addresses the complex cyber threats confronting airports in the digital era—including ransomware, denial-of-service attacks, and supply chain vulnerabilities—by pioneering the application of the MITRE ATT&CK matrix to the aviation domain. It systematically develops a cybersecurity risk analysis model tailored to airport environments, integrating the NIST Cybersecurity Framework and Zero Trust Architecture to identify critical vulnerabilities. The work proposes a comprehensive strategy that combines threat modeling with proactive defense mechanisms. By doing so, it delivers an actionable and systematic cybersecurity guidance framework for airports and their stakeholders, effectively filling a critical gap in the aviation industry’s capacity for structured threat analysis and coordinated defensive response.

airport cybersecurityaviation securitycyber threats

Current cybersecurity exercise scenarios suffer from limited scalability, insufficient diversity, and inadequate fidelity to real-world enterprise IT environments, thereby constraining the development of practical skills for both human experts and AI agents. This work proposes an automated approach that integrates system modeling, procedural content generation, and virtualization techniques to enable, for the first time, the generation of large-scale, multidimensionally configurable exercise scenarios—spanning scale, scope, difficulty, complexity, and diversity. The project releases an open-source simulation platform alongside a dataset comprising one hundred thousand scenario instances, significantly enhancing training coverage and scalability.

cybersecurity exerciseenterprise IT systemspractical knowledge

Existing evaluations of large language models (LLMs) in cybersecurity lack systematic, quantitative assessment—particularly for penetration testing. Method: We propose the first open-source benchmark framework specifically designed to quantify LLMs’ penetration testing capabilities. It comprises 40 real-world CTF challenges with fine-grained subtasks, a sandboxed command-execution environment, a multi-agent scaffolding architecture (including structured bash, action-only, pseudoterminal, and web-search agents), and a cross-model consistency evaluation protocol. Crucially, we introduce a subtask decomposition mechanism enabling progressive, granular diagnosis of LM agent capabilities and achieve, for the first time, fully automated and observable end-to-end penetration testing evaluation. Results: Experiments show GPT-4o and Claude 3.5 Sonnet solve human-level tasks—requiring ~11 minutes for humans—in zero-shot settings; the hardest tasks take humans over 24 hours. All code and data are publicly released.

Assessing LM agents in professional-level Capture the Flag tasksEvaluating cybersecurity capabilities of Language Model agentsMitigating cyberrisks through autonomous vulnerability identification

Latest Papers

What's happening recently
View more

This work addresses the scarcity of production-grade Security Operations Center (SOC) logs for research due to stringent privacy constraints, which has led prior studies to rely on synthetic or outdated data. To bridge this gap, the authors propose a methodology that, for the first time, transforms real-world financial-sector SIEM logs into reusable research artifacts while adhering to strict privacy boundaries. The approach preserves investigation-relevant structures through structured anonymization, mapping to the MITRE ATT&CK framework, deterministic validation, and large language model (LLM)-based behavioral compliance checks. The resulting artifact comprises 37 HIKARI challenges suitable for effective model training and demonstrates its utility by accurately identifying LLM policy violations across 200 SOCpilot incidents, thereby validating its balanced trade-off between privacy preservation and analytical fidelity.

cybersecurity artifactsdata anonymizationprivacy-preserving

This work addresses the absence of an organization-level agent runtime architecture in financial cybersecurity workflows that supports both model-agnostic operation and on-premises deployment, thereby hindering consistent enforcement of security policies across retrieval, tool invocation, and auditing stages. To bridge this gap, the paper proposes a novel architecture featuring a typed security context propagated throughout the entire workflow, integrated with SIEM/XDR systems as contextual data sources. The design incorporates a managed tool adaptation layer, structured evidence referencing, and a hierarchical human-agent collaboration mechanism. Key innovations include a shared runtime core, logically specialized sub-agents, append-only auditing, and optional extensions such as graph-based retrieval and MCP protocol support. The study defines testable architectural slices and establishes a falsifiable evaluation framework encompassing policy enforcement, evidence traceability, output quality, and observability.

auditable security operationsLLM agent architectureorganization-scoped runtime

To address the acute cybersecurity risks confronting European microenterprises—exacerbated by severe resource constraints—this study develops a lightweight, implementable governance framework. Methodologically, it integrates ENISA guidelines, ISO/IEC 27005 risk assessment principles, and NIS2 Directive requirements, informed by the Squad 2025 initiative, to propose an innovative seven-dimensional preventive model centered on security awareness as a primary lever; the model emphasizes capability appropriateness, policy transferability, and embedded maturity assessment. Contributions include: (1) the first systematic integration of regulatory compliance, organizational capacity limitations, and behavioral change pathways; (2) a generalizable security framework enabling microenterprises’ transition from security awareness to operational practice; and (3) empirically grounded insights and an actionable implementation paradigm to support EU cybersecurity policymaking and standardization.

Creating resource-aware cybersecurity governance principles for small businessesDesigning preventive cybersecurity models suitable for micro-enterprise adoptionDeveloping proportionate cybersecurity frameworks for vulnerable European micro-enterprises

Current financial Security Operations Centers (SOCs) are constrained by limited reasoning capabilities, hindering their ability to efficiently manage massive alert volumes, comprehensively cover the full spectrum of attack techniques, and meet stringent compliance requirements. This work proposes a principal-agent-coordinated hybrid multi-agent architecture that integrates specialized large language model (LLM) sub-agents to collaboratively reason over SIEM/XDR telemetry data. The platform supports privacy-preserving federated learning, quantum authentication, digital twins, and eBPF-based kernel telemetry. Designed with model-agnosticism, local deployability, multi-tenant state sharing, and skill-based agent adaptability, it enables auditable and continuously evolving collective defense. Empirical validation across four critical financial use cases—customer impersonation, anti-money laundering, banking incident response, and high-frequency trading resilience—demonstrates its effectiveness.

cybersecurityfinancial servicesreasoning capacity

Hot Scholars

DS

Dawn Song

Professor of Computer Science, UC Berkeley
Computer Security and Privacy
SJ

Shouling Ji

Professor, Zhejiang University & Georgia Institute of Technology
Data-driven SecurityAI SecuritySoftware ScurityPrivacy
MC

Mauro Conti

IEEE Fellow - Prof.@University of Padua - Wallenberg WASP Guest.Prof.@Örebro U.- Affiliate Prof.@UW
SecurityPrivacy
XJ

Xiaojun Jia

Nanyang Technological University
Explainable AIRobust AIEfficient AI
WG

Wenbo Guo

UC Santa Barbara
Machine LearningSecurity