Frequently Asked Questions

What is D3FEND?

D3FEND is a knowledge base, but more specifically a knowledge graph, of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality.

What is D3FEND not?

D3FEND does not prescribe specific countermeasures, it does not prioritize them, and it does not characterize their effectiveness. However, standardizing the vocabulary we use to describe technical countermeasures may help us solve those problems.

Who is D3FEND for?

D3FEND has multiple audiences. The most immediate is security systems architecture experts and technical executives making acquisition or investment decisions. If you need to understand how cyber defenses work in granular detail, D3FEND is meant to be a good starting point.

What are D3FEND use cases?

The dominant use case thus far has been to inform acquisition and investment. It can do this in two ways.

First, it can be used to compare the claimed functionality in multiple product solution sets with a common defensive technique taxonomy. This makes it possible to identify product differences and product gaps relative to desired functionality in a more precise, consistent, and repeatable manner.

Second, it can suggest a potential testing scope for the defensive techniques in terms of relevant offensive techniques. This is done by identifying a product or product set's claimed defensive techniques, then querying D3FEND for the potentially related offensive techniques. An offensive test plan can be constructed by selecting combinations of the related offensive techniques. This sort of testing can be useful to determine how well a defensive product performs its claimed functionality.

What is the maturity level of D3FEND?

D3FEND is at an early stage and is an experimental research project. The initial release is not considered comprehensive, and the defensive to offensive technique mappings (which are inferentially generated) are fundamentally generalizations. However, expert cybersecurity knowledge is often, at its essence, the application of fundamental computer system knowledge. We aim to codify this knowledge in our knowledge graph and expect improvement over time as the graph builds on itself.

How can I contribute?

The D3FEND team seeks your feedback and suggestions. We know that the first version may have inconsistencies or issues, but we felt it was useful and novel enough to release to engage the community. If you have a technique which you think should be added, or you have identified an issue, please do not hesitate to send the team an email at We will review and analyze submissions as time permits.

If you are recommending a new defensive technique, please ensure you include a public reference that explains how the technique works in sufficient engineering-level detail.

Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the Terms of Use. Use of the MITRE D3FEND website is subject to the MITRE D3FEND Privacy Policy. MITRE D3FEND is funded by the National Security Agency (NSA) Cybersecurity Directorate and managed by the National Security Engineering Center (NSEC) which is operated by The MITRE Corporation. MITRE D3FEND; and the MITRE D3FEND logo are trademarks of The MITRE Corporation. MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. MITRE ATT&CK content is subject to the MITRE ATT&CK terms of use. This software was produced for the U. S. Government under Basic Contract No. W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause 252.227-7014 (FEB 2012)
© 2021 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited #20-2338.