Stop Chasing Vulnerabilities, Start Asking “Then What?”

  • February 20, 2025

For years a vulnerability-centric approach to security has been the main focus, but it leaves teams guessing whether they are actually protected, and it is no longer enough to defend us effectively.

The growing volume and velocity of new vulnerabilities ensures that even the largest and best-resourced organizations will find it difficult to keep all their systems patched against all known vulnerabilities. More than 40,000 CVEs were published in 2024 – a 38% increase from 2023. Meanwhile, the average time-to-exploit (TTE) dropped from 32 days to five days, and it will continue to fall as threat actors increasingly use AI tools to research vulnerabilities and accelerate exploitation.

It’s not surprising that 56% of organizations report that their most recent data breach was caused by the exploitation of a known vulnerability that was not properly patched or addressed. Patching known, exploitable vulnerabilities relevant to the organization should be part of good cyber hygiene, but concentrating resources on chasing vulnerabilities consumes security budgets and still leaves you at risk. Efforts to mitigate vulnerabilities are being outpaced, and threat actors have other means to gain access, including spear phishing, credential stuffing, MFA fatigue, and leveraging devices and assets that go unmonitored for a variety of reasons.

It's clear we need a more manageable and effective approach to organizing defenses. 

Focus on Adversary Behaviors

Grounded in the MITRE ATT&CK knowledge base, Threat-Informed Defense (TID) focuses on the underlying behaviors adversaries use to achieve their objectives. With that understanding, you can assess, shape, and test your defenses to achieve a far more practical and sustainable way to thwart threat actors. Here’s how.

In contrast to the skyrocketing numbers and growth rates of vulnerabilities, the number and growth rate of adversary techniques are modest. Between the end of 2023 and the end of 2024, the number of adversary techniques in the “Enterprise” ATT&CK matrix grew from 607 (including 411 sub-techniques) in v14 to 656 techniques (including 453 sub-techniques) in v16. Rather than trying to boil the ocean, adopters of TID are able to focus on a relatively small and stable number of ways adversaries go about their business.

Vulnerabilities are, for the most part, only relevant to the initial access of an attack. Once inside the network, skilled adversaries are adept at using your resources against you to achieve their mission. If a threat actor can’t escalate privileges in an asset or move laterally inside the enterprise, the attack is thwarted. Spending the lion’s share of budget and time on vulnerability and patch management without understanding “then what?” leaves organizations open to compromise. 

Understand Gaps and How to Close Them

Threat-Informed Defense relies on a deep understanding of adversary behaviors and uses the ATT&CK knowledge base to provide the common language to describe those behaviors. However, TID extends well beyond that, relating those behaviors with the rest of an organization’s security context. That context can include specific threat groups targeting the organization and their behaviors, and the effectiveness of defensive capabilities to protect against those behaviors.

More specifically, in how Tidal Cyber delivers TID, we build on ATT&CK and curate additional threat content from open source intelligence to extend our knowledge base even further. Every week, we add new groups, software, and campaigns, along with new techniques and sub-techniques, so users have the latest publicly available information. Relating that intelligence to your threat profile provides context to understand whether a specific group using a specific technique, including specific vulnerabilities, is potentially targeting you.

From there, you can pivot to defensive context to see the security tools and solutions you have in place that relate to and defend against specific behaviors, as well as mitigating controls in frameworks like NIST 800-53, CIS or CMMC. Coverage Maps correlate relevant adversary behaviors and defenses and provide a Confidence Score to help you understand how well your controls are working. 

When coverage gaps exist, our Recommendation Engine determines how to optimize your existing Defensive Stack and provides actionable suggestions for configuration changes or upgrades. If a new tool is genuinely required to fill a gap, the Tidal Cyber platform will make recommendations there as well.
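The threat profile, defensive stack, coverage map and gap list described above, worked through as an added illustration (this is not Tidal Cyber's code, and the group names, tool names, coverage levels and the simple confidence formula are all constructed assumptions; only the ATT&CK technique IDs are real):

```python
from collections import defaultdict

# Constructed threat profile: adversary groups relevant to a hypothetical
# organization and the ATT&CK techniques each is known to use. Group names are
# placeholders; the technique IDs are real ATT&CK identifiers (e.g. T1078 Valid
# Accounts, T1566.001 Spearphishing Attachment, T1621 MFA Request Generation).
THREAT_PROFILE = {
    "Group-A": {"T1566.001", "T1078", "T1068", "T1021.001"},
    "Group-B": {"T1110.004", "T1621", "T1078", "T1021.002"},
    "Group-C": {"T1190", "T1068", "T1021.001"},
}

# Constructed defensive stack: each tool maps to the techniques it detects or
# mitigates, with an assumed coverage level of 1 (partial) or 2 (strong).
# A tool listing a parent technique (e.g. "T1566") covers all its sub-techniques.
DEFENSIVE_STACK = {
    "email-gateway": {"T1566": 2},
    "edr": {"T1068": 1, "T1021.001": 2},
    "idp-mfa": {"T1110.004": 2, "T1078": 1},
}

def parent(technique):
    """T1566.001 -> T1566; a parent technique maps to itself."""
    return technique.split(".")[0]

def coverage_map(profile, stack):
    """Return {technique: {"groups": set, "tools": {tool: level}}}."""
    cmap = defaultdict(lambda: {"groups": set(), "tools": {}})
    for group, techniques in profile.items():
        for t in techniques:
            cmap[t]["groups"].add(group)
    for tool, covered in stack.items():
        for t in cmap:
            level = covered.get(t, covered.get(parent(t)))  # sub-technique inherits parent
            if level:
                cmap[t]["tools"][tool] = level
    return dict(cmap)

def gaps(cmap):
    """Techniques in the threat profile that no tool covers, most-used groups first."""
    return sorted((t for t, e in cmap.items() if not e["tools"]),
                  key=lambda t: (-len(cmap[t]["groups"]), t))

def confidence_score(cmap):
    """Assumed 0-100 proxy: best coverage level per technique, weighted by how
    many groups use it, divided by the maximum attainable (level 2 everywhere)."""
    def weight(t):
        return len(cmap[t]["groups"])
    got = sum(weight(t) * max(e["tools"].values(), default=0) for t, e in cmap.items())
    return round(100 * got / (2 * sum(weight(t) for t in cmap)))
```

With the constructed data, the gap list is exactly the "then what?" techniques no tool addresses (MFA fatigue, SMB lateral movement, public-facing exploitation), which is where a recommendation would be targeted.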

Building Resilience

When more than half of breaches stem from exploitation of a known vulnerability, and as adversaries increasingly use AI to lower barriers to entry, it’s time to start concentrating more effort on “then what?” A Threat-Informed Defense is a practical, cost-effective, efficient, and sustainable way to expand your strategy to build resilience. You gain air cover from the rise in the volume and velocity of vulnerabilities, and confidence in your controls to stop or mitigate adversary behaviors post-access.
