MITRE D3FEND: Cyber Defense Technique Catalog

The D3FEND Matrix

  • Tactics: Defensive maneuvers against an adversary; the what of an action. These are Harden, Detect, Isolate, Deceive, and Evict.
  • Base techniques: Top-level techniques. For example, File Analysis is a base technique under the Detect tactic. Base techniques are also referred to as categories.
  • Techniques: The methods to achieve the tactics; specific defensive processes or technologies; the how of implementing the tactic. For example, Dynamic Analysis is a technique under the File Analysis base technique.
  • Sub-techniques: More specific, lower-level techniques fitting under their parent technique. For example, the Certificate Analysis technique has the sub-techniques Active Certificate Analysis and Passive Certificate Analysis.
  • Definition
  • Technique Overview
  • Digital Artifact Relationships: how the technique relates to artifacts (digital objects that cyber actors interact with, such as pointers and process segments)
  • Technique Subclasses: sub-techniques of the technique you’re viewing (if any)
  • Related ATT&CK Techniques
  • Definition
  • How it works
  • Considerations: important things to know about using the technique, such as caveats or limitations
  • Digital Artifact Relationships
  • Technique Subclasses (if any)
  • References: external resources about the technique

D3FEND Tactics

  • Harden: make network exploitation more difficult and costly
  • Detect: identify adversary access or activity
  • Isolate: create logical or physical barriers to restrict adversary access
  • Deceive: lure potential attackers and allow them access to an observed or controlled environment
  • Evict: remove adversary from the network

D3FEND Base Techniques

  • Application Hardening
  • Credential Hardening
  • Message Hardening
  • Platform Hardening
  • File Analysis
  • Identifier Analysis
  • Message Analysis
  • Network Traffic Analysis
  • Platform Monitoring
  • Process Analysis
  • User Behavior Analysis
  • Execution Isolation
  • Network Isolation
  • Decoy Environment
  • Decoy Object
  • Credential Eviction
  • Process Eviction

Additional Information



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Chad Warner


Cyber threat intelligence (CTI), OSINT, & cybersecurity enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.