Discover inherent risk

Most organizations maintain long lists of IT and OT assets, and compliance teams track equally long lists of controls. Yet when adversaries strike, these lists rarely translate into meaningful defense.

The reason is simple: attackers do not target “assets” in the abstract, and they do not care about control frameworks in isolation. They use specific techniques, applied against real systems, in real environments.

Traditional approaches — generic risk matrices, static compliance checklists, and disconnected asset inventories — fail because they cannot express how adversary behaviors map to actual business systems. The result:

  • Asset owners remain disengaged.
  • Risk managers are overwhelmed.
  • Security teams are left responsible for defense without the mandate to act.

Mapping changes this equation. By linking adversary techniques from MITRE ATT&CK directly to IT and OT assets, Attestor.ai creates a defensible, actionable foundation for cybersecurity. This is where effective defense begins.

Challenge One: Intelligence Without Action

Organizations collect cyber threat intelligence (CTI) from many sources — CISA advisories, vendor alerts, premium threat feeds. But much of it remains unused because responsibilities are vague and communication is fragmented.

Business and process owners often consider cybersecurity “too technical.” They leave it to IT and the CISO, assuming it sits outside their domain. This leaves security professionals responsible but without authority.

Attestor.ai reframes the discussion in the language of risk.

  • Risk is something business leaders already understand.
  • AI makes risks measurable and comparable, so they can be prioritized like any other business risk.
  • Asset owners are engaged not as operators of controls, but as contributors of essential insights.
  • Cybersecurity teams gain the mandate to act, backed by clear business ownership.

The result: cybersecurity becomes a shared management responsibility, not a siloed technical function.

Challenge Two: Controls Without Context

Frameworks like NIST SP 800-53, ISO/IEC 27001 Annex A, and CIS Controls describe control capabilities in detail. Yet they rarely explain how those controls should be applied in a given business environment. Without the context provided by asset owners, controls often remain incomplete or ineffective.

Consider a few examples:

  • Segregation of Duties (SOD): The control framework specifies how to enforce SOD. But unless business owners define which access combinations are risky, the control has no practical value.
  • SIEM Systems: These have powerful monitoring capabilities, but asset owners must define which logs are needed to reconstruct event chains in their systems.
  • Continuity Planning: Security, business continuity, and IT continuity plans must align — something only possible when business and IT stakeholders contribute jointly.

These examples highlight why engaging asset owners early in mapping is essential. It ensures that mitigations are not abstract, but tailored to the actual risks of the systems they depend on.

The Attestor.ai Model for Mapping

Attestor.ai’s approach begins with mapping:

  • Scopes group assets into logical units such as ERP systems, OT environments, or cloud services.
  • Threats capture adversary behaviors, expressed as MITRE ATT&CK techniques.
  • The Statement of Applicability (SOA)* links the two, declaring which Threats are relevant for each Scope and defining the exposure profile.

These mappings provide the foundation for mitigation planning. For each relevant technique, a mitigation plan is created with detailed guidance and references to frameworks like NIST SP 800-53, ISO/IEC 27001 Annex A, and CIS Controls.

From there, Attestor.ai automatically consolidates all mitigation items into a unified System Security Plan (SSP) for each Scope. The SSP:

  • Includes all required mitigations for the Scope.
  • Eliminates duplicates and overlaps across techniques.
  • Serves as the authoritative execution plan for control operators.

In practice, this means asset owners are accountable for ensuring the necessary controls are acquired, while security teams operate them and CISOs oversee compliance.

This process transforms threat mapping into a clear, actionable, and audit-ready defense plan. The deeper orchestration of mitigation and governance workflows is covered in the next stage: Continuously Improve Defenses.

How Mapping Drives Defense

Engages Asset Owners in Risk
Mapping connects technical intelligence with business reality. Asset owners provide critical input on their systems, while security teams translate those inputs into defense actions.

Anchors Controls in Operational Context
Controls are no longer generic — they are matched to adversary techniques and adjusted with business-specific parameters.

Supports Continuous Adaptation
Threat mappings are refreshed with every new intelligence feed, ensuring that defense remains aligned with the adversary landscape.

Creates Shared Visibility
Dashboards in Power BI provide a transparent view of risks, controls, and deviations — accessible to executives, asset owners, and technical teams alike.

Mapping in Practice

In practice, mapping unfolds as a structured sequence:

  1. Define the Scope – Identify a group of assets that support a business process (e.g., ERP system, OT environment, or cloud service).
  2. Apply the SOA – Determine which adversary Threats (collections of MITRE ATT&CK techniques) are relevant to the Scope. The SOA is the formal declaration of these applicable Threats.
  3. Design Mitigation Plans – For each technique in the SOA, create a mitigation plan. Each plan specifies the mitigation items required, with detailed references to frameworks such as NIST SP 800-53, ISO/IEC 27001 Annex A, and CIS Controls.
  4. Generate the Unified SSP – Consolidate all mitigation plans into a single Scope-specific System Security Plan (SSP). This SSP eliminates duplicates and overlaps, and serves as the authoritative execution plan for control operators.
  5. Engage Stakeholders – Asset owners validate the exposure, commit to acquiring the necessary controls, IT operates them, and the CISO ensures compliance.
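The chain above (Scope, Threats as ATT&CK techniques, SOA, per-technique mitigation plans, deduplicated SSP) can be modelled as a small data structure. The following is an added, constructed illustration, not Attestor.ai's own code or data model; the scope names, asset names, threat groupings and control references are sample values chosen for the example.

```python
from collections import defaultdict

# Scopes: logical groups of assets (constructed sample data)
SCOPES = {
    "ERP": ["erp-app-01", "erp-db-01"],
    "OT": ["plc-line-a", "hmi-line-a"],
}

# Threats: adversary behaviours, each a collection of MITRE ATT&CK technique IDs
THREATS = {
    "Credential abuse": ["T1078", "T1110"],        # Valid Accounts, Brute Force
    "Phishing-led intrusion": ["T1566", "T1078"],  # Phishing, Valid Accounts
}

# SOA: declares which Threats are applicable to each Scope
SOA = {
    "ERP": ["Credential abuse", "Phishing-led intrusion"],
    "OT": ["Credential abuse"],
}

# Mitigation plans: per technique, mitigation items with framework references
# (items and references are illustrative samples, not a vendor mapping)
PLANS = {
    "T1078": [("NIST SP 800-53 IA-2", "Enforce MFA for all interactive accounts"),
              ("NIST SP 800-53 AC-2", "Review and disable dormant accounts")],
    "T1110": [("NIST SP 800-53 IA-2", "Enforce MFA for all interactive accounts"),
              ("CIS Control 8", "Alert on repeated authentication failures")],
    "T1566": [("NIST SP 800-53 IA-2", "Enforce MFA for all interactive accounts"),
              ("ISO/IEC 27001 A.6.3", "Run phishing awareness training")],
}

def applicable_techniques(scope):
    """Resolve the SOA for a Scope into the set of techniques that must be mitigated."""
    return {t for threat in SOA[scope] for t in THREATS[threat]}

def missing_plans(scope):
    """Techniques declared applicable in the SOA that still lack a mitigation plan."""
    return sorted(t for t in applicable_techniques(scope) if t not in PLANS)

def generate_ssp(scope):
    """Build the unified SSP: one entry per control, listing the techniques it covers."""
    gaps = missing_plans(scope)
    if gaps:  # every technique in the SOA needs a plan before the SSP is authoritative
        raise ValueError(f"no mitigation plan for {gaps} in scope {scope}")
    covered, text = defaultdict(set), {}
    for tech in sorted(applicable_techniques(scope)):
        for control, description in PLANS[tech]:
            covered[control].add(tech)  # duplicates across techniques collapse here
            text[control] = description
    items = [(c, text[c], sorted(covered[c])) for c in sorted(covered)]
    return {"scope": scope, "assets": SCOPES[scope], "items": items}
```

For the ERP scope the MFA item referenced by three separate technique plans appears once in the SSP, annotated with all three techniques it addresses.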

Through this process, mappings evolve into clear, scope-specific defense blueprints that are current, actionable, and owned by the right stakeholders.

Conclusion

Mapping is the foundation of modern cyber defense. By linking adversary techniques to actual assets, Attestor.ai ensures that:

  • Threat intelligence becomes actionable.
  • Controls are applied with context and precision.
  • Cybersecurity teams gain the mandate to act.

This is how mapping drives defense: not as a static list of controls, but as a living system of accountability, relevance, and measurable protection.


*Traditionally, a Statement of Applicability (SoA) in standards such as ISO/IEC 27001 declares which security controls are relevant to an organization. In our model, the SoA is extended: it first declares which threats and adversary techniques are relevant to each scope. Just as controls can be deemed applicable or not applicable, so too can threats. This reframing transforms the SoA from a compliance checklist into a living map of adversary behaviors — ensuring that control selection is always anchored in real exposure.