Understanding Attack Chains is key to both anticipating and interrupting malicious activity. But in a world where attackers constantly adapt, static models fall short. That’s where the MITRE ATT&CK® Framework and Cyver comes in.
Activate the Attack Chains
At Cyver, you can bring the narrative of an attack easier than ever from initial access to achieving your goals. Here is how:
1. Add the Attack chains tab in the Project settings (or directly in the Project Template), for the tab to be visible in the Pentester Portal:
Create your first Attack Chain
2. Create at least one scenario to start:
3. Add a new Attack Step.
An attack step can be a Blank One, or Link to a Finding:
Blank Step fields:
- Title
- Description
- Assets
- Severity
- MITRE ATT&CK Tactics
- MITRE ATT&CK Techniques
- Findings
- Mitigated By
- Next Attack step
- Facts
- Reach Goal
- Timestamp
Link to Finding fields:
- Linked Finding
- Mitigated By
- Next Attack step
- Facts
- Reach Goal
- Timestamp
4. Add Mitigation, a blank one, or link to finding:
Blank Steps Fields:
- Title
- Description
- Assets
- MITRE ATT&CK Mitigations
- Findings
- Response to Attack
- Next Attack step
- Facts
- Reach Goal
- Timestamp
Link to Finding fields:
- Linked Finding
- Response to Attack
- Next Attack step
- Facts
- Reach Goal
- Timestamp
5. Add Goals:
- Title
- Description
- Assets
6.Add Facts:
- Title
- Description
- Assets
- Mitigated By
- Next Attack step
- Reach Goal
Attack Chain Diagram
All this information and the links between them generated a Diagram that can be shown here:
For example:
Basic Components
When building Attack Chains in Cyver, each element represents a specific part of the attacker narrative. These components help structure how an attack unfolds, how defenses respond, and how objectives are ultimately reached.
Understanding how each component is used makes Attack Chains easier to read, maintain, and communicate across technical and non-technical audiences.
Scenarios
Scenarios represent a specific attack narrative selected for the project. A scenario defines the scope, assumptions, and flow of the Attack Chain.
How Scenarios Are Used
Define the primary attack narrative for the project
Establish the context and scope for attack steps, mitigations, facts, and goals
Provide a structured way to model attacker behavior within the selected scenario
Improve clarity and consistency of the Attack Chain
Attack Steps
Attack Steps describe actions performed by an attacker during an engagement. These actions typically form a sequence, where one step enables the next.
How Attack Steps Are Used
Model attacker behavior from initial access through progression
Represent exploitation, abuse, or misuse of systems
Can be linked directly to Findings or created as standalone steps
Commonly mapped to MITRE ATT&CK® Tactics and Techniques
Attack Steps form the backbone of the Attack Chain.
Mitigations
Mitigations describe defensive controls or responses that limit, detect, or prevent attacker actions.
How Mitigations Are Used
Show how existing controls impact attacker progression
Document security measures such as authentication, monitoring, or segmentation
Can interrupt, delay, or force attackers to change strategy
Mitigations help explain why an attack succeeded or failed and where defenses are effective or insufficient.
Goals
Goals define the intended outcome of the attacker, representing what success looks like from the attacker’s perspective.
How Goals Are Used
Anchor the Attack Chain to a clear objective
Show how individual attack steps contribute to a final outcome
Help stakeholders understand business and security impact
All meaningful Attack Chains should ultimately lead toward one or more Goals.
Facts
Facts describe conditions or properties of the environment that influence the attack but are not actions taken by either attackers or defenders.
How Facts Are Used
Capture assumptions or environmental realities
Provide context for why an Attack Step is possible
Explain constraints, misconfigurations, or architectural characteristics
Examples include exposed services, trust relationships, or configuration states.
Relationships Between Components
Attack Chain components are connected to reflect how actions and conditions influence each other:
Attack Steps can lead to other Attack Steps
Mitigations can respond to Attack Steps
Attackers may adapt their behavior in response to Mitigations
Facts can enable or constrain multiple parts of the chain
These relationships are visualized in the Attack Chain Diagram, making attack progression and decision points easy to follow.
Attack Chain Report Tokens
The diagram, the attack steps details, the timestamp and everything can be used in the report via Report Tokens.
- Attack Chain Attack Steps
View syntax here.
- Attack Chain Details
View syntax here.
- Attack Chain Diagram
- Attack Chain Timelog
View syntax here.