Tidal Cyber Enhances Platform with MITRE ATT&CK v19 and Procedure‑Level Threat Intelligence


Key Takeaways

  • Tidal Cyber has separated MITRE ATT&CK framework data from its proprietary cyber‑threat intelligence (CTI) to create a clearer, procedure‑focused intelligence layer.
  • The update aligns with MITRE ATT&CK Version 19 (V19), which retires the “Defense Evasion” tactic and splits it into Stealth and Impair Defenses, reflecting modern adversary behavior.
  • By isolating ATT&CK (the structural technique taxonomy) from Tidal Cyber CTI (procedure‑level execution details), organizations can move beyond abstract technique mapping to actionable, execution‑level defense decisions.
  • The new architecture eliminates fragmented intelligence, provides clear source attribution, and enables security teams to prioritize defenses based on how attacks actually succeed or fail, reducing attacker success and residual risk.
  • Tidal Cyber’s unified model now ingests vulnerability data, maps its impact on specific procedures, and translates intelligence into procedure‑led security actions that are directly tied to an organization’s defensive stack.

Introduction to the Platform Advancement
Tidal Cyber announced a major enhancement to its threat‑intelligence platform that formally distinguishes the industry‑standard MITRE ATT&CK framework from its own proprietary cyber‑threat intelligence (CTI). This separation is designed to give security teams a clearer view of how adversaries actually execute attacks, rather than relying solely on the abstract technique classifications that ATT&CK provides. By delineating the two intelligence layers, Tidal Cyber aims to bridge the long‑standing gap between technique‑level mapping and operational, actionable defense. The announcement coincides with the release of MITRE ATT&CK Version 19 (V19), an update that introduces substantive changes to the framework’s structure and reflects evolving adversary tactics.


Why Separating ATT&CK from CTI Matters
According to Rick Gordon, CEO and co‑founder of Tidal Cyber, the cybersecurity market has reached a point where the ATT&CK framework’s structural value alone is insufficient to stop modern threats. As threat volume and sophistication increase, organizations need intelligence that shows how attacks are carried out, not just what techniques are implicated. The new architecture operationalizes procedure‑level CTI, giving defenders insight into the specific steps adversaries take, where defenses are likely to fail, and what concrete actions can disrupt the attack chain. This shift from passive mapping to active, execution‑focused analysis enables faster, more informed decision‑making.


Details of MITRE ATT&CK Version 19
The release of ATT&CK V19 introduces a significant structural shift: the legacy “Defense Evasion” tactic has been retired and its constituent behaviors re‑organized into two distinct tactics—Stealth and Impair Defenses. Stealth captures activities aimed at avoiding detection (e.g., obfuscation, masquerading), while Impair Defenses covers actions that actively degrade or disable security controls (e.g., disabling antivirus, tampering with logs). This bifurcation mirrors the observed pattern in contemporary intrusions, where attackers first conceal their presence and then systematically weaken defenses before pursuing their objectives. The change improves the fidelity of adversary behavior categorization but also adds operational complexity for security teams that must update detection rules, playbooks, and workflows to align with the new taxonomy.


Operational Impact of the ATT&CK V19 Update
While ATT&CK V19 offers a more nuanced view of adversary behavior, it also demands that organizations revisit and potentially overhaul existing detection strategies. Security teams must map their current controls to the new Stealth and Impair Defenses tactics, adjust correlation rules, and ensure that threat‑intelligence feeds are correctly tagged. Failure to do so can lead to gaps in coverage or an overreliance on outdated technique mappings that no longer reflect the latest adversary trade‑offs. Tidal Cyber’s platform addresses this challenge by providing a clear, up‑to‑date translation of ATT&CK V19 changes into procedure‑level intelligence that can be directly consumed by security operations centers (SOCs) and detection engineering teams.
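One concrete way to carry out the re‑tagging step described above, as an added example that is not Tidal Cyber’s code: a small Python audit that replaces the retired Defense Evasion tag on detection rules with its V19 tactic and reports rules with no known V19 home, so they are reviewed rather than silently losing coverage. The technique‑to‑tactic table and the tactic names "stealth" and "impair-defenses" are assumptions for illustration; replace them with the official V19 mapping.

```python
from dataclasses import dataclass, replace

RETIRED_TACTIC = "defense-evasion"

# Assumed for illustration: where V19 places a few former Defense Evasion
# techniques. Technique IDs are real; tactic names are placeholders.
V19_TACTIC_FOR_TECHNIQUE = {
    "T1027": "stealth",           # Obfuscated Files or Information
    "T1036": "stealth",           # Masquerading
    "T1562": "impair-defenses",   # Impair Defenses (e.g., disabling AV)
    "T1070": "impair-defenses",   # Indicator Removal (e.g., log tampering)
}

@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK technique or sub-technique ID, e.g. "T1562.001"
    tactics: tuple   # tactic tags carried by the rule

def parent_technique(tid: str) -> str:
    """Sub-techniques such as T1562.001 inherit the tactic of parent T1562."""
    return tid.split(".")[0]

def retag(rules):
    """Swap the retired tag for its V19 tactic; list rules needing review."""
    updated, needs_review = [], []
    for rule in rules:
        if RETIRED_TACTIC not in rule.tactics:
            updated.append(rule)            # untouched by the V19 split
            continue
        new_tactic = V19_TACTIC_FOR_TECHNIQUE.get(parent_technique(rule.technique))
        if new_tactic is None:
            needs_review.append(rule.name)  # no known V19 home: coverage gap
            updated.append(rule)
            continue
        tactics = tuple(new_tactic if t == RETIRED_TACTIC else t for t in rule.tactics)
        updated.append(replace(rule, tactics=tactics))
    return updated, needs_review

# Constructed sample rules (not real detection content)
SAMPLE_RULES = [
    Rule("AV tamper via registry", "T1562.001", (RETIRED_TACTIC,)),
    Rule("Renamed system binary", "T1036.003", (RETIRED_TACTIC, "execution")),
    Rule("Process injection", "T1055", (RETIRED_TACTIC, "privilege-escalation")),
    Rule("LSASS memory read", "T1003.001", ("credential-access",)),
]
```

Calling `retag(SAMPLE_RULES)` returns the re‑tagged rules plus the names of rules whose technique has no entry in the table, which is the list a detection engineer should work through by hand.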


Tidal Cyber’s Procedure‑Centric Philosophy
Frank Duff, Chief Innovation Officer and co‑founder of Tidal Cyber, emphasized that the company’s foundation has always been built on understanding how adversaries execute attacks. By separating MITRE ATT&CK (the technique taxonomy) from Tidal Cyber CTI (the procedure‑level execution details), the platform elevates procedures as the core unit of analysis. This approach gives teams the granularity needed to pinpoint exactly where their defenses break, understand the likelihood of success for each adversary step, and prioritize mitigations based on real‑world attack flow rather than abstract severity scores. The result is a defense posture that is rooted in the actual mechanics of intrusion, not just a checklist of techniques.


Unified Modeling of Threats, Vulnerabilities, Assets, and Defenses
Tidal Cyber’s platform now integrates four critical data domains into a single, coherent model: threat intelligence (including ATT&CK, proprietary CTI, and procedure‑level execution details), vulnerability information, asset inventories, and defensive control configurations. This unified model enables organizations to ingest vulnerability data and assess its direct impact on specific attack procedures, calculate the likelihood of exploitation based on adversary behavior, and visualize where defensive controls are most likely to fail during an actual attack. By linking vulnerabilities to procedures rather than isolated techniques, the platform provides a more realistic risk picture that reflects the true exploitability of assets in the context of adversary tactics.


From Visibility to Defensible Outcomes
Historically, security teams have struggled with fragmented threat intelligence sources, the manual effort required to reconcile ATT&CK mappings across multiple feeds, and technique‑level data that lacks context about how attacks unfold in practice. Tidal Cyber’s new architecture resolves these pain points by delivering clear source attribution—distinguishing intelligence originating from MITRE, Tidal Cyber, and other third‑party feeds—ensuring that the information is trustworthy, consistent, and ready for immediate use. The platform shifts the focus from merely gaining visibility into threats to producing defensible outcomes: security teams can now prioritize actions that directly reduce attacker success rates and lower residual risk based on proven execution pathways.


Practical Benefits for Security Operations
In day‑to‑day operations, the separation of ATT&CK and CTI translates into several tangible benefits. Analysts can quickly see which specific procedures (e.g., “Credential Dumping via LSASS Memory”) are associated with observed vulnerabilities on critical assets, enabling targeted patching or configuration changes. Detection engineers receive procedure‑based signatures that are more likely to trigger on genuine malicious activity while reducing false positives stemming from overly broad technique matches. Incident responders gain a step‑by‑step view of an attack’s progression, allowing them to isolate compromised systems at the exact point where a defense failed and apply remediation that prevents further lateral movement. Overall, the platform empowers a more proactive, intelligence‑driven security posture.


Conclusion and Future Outlook
Tidal Cyber’s latest release marks a strategic evolution in how threat intelligence is operationalized. By cleanly separating the standardized MITRE ATT&CK framework from its proprietary procedure‑level CTI—and aligning this split with the structural advancements of ATT&CK V19—the company provides organizations with the clarity and granularity needed to move beyond theoretical mapping to practical, execution‑focused defense. As adversaries continue to refine their tactics, the ability to understand and interrupt attacks at the procedure level will become increasingly vital. Tidal Cyber’s unified model, enriched with vulnerability and asset context, positions security teams to achieve measurable reductions in attacker success and to transform threat intelligence into a decisive, actionable advantage.
