Skip to content

About the Application Attack Matrix

Why We Built the Matrix

Modern applications power today’s digital businesses—and adversaries know it. As organizations shift to cloud-native architectures, APIs, and microservices, attackers are increasingly bypassing traditional network and endpoint defenses to target the application layer. Yet most security frameworks were never designed for these new realities. They focus on infrastructure and endpoints, leaving a critical knowledge gap for application-layer attacks.

The Gap: What Was Missing

Before the Application Attack Matrix, there was no open, community-driven resource specifically cataloging how real-world attackers compromise applications and APIs. Security teams had to adapt infrastructure-focused frameworks, often missing modern threats like software supply chain compromises, advanced API abuse, or dependency poisoning. Without a common language or taxonomy, sharing knowledge or coordinating defenses was difficult—and attackers took advantage.

What’s New: A Community-Driven Solution

The Application Attack Matrix, created by Oligo Security and a growing community, fills this gap. It’s the first comprehensive, living framework mapping the tactics, techniques, and procedures (TTPs) used by adversaries against applications. Inspired by MITRE ATT&CK®, but tailored for modern app environments—web, cloud-native, mobile, microservices, and APIs—it brings together:

  • Stages spanning the full attack lifecycle
  • Tactics representing adversary objectives at each phase
  • Techniques detailing exactly how attackers achieve their goals
  • Real-world attack examples showing how these threats play out in practice

The matrix is continuously updated by the community to stay current as threats evolve. Security teams, researchers, vendors, and defenders can use it to:

  • Identify and prioritize application-specific risks
  • Guide incident response and defense strategies
  • Benchmark AppSec tools and operations
  • Build a shared understanding of the application threat landscape

How to Read This Matrix

The Application Attack Matrix is structured to help everyone—practitioners, leaders, researchers—systematically understand the application attack surface.

1. Attack Lifecycle Stages:
Attacks are organized across four key stages: - Pre-Intrusion - Intrusion - Post-Intrusion - Impact

2. Tactics:
Each stage features distinct tactics—the underlying adversarial objectives (e.g., Reconnaissance, Resource Development, Payload Delivery, Deepening Control, Impact).

3. Techniques:
Tactics are broken down into techniques: specific methods attackers use, such as supply chain compromise, authentication bypass, injection exploitation, or runtime protection disablement.

4. Real-World Attack Mapping:
Major incidents (Log4Shell, SolarWinds, XZ-Utils Backdoor, and more) are mapped to relevant tactics and techniques for practical, scenario-based learning.

5. Detection & Mitigation:
For each technique, the matrix provides guidance on detection, prevention, and incident response—so teams can take informed action right away.

6. Always Evolving:
As new threats emerge, the community updates the matrix, ensuring it remains a trusted, authoritative resource for the latest in application-layer security.

Tip: Start by identifying the tactics and techniques most relevant to your environment. Use attack mappings and detection guidance to assess your current defenses, prioritize improvements, and educate your team.

Open Invitation: Join, Contribute, and Adopt

The Application Attack Matrix is for everyone passionate about AppSec—practitioners, students, researchers, vendors, and more. Your insights, attack data, detection techniques, and remediation advice help everyone stay safer.

Why contribute? - Collaborate with a global community of experts and peers - Earn recognition for your research and real-world experience - Advance your career and deepen your AppSec expertise

Adopt the matrix! Use it to shape red, blue, and purple team exercises; guide product development; improve threat modeling; or simply learn how modern attackers target applications.

For the latest version and resources, visit app-attack-matrix.com.