About the Application Attack Matrix
What is the Application Attack Matrix
The Application Attack Matrix is the first comprehensive, community-driven framework specifically designed to map the tactics, techniques, and procedures (TTPs) used by adversaries against modern applications. Inspired by MITRE ATT&CK®, but tailored for today's app environments - web applications, cloud-native architectures, mobile apps, microservices, and APIs - it provides a structured approach to understanding and defending against application-layer threats.
Unlike traditional security frameworks that focus primarily on infrastructure and endpoints, the Application Attack Matrix addresses the unique attack vectors that target applications directly. It catalogs real-world attack methods across the complete application attack lifecycle, from initial reconnaissance through final impact, giving security teams a common language and comprehensive reference for application-specific threats.
The matrix brings together stages, tactics, techniques, and real-world attack examples to help security professionals identify risks, guide incident response, benchmark security tools, and build effective application security strategies.
Why We Built the Matrix
Modern applications power today's digital businesses - and adversaries know it. As organizations shift to cloud-native architectures, APIs, and microservices, attackers are increasingly bypassing traditional network and endpoint defenses to target the application layer. Yet most security frameworks were never designed for these new realities. They focus on infrastructure and endpoints, leaving a critical knowledge gap for application-layer attacks.
What Does the Application Attack Matrix Cover That Others Don't?
While frameworks like MITRE ATT&CK® provide excellent coverage for infrastructure and endpoint security, they primarily focus on:
- Operating Systems: Windows, macOS, Linux
- Network Infrastructure: Network devices and protocols
- Cloud Infrastructure: IaaS, SaaS, Office Suite, Identity Providers
- Mobile Devices: Android and iOS platforms
- Containers: Container runtime environments
The Application Attack Matrix fills the critical gaps by specifically addressing threats that target:
- Application Discovery and Reconnaissance: Fuzzing API endpoints, extracting API schemas, scraping package manifests, analyzing software bill of materials, discovering feature flags, and fingerprinting application frameworks
- Software Supply Chain Attacks: Manipulating build pipelines, tampering with build scripts, poisoning container registries, hijacking dependencies, backdooring open-source libraries, and exploiting dependency confusion
- Application-Layer Initial Access: Bypassing authentication through race conditions, manipulating authentication flows, exploiting protocol vulnerabilities, injecting malicious content through man-in-the-middle attacks, and brute forcing passwords
- Code Execution Through Applications: Exploiting insecure deserialization, dynamic code evaluation, memory buffer overflows, command injection, template injection, expression language injection, cross-site request forgery, and server-side request forgery
- Application Runtime Manipulation: Bypassing security hooks, tampering with runtime configurations, terminating protection services, abusing system capabilities, exploiting symlink attacks, and deploying web shells or stored procedures
- Service-to-Service Attacks: Stealing authentication tokens, exploiting overprivileged service accounts, replaying or reusing tokens, exploiting API misconfigurations, and abusing service-to-service trust relationships
- Business Logic and Data Targeting: Manipulating business workflows, hijacking computational resources for cryptomining, corrupting data through overwriting, destroying backups, manipulating transmitted data, defacing website content, and executing financial theft
These application-centric attack vectors often bypass traditional security controls because they exploit the application's intended functionality and trust relationships rather than infrastructure vulnerabilities. For example, a business logic flaw that allows unlimited password reset attempts won't be detected by network firewalls or endpoint detection systems - but it can lead to account takeovers and data breaches.
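The password-reset illustration above is exactly the kind of abuse that only application-layer telemetry and controls catch: every request is a well-formed HTTP 200 at the network layer. As an added example, not code from the Application Attack Matrix project, the following Python counts reset requests per account over a sliding window from constructed log lines and pairs that detection with a per-account rate limiter that the application itself would enforce. The log format, field names, threshold and window size are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample application log lines (not real data). Every request
# succeeded with HTTP 200, so nothing here looks anomalous to a network
# firewall; only per-account aggregation in the application reveals the burst.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z POST /password/reset account=alice@example.com ip=203.0.113.10 status=200
2024-05-01T10:00:03Z POST /password/reset account=alice@example.com ip=203.0.113.10 status=200
2024-05-01T10:00:05Z POST /password/reset account=alice@example.com ip=203.0.113.11 status=200
2024-05-01T10:00:08Z POST /password/reset account=alice@example.com ip=203.0.113.12 status=200
2024-05-01T10:00:12Z POST /password/reset account=alice@example.com ip=203.0.113.10 status=200
2024-05-01T10:00:20Z POST /password/reset account=alice@example.com ip=203.0.113.13 status=200
2024-05-01T09:00:00Z POST /password/reset account=bob@example.com ip=198.51.100.7 status=200
2024-05-01T11:30:00Z POST /password/reset account=bob@example.com ip=198.51.100.7 status=200
2024-05-01T10:00:00Z POST /password/reset account=carol@example.com ip=192.0.2.5 status=200
2024-05-01T10:02:00Z POST /password/reset account=carol@example.com ip=192.0.2.5 status=200
2024-05-01T10:04:00Z POST /password/reset account=carol@example.com ip=192.0.2.5 status=200
2024-05-01T10:06:00Z POST /password/reset account=carol@example.com ip=192.0.2.5 status=200
2024-05-01T10:08:00Z POST /password/reset account=carol@example.com ip=192.0.2.5 status=200
2024-05-01T10:10:00Z POST /password/reset account=carol@example.com ip=192.0.2.5 status=200
2024-05-01T10:00:09Z GET /login ip=203.0.113.10 status=200
"""

# Assumed log layout for this example; adjust the pattern to your own format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) POST /password/reset account=(?P<account>\S+) "
    r"ip=(?P<ip>\S+) status=(?P<status>\d{3})$"
)


def parse_log(text):
    """Parse reset-request lines into (timestamp, account, ip, status); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["account"], m["ip"], int(m["status"])))
    return events


def find_abused_accounts(text, window_seconds=60, threshold=5):
    """Return {account: peak_count} for accounts with >= threshold resets inside any window."""
    per_account = defaultdict(list)
    for ts, account, _ip, _status in parse_log(text):
        per_account[account].append(ts)
    flagged = {}
    for account, stamps in per_account.items():
        stamps.sort()
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            # Drop timestamps that fell out of the sliding window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[account] = peak
    return flagged


class ResetRateLimiter:
    """Per-account sliding-window limit: the application-layer control a firewall cannot supply."""

    def __init__(self, limit=5, window_seconds=60):
        self.limit = limit
        self.window_seconds = window_seconds
        self._history = defaultdict(deque)

    def allow(self, account, now):
        q = self._history[account]
        while q and (now - q[0]).total_seconds() >= self.window_seconds:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate_burst(requests=7, limit=5, window_seconds=60):
    """Replay `requests` attempts one second apart, then one more after the window expires."""
    limiter = ResetRateLimiter(limit=limit, window_seconds=window_seconds)
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    account = "victim@example.com"  # constructed account name
    decisions = [limiter.allow(account, t0 + timedelta(seconds=i)) for i in range(requests)]
    decisions.append(limiter.allow(account, t0 + timedelta(seconds=window_seconds)))
    return decisions


if __name__ == "__main__":
    print("flagged accounts:", find_abused_accounts(SAMPLE_LOG))
    print("limiter decisions:", simulate_burst())
```

Note that carol's six requests are spread two minutes apart and are not flagged, while alice's six requests arrive within twenty seconds from several source addresses, so a per-IP rule alone would also have missed them; keying the window on the account is what makes the detection match the flaw.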
The Gap: What Was Missing
Before the Application Attack Matrix, there was no open, community-driven resource specifically cataloging how real-world attackers compromise applications and APIs. Security teams had to adapt infrastructure-focused frameworks, often missing modern threats like software supply chain compromises, advanced API abuse, or dependency poisoning. Without a common language or taxonomy, sharing knowledge or coordinating defenses was difficult - and attackers took advantage.
What's New: A Community-Driven Solution
The Application Attack Matrix, created by Oligo Security and a growing community, fills this gap. It's the first comprehensive, living framework mapping the tactics, techniques, and procedures (TTPs) used by adversaries against applications. Inspired by MITRE ATT&CK®, but tailored for modern app environments - web, cloud-native, mobile, microservices, and APIs - it brings together:
- Stages spanning the full attack lifecycle
- Tactics representing adversary objectives at each phase
- Techniques detailing exactly how attackers achieve their goals
- Real-world attack examples showing how these threats play out in practice
The matrix is continuously updated by the community to stay current as threats evolve. Security teams, researchers, vendors, and defenders can use it to:
- Identify and prioritize application-specific risks
- Guide incident response and defense strategies
- Benchmark AppSec tools and operations
- Build a shared understanding of the application threat landscape
How to Read This Matrix
The Application Attack Matrix is structured to help everyone - practitioners, leaders, researchers - systematically understand the application attack surface.
1. Attack Lifecycle Stages:
Attacks are organized across four key stages:
- Pre-Intrusion
- Intrusion
- Post-Intrusion
- Impact
2. Tactics:
Each stage features distinct tactics - the underlying adversarial objectives (e.g., Reconnaissance, Resource Development, Payload Delivery, Deepening Control, Impact).
3. Techniques:
Tactics are broken down into techniques: specific methods attackers use, such as supply chain compromise, authentication bypass, injection exploitation, or runtime protection disablement.
4. Real-World Attack Mapping:
Major incidents (Log4Shell, SolarWinds, XZ-Utils Backdoor, and more) are mapped to relevant tactics and techniques for practical, scenario-based learning.
5. Detection & Mitigation:
For each technique, the matrix provides guidance on detection, prevention, and incident response - so teams can take informed action right away.
6. Always Evolving:
As new threats emerge, the community updates the matrix, ensuring it remains a trusted, authoritative resource for the latest in application-layer security.
Tip: Start by identifying the tactics and techniques most relevant to your environment. Use attack mappings and detection guidance to assess your current defenses, prioritize improvements, and educate your team.
Open Invitation: Join, Contribute, and Adopt
The Application Attack Matrix is for everyone passionate about AppSec - practitioners, students, researchers, vendors, and more. Your insights, attack data, detection techniques, and remediation advice help everyone stay safer.
Why contribute?
- Collaborate with a global community of experts and peers
- Earn recognition for your research and real-world experience
- Advance your career and deepen your AppSec expertise
Adopt the matrix! Use it to shape red, blue, and purple team exercises; guide product development; improve threat modeling; or simply learn how modern attackers target applications.
For the latest version and resources, visit app-attack-matrix.com.