
Threat-Led Defence

Attacks, Tactics, Procedures, Validation

Threat-led defence is a security approach that aligns detection, response, and validation activities to real adversary behaviours, so that defences are prioritised on the basis of observed threats rather than theoretical vulnerabilities.

It is an emerging discipline that operationalises MITRE ATT&CK by mapping defences to the tactics, techniques, and sub-techniques adversaries actually use, uniting threat intelligence, detection engineering, and control validation around that adversary behaviour.

An organisation's existing tech stack is mapped to MITRE ATT&CK and other relevant frameworks to assess whether it can defend against the latest threats, adversary groups, campaigns, and software relevant to its sector and environment. The result is a Confidence Score and a set of actionable improvements: detections to implement, configurations to harden, and tests to execute.

All of this is measured against ATT&CK-mapped coverage so that risk reduction can be demonstrated clearly. This turns action into impact: defenders no longer need to guess whether their controls can stop the adversary behaviour that matters most to them.

Threat-led defence also shows where tools overlap, underperform, or are redundant, which improves operational efficiency and investment decisions.

Simply put, it:
  • Operationalises ATT&CK across your environment - no spreadsheets or guesswork.
  • Measures "defensive coverage" against relevant threats and adversary behaviour by asset, control, and use case.
  • Prioritises gaps with evidence - which threats matter for your sector, your attack surface, and your current stack.
  • Turns findings into change: detection content, control configurations, validation tasks, and board-ready reporting.
  • Stays current - as adversaries shift, your coverage and action plan update with them.
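As an added illustration of what "measuring defensive coverage by asset, control, and use case" and "prioritising gaps with evidence" can look like in practice, the script below scores ATT&CK technique coverage for a small, constructed environment. This is example code written for this page, not Tidal Cyber's product, its Confidence Score, or any published scoring scheme: the technique IDs are real ATT&CK identifiers, but the adversary profiles, the control inventory, the validation flags, and the 1.0 / 0.5 / 0.0 weights are all assumptions made up for the example.

```python
"""Added example (not Tidal Cyber's code or scoring method): a minimal
ATT&CK-based coverage calculation in the spirit of the approach above.
The technique IDs are real ATT&CK identifiers; the adversary profiles,
control inventory, validation flags and weights are constructed here
purely for illustration."""
from collections import defaultdict

# Constructed: (sub-)techniques attributed to three hypothetical groups that
# threat intelligence says are relevant to this organisation's sector.
ADVERSARY_PROFILES = {
    "GroupA": {"T1059.001", "T1566.001", "T1003.001", "T1021.001"},
    "GroupB": {"T1059.001", "T1566.001", "T1047", "T1486"},
    "GroupC": {"T1003.001", "T1021.001", "T1486"},
}

# Constructed inventory: which techniques each control claims to cover, and
# whether an emulation test has actually proved that the control fires.
CONTROLS = {
    "edr-powershell-scriptblock": {"techniques": {"T1059.001"}, "validated": True},
    "siem-powershell-4104": {"techniques": {"T1059.001"}, "validated": False},
    "email-gw-attachment-sandbox": {"techniques": {"T1566.001"}, "validated": False},
    "lsass-access-rule": {"techniques": {"T1003.001"}, "validated": True},
}


def technique_priority(profiles):
    """Count how many relevant groups use each technique; used as its weight."""
    counts = defaultdict(int)
    for techs in profiles.values():
        for tech in techs:
            counts[tech] += 1
    return dict(counts)


def coverage_report(profiles, controls, validated_weight=1.0, unvalidated_weight=0.5):
    """Score every technique relevant to the profiles:
    1.0 if a validated control covers it, 0.5 if only an unvalidated control
    does, 0.0 if nothing covers it. The weights are an assumption of this
    example, not a published scheme."""
    report = {}
    for tech, n_groups in technique_priority(profiles).items():
        best = 0.0
        for ctl in controls.values():
            if tech in ctl["techniques"]:
                weight = validated_weight if ctl["validated"] else unvalidated_weight
                best = max(best, weight)
        report[tech] = {"groups": n_groups, "score": best}
    return report


def overall_score(report):
    """Weighted coverage in [0, 1]: techniques used by more groups count more."""
    total = sum(r["groups"] for r in report.values())
    return sum(r["groups"] * r["score"] for r in report.values()) / total


def prioritised_gaps(report):
    """Techniques not fully validated, most widely used first (ID as tie-break)."""
    return sorted((t for t, r in report.items() if r["score"] < 1.0),
                  key=lambda t: (-report[t]["groups"], t))


def overlapping_controls(controls):
    """Techniques claimed by more than one control: candidates for overlap review."""
    by_tech = defaultdict(list)
    for name, ctl in controls.items():
        for tech in ctl["techniques"]:
            by_tech[tech].append(name)
    return {t: sorted(names) for t, names in by_tech.items() if len(names) > 1}


if __name__ == "__main__":
    report = coverage_report(ADVERSARY_PROFILES, CONTROLS)
    print(f"weighted coverage: {overall_score(report):.2f}")
    print("gaps to close (priority order):", prioritised_gaps(report))
    print("overlapping controls:", overlapping_controls(CONTROLS))
```

Two design points carry the threat-led idea. First, a control that has never been exercised by an emulation test earns only partial credit, which is why the email sandbox in the constructed data leaves T1566.001 as a gap even though a control "covers" it on paper. Second, gaps are ordered by how many relevant groups use the technique, so the action list starts with the behaviours the organisation's actual adversaries share rather than with whichever technique is alphabetically first. The overlap check is the equivalent of the tool-redundancy review described above: two PowerShell detections on the same technique are either defence in depth or wasted spend, and the data alone cannot tell you which.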


The Powerhouse Behind Tidal Cyber

Tidal Cyber was founded by three of the most influential minds in threat-informed defence. Their combined leadership at MITRE helped shape the cybersecurity landscape as we know it.

Together, their deep domain expertise and pioneering work at MITRE form the backbone of Tidal Cyber's Threat-Led Defence, a unique implementation of threat-informed defence enhanced with procedure-level granularity, making CTI not just relevant but actionable and scalable for every organisation.

Rick Gordon | CEO and Co-Founder

Scaled foundational programs like the Center for Threat-Informed Defense, ATT&CK® Evaluations, and MITRE ATT&CK Defender (MAD) Training, driving the operationalisation of ATT&CK across the industry. 

Richard Struse | CTO and Co-Founder

Co-founder of the Center for Threat-Informed Defense and creator of the STIX and TAXII standards, he brought global collaboration and technical rigour to cyber threat intelligence sharing.

Frank Duff | CINO and Co-Founder

Founder of ATT&CK Evaluations, he set the benchmark for assessing detection and deception technologies and led advanced adversary emulation research for U.S. Government missions.

More in Tidal Cyber

Procedures: The missing link
Between techniques & reality

Choose your path to Threat-Led Defence
Book your discovery call now.

Threat-Led Defence Video
When 'Good' looks THIS GOOD!

What "Good Coverage" Actually Means
(and why you probably don't have it yet).

From IOC Chasing to Threat-Led Defence
You can keep blocking yesterday's hash, or you can start defending against tomorrow's behaviour.
