What Is MITRE D3FEND? How Can It Be Used By MSSPs?

When you read the words MITRE D3FEND, you probably have one of these reactions:

“I just wrapped my head around MITRE ATT&CK and now there’s another one?”

“I don’t have the time to figure out how to use that.”


We’ve been helping MSSPs and internal security teams operationalize MITRE ATT&CK for several years now, so we get it. MITRE provides an incredible amount of valuable knowledge, but figuring out how to put that knowledge to use can feel overwhelming.

Lots of MSSPs are using MITRE ATT&CK to improve their services and unlock new revenue streams, but then along came MITRE D3FEND in 2021 with a whole other framework to learn. So, in this article, we’ll tell you what D3FEND is and how MSSPs can leverage it in their services.


As it was only released two years ago, lots of people aren’t yet familiar with MITRE D3FEND. Like it’s better-known sibling, ATT&CK, it’s a project of the MITRE Corporation, a not-for-profit organization that supports American government and industries with a focus on technology.

ATT&CK was first made public in 2015. It’s a framework for documenting adversary tactics, techniques, and procedures (TTPs). In its current iteration, ATT&CK consists of matrices for enterprise, mobile, and industrial control systems (ICS). The most widely used matrix is ATT&CK for Enterprise, which contains close to 200 techniques divided across 14 tactics. Techniques are the specific behaviors an adversary might use in an attack, and the tactics represent what they are trying to accomplish, and can also be understood as the stages of an incident.

Now, let’s look at D3FEND. Where ATT&CK describes the offensive techniques of adversaries, D3FEND describes defensive techniques and strategies that security teams can use against those adversaries. D3FEND has its own matrix, with six defensive tactics:

  1. Model
  2. Harden
  3. Detect
  4. Isolate
  5. Deceive
  6. Evict

As in ATT&CK, D3FEND tactics represent stages, each with techniques to accomplish the larger goal. For example, the Deceive tactic includes techniques to mislead adversaries and make it challenging for them to identify genuine assets or vulnerabilities. Techniques in the Deceive stage include Connected Honeynet and Decoy User Credentials.

Within D3FEND, specific ATT&CK techniques can be looked up to show what D3FEND techniques could be used to defend against them.


Just as ATT&CK did, D3FEND presents myriad opportunities for MSSPs to improve clients’ security, implement new services, and measure improvements to security posture. Because of D3FEND’s focus on defensive actions, its knowledgebase can act as a steppingstone to MDR services for MSSPs. Here are a few ideas for how MSSPs can utilize D3FEND.

  1. Build detection and response playbooks in your SOAR or XDR platform that leverage D3FEND recommendations to properly defend against common ATT&CK techniques. An example can be found here.
  2. Provide packaged recommendations for your clients to implement, specifically in the Model, Harden, and Detect stages.
  3. Visualize the coverage provided by a client’s existing tool stack, identify gaps, and measure the impact of new tools.
  4. Set benchmarks for improving coverage over time. Just as you might use coverage of ATT&CK techniques to measure your ability to detect incidents, you can use D3FEND to measure the percentage of defensive measures you’re able to execute.

About D3 Smart SOAR for MSSPs

D3 Security supports MSSPs around the world and enables high-value services with our Smart SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our unlimited integrations will meet their needs. D3’s Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch our case study video with Trifork Security to see how a successful MSSP uses Smart SOAR.

Guest blog courtesy of D3 Security. Read more D3 Security guest blogs hereRegularly contributed guest blogs are part of MSSP Alert’s sponsorship program.