Overview

Applications have become the primary battleground for attackers. As organizations continue to embrace cloud-native architectures, microservices, and API-driven development, traditional security frameworks struggle to adequately address the unique threats targeting modern applications.

The Application Attack Matrix is the first comprehensive, community-driven framework specifically designed to map the tactics, techniques, and procedures (TTPs) used by adversaries against modern applications. Inspired by MITRE ATT&CK®, but tailored for today's app environments - web applications, cloud-native architectures, microservices, and APIs - it provides a structured approach to understanding and defending against application-layer threats.

Why Now?
The urgency behind this initiative is reinforced by the latest data: in Mandiant investigations, vulnerability exploits have remained one of the top methods attackers use to gain access to organizations for each of the past 5 years. This reflects a broader reality: attackers operate where they know detection is weakest - inside the application layer. This is not just a gap; it's the primary battleground of today’s threat landscape. Applications are where business logic lives, where APIs expose functionality, and where attackers can move stealthily, often undetected by traditional security controls.

The application layer is the most impactful, least understood, and least protected component of modern cloud applications. It’s not just the last mile of risk - it’s the first frontier adversaries breach before escalating to workloads or infrastructure. It’s time defenders shifted their attention to where the fight truly begins.

Why We Built the Application Attack Matrix

Existing security frameworks like MITRE ATT&CK® have served the industry well, but they primarily focus on infrastructure and endpoint security. This leaves significant blind spots when it comes to application-centric attack vectors:

- Infrastructure ≠ Application: Traditional matrices end at the operating system and network layer, overlooking critical application-layer techniques that are increasingly used by attackers.

- Supply Chain Blind Spots: Modern pipelines, dependencies, and actions introduce new, overlooked threat vectors.

- Runtime Black Boxes: Applications have fundamentally changed - especially in the era of AI, microservices, and cloud-native development. They now evolve continuously, with each build and deployment introducing new behaviors. Legacy tools, built for static, on-prem environments, weren’t designed to handle this pace or complexity. As a result, they miss critical signals at the application layer, where attackers increasingly operate.

- Application & Logic Abuse: AI-driven development and modern app architectures have expanded the attack surface in ways traditional tools can’t handle. Logic now spans APIs, services, and delegated AI calls, making it harder to detect abuse. While API security tools focus on network traffic, they miss in-app threats like business logic abuse and misuse of legitimate flows - where attackers increasingly operate undetected.

This gap led us to develop the first Application Attack Matrix - a comprehensive framework designed specifically to map real-world threats observed against cloud applications in the wild and to provide actionable guidance for defenders against those threat actors.

The Four Phases of Application Attacks

The Application Attack Matrix organizes techniques into four distinct phases that map the complete attack lifecycle:

1. Pre-Intrusion

The attacker prepares, gathering information and building tools to compromise applications.

  • Reconnaissance: Application API specification harvesting, application dependency mapping, public source code analysis
  • Resource Development: Compromised Code Signing, Third-Party Dependency Poisoning

2. Intrusion

This phase marks the initial compromise and execution of malicious code within the application environment.

  • Initial Access: Supply chain compromise, authentication bypass, API misuse
  • Payload Execution: Remote code execution (RCE), injection attacks, server-side request forgery (SSRF)

3. Post-Intrusion

Once inside, attackers establish persistence and expand control.

  • Deepening Control: Exploitation for Privilege Escalation, C2 over App-Protocols, Disable Runtime Protection
  • Expanding Reach: Service-to-Service trust abuse, exploitation of remote services

4. Impact

The attacker carries out their objectives, disrupting operations in ways that are hard to detect at the infrastructure level.

  • Impact: Service disruption, data destruction, encryption or exfiltration, abuse of existing business logic, or compromising the application's integrity to manipulate its business logic.

This structure highlights that applications are targeted at every stage of the attack chain. Attacks do not stop at infrastructure - they exploit the logic, data, and behavior inside of applications. 

Real-World Incidents That Shaped the Matrix

Several high-profile breaches and vulnerabilities over the past five years played a key role in shaping the foundation of the Application Attack Matrix. These are just a few of the notable examples that made headlines - but they represent only a fraction of what’s out there. Many more real-world techniques have already been documented in the matrix through our own research and contributions from the broader security community. And as new attack methods continue to emerge, the need for a living, application-focused framework like this becomes even more critical.

These incidents exposed critical gaps in existing security models and underscored the need for an application-focused attack framework.

Bybit 1.5B crypto theft: A vulnerable open-source library led to the largest known crypto heist in history.

Log4Shell: Exploited Log4j’s JNDI feature - completely invisible to network-based defenses, Cloud Workload Protection Platforms (CWPP), and security tools monitoring workloads, web servers, or host-level activity.

SolarWinds: Demonstrated sophisticated supply chain compromise techniques.

XZ-Utils backdoor: Showed how malware could be shipped through trusted build processes.

MOVEit Transfer: Highlighted how application vulnerabilities can lead to massive data breaches.

GitHub Actions supply-chain attacks: Revealed new vectors for compromising development pipelines.

How to Use the Application Attack Matrix

The Application Attack Matrix is not simply a taxonomy - it is a practical tool to strengthen your security posture and enable your business across different roles and functions.

Below is how different teams can operationalize it.

For Application Security Teams

  • Threat Modeling with depth: Trace your applications, APIs, and pipelines across the matrix to identify potential blind spots that traditional models miss.
  • Security Testing: Use the matrix to develop comprehensive test cases that cover the full spectrum of application threats, not just initial access.
  • Control Validation: Assess whether your existing security controls address the techniques outlined in the matrix.

For CISOs and Security Leaders

  • Risk Assessment: Identify which application attack vectors pose the greatest risk to your organization.
  • Resource Allocation: Prioritize security investments based on the most relevant threats to your application portfolio.
  • Security Strategy: Develop a comprehensive application security strategy that addresses all phases of the attack lifecycle.
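A small worked example of the Control Validation step for application security teams and the Risk Assessment step for security leaders above. This is added example code, not code from the Application Attack Matrix project or from this post: the phase, tactic and technique names are the ones listed in the four-phase section of the post, while the CONTROLS mapping (which deployed control is credited with which technique) is constructed sample data that stands in for your own assessment. The script reports, per phase, which techniques have no credited control and what share of each phase is covered, which is the raw material for deciding where to invest next.

```python
"""Coverage-gap check of deployed controls against the Application Attack Matrix phases.

Added example; not part of the Application Attack Matrix project. The MATRIX
names come from the post, the CONTROLS mapping is constructed sample data.
"""
from collections import defaultdict

# Phases, tactics and techniques as named in the four-phase section of the post.
MATRIX = {
    "Pre-Intrusion": {
        "Reconnaissance": ["API specification harvesting", "Dependency mapping",
                           "Public source code analysis"],
        "Resource Development": ["Compromised code signing",
                                 "Third-party dependency poisoning"],
    },
    "Intrusion": {
        "Initial Access": ["Supply chain compromise", "Authentication bypass", "API misuse"],
        "Payload Execution": ["Remote code execution", "Injection",
                              "Server-side request forgery"],
    },
    "Post-Intrusion": {
        "Deepening Control": ["Exploitation for privilege escalation",
                              "C2 over app protocols", "Disable runtime protection"],
        "Expanding Reach": ["Service-to-service trust abuse",
                            "Exploitation of remote services"],
    },
    "Impact": {
        "Impact": ["Service disruption", "Data destruction",
                   "Data encryption or exfiltration", "Business logic abuse",
                   "Application integrity compromise"],
    },
}

# Constructed sample mapping: each deployed control and the matrix techniques it is
# credited with preventing or detecting. Replace with the result of your own assessment.
CONTROLS = {
    "WAF": {"Injection", "Server-side request forgery"},
    "SCA scanner": {"Third-party dependency poisoning", "Supply chain compromise"},
    "Artifact signing and verification": {"Compromised code signing",
                                          "Supply chain compromise"},
    "Runtime app protection": {"Remote code execution", "Disable runtime protection",
                               "C2 over app protocols"},
}


def coverage_report(matrix, controls):
    """Map every matrix technique to the controls credited with covering it.

    Returns {phase: {technique: [control, ...]}} in matrix order; an empty
    list marks a technique with no credited control.
    """
    covered_by = defaultdict(list)
    for control, techniques in controls.items():
        for technique in techniques:
            covered_by[technique].append(control)
    return {
        phase: {
            technique: sorted(covered_by.get(technique, []))
            for techniques in tactics.values()
            for technique in techniques
        }
        for phase, tactics in matrix.items()
    }


def uncovered(report):
    """Techniques with no credited control, grouped by phase (matrix order)."""
    return {phase: [t for t, ctrls in techs.items() if not ctrls]
            for phase, techs in report.items()}


def phase_coverage(report):
    """Share of techniques in each phase that have at least one credited control."""
    return {phase: round(sum(bool(c) for c in techs.values()) / len(techs), 2)
            for phase, techs in report.items()}


def unknown_techniques(matrix, controls):
    """Technique names a control claims that are not in the matrix (naming drift)."""
    known = {t for tactics in matrix.values() for techs in tactics.values() for t in techs}
    return {control: sorted(techs - known)
            for control, techs in controls.items() if techs - known}


if __name__ == "__main__":
    report = coverage_report(MATRIX, CONTROLS)
    for phase, gaps in uncovered(report).items():
        print(f"{phase}: {phase_coverage(report)[phase]:.0%} of techniques covered")
        for technique in gaps:
            print(f"  gap: {technique}")
    for control, names in unknown_techniques(MATRIX, CONTROLS).items():
        print(f"{control} claims techniques not in the matrix: {names}")
```

With the sample data the Impact phase comes out at 0% coverage, which is exactly the kind of finding the post argues traditional, infrastructure-focused tooling leaves invisible; the unknown_techniques check catches the common failure where a control inventory uses technique names that have drifted from the matrix, so that a gap hides behind a spelling difference.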

For Security Analysts and Incident Responders

  • Detection Engineering: Build detection rules that target application-specific TTPs, not just generic exploits. 
  • Incident Investigation: Use the matrix to guide your analysis of potential application compromises and uncover how initial access led to impact.
  • Purple Team Exercises: Create realistic attack scenarios based on the techniques in the matrix to stress-test your detection and response capabilities.

A Living Framework, Powered by the Community

The Application Attack Matrix isn’t static. It is designed to be a living framework that evolves with the threat landscape. As new attack techniques emerge and existing ones evolve, the matrix will be updated to reflect these changes. We encourage security practitioners to contribute their knowledge and experiences to help make this resource as valuable as possible for the entire community.

Why This Matters

As applications continue to be the primary target for attackers, security teams need frameworks that specifically address application-level threats. The Application Attack Matrix provides a comprehensive, structured approach to understanding and mitigating these threats across the entire attack lifecycle. By adopting this framework, organizations can better protect their critical applications and the valuable data they process.

Whether you're an application security professional, a CISO, or a security analyst, the Application Attack Matrix offers valuable insights and practical guidance for defending against the most sophisticated application attacks. We invite you to explore the matrix, apply it to your security program, and join us in evolving this important resource for the security community.

Join our Discord community: https://www.oligo.security/lp/oligo-application-attack-matrix 

Check out the Application Attack Matrix: https://app-attack-matrix.com/ 

Special Thanks

Thank you to all of the security leaders who were early contributors to this community project for their feedback and collaboration.

Avi Lumelsky
AI Security Researcher

Avi Lumelsky is a security researcher specializing in engineering and AI. At Oligo Security, he secures AI infrastructure by uncovering vulnerabilities in open-source projects. Previously at Deci AI (now part of NVIDIA), he focused on model optimization. His work has resulted in reports for major companies like Google and Meta, and has been featured in Forbes and Hacker News. He also maintains open-source eBPF projects and explores vulnerabilities in AI frameworks and inference servers.
