Attack Flow.

A MITRE Engenuity Center for Threat-Informed Defense language and toolset for describing how adversaries chain techniques into multi-step operations, complementing ATT&CK's per-technique catalog with sequencing and decision logic. It belongs to the Defense & Operations category of cybersecurity.

A MITRE Engenuity Center for Threat-Informed Defense language and toolset for describing how adversaries chain techniques into multi-step operations, complementing ATT&CK's per-technique catalog with sequencing and decision logic.

Attack Flow is a STIX-extensible language and authoring tooling released by MITRE Engenuity's Center for Threat-Informed Defense in 2022, with version 2 in 2023. Its goal is to capture the missing piece between ATT&CK techniques and full incident narratives: how an adversary actually sequences techniques across an intrusion, including conditions, branches, and parallel paths. An Attack Flow document models an operation as a directed graph of `attack-action` (a technique execution) and `attack-condition` nodes, with linked `attack-asset` (targeted resources) and `attack-operator` (AND/OR/XOR) elements. The CTID publishes a public corpus of Attack Flows for real incidents (Conti, SolarWinds, NotPetya, Triton, REvil, etc.) and ships a web-based authoring tool (Attack Flow Builder). Use cases include threat-intelligence sharing in a machine-readable form richer than ATT&CK alone, building synthetic intrusion narratives for detection engineering, and helping defenders reason about which techniques to disrupt to break a likely chain.

Defences for Attack Flow typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: MITRE Attack Flow, Attack Flow Language.