CAPEC
What is CAPEC?
CAPEC: Common Attack Pattern Enumeration and Classification, a MITRE-maintained public catalogue of attack patterns used by adversaries to exploit known weaknesses.
CAPEC (Common Attack Pattern Enumeration and Classification) is a MITRE-stewarded community resource that describes common patterns adversaries use to exploit software, hardware, and operational weaknesses. Each entry has a unique CAPEC-ID, a description, prerequisites, attack steps, related weaknesses (CWE), and mitigations, organized into hierarchies such as Mechanisms of Attack and Domains of Attack (Software, Hardware, Supply Chain, Communications, Social Engineering, Physical). CAPEC complements CWE (weaknesses), CVE (vulnerabilities), and ATT&CK (real-world adversary techniques), and is widely used by threat modelers, secure-design reviewers, and red teams, and in pentest scoping, to enumerate concrete attack scenarios.
● Examples
1. Mapping CAPEC-66 (SQL Injection) to specific application entry points during a PASTA threat-modeling workshop.
2. A secure-design checklist that requires controls for every CAPEC pattern relevant to authentication flows.
● Frequently asked questions
What is CAPEC?
Common Attack Pattern Enumeration and Classification, a MITRE-maintained public catalogue of attack patterns used by adversaries to exploit known weaknesses. It belongs to the Compliance & Frameworks category of cybersecurity.
How do you defend against the attacks CAPEC describes?
Each CAPEC entry lists mitigations for its pattern; in practice, defences combine technical controls with operational practices, as described in the full definition above.
What are other names for CAPEC?
Common alternative names include: Common Attack Pattern Enumeration and Classification, CAPEC.
● Related terms
- Threat Modeling (appsec): A structured analysis that identifies the assets, threats, vulnerabilities and mitigations of a system so security can be designed in rather than bolted on.
- PASTA Threat Model (compliance): Process for Attack Simulation and Threat Analysis, a seven-stage risk-centric threat-modeling methodology that aligns technical threats with business impact.
- MITRE ATT&CK (compliance): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- CWE (Common Weakness Enumeration) (vulnerabilities): A community-developed taxonomy of software and hardware weakness types — the underlying flaw classes that lead to vulnerabilities.
- CVE (Common Vulnerabilities and Exposures) (vulnerabilities): A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
- OWASP ASVS (compliance): The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.