Press release

AttackIQ Security Optimization Platform Validates NIST 800-53 Security Controls Against MITRE ATT&CK®, Verifying Effective Compliance and Aligning Preeminent Cybersecurity Frameworks

Sponsored by Businesswire

AttackIQ, the leading independent vendor of Breach and Attack Simulation (BAS) systems, today announced that its Security Optimization Platform can test the NIST 800-53 family of security controls against the MITRE ATT&CK framework, measuring security control effectiveness and providing security teams with real data about NIST 800-53 compliance. In addition to NIST 800-53 compliance, the AttackIQ Security Optimization platform can now test security controls under the U.S. Department of Defense Cybersecurity Maturity Model (CMMC), many of which stem from NIST 800-53, to validate CMMC compliance and security control effectiveness.

In making these product innovations, AttackIQ is building on the work of MITRE Engenuity’s Center for Threat-Informed Defense, which today released an important body of research mapping the MITRE ATT&CK matrix to the NIST 800-53 family of security controls. As a result, security leaders can now align the known threat behaviors of ATT&CK to measure and test security effectiveness against NIST 800-53. AttackIQ uses this research to provide organizations with increased certainty about their compliance effectiveness with NIST 800-53 and the DoD CMMC.

“The Center was created to accelerate innovation in threat-informed defense across the global cybersecurity community,” said Richard Struse, Director of the Center for Threat-Informed Defense. “Our members saw the clear value to the cybersecurity community in aligning ATT&CK to security control framework such as NIST 800-53 and we’re pleased to make these mappings freely-available.”

The NIST 800-53 family of security controls has become a global standard for security control regulation in a wide range of organizations. It is a catalog of security and privacy controls for federal IT systems originally published in 2005; in 2012, the Obama Administration simplified the NIST 800-53 family as the NIST Cybersecurity Framework. The Center for Threat-Informed Defense recognized that mapping ATT&CK to NIST 800-53 would create a baseline that organizations can use to evaluate their security posture.

AttackIQ leverages research from the Center for Threat-Informed Defense for its customers and the broader cybersecurity community. “Our close partnership with MITRE and the Center for Threat-Informed Defense has allowed us to stay informed of emerging best practices in cybersecurity,” said Brett Galloway, CEO of AttackIQ. “This research helps organizations close the loop between ATT&CK and NIST 800-53. We are glad to support the Center in its research and to bring its research findings to bear for our customers through the Security Optimization Platform.”

New AttackIQ Security Optimization Platform Capabilities

AttackIQ is a founding Research Partner of the Center for Threat-Informed Defense, and AttackIQ’s Security Optimization Platform deploys ATT&CK-aligned scenarios against an organization’s NIST 800-53 security controls and DoD CMMC to validate control effectiveness. Red, blue and white teams each play a part in compliance mapping and enforcement, and the Security Optimization Platform helps each team perform its roles and responsibilities. With real data about security control performance, cybersecurity teams can show their leadership and boards how effective they are in meeting NIST and CMMC requirements, moving beyond simple compliance to a measurable improvement in their overall security posture.

New AttackIQ Academy Course & CISO Guide to NIST Security Control Compliance

In conjunction with the release of the Center’s research, AttackIQ is introducing a new AttackIQ Academy course on aligning MITRE ATT&CK to NIST 800-53. The new course is called “Uniting Threat and Risk Management with NIST 800-53 & MITRE ATT&CK” and educates the broader community about how to increase cybersecurity effectiveness and improve NIST compliance, shifting security teams from a fortress mentality to a strategic focus on countering known threats under ATT&CK. By focusing on known threats and deploying scenarios against NIST controls, security teams can improve their cybersecurity posture and compliance effectiveness. In addition to the course, AttackIQ has also created a CISO’s Guide to NIST Security Control Compliance, to help security teams improve their cyberdefense posture.


  • To register for the new AttackIQ Academy course “Uniting Threat and Risk Management with NIST 800-53 & MITRE ATT&CK” visit
  • To download the CISO’s Guide to NIST Security Control Compliance, click here.
  • To learn more about the Center for Threat-Informed Defense, visit here.

About AttackIQ

AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework. The Company is committed to giving back to the cybersecurity community through its free AttackIQ Academy, open Preactive Security Exchange, and partnership with MITRE Engenuity’s Center for Threat Informed Defense. For more information visit Follow AttackIQ on Twitter, Facebook, LinkedIn, and YouTube.