
Bridging the Gap Between Cloud Security Controls and Adversary Behaviors: A CSA–MITRE Collaboration

Published 02/02/2026

Written by Eleftherios Skoutaris, AVP of GRC Solutions, CSA EMEA.

As cloud adoption accelerates across industries, the complexity and volume of cloud-specific threats have grown in parallel. Security professionals are increasingly turning to standardized frameworks and methodologies to guide their defense strategies. The MITRE ATT&CK® framework provides a detailed knowledge base of adversary tactics and techniques, while the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) defines robust, domain-specific control objectives to secure cloud environments.

However, a critical disconnect remains.

 

The Challenge

While CSA’s CCM offers robust controls designed to counter well-known top threats and MITRE ATT&CK delivers the technological foundation showing how adversaries realize these threats through specific techniques, a critical gap remains: there is no authoritative, standardized mapping linking these two powerful resources. This disconnect gives rise to several operational and strategic issues:

  • Control Effectiveness Ambiguity: Security teams often struggle to demonstrate how their implemented CCM controls address specific ATT&CK techniques and tactics.
  • Potential Defense Gaps: Without a clear understanding of which controls mitigate which adversarial behaviors, organizations risk deploying controls that do not adequately cover real-world threats.
  • Quantifying Risk Reduction: There is no systematic way to articulate how much risk is reduced by specific CCM controls in the context of ATT&CK-described threats.
  • Lack of a Unified Assessment Foundation: The industry lacks a technical foundation for conducting threat-informed cyber assessments based on widely used cloud security process models like the CCM and CSA STAR program.

 

A Joint Solution: CSA and MITRE Collaboration

To address this gap, CSA collaborated with MITRE’s Center for Threat-Informed Defense (CTID) on a strategic project to map CCM v4.1 to adversary behaviors described in the MITRE ATT&CK framework. This project applies CTID’s Security Capability Mapping Methodology, providing a common technical foundation for aligning cloud-native security controls with real-world adversary behavior.

By connecting specific CCM control objectives to ATT&CK techniques and sub-techniques, this initiative empowers cloud service providers and their customers to conduct rigorous, threat-informed assessments and reinforce cloud environments’ defenses with greater clarity and precision.

This mapping will be embedded into the CCM and the CAIQ security questionnaire, helping organizations apply security controls based on real-world threat considerations and assess their effectiveness in a more focused way.

 

Value Proposition

This collaboration delivers concrete benefits to service providers, internal assessors and auditors, GRC teams, and security practitioners across the cloud security ecosystem:

  • Enhanced Threat-Informed Defense: Organizations can align their controls directly with known attacker tactics and techniques.
  • Improved Threat Visibility: Gaps in the security posture become evident when unmapped ATT&CK techniques are identified.
  • Prioritized Control Implementation: Security teams can focus on implementing high-impact controls that mitigate the most pressing risk-based threats.
  • Stronger Security Assurance and Certification: Integrating ATT&CK insights into CCM assessments enhances the credibility and depth of CSP audits and STAR certifications.
  • Industry Reciprocity at Scale: This mapping creates a common language for threat-informed defense and assessments, paving the way for broader reciprocity in cloud security and across compliance and certification programs, ultimately reducing compliance costs and overhead across the industry.

 

Conclusion

As the cloud threat landscape evolves, so too must the methodologies we use to defend against it. By bridging the gap between threat frameworks (MITRE ATT&CK) and control frameworks (CSA CCM), this project brings forward a shared, threat-informed approach to cloud security assessments.

This partnership not only strengthens the value of the CCM and STAR program but also sets a new precedent for practical, threat-informed cloud security guidance.

Download the mapping today.
