Application Attack Matrix

Pre-Intrusion Intrusion Post-Intrusion Impact
Reconnaissance Resource Development Impact
Application API Specification Harvesting Compromised Code Signing and Build Infrastructure Authentication Bypass Execution Using Standard Applicative Flow C2 over App-Protocols Cloud Service Discovery Service Disruption
Application Dependencies Mapping Develop Capabilities Content Injection (Network traffic) Injection Exploitations Disable Runtime Protection Service Exploitation for Credential Access Data Destruction
Gather Application Configuration Information Obtain Capabilities External Remote Services Remote Code Execution Exploitation Exploitation for Defense Evasion Exploitation of Remote Services Data Manipulation
Public Source Code and Artifacts Analysis Third-Party Dependency Poisoning Service Standard API Request Forgery Exploitation for Privilege Escalation Service-to-Service Trust Abuse Data Encryption
Reverse Engineering Supply Chain Compromise Implant Internal Image Internal Data Harvesting Data Exfiltration
Valid Accounts Masquerading Business Logic Manipulation
Scheduled Task Resource Hijacking
Server Software Component Defacement
Financial Theft

Disclaimer

The Application Security Tactics & Techniques Matrix is a community initiative to educate readers on the potential of application-level tactics, techniques, and procedures (TTPs). It is not intended to teach how to weaponize or specifically abuse them.

Source Frameworks

Techniques in this matrix are derived from and cross-referenced to:

  • OWASP: OWASP Top 10:2025, the foundational web application security risk taxonomy. Cells with this badge map primarily to an OWASP Top 10:2025 risk class. Every technique and sub-technique page carries an explicit OWASP Mapping field, and the full inverse mapping is in OWASP Top 10:2025 Mapping.
  • MITRE: MITRE ATT&CK Enterprise, for techniques that originate in or extend the ATT&CK Enterprise matrix. MITRE-originated technique pages carry an explicit MITRE Mapping field, and the full inverse mapping is in MITRE ATT&CK Enterprise Mapping.
  • NEW: matrix-original application-layer techniques not yet present in either source framework, derived from published real-world incident analysis (see Attacks and the Bybit Campaign).