---
id: framework:mitre-d3fend
type: framework
title: MITRE D3FEND
status: active
confidence: 0.5
sources:
  - 2026-05-09-cybersec-library-overview.md
  - 2026-05-09-cybersec-attack-coverage.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [framework, d3fend, defense, countermeasures]
---

# MITRE D3FEND

## Summary

[MITRE D3FEND](https://d3fend.mitre.org/) is an NSA-funded knowledge graph of **defensive countermeasures** — the inverse of [[framework:mitre-attack]]. Where ATT&CK catalogs how adversaries attack, D3FEND catalogs how defenders harden, detect, isolate, deceive, evict, and restore. Built on an OWL 2 ontology with a shared Digital Artifact layer, it bidirectionally maps defensive countermeasures to ATT&CK offensive techniques. The [[concept:cybersec-skill-library]] uses D3FEND IDs in skill frontmatter (`d3fend_techniques`) to recommend specific countermeasures for detected threats.

> **Source-coverage caveat:** D3FEND gets one paragraph in our raw sources (the library README's framework deep-dive). No captured `mappings/d3fend/` README. Treat technique-level claims with low confidence.

## Claims

- D3FEND v1.3 contains **267 defensive techniques** organized across **7 tactical categories**: Model, Harden, Detect, Isolate, Deceive, Evict, Restore. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.6}`
- D3FEND is built on an OWL 2 ontology with a shared Digital Artifact layer that bidirectionally maps defensive countermeasures to offensive ATT&CK techniques — making it the natural pairing framework for ATT&CK mappings. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.55}`
- The library currently maps **11 skills** to D3FEND defensive countermeasures — the fewest of the five frameworks. `[src: raw/2026-05-09-cybersec-attack-coverage.md] {conf: 0.65}`
- Each skill's `d3fend_techniques` field lists the top 5 most relevant defensive countermeasures derived from the skill's ATT&CK technique tags — i.e. D3FEND mappings are derived from ATT&CK mappings, not authored independently. `[src: raw/2026-05-09-cybersec-attack-coverage.md] {conf: 0.65}`
- Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.55}`

## Relationships

- defends-against → [[framework:mitre-attack]] `{conf: 0.7}`
- complements → [[framework:mitre-attack]] `{conf: 0.7}`
- maps-to → [[concept:cybersec-skill-library]] `{conf: 0.5}`

## Open questions

- [ ] **Source-coverage gap:** Library overview README is the only direct D3FEND source; we lack `mappings/d3fend/README.md` and any per-technique tables. The 11-skill count and derivation methodology need primary-source confirmation.
- [ ] Is the `d3fend_techniques` field populated with friendly names or D3FEND IDs? In `analyzing-threat-actor-ttps-with-mitre-attack` the field uses friendly names ("Executable Denylisting"); in the README example it uses IDs ("D3-MA, D3-PSMD"). Usage is inconsistent in the wild.
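
One way to measure the `d3fend_techniques` inconsistency across skill files (an added example, not the library's own code): it classifies each skill's field as IDs, friendly names, or mixed, and flags lists longer than the stated top 5. Assumptions: the `D3-` ID pattern, the two YAML list shapes handled, the `readme-example` file name, and the sample frontmatter, which is constructed around the values quoted above.

```python
import re

# Assumption: a D3FEND ID is "D3-" plus an uppercase abbreviation, like the README's "D3-MA".
D3FEND_ID = re.compile(r"^D3-[A-Z0-9]+$")
MAX_ENTRIES = 5  # the field is described as holding the top 5 countermeasures

def d3fend_entries(markdown):
    """Return the d3fend_techniques values from a skill file's YAML frontmatter."""
    lines = markdown.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    entries, in_field = [], False
    for line in lines[1:]:
        if line.strip() == "---":  # end of frontmatter
            break
        if line.startswith("d3fend_techniques:"):
            inline = line.split(":", 1)[1].strip()
            # Inline form: [D3-MA, D3-PSMD] or one quoted comma-separated string.
            entries += [v.strip(" \"'") for v in inline.strip("[]\"'").split(",") if v.strip()]
            in_field = not inline  # an empty value means a block list follows
        elif in_field and line.lstrip().startswith("- "):
            entries.append(line.lstrip()[2:].strip(" \"'"))
        elif line.strip():
            in_field = False  # any other key ends the block list
    return entries

def field_style(markdown):
    """Classify one skill's field as 'id', 'name', 'mixed' or 'absent'."""
    kinds = {"id" if D3FEND_ID.match(e) else "name" for e in d3fend_entries(markdown)}
    if not kinds:
        return "absent"
    return kinds.pop() if len(kinds) == 1 else "mixed"

def audit(skills):
    """Group skills ({name: markdown}) by field style and flag lists longer than five."""
    report = {"id": [], "name": [], "mixed": [], "absent": [], "over_limit": []}
    for name, markdown in sorted(skills.items()):
        report[field_style(markdown)].append(name)
        if len(d3fend_entries(markdown)) > MAX_ENTRIES:
            report["over_limit"].append(name)
    return report

# Constructed sample files; only the field values quoted on this page are real.
SAMPLE_SKILLS = {
    "analyzing-threat-actor-ttps-with-mitre-attack":
        "---\nname: sample\nd3fend_techniques:\n  - Executable Denylisting\n---\nbody\n",
    "readme-example":  # hypothetical file name
        "---\nd3fend_techniques: [D3-MA, D3-PSMD]\ntags: [sample]\n---\nbody\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_SKILLS))
```

Run over the real skill directory, non-empty `id` and `name` buckets together would confirm the inconsistency, and the `mixed` bucket would show whether any single skill combines both styles.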

## Changelog

- 2026-05-09 — created
