A new initiative is attempting to address persistent blind spots in cybersecurity caused by application-level attacks, which commonly evade traditional detection methods. Oligo Security, a Tel Aviv-based company established in 2022, has developed the Application Attack Matrix—an open-source taxonomy designed to catalogue application-centric threats and mitigation techniques. Increased reliance on complex software systems and the proliferation of cloud applications have intensified the need for more precise and actionable frameworks to help organizations secure the application layer. While many organizations rely on the established MITRE ATT&CK framework to understand attacker behavior, practical experience has revealed several deficiencies in it when applied to real-world application-based intrusions.
Similar efforts over the past few years have highlighted gaps in current threat modeling, especially related to attacks within the software supply chain and application runtime environments. Researchers and practitioners have debated the effectiveness of broad frameworks like MITRE’s, as these sometimes group disparate threats under general headings. Initiatives parallel to Oligo Security’s have also called for greater specificity and community collaboration, but few have focused exclusively on dissecting application-layer tactics across various deployment architectures such as containers, serverless, and hybrid cloud setups.
What Sets the Application Attack Matrix Apart?
Whereas the MITRE ATT&CK framework outlines tactics and techniques at a broad level—often encompassing a variety of application attacks under single entries—the Application Attack Matrix aims to deliver a more nuanced breakdown. According to Oligo Security’s co-founder and CTO, Gal Elbaz, this matrix dissects incidents down to the root behaviors within the application environment.
“Most of the approaches that we know today are focused on the post-exploit technique, and on the infrastructure and endpoint,” he said, explaining that this method often leaves gaps in understanding the true intrusion paths attackers exploit.
How Does the Matrix Address App-Layer Blind Spots?
By mapping pre-intrusion, intrusion, post-intrusion, and impact phases, the matrix distinguishes specific exploitation methods at the application level, such as command injection, Lightweight Directory Access Protocol (LDAP) injection, XML injection, and SQL injection. These techniques are often hidden within catch-all MITRE categories, making precise detection and response difficult. The matrix also differentiates between issues like exploited vulnerabilities, bypassed controls, unauthorized logins, or compromises originating from the software supply chain, including vulnerable packages for Python, Java, Go, or Node.
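To make the granularity argument concrete, here is an added Python example (not Oligo's code and not data from the Application Attack Matrix itself). It runs simple detection rules over a few constructed request and dependency events, labels each hit with one of the fine-grained technique names the article lists (SQL, command, LDAP and XML injection, and a vulnerable supply-chain package), attaches it to one of the four phases named above, and then shows how the same hits collapse into a single coarse ATT&CK bucket. The phase names and technique names come from the article; the JSON event format, the regexes, the assignment of each technique to a phase, and the use of ATT&CK T1190 (Exploit Public-Facing Application) and T1195 (Supply Chain Compromise) as the coarse buckets are this example's own assumptions.

```python
"""Added example: fine-grained application-level labelling versus one coarse bucket.

Not the matrix's own data or tooling. Phase assignment and detection regexes are
assumptions of this example; the ATT&CK ids are used only as the well-known
coarse categories the article says such attacks usually fall under.
"""
import json
import re
from collections import Counter
from typing import Optional, Tuple
from urllib.parse import unquote_plus

# Phases as listed in the article.
PHASES = ("pre-intrusion", "intrusion", "post-intrusion", "impact")

# (technique label from the article, assumed phase, illustrative regex applied
# to the URL-decoded query string plus request body). The regexes are deliberately
# minimal teaching patterns, not production detection signatures.
RULES = [
    ("SQL injection", "intrusion",
     re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)),
    ("Command injection", "intrusion",
     re.compile(r"[;&|`]\s*(cat|id|whoami|ls|sh)\b", re.I)),
    ("LDAP injection", "intrusion",
     re.compile(r"\*\)\s*\(|\)\s*\(\|")),
    ("XML injection", "intrusion",
     re.compile(r"<!(DOCTYPE|ENTITY)", re.I)),
]

# Constructed sample events, serialised as JSON lines the way a collector might
# emit them. None of these come from a real incident.
SAMPLE_EVENTS = [
    {"kind": "request", "path": "/search", "query": "q=shoes"},
    {"kind": "request", "path": "/search", "query": "q=%27+OR+1%3D1--"},
    {"kind": "request", "path": "/ping", "query": "host=127.0.0.1%3Bid"},
    {"kind": "request", "path": "/users", "query": "name=*)(uid=*"},
    {"kind": "request", "path": "/api/import", "query": "",
     "body": "<!DOCTYPE note [<!ENTITY e 'x'>]>"},
    {"kind": "dependency", "ecosystem": "npm", "package": "example-lib",
     "version": "1.2.3", "known_vulnerable": True},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


def parse_event(line: str) -> dict:
    """One JSON object per line (assumed log format)."""
    return json.loads(line)


def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (technique, phase) for an event, or None when nothing matches."""
    if event.get("kind") == "dependency":
        # Supply-chain origin: a dependency already known to be vulnerable.
        # Placing it in "pre-intrusion" is this example's assumption.
        if event.get("known_vulnerable"):
            return ("Vulnerable package (supply chain)", "pre-intrusion")
        return None
    decoded = unquote_plus(event.get("query", "")) + " " + event.get("body", "")
    for technique, phase, rx in RULES:
        if rx.search(decoded):
            return (technique, phase)
    return None


def coarse_bucket(technique: str) -> str:
    """The single broad ATT&CK entry these techniques would usually land in."""
    if technique.startswith("Vulnerable package"):
        return "T1195 Supply Chain Compromise"
    return "T1190 Exploit Public-Facing Application"


def summarize(lines) -> Tuple[Counter, Counter]:
    """Count hits by (phase, technique) and, separately, by coarse bucket."""
    fine, coarse = Counter(), Counter()
    for line in lines:
        hit = classify(parse_event(line))
        if hit is None:
            continue
        technique, phase = hit
        fine[(phase, technique)] += 1
        coarse[coarse_bucket(technique)] += 1
    return fine, coarse


if __name__ == "__main__":
    fine, coarse = summarize(SAMPLE_LOG)
    print("Fine-grained (phase, technique):")
    for (phase, technique), n in sorted(fine.items()):
        print(f"  {phase:<14} {technique:<36} {n}")
    print("Coarse ATT&CK buckets:")
    for bucket, n in sorted(coarse.items()):
        print(f"  {bucket:<40} {n}")
```

Running it shows four distinct intrusion-phase techniques plus one pre-intrusion supply-chain finding on the fine-grained side, while the coarse side reports only "4 x T1190, 1 x T1195"; the mitigation for each fine-grained row (parameterised queries, argument-array process spawning, LDAP filter escaping, disabling external entities, dependency upgrades) differs, which is exactly the detail the coarse view hides.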
Is Community Collaboration Central to This Approach?
Oligo Security positions the Application Attack Matrix as a collaborative, ongoing project with contributions welcomed from the broader security community. The company indicates that support from threat intelligence experts, enterprise security leaders, and organizations including MITRE has shaped the framework’s early development. According to Avi Lumelsky, an AI security researcher at Oligo Security, the matrix deconstructs attack techniques for various environments, from regular servers to Kubernetes containers, without tying itself to specific platforms or service providers.
Oligo’s focus on open sourcing the Application Attack Matrix through platforms such as GitHub reflects a trend toward community-developed security resources. The framework serves not only as a tool for categorizing application-layer threats but also as a foundation for developing more targeted threat intelligence, incident response playbooks, and defense strategies. By centering on real-world application attack scenarios, including attacks like Log4Shell, MOVEit, and the SolarWinds incident, stakeholders can better understand attacker tactics that typically go undetected by traditional security controls.
Deployment of this new matrix can potentially shift organizations’ focus from solely infrastructure and endpoint defense to encompassing deeper application-layer visibility. As escalating application complexity introduces new vulnerabilities, a refined understanding of intrusions at the software layer becomes increasingly relevant. The matrix offers organizations the means to more accurately distinguish classes of attack and tie mitigations to the underlying techniques, potentially reducing incident impact and improving detection. For security professionals, adopting frameworks like the Application Attack Matrix may reveal previously unrecognized risks, especially in cloud-native and microservice-heavy architectures. Evaluating and adapting to new frameworks in cooperation with the security community could be valuable for organizations seeking to strengthen app-focused defense strategies.