MITRE D3FEND
MITRE D3FEND is a knowledge graph of cybersecurity countermeasure techniques. It is useful for acquisition, architecture comparison, and explaining what a defensive product does in a common vocabulary.
Buyer question
“Which defensive techniques does WWKG naturally support, and where do we still need separate security products?”
WWKG fit
| Assessment area | WWKG fit | Status |
|---|---|---|
| Data integrity | Content addressing, signed commits, branch history, and validation rules support integrity-focused countermeasures. | Native fit |
| Access mediation | Workspace encryption, membership, and delegation provide strong data-access boundaries. | Native fit |
| Isolation | Branches isolate untrusted work from production data; staging branches isolate incomplete imports and agent work. | Native fit |
| Detection and investigation | Events, provenance, validation reports, and commit history provide evidence for investigation. | Partial fit |
| Endpoint and network defense | Host hardening, EDR, SIEM, identity-provider security, and network monitoring remain separate controls. | External responsibility |
What WWKG can say
WWKG is a good D3FEND mapping candidate because D3FEND itself is graph structured. WWKG controls can be described in defensive-technique terms without flattening them into vague security claims.
For example:
- Branch isolation maps to defensive isolation patterns.
- Commit signatures and content hashes map to integrity verification.
- SHACL validation maps to data validation and misuse prevention.
- Encrypted blocks map to data confidentiality.
- Provenance and event trails map to investigation and accountability.
Assessment boundary
D3FEND is a taxonomy and knowledge graph, not a product API. WWKG’s native controls can be mapped to D3FEND countermeasure techniques for procurement, architecture review, and security assessment.
Endpoint defense, network monitoring, identity-provider hardening, and security operations remain separate parts of the buyer’s defensive architecture.