Attack Model Composer

The composer is a scenario builder that turns selected context into a structured attack model. It is designed for defenders and researchers: you get prerequisites, a high-level step sequence, observables, detection hypotheses, and mitigation actions. You can export the result to JSON or Markdown and share it as a link.

Defensive use only. This tool avoids exploit instructions. It focuses on modeling the path and the evidence defenders can use to prevent, detect, and respond.

Tip: your selection is stored in the page URL, so you can share a specific scenario.

If you want a new ring category, better defaults for a specific industry, or a citation included in the reference set, email contact@attackmodels.com.

Standards for defensible, testable generated models

Attack models are most useful when they are specific enough to test, but abstract enough to generalize across environments. The Composer generates structured, defensive models that translate your selected industry, asset, and interface into a chain of prerequisites, actions, observables, mitigations, and measurable outcomes. This structure is the point.

Scope, assumptions, and trust boundaries: A defensible model states what it assumes about zones and conduits, access paths, identity and role requirements, and monitoring coverage. It makes dependencies explicit, such as jump hosts, engineering workstations, remote access brokers, and which segments are assumed reachable. This is what turns a scenario into a repeatable test plan.

Cyber-physical constraints, including physics-informed plausibility: In cyber-physical systems, what is plausible is constrained by process dynamics and safety envelopes, not just cyber access. Strong models reflect protocol semantics and control behavior, such as setpoints versus measurements, write permissions, scan-cycle timing, rate limits, interlocks, and fail-safe states. They also acknowledge physics-informed constraints and invariants that defenders can use as consistency checks, such as conservation relationships, operating ranges, ramp limits, protective thresholds, and agreement between redundant sensors and estimators. These constraints shape which attacker steps are feasible, which are noisy, and what a stealthy path must preserve to avoid obvious alarms.
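
The consistency checks named above (operating range, ramp limit, a conservation relationship, agreement between redundant sensors) can be run directly over historian samples. The following is an added example, not code from the Composer or its maintainers; the single tank, its area, the thresholds, and the sample data are constructed assumptions.

```python
"""Physics-informed consistency checks over historian samples (added example)."""

# Assumed plant parameters for a hypothetical single tank; not from the Composer.
TANK_AREA_M2 = 2.0
LIMITS = {
    "level_range_m": (0.5, 3.0),   # operating range
    "ramp_m_per_s": 0.01,          # ramp limit on level change
    "balance_tol_m": 0.02,         # tolerance on the conservation check
    "sensor_agree_m": 0.03,        # allowed gap between redundant sensors
}

# Constructed samples: (t_s, inflow_m3s, outflow_m3s, level_a_m, level_b_m).
# From t=30 sensor A repeats a stale value while the tank keeps filling.
SAMPLES = [
    (0, 0.02, 0.01, 1.00, 1.00),
    (10, 0.02, 0.01, 1.05, 1.05),
    (20, 0.02, 0.01, 1.10, 1.10),
    (30, 0.02, 0.01, 1.10, 1.15),
    (40, 0.02, 0.01, 1.10, 1.20),
]


def check_invariants(samples, area_m2=TANK_AREA_M2, limits=LIMITS):
    """Return (timestamp, violated_check) pairs; each sample is compared with its predecessor."""
    lo, hi = limits["level_range_m"]
    findings = []
    for (t0, qin0, qout0, a0, _), (t1, _, _, a1, b1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:  # out-of-order or duplicated timestamps cannot be rate-checked
            findings.append((t1, "non_monotonic_timestamp"))
            continue
        if not lo <= a1 <= hi:
            findings.append((t1, "operating_range"))
        if abs(a1 - a0) / dt > limits["ramp_m_per_s"]:
            findings.append((t1, "ramp_limit"))
        # Conservation: the level change must match net flow integrated over dt.
        expected = a0 + (qin0 - qout0) * dt / area_m2
        if abs(a1 - expected) > limits["balance_tol_m"]:
            findings.append((t1, "mass_balance"))
        if abs(a1 - b1) > limits["sensor_agree_m"]:
            findings.append((t1, "redundant_sensor_disagreement"))
    return findings


if __name__ == "__main__":
    for t, name in check_invariants(SAMPLES):
        print(f"t={t}s violated {name}")
```

In the constructed data the stale reading stays inside the operating range and the ramp limit, so only the conservation and redundancy checks flag it.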

Dependencies, coupling, and impact propagation: OT environments are interdependent. A single control change can propagate through upstream and downstream units, trigger protective logic, alter operating margins, or create cascading operational effects across connected subsystems. Adversaries can exploit these couplings with coordinated sequences that distribute intent across multiple small actions, while even simple actions can cause multi-step consequences that only become visible later. A defensible model links each action to its likely impact surface, where impact can spread, and how that spread would manifest.

Indicators, evidence, and outputs defenders can execute: Each step should imply what defenders can measure and how to validate it. That includes authentication and remote access traces, endpoint and engineering tool activity, network flows between zones, configuration drift, and process telemetry patterns in the historian. Good models turn constraints and dependencies into concrete indicators, safe validation tests, and actionable next steps, such as hardening tasks, detection gaps to close, and recovery readiness checks.

These generated models are abstractions intended for education, planning, and hypothesis generation. They do not automatically validate feasibility, asset reachability, safety constraints, or site-specific configuration. The Composer remains useful without site data because it produces a consistent structure that teams can review, annotate, and test. When environment data is available, our tooling, which uses latent methods, builds on the same structure to extend models with reachability and dependency checks, constraint-aware step refinement, and physics-informed consistency signals that help prioritize indicators, impacts, and validation tasks. The research and tooling behind this Composer are maintained by us, and we welcome feedback and collaboration via contact@attackmodels.com.