MITRE D3FEND
MITRE's knowledge graph of defensive cybersecurity countermeasures, explicitly mapped to the ATT&CK techniques they mitigate.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber
Last reviewed June 20, 2026
Definition
D3FEND is a knowledge graph and matrix of defensive countermeasures developed by MITRE under NSA funding. Where ATT&CK catalogs what attackers do, D3FEND catalogs what defenders can do, organized by tactic (Harden, Detect, Isolate, Deceive, Evict, Restore) and broken into specific defensive techniques with clear ontological relationships to the digital artifacts they affect. Each D3FEND technique is explicitly mapped to the ATT&CK techniques it counters, giving security teams an evidence-based bridge from threat to control.
What the regulation says
D3FEND is not directly cited by FDA, but it is referenced in the HSCC Medical Device and Health IT Joint Security Plan and is increasingly used by notified bodies reviewing EU MDR Annex I cyber requirements to evidence that selected controls actually counter identified threats.
What this means in practice
For MedTech, D3FEND lets you justify a control library against the threats in your threat model. If your model identifies T1190 (Exploit Public-Facing Application) as a credible threat, D3FEND points you to specific defensive techniques (Application Hardening, Network Traffic Filtering, Process Spawn Analysis) and connects each to measurable design elements that can appear in your security architecture, IEC 81001-5-1 conformance evidence, or premarket cybersecurity submission.
Common pitfalls
- Treating D3FEND as a control catalog and ignoring its ontology. The value is in the typed relationships between artifact, technique, and digital effect.
- Mapping controls to D3FEND in isolation without first mapping threats to ATT&CK. The bridge breaks both ways.
- Expecting 1:1 coverage. Many ATT&CK techniques have multiple D3FEND counters, and some have none.
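The threat-to-control bridge described above, as an added example that is not from the original page or from MITRE: it joins a threat model's ATT&CK ids to D3FEND counters and then to implemented controls, and flags the cases the pitfalls list warns about. Only the T1190 row comes from the page; the placeholder technique ids, the control names, and the threat model are constructed assumptions, and a real run would load the mapping from the published D3FEND ATT&CK mappings.

```python
# Constructed excerpt of an ATT&CK -> D3FEND mapping. Only the T1190 row comes
# from the page; the T-PLACEHOLDER ids are stand-ins, not real ATT&CK ids.
ATTACK_TO_D3FEND = {
    "T1190": {"Application Hardening", "Network Traffic Filtering",
              "Process Spawn Analysis"},
    "T-PLACEHOLDER-A": {"Network Traffic Filtering"},
    "T-PLACEHOLDER-B": set(),  # a technique with no D3FEND counter
}
# Hypothetical threat model and control library (control names are made up).
THREAT_MODEL = ["T1190", "T-PLACEHOLDER-A", "T-PLACEHOLDER-B"]
CONTROL_LIBRARY = {
    "CTRL-01 compiler hardening flags": {"Application Hardening"},
    "CTRL-02 child-process monitoring": {"Process Spawn Analysis"},
    "CTRL-03 decoy service account": {"Decoy User Credential"},
}


def coverage_report(threats, mapping, controls):
    """Join threats -> D3FEND counters -> implemented controls."""
    # Invert the control library: D3FEND technique -> controls implementing it.
    implemented = {}
    for control, techniques in controls.items():
        for tech in techniques:
            implemented.setdefault(tech, set()).add(control)
    report = {"covered": {}, "gaps": {}, "no_counter": [], "unmapped": []}
    relevant = set()  # every D3FEND technique that counters a modeled threat
    for threat in threats:
        if threat not in mapping:  # threat was never mapped to ATT&CK data
            report["unmapped"].append(threat)
            continue
        counters = mapping[threat]
        relevant |= counters
        if not counters:  # D3FEND offers nothing: needs separate justification
            report["no_counter"].append(threat)
            continue
        hits = {t: sorted(implemented[t]) for t in sorted(counters) if t in implemented}
        if hits:
            report["covered"][threat] = hits
        else:  # counters exist but none is implemented
            report["gaps"][threat] = sorted(counters)
    # Controls mapped to D3FEND techniques that counter no modeled threat.
    report["orphan_controls"] = sorted(
        c for c, techs in controls.items() if not techs & relevant)
    return report


if __name__ == "__main__":
    print(coverage_report(THREAT_MODEL, ATTACK_TO_D3FEND, CONTROL_LIBRARY))
```
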