14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

PCI DSS v4 ↔ EU AI Act — 19 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
Requirement 3 Protect Stored Account Data	Art. 10 Data and data governance	10	T1190, T1566, T1003, T1083
Requirement 11 Test Security of Systems and Networks Regularly	Art. 10 Data and data governance	9	T1190, T1083, T1068, T1003
Requirement 11 Test Security of Systems and Networks Regularly	Art. 15 Accuracy, robustness and cybersecurity	9	T1190, T1087, T1083, T1068
Requirement 3 Protect Stored Account Data	Art. 15 Accuracy, robustness and cybersecurity	9	T1190, T1566, T1003, T1083
Requirement 4 Protect Cardholder Data with Strong Cryptograph…	Art. 10 Data and data governance	8	T1190, T1078, T1068, T1005
Requirement 4 Protect Cardholder Data with Strong Cryptograph…	Art. 15 Accuracy, robustness and cybersecurity	8	T1190, T1078, T1068, T1005
Requirement 10 Log and Monitor All Access to System Components…	Art. 10 Data and data governance	7	T1078, T1003, T1005, T1041
Requirement 10 Log and Monitor All Access to System Components…	Art. 15 Accuracy, robustness and cybersecurity	7	T1078, T1003, T1005, T1041
Requirement 10 Log and Monitor All Access to System Components…	Art. 12 Record keeping	6	T1070.001, T1070.002, T1003, T1041
Requirement 11 Test Security of Systems and Networks Regularly	Art. 12 Record keeping	5	T1087, T1003, T1071, T1041
Requirement 3 Protect Stored Account Data	Art. 12 Record keeping	5	T1003, T1041, T1485, T1070.004
Requirement 8 Identify Users and Authenticate Access to Syste…	Art. 15 Accuracy, robustness and cybersecurity	4	T1078, T1003, T1087, T1071
Requirement 4 Protect Cardholder Data with Strong Cryptograph…	Art. 12 Record keeping	3	T1071, T1041, T1003
Requirement 8 Identify Users and Authenticate Access to Syste…	Art. 10 Data and data governance	3	T1078, T1003, T1071
Requirement 8 Identify Users and Authenticate Access to Syste…	Art. 12 Record keeping	3	T1003, T1087, T1071

Show non-overlap — PCI DSS v4 techniques NOT covered by EU AI Act (20)

T1018, T1020, T1021, T1039, T1040, T1046, T1055, T1056, T1098, T1110, T1133, T1136, T1543.003, T1550, T1552, T1555, T1562, T1562.002, T1567, T1572

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.