14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

OWASP LLM Top 10 ↔ ISO 27701 — 23 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
LLM02:2025 Sensitive Information Disclosure	A.7.4.5 PII de-identification and deletion at the end o…	8	T1005, T1530, T1560, T1041
LLM04:2025 Data and Model Poisoning	A.7.5.1 Identify basis for PII transfer between jurisdi…	8	T1078, T1068, T1003, T1082
LLM04:2025 Data and Model Poisoning	A.7.4.1 Limit collection	7	T1068, T1003, T1082, T1083
LLM04:2025 Data and Model Poisoning	A.7.4.5 PII de-identification and deletion at the end o…	7	T1078, T1003, T1083, T1005
LLM05:2025 Improper Output Handling	A.7.4.1 Limit collection	7	T1190, T1068, T1003, T1083
LLM02:2025 Sensitive Information Disclosure	A.7.4.1 Limit collection	6	T1005, T1119, T1530, T1041
LLM05:2025 Improper Output Handling	A.7.4.5 PII de-identification and deletion at the end o…	6	T1059, T1003, T1083, T1021
LLM05:2025 Improper Output Handling	A.7.5.1 Identify basis for PII transfer between jurisdi…	6	T1068, T1027, T1003, T1071
LLM06:2025 Excessive Agency	A.7.5.1 Identify basis for PII transfer between jurisdi…	6	T1485, T1486, T1068, T1005
LLM07:2025 System Prompt Leakage	A.7.4.1 Limit collection	6	T1190, T1083, T1003, T1005
LLM03:2025 Supply Chain	A.7.4.1 Limit collection	5	T1068, T1082, T1083, T1005
LLM03:2025 Supply Chain	A.7.5.1 Identify basis for PII transfer between jurisdi…	5	T1068, T1082, T1005, T1041
LLM06:2025 Excessive Agency	A.7.4.1 Limit collection	5	T1486, T1068, T1005, T1039
LLM07:2025 System Prompt Leakage	A.7.4.5 PII de-identification and deletion at the end o…	5	T1083, T1552, T1003, T1005
LLM07:2025 System Prompt Leakage	A.7.5.1 Identify basis for PII transfer between jurisdi…	5	T1003, T1027, T1005, T1039
LLM02:2025 Sensitive Information Disclosure	A.7.5.1 Identify basis for PII transfer between jurisdi…	3	T1005, T1041, T1027
LLM03:2025 Supply Chain	A.7.4.5 PII de-identification and deletion at the end o…	3	T1083, T1005, T1041
LLM06:2025 Excessive Agency	A.7.4.5 PII de-identification and deletion at the end o…	1	T1005

Show non-overlap — OWASP LLM Top 10 techniques NOT covered by ISO 27701 (30)

T1021.001, T1036, T1056, T1059.001, T1059.003, T1059.004, T1070.004, T1074, T1087, T1105, T1195, T1195.001, T1195.002, T1203, T1490, T1497.001, T1499, T1531, T1547, T1547.001, T1562, T1562.001, T1565.001, T1566.001, T1567.002, T1592, T1592.002, T1592.004, T1595, T1598

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.