14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

ISO 27701 ↔ OWASP API Top 10 — 18 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
A.7.4.1 Limit collection	API1:2023 Broken Object Level Authorization (BOLA)	7	T1005, T1041, T1083, T1119
A.7.4.5 PII de-identification and deletion at the end o…	API1:2023 Broken Object Level Authorization (BOLA)	7	T1083, T1005, T1041, T1530
A.7.4.5 PII de-identification and deletion at the end o…	API3:2023 Broken Object Property Level Authorization (BOPLA)	6	T1083, T1530, T1567, T1078
A.7.5.1 Identify basis for PII transfer between jurisdi…	API1:2023 Broken Object Level Authorization (BOLA)	6	T1078, T1005, T1041, T1485
A.7.4.1 Limit collection	API7:2023 Server-Side Request Forgery (SSRF)	5	T1005, T1041, T1071.001, T1190
A.7.4.1 Limit collection	API8:2023 Security Misconfiguration	5	T1041, T1071.001, T1119, T1190
A.7.4.5 PII de-identification and deletion at the end o…	API6:2023 Unrestricted Access to Sensitive Business Flows	5	T1005, T1567, T1078, T1071
A.7.4.1 Limit collection	API3:2023 Broken Object Property Level Authorization (BOPLA)	4	T1083, T1530, T1567, T1003
A.7.4.1 Limit collection	API6:2023 Unrestricted Access to Sensitive Business Flows	4	T1005, T1567, T1190, T1068
A.7.5.1 Identify basis for PII transfer between jurisdi…	API6:2023 Unrestricted Access to Sensitive Business Flows	4	T1078, T1005, T1068, T1071
A.7.4.5 PII de-identification and deletion at the end o…	API7:2023 Server-Side Request Forgery (SSRF)	3	T1005, T1041, T1018
A.7.5.1 Identify basis for PII transfer between jurisdi…	API3:2023 Broken Object Property Level Authorization (BOPLA)	3	T1078, T1003, T1485
A.7.5.1 Identify basis for PII transfer between jurisdi…	API7:2023 Server-Side Request Forgery (SSRF)	3	T1082, T1005, T1041
A.7.5.1 Identify basis for PII transfer between jurisdi…	API8:2023 Security Misconfiguration	3	T1041, T1068, T1133
A.7.5.1 Identify basis for PII transfer between jurisdi…	API2:2023 Broken Authentication	2	T1078, T1068
A.7.4.1 Limit collection	API2:2023 Broken Authentication	1	T1068
A.7.4.5 PII de-identification and deletion at the end o…	API2:2023 Broken Authentication	1	T1078
A.7.4.5 PII de-identification and deletion at the end o…	API8:2023 Security Misconfiguration	1	T1041

Show non-overlap — ISO 27701 techniques NOT covered by OWASP API Top 10 (11)

T1021, T1025, T1027, T1039, T1048, T1053, T1486, T1555, T1560, T1566, T1573

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.