Framework crosswalk
14 frameworks, 127 controls
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.
| | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | | | 0.18 |
| EU CRA | | | | | | | | | | | | | | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | |

Blank cells are the diagonal (a framework against itself) and EU CRA, for which no score is shown on the page.
PCI DSS v4 ↔ OWASP API Top 10 — 24 shared techniques

| Control A | Control B | Shared | Examples |
|---|---|---|---|
| Requirement 11 Test Security of Systems and Networks Regularly | API6:2023 Unrestricted Access to Sensitive Business Flows | 7 | T1190, T1046, T1087, T1068 |
| Requirement 3 Protect Stored Account Data | API1:2023 Broken Object Level Authorization (BOLA) | 7 | T1552, T1083, T1005, T1041 |
| Requirement 10 Log and Monitor All Access to System Components… | API6:2023 Unrestricted Access to Sensitive Business Flows | 6 | T1078, T1136, T1005, T1087 |
| Requirement 11 Test Security of Systems and Networks Regularly | API1:2023 Broken Object Level Authorization (BOLA) | 6 | T1083, T1068, T1552, T1005 |
| Requirement 11 Test Security of Systems and Networks Regularly | API7:2023 Server-Side Request Forgery (SSRF) | 6 | T1190, T1046, T1005, T1041 |
| Requirement 4 Protect Cardholder Data with Strong Cryptograph… | API1:2023 Broken Object Level Authorization (BOLA) | 6 | T1133, T1078, T1068, T1005 |
| Requirement 4 Protect Cardholder Data with Strong Cryptograph… | API6:2023 Unrestricted Access to Sensitive Business Flows | 6 | T1190, T1078, T1068, T1046 |
| Requirement 4 Protect Cardholder Data with Strong Cryptograph… | API7:2023 Server-Side Request Forgery (SSRF) | 5 | T1190, T1046, T1005, T1041 |
| Requirement 4 Protect Cardholder Data with Strong Cryptograph… | API8:2023 Security Misconfiguration | 5 | T1133, T1190, T1068, T1046 |
| Requirement 10 Log and Monitor All Access to System Components… | API1:2023 Broken Object Level Authorization (BOLA) | 4 | T1078, T1136, T1005, T1041 |
| Requirement 11 Test Security of Systems and Networks Regularly | API3:2023 Broken Object Property Level Authorization (BOPLA) | 4 | T1087, T1083, T1003, T1490 |
| Requirement 11 Test Security of Systems and Networks Regularly | API8:2023 Security Misconfiguration | 4 | T1190, T1046, T1068, T1041 |
| Requirement 3 Protect Stored Account Data | API3:2023 Broken Object Property Level Authorization (BOPLA) | 4 | T1003, T1083, T1567, T1485 |
| Requirement 3 Protect Stored Account Data | API6:2023 Unrestricted Access to Sensitive Business Flows | 4 | T1190, T1005, T1567, T1068 |
| Requirement 3 Protect Stored Account Data | API8:2023 Security Misconfiguration | 4 | T1190, T1041, T1070.004, T1068 |
| Requirement 8 Identify Users and Authenticate Access to Syste… | API3:2023 Broken Object Property Level Authorization (BOPLA) | 4 | T1078, T1098, T1003, T1087 |
| Requirement 8 Identify Users and Authenticate Access to Syste… | API6:2023 Unrestricted Access to Sensitive Business Flows | 4 | T1078, T1110, T1087, T1071 |
| Requirement 10 Log and Monitor All Access to System Components… | API3:2023 Broken Object Property Level Authorization (BOPLA) | 3 | T1078, T1003, T1087 |
| Requirement 10 Log and Monitor All Access to System Components… | API7:2023 Server-Side Request Forgery (SSRF) | 3 | T1005, T1041, T1190 |
| Requirement 10 Log and Monitor All Access to System Components… | API8:2023 Security Misconfiguration | 3 | T1055, T1041, T1190 |
| Requirement 3 Protect Stored Account Data | API7:2023 Server-Side Request Forgery (SSRF) | 3 | T1190, T1005, T1041 |
| Requirement 4 Protect Cardholder Data with Strong Cryptograph… | API3:2023 Broken Object Property Level Authorization (BOPLA) | 3 | T1078, T1020, T1003 |
| Requirement 4 Protect Cardholder Data with Strong Cryptograph… | API2:2023 Broken Authentication | 2 | T1078, T1068 |
| Requirement 8 Identify Users and Authenticate Access to Syste… | API1:2023 Broken Object Level Authorization (BOLA) | 2 | T1078, T1133 |
| Requirement 8 Identify Users and Authenticate Access to Syste… | API2:2023 Broken Authentication | 2 | T1078, T1098 |
Showing top 25 of 29 control pairs.
Non-overlap: PCI DSS v4 techniques not covered by OWASP API Top 10 (15)
T1021, T1027, T1039, T1040, T1056, T1070.001, T1070.002, T1486, T1543.003, T1547, T1547.001, T1550, T1555, T1562.002, T1566
Source: compliance_mappings (127 controls across 14 frameworks). Jaccard is computed on the union of applicable_techniques over every control in a framework; control-pair rows count the techniques the two controls share. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.
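The scoring described above, reproduced on a small constructed mapping as an added example (not the page's own code or the compliance_mappings dataset): each framework's technique set is the union of applicable_techniques over its controls, frameworks are compared by Jaccard similarity, control pairs are ranked by shared techniques, and the non-overlap set is the difference of the two unions. Control names and technique assignments below are illustrative.

```python
from itertools import combinations

# Constructed sample: framework -> control -> applicable ATT&CK technique IDs.
# Assumption for illustration only; not the real control-to-technique mapping.
MAPPINGS = {
    "PCI DSS v4": {
        "Requirement 3": {"T1552", "T1083", "T1005", "T1041"},
        "Requirement 11": {"T1190", "T1046", "T1087", "T1068"},
    },
    "OWASP API Top 10": {
        "API1:2023": {"T1552", "T1083", "T1005", "T1068", "T1078"},
        "API7:2023": {"T1190", "T1046", "T1005", "T1041"},
    },
}


def framework_techniques(fw):
    """Union of applicable_techniques over every control in a framework."""
    return set().union(*MAPPINGS[fw].values())


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty sets score 0 rather than dividing by zero."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def crosswalk():
    """Pairwise similarity, rounded to 2 dp as the matrix displays it."""
    return {
        (x, y): round(jaccard(framework_techniques(x), framework_techniques(y)), 2)
        for x, y in combinations(MAPPINGS, 2)
    }


def control_pairs(fw_a, fw_b):
    """(control A, control B, shared count, shared IDs), most shared first."""
    rows = []
    for ca, ta in MAPPINGS[fw_a].items():
        for cb, tb in MAPPINGS[fw_b].items():
            shared = ta & tb
            if shared:
                rows.append((ca, cb, len(shared), sorted(shared)))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def non_overlap(fw_a, fw_b):
    """Techniques in fw_a's union that no control in fw_b maps to."""
    return sorted(framework_techniques(fw_a) - framework_techniques(fw_b))
```

A sub-technique such as T1070.004 is treated as a distinct ID here, exactly as it appears in the tables; collapsing it to its parent would change both the counts and the scores.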