14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

OWASP API Top 10 ↔ OWASP LLM Top 10 — 29 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
API1:2023 Broken Object Level Authorization (BOLA)	LLM02:2025 Sensitive Information Disclosure	9	T1592, T1595, T1005, T1119
API1:2023 Broken Object Level Authorization (BOLA)	LLM03:2025 Supply Chain	6	T1005, T1041, T1485, T1490
API1:2023 Broken Object Level Authorization (BOLA)	LLM04:2025 Data and Model Poisoning	6	T1005, T1041, T1490, T1078
API1:2023 Broken Object Level Authorization (BOLA)	LLM05:2025 Improper Output Handling	5	T1119, T1041, T1490, T1068
API1:2023 Broken Object Level Authorization (BOLA)	LLM06:2025 Excessive Agency	5	T1005, T1485, T1490, T1133
API1:2023 Broken Object Level Authorization (BOLA)	LLM07:2025 System Prompt Leakage	5	T1005, T1041, T1490, T1552
API6:2023 Unrestricted Access to Sensitive Business Flows	LLM04:2025 Data and Model Poisoning	5	T1078, T1068, T1005, T1071
API6:2023 Unrestricted Access to Sensitive Business Flows	LLM05:2025 Improper Output Handling	5	T1190, T1059, T1068, T1071
API7:2023 Server-Side Request Forgery (SSRF)	LLM04:2025 Data and Model Poisoning	5	T1082, T1005, T1041, T1499
API8:2023 Security Misconfiguration	LLM05:2025 Improper Output Handling	5	T1190, T1068, T1119, T1041
API8:2023 Security Misconfiguration	LLM06:2025 Excessive Agency	5	T1133, T1059.003, T1068, T1070.004
API3:2023 Broken Object Property Level Authorization (BOPLA)	LLM02:2025 Sensitive Information Disclosure	4	T1087, T1530, T1567, T1083
API3:2023 Broken Object Property Level Authorization (BOPLA)	LLM03:2025 Supply Chain	4	T1485, T1490, T1565.001, T1083
API3:2023 Broken Object Property Level Authorization (BOPLA)	LLM04:2025 Data and Model Poisoning	4	T1078, T1490, T1003, T1083
API3:2023 Broken Object Property Level Authorization (BOPLA)	LLM05:2025 Improper Output Handling	4	T1490, T1003, T1083, T1059
API6:2023 Unrestricted Access to Sensitive Business Flows	LLM02:2025 Sensitive Information Disclosure	4	T1087, T1005, T1074, T1567
API7:2023 Server-Side Request Forgery (SSRF)	LLM03:2025 Supply Chain	4	T1082, T1005, T1041, T1490
API7:2023 Server-Side Request Forgery (SSRF)	LLM05:2025 Improper Output Handling	4	T1190, T1041, T1499, T1490
API7:2023 Server-Side Request Forgery (SSRF)	LLM07:2025 System Prompt Leakage	4	T1190, T1005, T1041, T1490
API8:2023 Security Misconfiguration	LLM03:2025 Supply Chain	4	T1059.003, T1068, T1021.001, T1041
API3:2023 Broken Object Property Level Authorization (BOPLA)	LLM07:2025 System Prompt Leakage	3	T1490, T1003, T1083
API6:2023 Unrestricted Access to Sensitive Business Flows	LLM06:2025 Excessive Agency	3	T1068, T1562, T1005
API7:2023 Server-Side Request Forgery (SSRF)	LLM02:2025 Sensitive Information Disclosure	3	T1018, T1005, T1041
API7:2023 Server-Side Request Forgery (SSRF)	LLM06:2025 Excessive Agency	3	T1005, T1071.001, T1490
API8:2023 Security Misconfiguration	LLM04:2025 Data and Model Poisoning	3	T1068, T1041, T1499

Showing top 25 of 34 control pairs.

Show non-overlap — OWASP API Top 10 techniques NOT covered by OWASP LLM Top 10 (28)

T1003.001, T1003.008, T1020, T1046, T1055, T1074.001, T1078.004, T1087.001, T1087.004, T1090.003, T1098, T1098.005, T1110, T1110.003, T1110.004, T1136, T1498, T1498.001, T1537, T1539, T1550.001, T1550.004, T1552.001, T1552.007, T1552.008, T1556.006, T1572, T1595.002

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.