This repository provides a concise mapping between Software Supply Chain Exploit Chains (SCEC) and the MITRE ATT&CK® framework, helping DevSecOps and platform engineering teams understand how supply chain attacks propagate across CI/CD pipelines and live production systems.
Maintained as part of the Ortelius open-source ecosystem.
MITRE ATT&CK defines adversary behavior but does not explicitly model software supply chain attack paths.
The SCEC model describes attacker movement through:
- Source repositories
- Build systems
- CI/CD workflows
- Artifact registries
- Deployment pipelines
- Runtime environments
This repository maps each SCEC phase to relevant MITRE ATT&CK tactics and techniques to support consistent threat modeling and analysis.
The repository contains:
- SCEC → MITRE ATT&CK mappings
- Machine-readable formats for automation
Example mappings:

| SCEC Phase | MITRE ATT&CK |
|---|---|
| Source Compromise | T1195 – Supply Chain Compromise |
| Build Manipulation | T1554 – Compromise Software Binary |
| Artifact Poisoning | T1027 – Obfuscated / Tampered Files |
| Runtime Exploitation | T1059 – Command Execution |
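The example below is added here to show how the machine-readable form of such a mapping can be consumed in automation; it is not code from this repository or from Ortelius. It embeds the four rows of the table above as constructed data, validates technique IDs against the ATT&CK ID format, offers lookups in both directions, and emits an ATT&CK Navigator layer that highlights every mapped technique. The layer's version fields and the `score`/`comment` conventions are assumptions to adjust for your Navigator instance.

```python
import json
import re
from collections import defaultdict

# Constructed from the mapping table in this README. In practice, load the
# repository's machine-readable mapping file instead of this literal.
SCEC_TO_ATTACK = [
    {"phase": "Source Compromise", "technique_id": "T1195", "technique": "Supply Chain Compromise"},
    {"phase": "Build Manipulation", "technique_id": "T1554", "technique": "Compromise Software Binary"},
    {"phase": "Artifact Poisoning", "technique_id": "T1027", "technique": "Obfuscated / Tampered Files"},
    {"phase": "Runtime Exploitation", "technique_id": "T1059", "technique": "Command Execution"},
]

# ATT&CK technique IDs: "T" + four digits, with an optional ".NNN" sub-technique suffix.
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def validate_mapping(mapping):
    """Return a list of problems found in the mapping rows (empty list means clean)."""
    problems = []
    seen = set()
    for i, row in enumerate(mapping):
        for key in ("phase", "technique_id", "technique"):
            if not row.get(key):
                problems.append(f"row {i}: missing '{key}'")
        tid = row.get("technique_id", "")
        if tid and not TECHNIQUE_ID_RE.match(tid):
            problems.append(f"row {i}: malformed technique id {tid!r}")
        pair = (row.get("phase"), tid)
        if pair in seen:
            problems.append(f"row {i}: duplicate mapping {pair}")
        seen.add(pair)
    return problems


def techniques_for_phase(mapping, phase):
    """All ATT&CK technique IDs mapped to one SCEC phase, sorted."""
    return sorted(r["technique_id"] for r in mapping if r["phase"] == phase)


def phases_for_technique(mapping, technique_id):
    """All SCEC phases that map to one ATT&CK technique, sorted."""
    return sorted(r["phase"] for r in mapping if r["technique_id"] == technique_id)


def navigator_layer(mapping, name="SCEC coverage"):
    """Build an ATT&CK Navigator layer dict: one entry per mapped technique,
    scored by how many SCEC phases reach it, with the phases in the comment."""
    by_tid = defaultdict(list)
    for r in mapping:
        by_tid[r["technique_id"]].append(r["phase"])
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumption: set these to match the Navigator/ATT&CK versions you use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "techniques": [
            {
                "techniqueID": tid,
                "score": len(phases),
                "comment": "SCEC: " + ", ".join(sorted(phases)),
                "enabled": True,
            }
            for tid, phases in sorted(by_tid.items())
        ],
    }


if __name__ == "__main__":
    problems = validate_mapping(SCEC_TO_ATTACK)
    if problems:
        raise SystemExit("\n".join(problems))
    print(json.dumps(navigator_layer(SCEC_TO_ATTACK), indent=2))
```

Running the script prints a layer JSON that can be imported into ATT&CK Navigator; the validation step is the part worth wiring into CI, so that a malformed or duplicated row in the mapping file fails the build rather than silently dropping coverage.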
Most security tooling focuses on pre-deployment detection. Many high-impact incidents occur after deployment, when new vulnerabilities are disclosed and teams lack visibility into what is actually running.
This mapping supports post-deployment vulnerability defense and improved remediation prioritization.
Ortelius focuses on:
- SBOM-to-runtime correlation
- Digital twin modeling of deployed systems
- Detection of newly disclosed vulnerabilities impacting live assets
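As an added illustration of the SBOM-to-runtime correlation and post-deployment vulnerability detection described above (example code written for this page, not Ortelius's implementation), the script below joins a set of per-build SBOMs with a runtime inventory and, given a newly disclosed advisory, reports which live assets actually carry an affected package version, ordered so production is remediated first. All package names, component names, versions and the advisory are constructed sample data; the version comparison assumes plain dotted-integer versions.

```python
from dataclasses import dataclass

# Constructed sample data: one SBOM per built component version
# (package name -> version), keyed by (component, version).
SBOMS = {
    ("payments-api", "2.3.0"): {"acme-logger": "2.14.1", "acme-json": "2.13.4"},
    ("payments-api", "2.4.0"): {"acme-logger": "2.17.1", "acme-json": "2.13.4"},
    ("report-batch", "1.1.0"): {"acme-logger": "2.15.0"},
    ("web-frontend", "5.0.2"): {"acme-ui": "18.2.0"},
}

# Constructed runtime inventory: which component version runs where.
RUNTIME_INVENTORY = [
    {"environment": "prod", "component": "payments-api", "version": "2.3.0"},
    {"environment": "prod", "component": "web-frontend", "version": "5.0.2"},
    {"environment": "staging", "component": "payments-api", "version": "2.4.0"},
    {"environment": "staging", "component": "report-batch", "version": "1.1.0"},
]

# Lower number = remediate first. Assumed ordering for this example.
ENV_PRIORITY = {"prod": 0, "staging": 1, "dev": 2}


@dataclass(frozen=True)
class Advisory:
    """A newly disclosed vulnerability: every version strictly below fixed_in is affected."""
    package: str
    fixed_in: str


def parse_version(v):
    # Assumption: versions are dotted integers such as "2.14.1".
    return tuple(int(part) for part in v.split("."))


def is_affected(version, advisory):
    return parse_version(version) < parse_version(advisory.fixed_in)


def impacted_assets(advisory, sboms=SBOMS, inventory=RUNTIME_INVENTORY):
    """Correlate an advisory with what is actually running.

    Returns one record per live asset that is affected, plus a record for any
    running asset that has no SBOM at all (which cannot be proven unaffected),
    sorted with production first.
    """
    hits = []
    for asset in inventory:
        sbom = sboms.get((asset["component"], asset["version"]))
        if sbom is None:
            # Missing SBOM for a deployed artifact is itself a finding.
            hits.append({**asset, "package": advisory.package,
                         "package_version": None, "status": "unknown-no-sbom"})
            continue
        pkg_version = sbom.get(advisory.package)
        if pkg_version is not None and is_affected(pkg_version, advisory):
            hits.append({**asset, "package": advisory.package,
                         "package_version": pkg_version, "status": "affected"})
    hits.sort(key=lambda h: (ENV_PRIORITY.get(h["environment"], 99), h["component"]))
    return hits


if __name__ == "__main__":
    advisory = Advisory(package="acme-logger", fixed_in="2.16.0")
    for hit in impacted_assets(advisory):
        print(f"{hit['environment']:8} {hit['component']:14} {hit['version']:7} "
              f"{hit['package']}={hit['package_version']} [{hit['status']}]")
```

With the sample data, the advisory for `acme-logger` below 2.16.0 flags `payments-api` 2.3.0 in prod and `report-batch` 1.1.0 in staging, while the patched `payments-api` 2.4.0 in staging is correctly left alone. The point the paragraph makes is visible in the join: a scanner that only looked at the latest build (2.4.0) would report nothing, yet the vulnerable 2.3.0 is what production is actually running.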
- Website: https://ortelius.io
- GitHub: https://github.com/ortelius
- Discord: https://discord.gg/ortelius
Maintained by the Ortelius open-source community.