Irish Information Security Forum

Decider Tool

Understanding malicious behavior is often the first step to protecting networks and data. Understanding malicious behavior can also improve network defenders’ success in detecting and mitigating malicious cyber operations.

CISA consistently encourages incident responders and analysts to leverage the MITRE ATT&CK framework in mapping observed threat actor activity to defined tactics and techniques.


MITRE ATT&CK is a free knowledge-based repository of cyber actors’ tactics and techniques based on real-world observations. These tactics and techniques include known exploits used on cloud systems, such as Create Account: Cloud Account [T1136.003] and Cloud Infrastructure Discovery [T1580]. Understanding the techniques cyber threat actors use to compromise cloud environments can help defenders better target detections and mitigations to those techniques. This understanding can also assist network defenders in identifying tailored defenses. This framework provides an abundance of information for organizations of any size to leverage in their respective organizations.


Network defenders can leverage ATT&CK to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls.


On March 1, 2023, CISA, together with the Homeland Security Systems Engineering and Design Institute (HSSEDI), operated by the MITRE Corporation, released Decider. Decider assists incident responders and analysts in mapping observed activity to the MITRE ATT&CK framework. The tool makes mapping to ATT&CK easier by providing step-by-step guidance, including techniques used against cloud systems.


decider question tree

Decider starts with a series of questions to help network defenders properly identify adversary tactics, techniques, or sub techniques. With Decider, users can filter queries relevant to user analysis to determine the best possible identification
method. After gaining proper mapping accuracy, users are then able to:


  • Export results to tables, such as ATT&CK Navigator heatmaps.
  • Publish threat intelligence reports.
  • Identify and execute mitigation and/or detection procedures.
  • Prevent exploitation from occurring by identifying threats early.


For guidance on how to properly use Decider, see CISA’s Decider Fact Sheet, video, and blog. CISA encourages analysts and incident responders to use the tool in conjunction with the recently updated Best Practices for MITRE ATT&CK®
Mapping guide.


Note: This factsheet provides examples of tools for informational purposes only. CISA does not endorse any commercial
product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA


If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland



We would like to thank these generous sponsors for their support. 

crowdstrike logo

zscaler logo



Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more


secured by edgescan digital security radar logo

© iiSf. All rights reserved. CRN: 3400036GH  - Privacy Statement  - Sponsorship  - Cybersecurity News Topics  - Cybersecurity Resources  - Produced by
LinkedIn Twitter