PR3TACK: The Preemptive Tactics & Countermeasures Knowledgebase

By Vishal Thakur (Atlassian, AU)
July 8, 2026

The Preemptive Tactics & Countermeasures Knowledgebase (PR3TACK) is an openly accessible framework designed to catalogue plausible but unobserved adversary tactics, techniques, and procedures (TTPs). Whereas existing knowledge bases such as MITRE ATT&CK and MITRE D3FEND are constructed retrospectively from observed adversarial activity, PR3TACK seeks to bridge the anticipatory gap. It provides a structured means of conceptualising techniques that adversaries could plausibly develop and deploy, based on the convergence of known system vulnerabilities, adversarial innovation patterns, and technological affordances. In so doing, PR3TACK offers defenders a strategic advantage: the ability to harden environments preemptively, before exploitation occurs. This paper outlines the rationale, structure, and prospective impact of PR3TACK, situating it within ongoing debates about proactive defence, resilience engineering, and the epistemology of cyber threat intelligence.

1. Introduction

The practice of cybersecurity has long been characterised by a fundamental asymmetry. Adversaries require only a single successful exploit to achieve their objectives, whereas defenders must anticipate and mitigate a potentially unbounded set of threats. This asymmetry is compounded by the reactive nature of most defensive frameworks: defenders typically learn from observed compromises, codify adversarial behaviours, and then attempt to prevent recurrence. The result is a persistent latency between adversary innovation and defensive adaptation—a latency that adversaries exploit to maintain an operational edge.

The creation of structured knowledge bases such as MITRE ATT&CK has represented a significant advance in systematising defender knowledge. By cataloguing observed tactics, techniques, and procedures, ATT&CK has allowed security teams to align detection engineering, incident response, and red-team exercises to a common reference model. Yet ATT&CK's retrospective design also defines its limitation: it can only describe what has already been done. Emerging or plausible-but-unobserved techniques remain absent until empirical confirmation is available.

PR3TACK—the Preemptive Tactics & Countermeasures Knowledgebase—emerges in response to this limitation. It is premised on the belief that defenders must not only document the past but also anticipate the future. Drawing inspiration from foresight methodologies in strategic studies, resilience engineering, and speculative design, PR3TACK systematises a domain that has until now been informal and fragmented: the catalogue of technically plausible, but as yet unobserved, adversary techniques.

Aspect Description
Name PR3TACK - Preemptive Tactics & Countermeasures Knowledgebase
Mission Catalogue plausible but undisclosed/unobserved TTPs to help security teams proactively harden and secure their environments
Audience Blue Teams, Red Teams, SOCs, EDR vendors, Academia, Forward-thinking Executive Leadership
Goal Industry-wide impact: Fill the gap left by ATT&CK by documenting hypothetical, proven TTPs (POC'd) and mapping them to mitigations

Table 1: PR3TACK Aspects

2. Conceptual Foundations

2.1 From Reactive to Preemptive Defence

The dominant defensive paradigm in cybersecurity has been reactive. Breach occurs; analysis follows; mitigations are deployed. While this cycle has value in codifying empirical fact, it leaves defenders continually in arrears. PR3TACK introduces a forward-looking dimension: rather than waiting for confirmation, it codifies the adjacent possible—attack vectors that could emerge given current technological affordances. In this sense, PR3TACK does not replace reactive defence but augments it with an anticipatory layer.

2.2 Plausibility, Not Speculation

PR3TACK is not a repository of science fiction. It relies on demonstrable plausibility, grounded in proof-of-concept research, adversarial innovation trends, and the technical properties of modern systems. A submission to PR3TACK must therefore meet one of three thresholds:

This tiered structure ensures that PR3TACK is speculative in orientation but anchored in defensible technical reasoning.

2.3 Complementarity with Existing Frameworks

PR3TACK is explicitly designed to complement, rather than compete with, frameworks such as MITRE ATT&CK and MITRE D3FEND. ATT&CK catalogues what is known to have occurred; PR3TACK catalogues what is plausible but not yet observed. D3FEND specifies defensive measures against documented techniques; PR3TACK extends this by suggesting preemptive countermeasures against as-yet-unrealised threats. Together, these frameworks create a layered epistemology of defence: empirical, reactive, and anticipatory.

3. Framework Overview

3.1 Tactics and Techniques

PR3TACK organises its knowledge base around a set of tactics, many overlapping with existing taxonomies (e.g., Execution, Persistence, Lateral Movement), and others introduced uniquely by this framework (e.g., Pre-Positioning, Resilience Erosion, Governance Subversion, Cognitive Manipulation, Digital Exhaust Manipulation).

Each tactic is subdivided into techniques, which are described, assessed for feasibility, and mapped to preemptive defences. For instance:

The Seed Matrix (v0.1) currently enumerates tactics across seventeen categories, with more to be added through ongoing research and community contribution.

3.2 Unique Tactics

Of particular note are the tactics that PR3TACK introduces as novel analytical categories:

Full list of tactics in Appendix 7.1

By including such tactics, PR3TACK recognises that modern adversarial activity extends beyond code execution into governance, cognition, and sociotechnical domains.

3.3 PR3TACK Matrix

The PR3TACK Matrix provides an interactive way to explore the Seed Matrix of preemptive tactics and countermeasures. Unlike MITRE ATT&CK, which catalogs techniques confirmed to be used by adversaries, PR3TACK focuses on plausible but unobserved techniques—the "what could happen next" layer of threat modeling.

Seed Matrix v1.0 in Appendix 7.2

This navigator loads the Seed Matrix into a visual, column-based grid where each tactic is represented as a column and the related techniques are listed beneath. Users can:

The goal is to make PR3TACK more usable for defenders: analysts, detection engineers, and incident responders can quickly scan for unobserved but possible techniques, map them to their environment, and get ahead of adversaries. By providing this navigable interface, the framework shifts from being a static reference to a living tool for proactive defense.

PR3TACK also provides a Navigator for security teams to map their findings to the framework for detections, incident response and research.

Figure 1: PR3TACK Navigator Tool

4. Strategic Value

4.1 Organisational Benefits

For individual organisations, PR3TACK provides a structured means of identifying gaps that adversaries have not yet exploited. This enables:

4.2 Industry-wide Implications

At an industry level, PR3TACK establishes a common vocabulary for discussing emergent threats. Vendors can use the framework to guide product development; researchers can use it to test hypotheses about attacker innovation; policymakers can reference it when crafting forward-looking regulation.

4.3 Academic Contribution

From an academic standpoint, PR3TACK contributes to the epistemology of cyber threat intelligence. It formalises an often-overlooked category: the plausible unknown. In doing so, it offers a bridge between empirical security research and speculative foresight studies.

5. Community Participation

PR3TACK was released during FIRSTCON26.

If you're interested in contributing, collaborating, or joining as a participating CSIRT, we'd love to have you involved.
join@pr3tack.org

PR3TACK is intended as a collaborative project. Contributions are invited from practitioners, academics, and organisations worldwide. The intake process requires submission of contributor details, technique description, feasibility assessment, potential impact, and suggested preemptive defences. Supporting documentation—such as proof-of-concept code or related research—is strongly encouraged.

Contributors may elect to be recognised publicly or remain anonymous. The Core Team curates submissions, ensuring quality and coherence, while maintaining openness to diverse perspectives.

ttp@pr3tack.org

6. Conclusion

The history of cybersecurity has been one of reaction: defenders observe, record, and respond. While this reactive paradigm remains necessary, it is insufficient in an era of accelerating adversarial innovation. PR3TACK proposes a shift. By cataloguing what could plausibly happen next, it enables defenders to move from reaction to preemption.

PR3TACK is not a crystal ball; it will never predict every innovation. Its value lies instead in shaping a culture of anticipatory defence, in which the global community of practitioners and researchers treat the "adjacent possible" as seriously as the empirically observed. By doing so, we may reduce adversarial advantage, close the latency gap, and contribute to a more resilient digital ecosystem.

PR3TACK is not a crystal ball; it will never predict every innovation. Its value lies instead in shaping a culture of anticipatory defence, in which the global community of practitioners and researchers treat the "adjacent possible" as seriously as the empirically observed. By doing so, we may reduce adversarial advantage, close the latency gap, and contribute to a more resilient digital ecosystem.

Key Takeaways

PR3TACK closes the gaps where attackers innovate.
It captures plausible, working attack techniques — such as Atom Table abuse and Revix's "kill-all-VMs" tactic — that never made it into ATT&CK but caused real-world harm.

Organizational impact: We reduce risk, strengthen detection and incident response, and avoid being tomorrow's case study.

Industry-wide impact: By adopting and championing PR3TACK, we position ourselves as leaders who move cybersecurity from reactive to predictive — influencing the global defensive posture, not just our own.

7. Appendix

7.1 List of PR3TACK Tactics

Tactics covered and defined by PR3TACK include widely known tactics that are included in frameworks such as MITRE AT&CK and some tactics that are exclusive to PR3TACK.

PR3TACK exclusive tactics have been identified and defined as part of this project and based upon the research and hypotheses of the author. The Core Team will add more tactics as they are discovered.

Execution
Actions and mechanisms that cause code or effects to run on a target system or device. This covers anything from user-land process launches to boot/firmware triggers and peripheral firmware activation that produce behavior an attacker wants executed.
Persistence
Techniques used to maintain a foothold across reboots, updates, and user sessions. This includes covert registries, hidden services, OS artefacts, or other mechanisms designed to survive normal system lifecycle events.
Privilege Escalation
Methods that give an actor more authority inside a system or environment—moving from user to admin, or from userland to kernel—so they can perform actions otherwise restricted by policy or platform controls.
Defense Evasion
Techniques intended to avoid detection or thwart monitoring and response. This includes manipulation or suppression of telemetry, abusing platform metadata/services, and altering evidence so typical detection logic misses the activity.
Command & Control
Channels and protocols used to send instructions to compromised assets and receive data back. These can be overt or covert (network tunnelling, unconventional peripheral channels, blended DoH traffic, etc.) and are chosen to blend with normal communications.
Discovery
Actions to enumerate and map the target environment: services, software, identity relationships, federation points, extension surfaces, and other artifacts that inform later stages of an operation.
Collection
The capture and aggregation of target data for later use or exfiltration. This includes direct reads of data stores, screen buffers, clipboards, accessibility interfaces, and other local reservoirs of information.
Exfiltration
Moving collected data out of the target environment to an attacker-controlled location. Exfiltration can be overt or hidden (staged in third-party cloud buckets, piggybacked on benign channels, or using accessibility APIs).
Lateral Movement
Techniques that let an actor move from an initial compromised host or business unit to other systems, services, or organizational units—whether through technical channels (updates, delegated trusts) or by abusing cross-unit policies.
Pre-Positioning
Long-lead activities that shape future attackability before a hands-on-keyboard phase. Examples include sleeper commits in OSS, defensive credential seeding, registered look-alike domains, and other anticipatory actions intended to be activated later.
Resilience Erosion
Attacks aimed at degrading the organization's ability to recover or respond—corrupting backups, undermining recovery exercises, or creating operational fatigue so normal resilience mechanisms are unreliable when needed.
Governance Subversion
Manipulating policy, standards, procurement, or legal processes to create systemic weaknesses—whether by influencing standards bodies, establishing trusted procurement accounts, or inserting insecure clauses into contracts.
Cognitive Manipulation
Targeting human decision-makers and analysts by changing their perception and judgment—through habituation, deception in logs/alerts, adversarial chat interactions, or crafted content that biases response choices.
Operational Tempo Manipulation
Shaping the timing of operations to maximize defender disruption or minimize coverage—attacks timed for holidays, travel windows, large events, billing cycles, or automated cost-saving processes.
AI/ML Subversion
Actions that target machine learning and AI pipelines—poisoning training data, biasing public datasets, crafting adversarial inputs, or otherwise causing models and automated workflows to produce incorrect or exploitable outputs.
Sociotechnical Pressure
Using social, media, investor, or partner ecosystems to coerce organizational change or induce risky decisions—coordinated narratives, activist pressure, or vendor influence campaigns that force security-impacting tradeoffs.
Digital Exhaust Manipulation
Weaponising the traces organizations rely on—telemetry, threat feeds, IOC databases, public metadata, ESG reports—by polluting, overwhelming, or corrupting those signals so defenders are misled or overwhelmed.

Table 2: PR3TACK Tactics

7.2 Seed Matrix (v0.1)



Table 3: PR3TACK Seed Matrix v1