By Vishal Thakur (Atlassian, AU)
July 8, 2026
The Preemptive Tactics & Countermeasures Knowledgebase (PR3TACK) is an openly accessible framework designed to catalogue plausible but unobserved adversary tactics, techniques, and procedures (TTPs). Whereas existing knowledge bases such as MITRE ATT&CK and MITRE D3FEND are constructed retrospectively from observed adversarial activity, PR3TACK seeks to bridge the anticipatory gap. It provides a structured means of conceptualising techniques that adversaries could plausibly develop and deploy, based on the convergence of known system vulnerabilities, adversarial innovation patterns, and technological affordances. In so doing, PR3TACK offers defenders a strategic advantage: the ability to harden environments preemptively, before exploitation occurs. This paper outlines the rationale, structure, and prospective impact of PR3TACK, situating it within ongoing debates about proactive defence, resilience engineering, and the epistemology of cyber threat intelligence.
The practice of cybersecurity has long been characterised by a fundamental asymmetry. Adversaries require only a single successful exploit to achieve their objectives, whereas defenders must anticipate and mitigate a potentially unbounded set of threats. This asymmetry is compounded by the reactive nature of most defensive frameworks: defenders typically learn from observed compromises, codify adversarial behaviours, and then attempt to prevent recurrence. The result is a persistent latency between adversary innovation and defensive adaptation—a latency that adversaries exploit to maintain an operational edge.
The creation of structured knowledge bases such as MITRE ATT&CK has represented a significant advance in systematising defender knowledge. By cataloguing observed tactics, techniques, and procedures, ATT&CK has allowed security teams to align detection engineering, incident response, and red-team exercises to a common reference model. Yet ATT&CK's retrospective design also defines its limitation: it can only describe what has already been done. Emerging or plausible-but-unobserved techniques remain absent until empirical confirmation is available.
PR3TACK—the Preemptive Tactics & Countermeasures Knowledgebase—emerges in response to this limitation. It is premised on the belief that defenders must not only document the past but also anticipate the future. Drawing inspiration from foresight methodologies in strategic studies, resilience engineering, and speculative design, PR3TACK systematises a domain that has until now been informal and fragmented: the catalogue of technically plausible, but as yet unobserved, adversary techniques.
| Aspect | Description |
|---|---|
| Name | PR3TACK - Preemptive Tactics & Countermeasures Knowledgebase |
| Mission | Catalogue plausible but undisclosed/unobserved TTPs to help security teams proactively harden and secure their environments |
| Audience | Blue Teams, Red Teams, SOCs, EDR vendors, Academia, Forward-thinking Executive Leadership |
| Goal | Industry-wide impact: Fill the gap left by ATT&CK by documenting hypothetical, proven TTPs (POC'd) and mapping them to mitigations |
Table 1: PR3TACK Aspects
The dominant defensive paradigm in cybersecurity has been reactive. Breach occurs; analysis follows; mitigations are deployed. While this cycle has value in codifying empirical fact, it leaves defenders continually in arrears. PR3TACK introduces a forward-looking dimension: rather than waiting for confirmation, it codifies the adjacent possible—attack vectors that could emerge given current technological affordances. In this sense, PR3TACK does not replace reactive defence but augments it with an anticipatory layer.
PR3TACK is not a repository of science fiction. It relies on demonstrable plausibility, grounded in proof-of-concept research, adversarial innovation trends, and the technical properties of modern systems. A submission to PR3TACK must therefore meet one of three thresholds:
High priority: TTPs demonstrated through proof-of-concept implementations.
Medium priority: TTPs hypothesised with technical reasoning, awaiting validation.
Low priority: TTPs emerging from academic research or ongoing investigation.
This tiered structure ensures that PR3TACK is speculative in orientation but anchored in defensible technical reasoning.
PR3TACK is explicitly designed to complement, rather than compete with, frameworks such as MITRE ATT&CK and MITRE D3FEND. ATT&CK catalogues what is known to have occurred; PR3TACK catalogues what is plausible but not yet observed. D3FEND specifies defensive measures against documented techniques; PR3TACK extends this by suggesting preemptive countermeasures against as-yet-unrealised threats. Together, these frameworks create a layered epistemology of defence: empirical, reactive, and anticipatory.
PR3TACK organises its knowledge base around a set of tactics, many overlapping with existing taxonomies (e.g., Execution, Persistence, Lateral Movement), and others introduced uniquely by this framework (e.g., Pre-Positioning, Resilience Erosion, Governance Subversion, Cognitive Manipulation, Digital Exhaust Manipulation).
Each tactic is subdivided into techniques, which are described, assessed for feasibility, and mapped to preemptive defences. For instance:
Execution via Peripheral Firmware Stagers: leveraging benign-seeming peripheral firmware to stage payloads when connected. Feasibility: Medium. Preemptive Defence: firmware verification, device attestation, allowlisting of vendors.
Governance Subversion via Procurement Account Establishment: creating "trusted" vendor identities as long-term footholds. Feasibility: Medium. Preemptive Defence: stringent supplier verification, contractual security clauses, procurement audits.
The Seed Matrix (v0.1) currently enumerates tactics across seventeen categories, with more to be added through ongoing research and community contribution.
Of particular note are the tactics that PR3TACK introduces as novel analytical categories:
Pre-Positioning: adversary actions that prepare the environment for future compromise, often long before exploitation (e.g., sleeper commits in open-source projects).
Resilience Erosion: attempts to degrade an organisation's ability to recover, through means such as corrupting backups or exhausting patch-management processes.
Governance Subversion: manipulation of policy, procurement, or standards processes to create systemic vulnerabilities.
Cognitive Manipulation: altering defender perceptions, whether by flooding analysts with habituating alerts or crafting adversarial logs.
Digital Exhaust Manipulation: weaponising telemetry, IOCs, and metadata to mislead defenders or degrade the quality of intelligence.
By including such tactics, PR3TACK recognises that modern adversarial activity extends beyond code execution into governance, cognition, and sociotechnical domains.
The PR3TACK Matrix provides an interactive way to explore the Seed Matrix of preemptive tactics and countermeasures. Unlike MITRE ATT&CK, which catalogs techniques confirmed to be used by adversaries, PR3TACK focuses on plausible but unobserved techniques—the "what could happen next" layer of threat modeling.
This navigator loads the Seed Matrix into a visual, column-based grid where each tactic is represented as a column and the related techniques are listed beneath. Users can:
Search and filter across tactics, techniques, platforms, and status.
Click into techniques to view details such as detection ideas, mitigations, and relevant tags.
Upload custom JSON files to extend or replace the Seed Matrix with community contributions.
The goal is to make PR3TACK more usable for defenders: analysts, detection engineers, and incident responders can quickly scan for unobserved but possible techniques, map them to their environment, and get ahead of adversaries. By providing this navigable interface, the framework shifts from being a static reference to a living tool for proactive defense.
PR3TACK also provides a Navigator for security teams to map their findings to the framework for detections, incident response and research.
Figure 1: PR3TACK Navigator ToolFor individual organisations, PR3TACK provides a structured means of identifying gaps that adversaries have not yet exploited. This enables:
Proactive Posture: mitigating vulnerabilities before they are operationalised.
Detection Innovation: using unobserved techniques to guide red/purple team exercises and refine detection logic.
Enterprise Resilience: anticipating not only technical compromise but also erosion of recovery capacity.
At an industry level, PR3TACK establishes a common vocabulary for discussing emergent threats. Vendors can use the framework to guide product development; researchers can use it to test hypotheses about attacker innovation; policymakers can reference it when crafting forward-looking regulation.
From an academic standpoint, PR3TACK contributes to the epistemology of cyber threat intelligence. It formalises an often-overlooked category: the plausible unknown. In doing so, it offers a bridge between empirical security research and speculative foresight studies.
PR3TACK was released during FIRSTCON26.
If you're interested in contributing, collaborating, or joining as a
participating CSIRT, we'd love to have you involved.
join@pr3tack.org
PR3TACK is intended as a collaborative project. Contributions are invited from practitioners, academics, and organisations worldwide. The intake process requires submission of contributor details, technique description, feasibility assessment, potential impact, and suggested preemptive defences. Supporting documentation—such as proof-of-concept code or related research—is strongly encouraged.
Contributors may elect to be recognised publicly or remain anonymous. The Core Team curates submissions, ensuring quality and coherence, while maintaining openness to diverse perspectives.
The history of cybersecurity has been one of reaction: defenders observe, record, and respond. While this reactive paradigm remains necessary, it is insufficient in an era of accelerating adversarial innovation. PR3TACK proposes a shift. By cataloguing what could plausibly happen next, it enables defenders to move from reaction to preemption.
PR3TACK is not a crystal ball; it will never predict every innovation. Its value lies instead in shaping a culture of anticipatory defence, in which the global community of practitioners and researchers treat the "adjacent possible" as seriously as the empirically observed. By doing so, we may reduce adversarial advantage, close the latency gap, and contribute to a more resilient digital ecosystem.
PR3TACK is not a crystal ball; it will never predict every innovation. Its value lies instead in shaping a culture of anticipatory defence, in which the global community of practitioners and researchers treat the "adjacent possible" as seriously as the empirically observed. By doing so, we may reduce adversarial advantage, close the latency gap, and contribute to a more resilient digital ecosystem.
PR3TACK closes the gaps where attackers innovate.
It captures plausible, working attack techniques — such as Atom
Table abuse and Revix's "kill-all-VMs" tactic — that never made it
into ATT&CK but caused real-world harm.
Organizational impact: We reduce risk, strengthen detection and incident response, and avoid being tomorrow's case study.
Industry-wide impact: By adopting and championing PR3TACK, we position ourselves as leaders who move cybersecurity from reactive to predictive — influencing the global defensive posture, not just our own.
Tactics covered and defined by PR3TACK include widely known tactics that are included in frameworks such as MITRE AT&CK and some tactics that are exclusive to PR3TACK.
PR3TACK exclusive tactics have been identified and defined as part of this project and based upon the research and hypotheses of the author. The Core Team will add more tactics as they are discovered.
| Execution |
|---|
| Actions and mechanisms that cause code or effects to run on a target system or device. This covers anything from user-land process launches to boot/firmware triggers and peripheral firmware activation that produce behavior an attacker wants executed. |
| Persistence |
|---|
| Techniques used to maintain a foothold across reboots, updates, and user sessions. This includes covert registries, hidden services, OS artefacts, or other mechanisms designed to survive normal system lifecycle events. |
| Privilege Escalation |
|---|
| Methods that give an actor more authority inside a system or environment—moving from user to admin, or from userland to kernel—so they can perform actions otherwise restricted by policy or platform controls. |
| Defense Evasion |
|---|
| Techniques intended to avoid detection or thwart monitoring and response. This includes manipulation or suppression of telemetry, abusing platform metadata/services, and altering evidence so typical detection logic misses the activity. |
| Command & Control |
|---|
| Channels and protocols used to send instructions to compromised assets and receive data back. These can be overt or covert (network tunnelling, unconventional peripheral channels, blended DoH traffic, etc.) and are chosen to blend with normal communications. |
| Discovery |
|---|
| Actions to enumerate and map the target environment: services, software, identity relationships, federation points, extension surfaces, and other artifacts that inform later stages of an operation. |
| Collection |
|---|
| The capture and aggregation of target data for later use or exfiltration. This includes direct reads of data stores, screen buffers, clipboards, accessibility interfaces, and other local reservoirs of information. |
| Exfiltration |
|---|
| Moving collected data out of the target environment to an attacker-controlled location. Exfiltration can be overt or hidden (staged in third-party cloud buckets, piggybacked on benign channels, or using accessibility APIs). |
| Lateral Movement |
|---|
| Techniques that let an actor move from an initial compromised host or business unit to other systems, services, or organizational units—whether through technical channels (updates, delegated trusts) or by abusing cross-unit policies. |
| Pre-Positioning |
|---|
| Long-lead activities that shape future attackability before a hands-on-keyboard phase. Examples include sleeper commits in OSS, defensive credential seeding, registered look-alike domains, and other anticipatory actions intended to be activated later. |
| Resilience Erosion |
|---|
| Attacks aimed at degrading the organization's ability to recover or respond—corrupting backups, undermining recovery exercises, or creating operational fatigue so normal resilience mechanisms are unreliable when needed. |
| Governance Subversion |
|---|
| Manipulating policy, standards, procurement, or legal processes to create systemic weaknesses—whether by influencing standards bodies, establishing trusted procurement accounts, or inserting insecure clauses into contracts. |
| Cognitive Manipulation |
|---|
| Targeting human decision-makers and analysts by changing their perception and judgment—through habituation, deception in logs/alerts, adversarial chat interactions, or crafted content that biases response choices. |
| Operational Tempo Manipulation |
|---|
| Shaping the timing of operations to maximize defender disruption or minimize coverage—attacks timed for holidays, travel windows, large events, billing cycles, or automated cost-saving processes. |
| AI/ML Subversion |
|---|
| Actions that target machine learning and AI pipelines—poisoning training data, biasing public datasets, crafting adversarial inputs, or otherwise causing models and automated workflows to produce incorrect or exploitable outputs. |
| Sociotechnical Pressure |
|---|
| Using social, media, investor, or partner ecosystems to coerce organizational change or induce risky decisions—coordinated narratives, activist pressure, or vendor influence campaigns that force security-impacting tradeoffs. |
| Digital Exhaust Manipulation |
|---|
| Weaponising the traces organizations rely on—telemetry, threat feeds, IOC databases, public metadata, ESG reports—by polluting, overwhelming, or corrupting those signals so defenders are misled or overwhelmed. |
Table 2: PR3TACK Tactics


Table 3: PR3TACK Seed Matrix v1