Claus Cramon Houmann1d ago

RE: https://infosec.exchange/@letswastetime/116448373357473541

Now port these hunts to #OpenTide format and help the world.

Show threadClaus Cramon HoumannApr 4
@hyd3 @wr imagine if these were mapped to #OpenTide @0xrawsec ;). That would rock.
Show threadClaus Cramon HoumannJan 21
@timb_machine I kind of like your post about how you threat model for customers in Cisco, it would be cool if you then extended the service to provide #OpenTide mapped threat graphs mapped to detections for them, as (some unnamed consulting houses) are doing.
Show threadClaus Cramon HoumannJan 21
@timb_machine One day when we read links like https://br0k3nlab.com/resources/axioms-of-security-and-rule-based-capabilities/ people will have read the #OpenTide white paper and realized how it changes the conversation about #detectioncoverage but this day was not today.
Axioms of Security and Rule-Based Capabilities

Security efficacy has diminishing value, at some point, as rule quantity grows Rule count is not an absolute measure of successful coverage Coverage is not an absolute measure of security Alert count has an inverse relationship with their manageability Threats are not static Security posture is temporal and so only instantaneously representative

Claus Cramon HoumannJan 6
@infosecb thanks for adding #OpenTide to the awesome list!
Claus Cramon HoumannDec 10

Despite the promising title of this blog post by John Vester 'Why the MITRE ATT&CK Framework Actually Works', its a load of crock.

You can't and shouldn't use MITRE #ATT&CK to prove any sort of detection coverage or 'strong points'. At best, you can prove total absence in certain subtechniques.

If you want to do any sort of data driven #detectioncoverage you need #OpenTide -> there's no way around it.

https://levelup.gitconnected.com/why-the-mitre-att-ck-framework-actually-works-29ac26d2d20c

ATT&CK is still ♥️ 😍 tho.

#SOC #blueteam #detectionEngineering

Why the MITRE ATT&CK Framework Actually Works

The alert goes off at 2:17 p.m.

Medium
Show threadClaus Cramon HoumannNov 1, 2025

@merill drop a few links too please. Did you (they) consider releasing the work also in #OpenTide format to increase actionability? OpenTide recently released the OpenTide version of the ATRM -> threat vectors only for now. Having this alongside would be huge.

Also have been praising your newsletter to regional MS folks, don’t know if any of that filtered back to you. If not, thank you!

Claus Cramon HoumannOct 31, 2025
This #detection #SOC post #detectfyi is very good, and I agree fully up to a point. Where my opinion, and #OpenTIDE starts to diverge is for the final paragraph on coverage discussions and documentation. Its possible to do better than this now. And detection depth as a number of detection points along an attack path is....not bad, actually innovative compared to most who don't even use a graph view, it may just not be the optimal type of detections to deploy in this case https://detect.fyi/critical-asset-analysis-for-detection-engineering-72b8051df149
Critical Asset Analysis for Detection Engineering

Understanding what your detection team should work on

Medium
Show threadClaus Cramon HoumannOct 2, 2025

@lojikil @circl Can I be honest?

I hope I can and will presume it. This framework is not bad at all, but its inferior to #OpenTIDE by a lot :).

Claus Cramon HoumannSep 19, 2025

Don't you wish we could also collaborate defensively, become force multipliers for each other?

We can. Check out #OpenTIDE