Security framework cross-walks
A two-way, extent-rated, independently QA'd map between the security frameworks that matter — weaknesses, attack techniques, and controls. Every pairing is rated in both directions on a four-level scale (full / mostly / partial / none), drafted by an LLM, re-rated by a second model, and adjudicated by hand. Several of these mappings have no public equivalent.
Cumulative coverage
How completely do our mapped controls collectively cover a target framework? We report the strongest single inbound mapping per control (never inflating overlapping partials into "full") plus the breadth behind it.
[Coverage panels for target frameworks: NIST 800-53 r5, CWE]
The portfolio
| Framework pairing | Mappings | Coverage mix |
|---|---|---|
| CWE ↔ MITRE ATT&CK (no public equivalent) | 4,376 | |
| CAPEC ↔ CWE (two-way) | 2,078 | |
| NIST 800-53 r5 ↔ NIST CSF 2.0 (two-way) | 1,874 | |
| CWE ↔ OWASP ASVS 5.0 (two-way) | 1,344 | |
| NIST 800-53 r5 ↔ OWASP ASVS 5.0 (two-way) | 1,254 | |
| CWE ↔ OWASP Web Top 10 (2025) (two-way) | 516 | |
| CWE ↔ DISA STIG Oracle Linux 8 (two-way) | 370 | |
| CWE ↔ NIST CSF 2.0 (two-way) | 290 | |
| CWE ↔ DISA STIG RHEL 7 (two-way) | 172 | |
| CWE ↔ DISA STIG RHEL 8 (two-way) | 170 | |
| CWE ↔ DISA STIG Oracle Linux 9 (two-way) | 138 | |
| CWE ↔ DISA STIG Windows Server 2016 (two-way) | 82 | |
| NIST 800-53 r5 ↔ OWASP Web Top 10 (2025) (two-way) | 82 | |
| CWE ↔ DISA STIG Ubuntu 22.04 (two-way) | 74 | |
| CWE ↔ DISA STIG Windows 10 (two-way) | 70 | |
| CWE ↔ DISA STIG Windows Server 2019 (two-way) | 68 | |
| CWE ↔ DISA STIG Ubuntu 24.04 (two-way) | 60 | |
| CWE ↔ DISA STIG Windows Server 2022 (two-way) | 58 | |
| CWE ↔ DISA STIG RHEL 9 (two-way) | 54 | |
| CWE ↔ DISA STIG Windows 11 (two-way) | 40 | |

Counts are authoritative mappings only (LLM-drafted → second-model re-rated → hand-adjudicated; unverified drafts excluded). Coverage is directional — a pairing can cover more in one direction than the other.
Use it, freely
The full dataset is open — download the CSV/JSON, no sign-up. Attribution requested ("Cross-walk mappings: security-resilience.ai"). The mappings are re-QA'd continuously, so two optional extras:
- Get an email when we publish new mappings (new frameworks / pairings) or re-QA existing ones. No spam, unsubscribe anytime. Sign in to subscribe.
- An API key for pulling the mappings into your own tooling. Request an API key.