Cyber Resilience

Security framework cross-walks

A two-way, extent-rated, independently QA'd map between the security frameworks that matter — weaknesses, attack techniques, and controls. Every pairing is rated in both directions on a four-level scale (full / mostly / partial / none), drafted by an LLM, re-rated by a second model, and adjudicated by hand. Several of these mappings have no public equivalent.

13,170 QA'd directional mappings · 20 framework pairings · 19 frameworks · 2-way + extent-rated

Cumulative coverage

How completely do our mapped controls collectively cover a target framework? We report the strongest single inbound mapping per control (never inflating overlapping partials into "full") plus the breadth behind it.

NIST 800-53 r5

cumulative inbound coverage
≥partial inbound coverage on 63.9% of 324 controls · ≥mostly on 31.8%

CWE

cumulative inbound coverage
666 of 969 items carry authoritative coverage

The portfolio

Framework pairing | Mappings
CWE ↔ MITRE ATT&CK, no public equivalent | 4,376
CAPEC ↔ CWE, two-way | 2,078
NIST 800-53 r5 ↔ NIST CSF 2.0, two-way | 1,874
CWE ↔ OWASP ASVS 5.0, two-way | 1,344
NIST 800-53 r5 ↔ OWASP ASVS 5.0, two-way | 1,254
CWE ↔ OWASP Web Top 10 (2025), two-way | 516
CWE ↔ DISA STIG Oracle Linux 8, two-way | 370
CWE ↔ NIST CSF 2.0, two-way | 290
CWE ↔ DISA STIG RHEL 7, two-way | 172
CWE ↔ DISA STIG RHEL 8, two-way | 170
CWE ↔ DISA STIG Oracle Linux 9, two-way | 138
CWE ↔ DISA STIG Windows Server 2016, two-way | 82
NIST 800-53 r5 ↔ OWASP Web Top 10 (2025), two-way | 82
CWE ↔ DISA STIG Ubuntu 22.04, two-way | 74
CWE ↔ DISA STIG Windows 10, two-way | 70
CWE ↔ DISA STIG Windows Server 2019, two-way | 68
CWE ↔ DISA STIG Ubuntu 24.04, two-way | 60
CWE ↔ DISA STIG Windows Server 2022, two-way | 58
CWE ↔ DISA STIG RHEL 9, two-way | 54
CWE ↔ DISA STIG Windows 11, two-way | 40

[Coverage mix: per-pairing chart]

Counts are authoritative mappings only (LLM-drafted → second-model re-rated → hand-adjudicated; unverified drafts excluded). Coverage is directional — a pairing can cover more in one direction than the other.

Use it, freely

The full dataset is open — download the CSV/JSON, no sign-up. Attribution requested ("Cross-walk mappings: security-resilience.ai"). The mappings are re-QA'd continuously, so two optional extras:

Notify me about mappings: Get an email when we publish new mappings (new frameworks / pairings) or re-QA existing ones. No spam, unsubscribe anytime. Sign in to subscribe.

Programmatic / bulk access: An API key for pulling the mappings into your own tooling. Request an API key.