How our cross-walks compare
An honest survey of where security-framework cross-walks come from — public/official sources and commercial vendors — and how ours compare. Sourced from public documentation; vendor claims are self-reported and often product-locked (marked as such). We aim to be fair: most public mappings are authored by the framework owners themselves, which is an authority we do not claim.
What sets ours apart
- Cumulative coverage: none of the 22 sources surveyed computes 'do these controls collectively satisfy X'. We do, using the best-attested extent per control plus the breadth of the contributing control set.
- Two-way mapping with a per-direction extent (none/partial/mostly/full) is rare in public sources — only SCF (numeric strength) and NIST OLIR (set-theory relationships) go beyond binary, and neither authors two independent directional extents.
- Direct, not chained: we map CWE→ATT&CK directly; the public CWE→CAPEC→ATT&CK chain is sparse (~25-34% linkage) and drops top weaknesses such as XSS and SQL injection.
- Currency: MITRE's Mappings Explorer tops out at ATT&CK v16.1; our ATT&CK mappings track the current release and are re-QA'd continuously.
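To make the three distinctions above concrete (binary versus extent-rated, one directional extent versus two, direct versus chained), here is a small illustrative model in Python. It is an added example and not this site's own code or algorithm: the none/partial/mostly/full scale comes from the list above, but the Edge structure, the sample edges, the aggregation, and every identifier (CTL-1, REQ-A, CWE-X1, CAPEC-Y1, T-a) are constructed assumptions.

```python
"""Illustrative model of extent-rated, two-way cross-walk edges and of the
coverage a chained mapping loses. Added example, not this site's own code or
algorithm: the four-level extent scale is from the page; the data structures,
identifiers and sample edges below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Extent(IntEnum):
    """Ordinal per-direction extent, as on the page; not a numeric strength."""
    NONE = 0
    PARTIAL = 1
    MOSTLY = 2
    FULL = 3


@dataclass(frozen=True)
class Edge:
    """One control/requirement pair with an independent extent in each direction."""
    control: str
    requirement: str
    ctl_to_req: Extent  # how far the control satisfies the requirement
    req_to_ctl: Extent  # how far the requirement covers the control


# Constructed sample edges; CTL-*/REQ-* are hypothetical identifiers.
EDGES = [
    Edge("CTL-1", "REQ-A", Extent.PARTIAL, Extent.FULL),   # asymmetric by design
    Edge("CTL-2", "REQ-A", Extent.MOSTLY, Extent.PARTIAL),
    Edge("CTL-3", "REQ-A", Extent.NONE, Extent.NONE),      # an attested non-mapping
    Edge("CTL-1", "REQ-B", Extent.FULL, Extent.MOSTLY),
]


def binary_coverage(controls, requirement, edges=EDGES):
    """The only question a binary crosswalk can answer: is anything mapped?"""
    return any(e.control in controls and e.requirement == requirement
               and e.ctl_to_req > Extent.NONE for e in edges)


def cumulative_coverage(controls, requirement, edges=EDGES):
    """Best-attested control→requirement extent across a control set, plus
    breadth (how many controls contribute). Whether a given (best, breadth)
    counts as 'collectively satisfied' is a policy decision left to the caller."""
    hits = [e.ctl_to_req for e in edges
            if e.control in controls and e.requirement == requirement
            and e.ctl_to_req > Extent.NONE]
    return max(hits, default=Extent.NONE), len(hits)


def reverse_extent(requirement, control, edges=EDGES):
    """Requirement→control extent, read from the same edge in the other direction."""
    for e in edges:
        if e.control == control and e.requirement == requirement:
            return e.req_to_ctl
    return Extent.NONE


# Constructed chain data with hypothetical IDs; CAPEC-Y2 has no ATT&CK link.
CWE_TO_CAPEC = {"CWE-X1": {"CAPEC-Y1"}, "CWE-X2": {"CAPEC-Y2"}}
CAPEC_TO_ATTACK = {"CAPEC-Y1": {"T-a"}}
DIRECT_CWE_TO_ATTACK = {"CWE-X1": {"T-a"}, "CWE-X2": {"T-b"}}


def chained_techniques(cwe, cwe_to_capec=CWE_TO_CAPEC, capec_to_attack=CAPEC_TO_ATTACK):
    """Techniques reachable via CWE→CAPEC→ATT&CK; a CAPEC entry with no
    ATT&CK link silently drops the weakness from the result."""
    return {t for c in cwe_to_capec.get(cwe, ()) for t in capec_to_attack.get(c, ())}


def dropped_by_chain(direct=DIRECT_CWE_TO_ATTACK, cwe_to_capec=CWE_TO_CAPEC,
                     capec_to_attack=CAPEC_TO_ATTACK):
    """Weaknesses the direct map covers but the chain returns nothing for."""
    return sorted(cwe for cwe, techs in direct.items()
                  if techs and not chained_techniques(cwe, cwe_to_capec, capec_to_attack))


if __name__ == "__main__":
    ctls = {"CTL-1", "CTL-2", "CTL-3"}
    print("binary:", binary_coverage(ctls, "REQ-A"))
    print("cumulative (best, breadth):", cumulative_coverage(ctls, "REQ-A"))
    print("REQ-A covers CTL-1:", reverse_extent("REQ-A", "CTL-1").name)
    print("dropped by chain:", dropped_by_chain())
```

Two things the model makes visible that the list alone does not: a binary crosswalk returns the same answer for one full edge and for three partial ones, so the 'collectively satisfy' question cannot even be posed against it; and an edge explicitly rated none (CTL-3 above) records an attested non-mapping, which a binary list cannot distinguish from a pair nobody has looked at. The chain functions show why an intermediate hop with no onward link loses a weakness entirely rather than degrading its coverage.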
security-resilience.ai (this site) [cumulative]
LLM-drafted → second-model re-rated → human-adjudicated, with a 30-day resample.
Being fair
- Public sources (NIST, MITRE, OWASP, CIS) are human-expert authored, usually by the framework owner — an authority advantage over any LLM-drafted approach.
- NIST OLIR (IR 8477 set-theory + rationale) and SCF (STRM strength score) use a more formally rigorous relationship model than a four-level extent scale. We claim breadth, directionality, currency, and cumulative coverage — not superior method rigor.
- We are open with attribution; several vendors' mappings are product-locked and not independently verifiable, so we describe them honestly rather than scoring them.
Public & official sources
MITRE CTID — Mappings Explorer [no cumulative]
Best-in-class ATT&CK-centric control coverage with machine-readable output; binary, single-anchor, lags current ATT&CK.
NIST National OLIR [no cumulative]
The most methodologically rigorous public approach (formal set-theory relationships plus rationale, directional); coverage uneven (volunteer-submitted), no percentage extent, no cumulative.
NIST CSF 2.0 Informative References [no cumulative]
Authoritative and current for CSF↔800-53 with clean CPRT exports, but the flagship crosswalk is binary and CSF-anchored.
MITRE CWE / CAPEC chain [no cumulative]
The classic chain is sparse and lossy (~25-34% linkage) and drops most top CWEs. Useful connective tissue, weak as a complete crosswalk.
OWASP (Top 10, ASVS) [no cumulative]
Current and openly versioned, but binary CWE lists, app-sec-scoped, and in flux (ASVS is moving its links toward the maturing CRE hub).
CIS Controls v8.1 [no cumulative]
Broad, current, well-maintained multi-framework coverage; mostly binary, always CIS-anchored.
NIST 800-53 r5 ↔ ISO 27001 crosswalk [no cumulative]
Authoritative and bidirectional in presentation, but binary, table-format, and NIST warns against treating it as equivalence.
Secure Controls Framework (SCF) [no cumulative]
The only public source combining a relationship type and a numeric strength score across many frameworks; limitations are hub-mediated indirection, an undocumented strength scale, and an Excel paywall.
Commercial vendors
Most vendor mappings are inside the paid product and not independently verifiable; we describe their approach honestly rather than scoring locked data.
Vanta [partial]
The only GRC vendor publishing a machine-readable, openly licensed control→requirement mapping; one-way, binary, hub-and-spoke.
Drata / Secureframe / OneTrust / AuditBoard / Thoropass [partial]
Standard common-control crosswalks, functionally similar; mapping content and method are locked in the paid product, with no published extent rating or QA methodology.
Hyperproof [partial]
The most transparent about method in the GRC group, and that method is the lossy shared-topic indirection our directly authored two-way edges improve on.
Sprinto (UCF-based) [partial]
The closest marketed analog to LLM-authored mapping, but binary, product-locked, built on the proprietary UCF, with no published human-QA or extent methodology.
Tenable / Qualys / Rapid7 / Microsoft Defender / Wiz [partial]
Configuration-check-to-standard cross-referencing and ATT&CK tagging, binary and product-locked; not CVE/CWE→control extent-rated mapping. Several of these vendors note openly that coverage is selective.
CrowdStrike [no cumulative]
Best-in-class detection→ATT&CK tagging, but that is detection-to-technique tagging, not framework crosswalking; largely out of scope for compliance cross-mapping.
Survey compiled 2026-06-28 from public documentation; vendor claims are self-reported. Corrections welcome.