Cyber Resilience

How our cross-walks compare

An honest survey of where security-framework cross-walks come from — public/official sources and commercial vendors — and how ours compare. Sourced from public documentation; vendor claims are self-reported and often product-locked (marked as such). We aim to be fair: most public mappings are authored by the framework owners themselves, which is an authority we do not claim.


What sets ours apart

security-resilience.ai (this site) [cumulative]

Pairs: CWE↔ATT&CK, CWE↔CAPEC, CSF 2.0↔800-53 r5, ASVS 5.0↔CWE/800-53, OWASP-Web↔CWE/800-53, 12×DISA STIG→800-53
Direction: two-way (each direction authored independently)
Method: direct (no chaining)
Quality: four-level extent per direction (none/partial/mostly/full)
Current version: current (ATT&CK current, CSF 2.0, 800-53 r5, ASVS 5.0, OWASP Top 10 2025)
Access: open (CSV/JSON), attribution requested
LLM-drafted → second-model re-rated → human-adjudicated, 30-day resample

Being fair

Public & official sources

MITRE CTID — Mappings Explorer [no cumulative]

Pairs: ATT&CK↔800-53; ATT&CK↔cloud controls; ATT&CK→CVE
Direction: one-way (navigable in both directions)
Method: direct
Quality: binary
Current version: ATT&CK v16.1 (not v17+), 800-53 r4/r5
Access: open (Apache-2.0; JSON/STIX/Navigator)
Best-in-class ATT&CK-centric control coverage with machine-readable output; binary, single-anchor, lags current ATT&CK. source ↗

NIST National OLIR [no cumulative]

Pairs: many references → CSF/800-53/etc.; 800-53↔ISO 27001
Direction: one-way (directional by design)
Method: direct
Quality: set-theory relationship + rationale (richer than binary)
Current version: mixed (depends on submitter)
Access: open (Excel)
The most methodologically rigorous public approach (formal set-theory relationship plus rationale, directional); coverage is uneven (volunteer-submitted), extent is not expressed as a percentage, and there is no cumulative view. source ↗

NIST CSF 2.0 Informative References [no cumulative]

Pairs: CSF 2.0↔800-53 r5 (+50 docs)
Direction: one-way per assertion
Method: direct
Quality: binary (flagship xlsx); OLIR versions richer
Current version: current (CSF 2.0, 800-53 r5)
Access: open (Excel/CPRT JSON)
Authoritative and current for CSF↔800-53 with clean CPRT exports, but the flagship crosswalk is binary and CSF-anchored. source ↗

MITRE CWE / CAPEC chain [no cumulative]

Pairs: CWE↔CAPEC, CAPEC↔ATT&CK, CWE→CAPEC→ATT&CK
Direction: two-way links
Method: multi-step / chained for CWE→ATT&CK
Quality: binary
Current version: current CWE/CAPEC; ATT&CK lags CAPEC refresh
Access: open (XML/CSV)
The classic chain is sparse and lossy (~25-34% linkage) and drops most top CWEs. Useful connective tissue, but weak as a complete crosswalk. source ↗

OWASP (Top 10, ASVS) [no cumulative]

Pairs: Top 10:2025↔CWE; ASVS 5.0↔CWE; CRE hub
Direction: one-way
Method: direct (CRE is hub-and-spoke)
Quality: binary (CWE list membership)
Current version: current (Top 10 2025, ASVS 5.0)
Access: open (GitHub/CC)
Current and openly versioned, but binary CWE lists, app-sec-scoped, and in flux (ASVS moving links toward the maturing CRE hub). source ↗

CIS Controls v8.1 [no cumulative]

Pairs: CIS↔CSF 2.0/800-53 r5/800-171/ISO 27001:2022
Direction: one-way (navigable)
Method: direct
Quality: mostly binary (newer CSF maps use OLIR-style typing)
Current version: current
Access: free (registration; Excel/Navigator)
Broad, current, well-maintained multi-framework coverage; mostly binary, always CIS-anchored. source ↗

NIST 800-53 r5 ↔ ISO 27001 crosswalk [no cumulative]

Pairs: 800-53 r5↔ISO 27001:2022
Direction: both directions (separate tables)
Method: direct
Quality: binary ('general indication of coverage')
Current version: current (r5↔27001:2022, 2023)
Access: open (DOCX/PDF)
Authoritative and bidirectional in presentation, but binary, table-format, and NIST warns against treating it as equivalence. source ↗

Secure Controls Framework (SCF) [no cumulative]

Pairs: SCF spine ↔ 100+ frameworks
Direction: one-way (hub-and-spoke)
Method: direct to spine; cross-framework is indirect
Quality: set-theory type + numeric strength (1-10)
Current version: current (2025.x)
Access: free (STRM PDFs; Excel bundle paid)
The only public source combining a relationship type AND a numeric strength score across many frameworks; limitations are hub-mediated indirection, an undocumented strength scale, and an Excel paywall. source ↗

Commercial vendors

Most vendor mappings are inside the paid product and not independently verifiable; we describe their approach honestly rather than scoring locked data.

Vanta [partial]

Scope: GRC
Direction: one-way
Method: hub-and-spoke (control set)
Quality: binary
Current version:
Access: partially open — control set on GitHub (Apache-2.0); cross-framework engine product-only
The only GRC vendor publishing a machine-readable, openly-licensed control→requirement mapping; one-way, binary, hub-and-spoke. source ↗

Drata / Secureframe / OneTrust / AuditBoard / Thoropass [partial]

Scope: GRC (common-control)
Direction: one-way
Method: hub-and-spoke via a common control set (some on SCF)
Quality: binary
Current version:
Access: product-only (not independently verifiable)
Standard common-control crosswalks that are functionally similar to one another; mapping content and method are locked in the paid product, with no published extent rating or QA methodology. source ↗

Hyperproof [partial]

Scope: GRC
Direction: two-way via pivot (inferred)
Method: chained shared-topic pivot (on SCF)
Quality: binary (related/not)
Current version:
Access: product-only (SCF underneath is free)
Most transparent about method in the GRC group — and that method is the lossy shared-topic indirection our directly-authored two-way edges improve on. source ↗

Sprinto (UCF-based) [partial]

Scope: GRC
Direction: one-way
Method: AI auto-mapping on proprietary UCF
Quality: binary
Current version:
Access: product-only; UCF proprietary/paid
The closest marketed analog to LLM-authored mapping, but binary, product-locked, built on proprietary UCF, with no published human-QA or extent methodology. source ↗

Tenable / Qualys / Rapid7 / Microsoft Defender / Wiz [partial]

Scope: Scanner / platform
Direction: one-way
Method: direct check→standard cross-references; finding→ATT&CK tagging
Quality: binary (risk scores are prioritization, not mapping extent)
Current version:
Access: product-only (some .audit content visible to licensees; Microsoft contributes some control→ATT&CK to the open MITRE project)
Configuration-check-to-standard cross-referencing and ATT&CK tagging, binary and product-locked; not CVE/CWE→control extent-rated mapping. Several vendors honestly note coverage is selective. source ↗

CrowdStrike [no cumulative]

Scope: Scanner / platform
Direction: one-way
Method: detection→ATT&CK technique tagging
Quality: binary
Current version:
Access: product-only
Best-in-class detection→ATT&CK tagging, but that is detection-to-technique tagging, not framework crosswalking — largely out of scope for compliance cross-mapping. source ↗

Survey compiled 2026-06-28 from public documentation; vendor claims are self-reported. Corrections welcome.