Vulnerabilities × MITRE ATT&CK
Purpose
This report maps vulnerability aggregates to probable ATT&CK techniques, providing:
rollups by domain and tactic (when available)
top techniques by weighted score
a compact matrix + evidence drilldown
an executive narrative tab
This mapping is derived from vulnerability data (not observations of attacker behavior). See "Limitations" below.
Output
Per scan:
output/<scan_name>/mitre.html (single file with internal tabs)
Optional model artifact (only when metadata export is enabled):
output/<scan_name>/mitre_mapping.json
Model JSON is written when notifications.include_run_metadata: true.
How to generate
miyabi-qualys-ai-triage-pack run --config config/config.yaml
Configuration
Enable/disable:
reports.mitre.enabled: true|false
Domains:
reports.mitre.domains.enabled_domains (default: enterprise, cloud, ics)
Local catalog:
reports.mitre.catalog.catalog_path (default: data/attack_catalog/attack-techniques.json)
reports.mitre.catalog.catalog_version
UI options:
reports.mitre.ui.tabs_enabled
reports.mitre.ui.top_techniques
reports.mitre.ui.max_techniques_per_vuln
reports.mitre.ui.max_vulns_per_technique
reports.mitre.ui.max_rows_render
Optional redaction:
reports.mitre.redaction.enabled
reports.mitre.redaction.fields
Optional LLM mapping (guardrailed / JSON-only):
reports.mitre.llm.enabled
reports.mitre.llm.model
reports.mitre.llm.max_items_for_llm
reports.mitre.llm.strict_json_only
Data sources (Qualys CSV fields)
Primary:
QID, Title, Severity, Category
Supporting signals (best-effort):
Exploitability, Threat, Associated Malware, CVE ID, Results, Impact
Catalog validation (important)
When LLM mapping is enabled, technique IDs must still validate against the local ATT&CK catalog used by the report. This keeps output auditable and prevents arbitrary technique IDs.
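One way to implement the catalog check described above, as an added example that is not the project's own code. The catalog schema (a list of objects with an "id" field), the reply shape (a JSON object mapping QID to a list of technique IDs), the function name and the sample QIDs are all assumptions made for illustration.

```python
import json
import re

# Constructed stand-in for the local catalog. The real file's schema is not
# shown on this page; a list of {"id", "name"} objects is an assumption.
SAMPLE_CATALOG = json.loads("""[
  {"id": "T1190", "name": "Exploit Public-Facing Application"},
  {"id": "T1068", "name": "Exploitation for Privilege Escalation"},
  {"id": "T1059.001", "name": "PowerShell"}
]""")

# ATT&CK technique / sub-technique ID shape, e.g. T1190 or T1059.001
TECHNIQUE_ID = re.compile(r"T\d{4}(?:\.\d{3})?")


def validate_llm_mapping(raw_reply, catalog):
    """Split LLM-proposed technique IDs into (accepted, rejected) per QID.

    Raises ValueError when the reply is not a single JSON object, which is
    what a strict JSON-only guardrail would enforce.
    """
    known = {entry["id"] for entry in catalog}
    try:
        reply = json.loads(raw_reply)
    except json.JSONDecodeError as exc:
        raise ValueError("LLM reply is not valid JSON") from exc
    if not isinstance(reply, dict):
        raise ValueError("LLM reply must be a JSON object keyed by QID")

    accepted, rejected = {}, {}
    for qid, proposed in reply.items():
        accepted[qid], rejected[qid] = [], []
        if not isinstance(proposed, list):
            rejected[qid].append(proposed)  # wrong type: reject wholesale
            continue
        for tid in proposed:
            # Exact match only: no case folding, trimming or prefix matching,
            # so the output can be audited against the catalog file as-is.
            valid = (isinstance(tid, str)
                     and TECHNIQUE_ID.fullmatch(tid) is not None
                     and tid in known)
            if not valid:
                rejected[qid].append(tid)
            elif tid not in accepted[qid]:  # silently drop duplicates
                accepted[qid].append(tid)
    return accepted, rejected
```

Keeping the rejected IDs alongside the accepted ones gives a record of what the model proposed and why it was not rendered.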
Limitations
This is a behavior mapping from vulnerability data, not an observation of attacker behavior.
Domain/tactic coverage depends on what is present in the local catalog subset.