Burp Suite

Intruder

Burp Suite Intruder – Attack Type Methodology & Decision Framework

Summary

1. Objective

This document defines a methodology for selecting and executing Intruder attack types during authorized web application security assessments.

2. Pre-Execution Controls & Safeguards

Before selecting an attack type:

Estimate request count.
Confirm brute-force authorization.
Assess rate limiting.
Monitor for account lockout.
Log evidence properly.
Configure appropriate request throttling settings.

3. Attack Escalation Strategy

Methodology recommends escalation:

Begin with Sniper to identify response behavior.
Use Battering Ram when duplication logic is suspected.
Apply Pitchfork for known credential pairs.
Escalate to Cluster Bomb only when justified and authorized, as this mode may significantly increase request volume.

4. Attack Selection Decision Tree

                        ┌────────────────────────────┐
                        │  What are you testing?     │
                        └──────────────┬─────────────┘
                                       │
                    ┌──────────────────┴──────────────────┐
                    │                                     │
        ┌───────────▼───────────┐             ┌──────────▼──────────┐
        │ Single parameter only?│             │ Multiple parameters? │
        └───────────┬───────────┘             └──────────┬──────────┘
                    │ Yes                                  │ Yes
                    ▼                                      ▼
           ┌───────────────────┐              ┌────────────────────────────┐
           │ Use SNIPER        │              │ Do parameters need         │
           │                   │              │ identical values?          │
           └───────────────────┘              └──────────────┬─────────────┘
                                                             │
                                            ┌────────────────┴───────────────┐
                                            │                                │
                                           Yes                               No
                                            │                                │
                                            ▼                                ▼
                                ┌────────────────────┐        ┌────────────────────────────┐
                                │ Use BATTERING RAM  │        │ Are values correlated?     │
                                │ (same payload      │        │ (e.g., known pairs)        │
                                │ everywhere)        │        └──────────────┬─────────────┘
                                └────────────────────┘                       │
                                                                      ┌───────┴────────┐
                                                                      │                │
                                                                     Yes               No
                                                                      │                │
                                                                      ▼                ▼
                                                         ┌──────────────────┐   ┌─────────────────────┐
                                                         │ Use PITCHFORK    │   │ Use CLUSTER BOMB    │
                                                         │ (parallel lists) │   │ (all combinations)  │
                                                         └──────────────────┘   └─────────────────────┘

5. Attack Type Definitions & Execution Models

5.1 Sniper Attack

Purpose

Tests a single injection position sequentially using one payload set.

Target Example

username=§user§&password=pass

Payload Set (Single List)

payload1
payload2
payload3
payload4
payload5
payload6

Execution Model

Request	Payload	Sent Request
1	payload1	username=payload1&password=pass
2	payload2	username=payload2&password=pass
3	payload3	username=payload3&password=pass
4	payload4	username=payload4&password=pass
5	payload5	username=payload5&password=pass
6	payload6	username=payload6&password=pass

Use Cases

Testing single parameter behavior
Username enumeration
Initial response pattern analysis

5.2 Battering Ram Attack

Purpose

Injects the same payload into multiple positions simultaneously.

Target Example

username=§user§&password=§password§

Payload Set (Single List)

payload1
payload2
payload3
payload4
payload5
payload6

Execution Model

Request	Payload	Sent Request
1	payload1	username=payload1&password=payload1
2	payload2	username=payload2&password=payload2
3	payload3	username=payload3&password=payload3
4	payload4	username=payload4&password=payload4
5	payload5	username=payload5&password=payload5
6	payload6	username=payload6&password=payload6

Use Cases

Testing identical credentials
Scenarios where parameters are expected to match

5.3 Pitchfork Attack

Purpose

Iterates through multiple payload sets in parallel (index-based).

Target Example

username=§user§&password=§password§

Payload Sets

Set 1

set1_item1
set1_item2
set1_item3

Set 2

set2_item1
set2_item2
set2_item3

Execution Model

Request	1st payload	2nd payload	Sent Request
1	set1_item1	set2_item1	username=set1_item1&password=set2_item1
2	set1_item2	set2_item2	username=set1_item2&password=set2_item2
3	set1_item3	set2_item3	username=set1_item3&password=set2_item3

Use Cases

Testing known username/password pairs
Validating parameter dependencies

5.4 Cluster Bomb Attack

Purpose

Tests all possible combinations across multiple payload sets (cartesian product).

Target Example

username=§user§&password=§password§

Payload Sets

Set 1

set1_item1
set1_item2
set1_item3

Set 2

set2_item1
set2_item2
set2_item3

Execution Model (Example)

Request	1st payload	2nd payload	Sent Request
1	set1_item1	set2_item1	username=set1_item1&password=set2_item1
2	set1_item1	set2_item2	username=set1_item1&password=set2_item2
3	set1_item1	set2_item3	username=set1_item1&password=set2_item3
4	set1_item2	set2_item1	username=set1_item2&password=set2_item1
5	set1_item2	set2_item2	username=set1_item2&password=set2_item2
6	set1_item2	set2_item3	username=set1_item2&password=set2_item3

Use Cases

Assessment of authentication control robustness

Active Directory

Network

OSI Model

Definition

The OSI Model describes Internet using 7 layers:

Model

N°	Layer	Description
7	Application	High-level protocols used at the application level for data exchange (e.g., HTTP)
6	Presentation	Data representation and interface between applications and network endpoints.
5	Session	Management of communication sessions
4	Tansport	Transmission reliability, including segmentation and acknowledgement
3	Network	Addressing and routing of data across networks
2	Data	Node-to-node data transfer and framing
1	Physical	Physical transmission of raw bits and encoding of data on the medium.

Protocols

7. Application

HTTP - HTTPS - FTP - SMTP - Git - GraphQL - REST - SMB - DNS - CSRF Tokens - HTTP Headers - DNS - LDAP / LDAPS - Kerberos - SNMP - SMTP / IMAP / POP3 - RDP - SSH - NFS

6. Presentation

SSL/TLS - MIME - XML - JSON - MIME - base64 - gzip - ASN.1 - X.509 - JWT

5. Session

Sockets - WebSocket - OAuth2.0 - SAML - Session Cookies

Protocols

HTTP - HyperText Transfer Protocol

Related pages

Related RFCs

Summary

Definition

HyperText Transfer Protocol (HTTP)
Application layer protocol that specifies how to transmit data over the Internet. HTTP is a request-response model using a client-server architecture

Key characteristics

Stateless protocol
Supports multiple versions: HTTP/1.1, HTTP/2, HTTP/3 (see below)

HTTP versions HTTP/1.1 : pipelining (asynchronous requests) HTTP/2 : multiplexing and header compression (HPACK) HTTP/3 : QUIC support (UDP-based)

Note

All example provided in this page can be found it the associated pcap file:
This capture was generate using this Python script leveraging the scapy library.

Requests

A request is sent by a client to a server.
The start line includes a method name, a request URI and the protocol version with a single space between each field. The following request start line specifies method GET, URI /page and protocol version HTTP/1.1:

GET /page HTTP/1.1

Requests can pass additional information using Request header fields.

Example request

Below is an example request to example.com.

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/1.0
Accept: text/html
Connection: keep-alive

Note: There are two blank lines at the end of the request, marking the end of the request.
The subsequent response can be found in the response section.

Requests methods

Method	RFC	Safe	Cacheable
GET	RFC 9110	Yes	Yes
POST	RFC 9110	No	Yes
PUT	RFC 9110	No	No
HEAD	RFC 9110	Yes	Yes
DELETE	RFC 9110	No	No
CONNECT	RFC 9110	No	No
OPTIONS	RFC 9110	Yes	No
TRACE	RFC 9110	Yes	No
PATCH	RFC 5789	No	No
Notes:

A request is said safe if it does not modify server state.
A request is cacheable if its response may be stored by the server for future reuse.

Status codes

Class	Description
1XX	Informational - Request received and continuing
2XX	Successful - Request accepted and processed
3XX	Redirection - Further action required
4XX	Client Error - Request contains error
5XX	Server Error - Server failed to process request

Responses

Definition

A response is sent by the server to the client.

The start line contains:

Protocol version
Status code
Reason phrase (optional)

Example start line:

HTTP/1.1 200 OK

Responses may include additional response header fields

Example Response

Below is the response from the request from previous section

HTTP/1.1 200 OK
Date: Sat, 01 Jan 1970 00:00:00 GMT

Content-Type: text/html
Content-Length: 48
Connection: keep-alive

<html>
<head><title>Example</title></head>
<body>Test Page</body>
</html>

Security considerations

HTTP is generally secured through TLS, resulting in HTTPS. Other security considerations are to be bear in mind:

Never trust user input
Methods Enforcement - Restrict or disable unsafe methods (cf. request methods)
Security Headers - Implement headers such as Strict-Transport Security (enforces HTTPS-only), X-Frame-Options, Content-Security-Policy (enforces CSP) and X-Content-Type-Options (also see the [dedicated headers page])
Response Header Validation - Ensure headers do not leak sensitive informations (e.g., server software and version)
IP and Header Spoofing Mitigation - Validate incoming headers (cf. furnished OWASP article)

HTTP request header fields

HTTP response header fields

DNS - Domain Name System

Related pages

Related RFCs

Definition

Domain Name System (DNS)
Enables the translation from a human-readable domain name to a machine-readable IP address

Example
google.com -> 142.251.167.100

Command
nslookup (e.g., $ nslookup google.com)

Algorithm

Operates using a recursive, hierarchical lookup, sequentially querying each domain level until the authoritative record is retrieved.

From Wikipedia

In given example

The user attempts to access fr.wikipedia.org, triggering a DNS resolution request.
The DNS resolver queries the root NS, or root name server (here a.root-servers.net) to identify .org top-level domain authority.
root NS (a.root-servers.net) replies specifying the authoritative server for .org domain names (here a0.org.afilias-nst.info).
The resolver queries said server (a0.org.afilias-nst.info) for fr.wikipedia.org.
a0.org.afilias-nst.info answers ns0.wikimedia.org is in charge of wikipedia.org domain.
The resolver queries ns0.wikimedia.org for fr.wikipedia.org's IP address.
ns0.wikimedia.org returns 91.198.174.232.
The resolver delivers the IP address to the end user.

Note : In the referenced diagram, the DNS resolver is labeled Serveur DNS récursif

Structure

The DNS architecture is based on a distributed, tree-like model, structured around root servers, top-level domains, and authoritative name servers.

DNS Schema

From Wikipedia

DNS Record Types Table

Introduction

This page provides an overview of the different DNS record types, their operational usage, and their compliance with official standards. Links to the relevant RFC pages are available at the bottom of this document.

Address Resolution (Web / Network)

Type	Primary Function	RFC / Status
A	Name → IPv4	RFC 1035¹
AAAA	Name → IPv6	RFC 3596²
CNAME	Alias to canonical name	RFC 1035¹
DNAME	Alias for subtrees	RFC 6672³
HTTPS / SVCB	Modern HTTP service discovery	RFC 9460 / vendor-specific⁴

Notes

CNAME / DNAME: Provide aliasing flexibility; a CNAME cannot coexist with other record types on the same name.
HTTPS / SVCB: Recently standardized, replacing certain CNAME-based practices for HTTPS.

Mail Services and TLS Governance

Type	Usage	RFC / Status
MX	Email routing	RFC 1035¹
TXT	SPF, DKIM, DMARC via TXT records	RFC 1035¹ + RFC dédiées
CAA	Authorized certification authorities	RFC 8659⁵

DNSSEC – Integrity and Validation

Type	Role	RFC / Status
DNSKEY	DNSSEC public key	RFC 4034⁶
RRSIG	RRset signature	RFC 4034⁶
DS	Parent → child DNSSEC linkage	RFC 4034⁶
NSEC / NSEC3	Proof of non-existence	RFC 4034 / 5155⁶⁷
TLSA	DNS-based TLS authentication (DANE)	RFC 6698⁸

Services and Applications (VoIP, SIP, Service Discovery)

Type	Usage	RFC / Status
SRV	Service location + port (VoIP, SIP, XMPP)	RFC 2782⁹
NAPTR	URI rewriting and mapping (ENUM, SIP)	RFC 3403¹⁰
SSHFP	SSH server key fingerprints	RFC 4255¹¹
LOC	Geographic coordinates	RFC 1876¹²
URI	URI resource mapping	RFC 7553¹³
SMIMEA	S/MIME certificate via DNS	RFC 8162¹⁴

Zone Administration and Infrastructure

Type	Usage	RFC / Status
SOA	Zone metadata (admin, timers)	RFC 1035¹
NS	Authoritative name servers	RFC 1035¹
PTR	Reverse DNS (IP → name)	RFC 1035¹

Rare Types

Type	Usage	RFC
AFSDB	AFS Database	RFC 1183¹⁵
CERT	Generic certificate	RFC 4398¹⁶
RP	Responsible Person	RFC 1183¹⁵
APL	Address Prefix List	RFC 3123¹⁷
HINFO	Host information	RFC 1035¹

Non-standard / Proprietary

Type	Usage
ANAME / ALIAS	Apex-level aliasing, provider-resolved (non-RFC)
SVCB / HTTPS	Modern service bindings, progressive adoption

Summary Table

The table below aggregates all DNS record types detailed in the previous sections, indicating their primary usage, DNS standard compliance, and corresponding RFC references.

Type	Primary Usage	Standard	RFC / Status
A	Name → IPv4	Yes	RFC 1035¹
AAAA	Name → IPv6	Yes	RFC 3596²
CNAME	Alias to canonical name	Yes	RFC 1035¹
MX	Mail routing	Yes	RFC 1035¹
TXT	Arbitrary data (SPF, DKIM, DMARC…)	Yes	RFC 1035¹
NS	Authoritative DNS servers	Yes	RFC 1035¹
SOA	Zone metadata	Yes	RFC 1035¹
PTR	Reverse DNS	Yes	RFC 1035¹
SRV	Service + port	Yes	RFC 2782⁹
CAA	Authorized certification authorities	Yes	RFC 8659⁵
DS	DNSSEC chaining (parent → child)	Yes	RFC 4034⁶
DNSKEY	DNSSEC public keys	Yes	RFC 4034⁶
RRSIG	DNSSEC signature	Yes	RFC 4034⁶
NSEC / NSEC3	DNSSEC proof of non-existence	Yes	RFC 4034 / 5155⁶⁷
TLSA	DANE (TLS via DNSSEC)	Yes	RFC 6698⁸
NAPTR	Rewriting + service discovery	Yes	RFC 3403¹⁰
LOC	Geographic coordinates	Yes	RFC 1876¹²
SSHFP	SSH key fingerprints	Yes	RFC 4255¹¹
HTTPS / SVCB	Modern HTTPS service discovery	Yes	RFC 9460 / vendor-specific⁴
ANAME	Apex alias	No	Vendor-specific
ALIAS	Apex alias	No	Vendor-specific

RFC Datatracker Links

RFC 1035 – Domain Names – Implementation and Specification

RFC 3596 – DNS Extensions to Support IPv6

RFC 6672 – DNAME Redirection in the DNS

⁴

RFC 9460 – Service Binding (SVCB) and HTTPS RR

⁵

RFC 8659 – Certification Authority Authorization (CAA)

⁶

RFC 4034 – Resource Records for the DNS Security Extensions

⁷

RFC 5155 – DNSSEC NSEC3

⁸

RFC 6698 – The DNS-Based Authentication of Named Entities (DANE) Protocol

⁹

RFC 2782 – A DNS RR for Specifying the Location of Services

¹⁰

RFC 3403 – Naming Authority Pointer (NAPTR) RR

¹¹

RFC 4255 – Using DNS to Securely Publish SSH Key Fingerprints

¹²

RFC 1876 – DNS Encoding of Geographic Locations

¹³

RFC 7553 – The URI DNS Resource Record

¹⁴

RFC 8162 – S/MIME Certificate Distribution via DNS

¹⁵

RFC 1183 – AFSDB / Responsible Person (RP)

¹⁶

RFC 4398 – CERT RR – Certification Authority RR

¹⁷

RFC 3123 – Address Prefix List (APL)

ARP - Address Resolution Protocol

Related pages

Related RFCs

Definition

Address Resolution Protocol (ARP)
Enables the mapping from a IPv4 address to a link-layer (MAC) address within the same local network segment

Workflow

Blueprint

ARP Request: A host broadcasts a request: "Who has IP X.X.X.X?"
ARP Reply: The host with X.X.X.X IP responds with its MAC address.
Resolution: The requesting host updates its ARP cache and uses given IPv4 address.

Showcase

A PCAP file demonstrating a ARP request and response is provided below.

This capture was generate using this Python script leveraging the scapy library.

ARP Cache

Hosts store resolved IP -> MAC records mappings in a local ARP cache to reduce repeated broadcast traffic.
Entries have a time-to-live (TTL)
Proper cache management is critical; cf the ARP Spoofing and ARP flooding section

Proxy ARP

Routers may respond to ARP request on behalf of remote hosts in different subnets
Useful for legacy networks

Common attacks

ARP Spoofing

An attacker responds to an ARP request that was not meant for him, thus impersonating the original person

ARP Flooding

The attacker floods the network with ARP answers; after that, every request goes to the attacker

Security mitigations

Static ARP entries: Configure critical hosts to prevent spoofing
Dynamic ARP inspection (DAI): Enforce ARP validation on managed switches
Segmentation and VLANs: Limit broadcasts to reduce attack surface
Disable ARP gleaning

References and recommended readings

TLS/SSL

Related pages

Related RFCs

Summary

Definition

Transport Layer Security (TLS)
Cryptographic protocol providing confidentiality, integrity and authentication for communications over a computer network.
TLS is the successor of the now depreciated Secure Socket Layer (SSL); while the terms are commonly used indistinctly, TLS is the protocol currently standardized and deployed

Key characteristics

Relies on a three-way handshake
Session-oriented protocol
Provides end-to-end encryption and peer authentication
Multiple protocol versions: SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3

Protocol versions

Deprecated and insecure versions

SSL 1.0 - Never released
SSL 2.0 - Cryptographically broken
SSL 3.0 - Vulnerable to POODLE attacks
TLS 1.0 - defined in RFC 2246 - Deprecated due to weak cryptographic primitives
TLS 1.1 - defined in RFC 4346 - Deprecated and no longer recommended

Note : All versions listed above are deprecated and should not be used

Supported and secure versions

TLS 1.2 - defined in RFC 5246 - updated in RFC 8446
- Uses SHA-256 (instead of MD5 and SHA-1 combination)
- Added AES-GCM and AES-CCM
- Still widely deployed and used
- Authentication is embedded in cipher suite, thus the certificate is tightly coupled to it
TLS 1.3 - defined in RFC 8446
- Removes insecure algorithms and features
- Reduces handshake latency
- Authentication and key exchange are decoupled from cipher suites (negotiated via signature_algorithm), increasing flexibility, configuration and auditing

Note

To explore TLS interactively, check out the TLS section of the Crypto on the web page from cryptohack.org:

Handshake

TLS relies on a handshake, performed between the client and the server at connection initialization.
Make sure to read the given documentation about TLS handshake risks.
Below is a handshake overview.

TLS 1.2 handshake

Client Hello
- Supported TLS versions, supported cipher suites, supported compression methods, Client nonce, extensions.
Server Hello
- Selected TLS version, selected cipher suite, server nonce.
Certificate
- Server X.509 certificate chain, public key.
ServerKeyExchange (if applicable)
- Key exhange parameters, digital signature.
ClientKeyExchange
- Pre-master secret (RSA) or client key share (ECDHE)
ChangeCipherSpec / Finished
- Confirmation of negotiated parameters, handshake integrity verification.

TLS 1.3 handshake

Client Hello
- Supported TLS versions, supported cipher suites, supported signature algorithms, key shares (ECDHE), extensions.
Server Hello
- Selected TLS version, selected cipher suite, selected key share.
Ecnrypted Extensions
- Negotiated extensions.
Certificate
- Server certificate chain, authentication context.
CertificateVerify
- Server proof of private key ownership
Finished
- Handshake transcript verification, keys activated.

Certificates

TLS relies on X.509 certificates to authenticate servers within a public key infrastructure (PKI). Certificates are typically issued by a trusted Certificate Authority (CA).

Key considerations

Verify that certificates are valid, unexpired, and issued by a trusted CA.
Confirm key strength (e.g., RSA > 2048 bits).
Check that signature algorithms are not deprecated.
Ensure the certificate chain is complete and correctly configured.
Confirm hostname matching.

Common attacks

Renegociation Exploiting unsafe TLS renegociation sequences Downgrade attacks Forcing a connection to use older/weaker TLS or SSL versions Cross-protocols attacks Leveraging compatibility with SSL/TLS in other services Time attacks Cipher-specific attacks BEAST Exploits TLS 1.0 CBC mode CRIME Targets TLS compression POODLE Exploit SSL 3.0 padding issued RC4 Weak stream cipher in legacy TLS. Truncation and plaintext attack Forcing premature session closure or exposing data. Heartbleed Exploits vulnerable OpenSSL heartbeat implementations TLS interception / MiTM Unauthorized inteception of traffic, usually via rogue certificates

References & recommended readings

Policies & Framework References

This section consolidates curated notes on Governance, Risk, and Compliance (GRC), as well as leading associated frameworks, including ISO 27001 and NIST CSF 2.0.

Disclaimer: All linked materials are provided for educational and professional reference purposes. Their use in operational contexts must adhere to organizational policies and authorized procedures. These documents represent internal notes; some interpretations or summaries may not fully reflect official guidance. Users are advised to consult primary sources and exercise professional judgment.

Governance, Risk & Compliance (GRC)

GRC Overview – Notes on Governance, Risk Management, and Compliance.

ISO27001

ISO 27001 — Testing Types – Overview of penetration testing types: external, internal, blind, double-blind, and targeted approaches.

NIST CSF 2.0

NIST CSF 2.0 — Governance Functions – Description of the six CSF functions: Govern, Identify, Protect, Detect, Respond, Recover, with outcomes.
NIST CSF 2.0 — Tiers & Evaluation – Explanation of implementation maturity tiers and evaluation criteria.

GRC Overview

ISO 27001 Framework Notes

This section consolidates internal notes and resources related to ISO 27001.

Disclaimer: All linked materials are intended for educational and professional reference purposes. These notes represent internal summaries; some interpretations may not fully reflect official guidance. Users should consult official ISO 27001 documentation and exercise professional judgment.

Testing & Assessments

ISO 27001 — Testing Types – Overview of penetration testing types: external, internal, blind, double-blind, and targeted.

ISO 27001 – Testing Types

This section outlines the main types of security tests recommended under an ISO 27001 ISMS, with objectives and alternative names.

External Testing

Compromises access from outside the system.
Target: Everything visible from the Internet.

Also called: Black-box testing, External Network Assessment

Internal Testing

Assesses what an attacker can compromise once inside the network.
Target: Insider threat—employees, contractors.

Also called: Internal Network Assessment, Grey-box testing (partially)

Conducted without any prior knowledge of the system.
Target: Understand what a hacker could do with no internal information.

Also called: Single-Blind Testing

Neither the pentester nor the security team knows the test is occurring.
Target: Evaluate both what a hacker could achieve and how quickly the team detects them.

Also called: Double-Blind Penetration Test

Targeted Testing

The tester and security team work together, focusing on specific areas.
Target: Evaluate defenses with full collaboration for selected components.

Also called: Knowledge-Based Testing, Collaborative Testing

Tests human and physical security controls via phishing, vishing, or on-site exercises.
Target: Assess human vulnerabilities and policy adherence.

Also called: Phishing Assessment, Human Factor Testing, Physical Security Testing

Red Teaming

Simulates a realistic, multi-vector attack combining external, internal, social engineering, and physical methods over time.
Target: Measure the organization’s overall detection and response capabilities.

Also called: Full-Scope Adversary Simulation, Adversarial Emulation

Configuration / Compliance Testing

Checks system configurations and adherence to ISO 27001 policies.
Target: Ensure technical and procedural compliance.

Also called: Audit Testing, Technical Compliance Assessment

NIST CSF 2.0 Framework References

This section consolidates internal notes and resources related to NIST Cybersecurity Framework (CSF) 2.0.

Disclaimer: All linked materials are intended for educational and professional reference purposes. These notes represent internal summaries; some interpretations may not fully reflect official guidance. Users should consult official NIST CSF documentation and exercise professional judgment.

Governance & Core Functions

NIST CSF 2.0 — Governance Functions – Detailed description of the six CSF functions: Govern, Identify, Protect, Detect, Respond, Recover, with outcomes.

Implementation & Maturity

NIST CSF 2.0 — Tiers & Evaluation – Explanation of maturity tiers, evaluation factors, and assessments.

NIST CSF 2.0 — Governance Functions

This document focuses on the functional components of the NIST Cybersecurity Framework (CSF) 2.0 and their role in cybersecurity governance and operations.

Govern

Core governance function

Establish and maintain cybersecurity policies
Align cybersecurity objectives with organizational mission and strategy
Define roles, responsibilities, and accountability
Support strategic planning and decision-making
Oversee cybersecurity risk management and risk ownership at the executive level

Outcome: Governance structures, oversight mechanisms, and cybersecurity leadership alignment.

Identify

Understand cybersecurity risks to the organization
Identify and classify assets, systems, and business processes
Perform risk-based assessments aligned with risk appetite
Improve policies, procedures, and prioritization mechanisms
Identify and assess third-party and supply chain cybersecurity risks

Outcome: Asset inventory and risk-informed security strategy.

Protect

Implement safeguards to mitigate identified risks
Enforce security policies through technical and organizational controls
Protect organizational assets, systems, and data
Apply preventive security controls, including:
- Identity and Access Management (IAM / PAM)
- Security awareness and training
- Data protection mechanisms
- System and application hardening

Outcome: Effective implementation of preventive security measures.