
SAO — Security Audit Orchestrator

Challenge

Security teams struggle with fragmented tooling: separate tools for asset inventory, vulnerability scanning, attack path analysis, and detection engineering. Infrastructure state is scattered across Terraform backends, cloud APIs, and on-premises systems, and judging whether an attack path is actually feasible still requires manual expert analysis.

Build a unified security audit platform that:

  • Extracts infrastructure state from multiple clouds
  • Generates comprehensive SBOMs
  • Builds attack trees mapped to MITRE ATT&CK
  • Identifies detection coverage gaps
  • Provides AI-powered risk assessment

Solution Architecture

Overview

┌──────────────────────────────────────────────────────────────────────┐
│                     Security Audit Orchestrator                      │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│   ┌──────────────┐    ┌──────────────┐    ┌──────────────┐           │
│   │  Extractors  │    │   Parsers    │    │   Analyzers  │           │
│   │  - Terraform │    │  - Cloud API │    │  - Attack    │           │
│   │  - Docker    │    │  - SBOM      │    │  - Detection │           │
│   │  - Git       │    │  - IAM       │    │  - Risk      │           │
│   │  - OS Pkgs   │    │  - Network   │    │  - AI/LLM    │           │
│   └──────┬───────┘    └──────┬───────┘    └──────┬───────┘           │
│          │                   │                   │                   │
│          └───────────────────┼───────────────────┘                   │
│                              ▼                                       │
│                    ┌──────────────────┐                              │
│                    │   Audit Engine   │                              │
│                    │   NIST CSF 2.0   │                              │
│                    │   MITRE ATT&CK   │                              │
│                    └────────┬─────────┘                              │
│                             ▼                                        │
│          ┌──────────────────────────────────────┐                    │
│          │           Output Formats             │                    │
│          │  SARIF · CycloneDX · JSON · Markdown │                    │
│          └──────────────────────────────────────┘                    │
└──────────────────────────────────────────────────────────────────────┘
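The Analyzers → Audit Engine step, reduced to something runnable. This is an added example and not SAO's code: the attack tree and the detection rules (and what each rule claims to cover) are constructed for the illustration; only the MITRE ATT&CK technique IDs are real. It enumerates every root-to-leaf attack path, scores each path by how many of its steps any rule would see, and reports the paths that no rule covers at all, which is what "detection coverage gap" means in practice.

```python
"""Attack tree -> ATT&CK techniques -> detection coverage gaps.

Added example, not part of SAO. The tree and rule set are constructed;
the technique IDs are real MITRE ATT&CK identifiers.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional


@dataclass
class Node:
    name: str
    technique: Optional[str] = None  # ATT&CK ID for the step this node represents, if any
    gate: str = "OR"                 # OR: any child path reaches this node; AND: all children needed
    children: List["Node"] = field(default_factory=list)


def attack_paths(node: Node) -> List[List[str]]:
    """Enumerate root-to-leaf paths as ordered lists of technique IDs.

    OR nodes fan out into one path per child path; AND nodes concatenate one
    path from each child (every combination). A node without a technique adds
    nothing to the list but still structures the tree (e.g. a precondition)."""
    own = [node.technique] if node.technique else []
    if not node.children:
        return [own]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [own + p for paths in child_paths for p in paths]
    return [own + [t for p in combo for t in p] for combo in product(*child_paths)]


def coverage_report(tree: Node, rules: dict) -> dict:
    """rules maps detection-rule name -> set of technique IDs it claims to detect."""
    covered = set().union(*rules.values()) if rules else set()
    paths = attack_paths(tree)
    per_path = [{"path": p, "detected_steps": [t for t in p if t in covered]} for p in paths]
    techniques = {t for p in paths for t in p}
    return {
        # weakest-covered paths first: these are the attacker's quietest routes
        "paths": sorted(per_path, key=lambda r: len(r["detected_steps"])),
        "undetected_paths": [r["path"] for r in per_path if not r["detected_steps"]],
        "uncovered_techniques": sorted(techniques - covered),
    }


# Constructed attack tree: the goal is reading customer records from object storage.
TREE = Node("Read customer records from object storage", "T1530", children=[
    Node("Bucket ACL is public (no prior access needed)"),
    Node("Use stolen IAM credentials", "T1078.004", children=[
        Node("Credentials committed to a git repository", "T1552.001"),
        Node("SSRF to the instance metadata service", gate="AND", children=[
            Node("Exploit public-facing application", "T1190"),
            Node("Read credentials from the metadata API", "T1552.005"),
        ]),
    ]),
])

# Constructed detection rules and the techniques each one claims to cover.
RULES = {
    "cloudtrail-access-key-used-from-new-ip": {"T1078.004"},
    "waf-ssrf-signature": {"T1190"},
}

if __name__ == "__main__":
    report = coverage_report(TREE, RULES)
    for r in report["paths"]:
        print(f'{len(r["detected_steps"])}/{len(r["path"])} steps detected: {" -> ".join(r["path"])}')
    print("undetected paths:", report["undetected_paths"])
    print("techniques no rule covers:", report["uncovered_techniques"])
```

On this input the public-bucket path is the one no rule sees, and T1530 itself is uncovered on every path, so the gap to close first is object-storage read telemetry rather than another credential-theft rule. Note that "covered" here means a rule claims the technique in its metadata; whether it actually fires on the environment's telemetry is a separate question that needs test data replayed through the SIEM.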

NIST CSF 2.0 Alignment

Function        Coverage                Key Capabilities
GOVERN (GV)     Strategic               Risk metrics, compliance mapping
IDENTIFY (ID)   Asset management        SBOM, dependency analysis, threat catalog
PROTECT (PR)    Preventive              IAM analysis, encryption audit, network segmentation
DETECT (DE)     Detection engineering   Rule coverage, gap analysis, SIEM correlation
RESPOND (RS)    Incident response       Attack paths, remediation plans
RECOVER (RC)    Business continuity     Impact analysis, recovery priorities

Key Features

1. Multi-Cloud Support

# AWS infrastructure audit
sao run --cloud aws --terraform-state s3://bucket/prod.tfstate

# Yandex Cloud audit
sao run --cloud yandex --terraform-state s3://bucket/yc-prod.tfstate

# On-premise (local state)
sao run --cloud onprem --terraform-state ./terraform.tfstate
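What the Terraform extractor and the SARIF output involve under the hood, as an added example that is not SAO's code. It assumes the state is a v4 JSON document (the layout `terraform state pull` returns from any backend, local or s3://), that the resource types are the AWS provider's, and that the state and the rule IDs are constructed for this illustration; the ATT&CK technique IDs attached to the rules are real. The script walks the managed resources, runs two checks, and writes the findings as a SARIF 2.1.0 log.

```python
"""Terraform state -> resource checks -> SARIF 2.1.0.

Added example, not part of SAO. Reads a Terraform state document (v4 JSON,
what `terraform state pull` returns from any backend), walks the managed
resources, applies two checks against AWS resource attributes and writes the
findings as SARIF. Rule IDs and the state below are constructed; the ATT&CK
technique IDs are real.
"""
import json

# Constructed terraform.tfstate (v4). A real run would fetch this from the
# backend named on the command line, e.g. via `terraform state pull`.
TFSTATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [
        {"mode": "managed", "type": "aws_security_group", "name": "bastion",
         "instances": [{"attributes": {"id": "sg-0a1b2c", "ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}]},
        {"mode": "managed", "type": "aws_security_group", "name": "db",
         "instances": [{"attributes": {"id": "sg-0d4e5f", "ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}]},
        {"mode": "managed", "type": "aws_s3_bucket_acl", "name": "exports",
         "instances": [{"attributes": {"bucket": "acme-exports", "acl": "public-read"}}]},
        {"mode": "data", "type": "aws_caller_identity", "name": "current",
         "instances": [{"attributes": {"account_id": "123456789012"}}]},
    ],
})

# Check catalogue. IDs are invented for this example; techniques are MITRE ATT&CK.
RULES = {
    "sg-ssh-from-anywhere": {"text": "Security group admits SSH (22/tcp) from any address",
                             "level": "error", "technique": "T1133"},   # External Remote Services
    "s3-acl-public-read": {"text": "S3 bucket ACL grants public read",
                           "level": "error", "technique": "T1530"},     # Data from Cloud Storage
}


def managed_resources(state):
    """Yield (address, type, attributes) for each managed resource instance.

    Data sources (mode == "data") are reads the config performed, not deployed
    assets, so they are skipped."""
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue
        for inst in res.get("instances", []):
            yield f'{res["type"]}.{res["name"]}', res["type"], inst.get("attributes") or {}


def check(address, rtype, attrs):
    """Return [(rule_id, address), ...] for the checks this resource violates."""
    hits = []
    if rtype == "aws_security_group":
        for rule in attrs.get("ingress") or []:
            anywhere = "0.0.0.0/0" in (rule.get("cidr_blocks") or []) \
                or "::/0" in (rule.get("ipv6_cidr_blocks") or [])
            # protocol "-1" is "all traffic"; AWS stores it with from_port = to_port = 0,
            # so a plain port-range test would miss it.
            covers_ssh = rule.get("protocol") == "-1" or \
                rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
            if anywhere and covers_ssh:
                hits.append(("sg-ssh-from-anywhere", address))
    elif rtype == "aws_s3_bucket_acl" and attrs.get("acl") in ("public-read", "public-read-write"):
        hits.append(("s3-acl-public-read", address))
    return hits


def audit(state_json):
    """Parse a state document, run the catalogue, return a SARIF 2.1.0 log (dict)."""
    state = json.loads(state_json)
    findings = [hit for addr, rtype, attrs in managed_resources(state)
                for hit in check(addr, rtype, attrs)]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "tfstate-audit-example",
                "rules": [{"id": rid, "shortDescription": {"text": r["text"]},
                           "properties": {"attack_technique": r["technique"]}}
                          for rid, r in RULES.items()],
            }},
            "results": [{
                "ruleId": rid,
                "level": RULES[rid]["level"],
                "message": {"text": f'{RULES[rid]["text"]}: {addr}'},
                # Terraform addresses are logical, not file positions, so use logicalLocations.
                "locations": [{"logicalLocations": [{"fullyQualifiedName": addr, "kind": "resource"}]}],
            } for rid, addr in findings],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(audit(TFSTATE), indent=2))
```

Two practical points. Terraform state stores every attribute in plaintext, database passwords and API keys included, so the identity the extractor uses against the backend should be read-only and the pulled document handled as sensitive material. And SARIF's `properties` bag is free-form, which is where a mapping such as the ATT&CK technique goes without breaking consumers that only understand the core schema.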

2. SBOM Extraction

# Docker image SBOM
sao extract sbom --type docker --target nginx:1.25-alpine

# Git repository dependencies
sao extract sbom --type git --target ./my-app

# OS packages
sao extract sbom --type os --target ubuntu:22.04

# CI/CD build artifacts
sao extract sbom --type build --target ./build-manifest.json

Output formats: CycloneDX, SPDX, JSON.
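What the `--type git` case comes down to for a Python repository, as an added example that is not SAO's code: a parser for the exact pins in a requirements file feeding a CycloneDX 1.5 document with a purl per component and a flat dependency graph. The manifest is constructed, the application name and version are made up, and the example assumes Python dependencies only; the part a practitioner should watch is what the parser refuses to inventory.

```python
"""Pinned requirements -> CycloneDX 1.5 SBOM.

Added example, not part of SAO. Parses the `name==version` lines of a
requirements file, normalises names per PEP 503, and emits a CycloneDX
document with a purl per component and a flat dependency graph. The manifest
is constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed requirements.txt, including the cases an extractor must not silently drop.
REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0
Django==4.2.7
PyYAML==6.0.1 ; python_version >= "3.8"
cryptography>=41.0   # range specifier: exact version unknown from the manifest
-r dev-requirements.txt
"""

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' or '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (pinned, unresolved).

    pinned: [(normalized_name, version)] for exact pins.
    unresolved: lines the manifest alone cannot turn into a component (range
    specifiers, includes of other files); they need the lock file or the
    installed environment, otherwise the SBOM silently under-reports."""
    pinned, unresolved = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        m = PIN.match(line)
        if m:
            pinned.append((normalize(m.group(1)), m.group(2)))
        else:
            unresolved.append(line)
    return pinned, unresolved


def cyclonedx(pinned, app_name, app_version):
    """Build a CycloneDX 1.5 JSON document (as a dict) for an application and its pins."""
    components = []
    for name, version in pinned:
        purl = f"pkg:pypi/{name}@{version}"
        components.append({"type": "library", "bom-ref": purl,   # purl doubles as the bom-ref
                           "name": name, "version": version, "purl": purl})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": app_name,
                          "name": app_name, "version": app_version},
        },
        "components": components,
        # A requirements file carries no transitive structure, so the graph is flat:
        # the application depends directly on every pin.
        "dependencies": [{"ref": app_name, "dependsOn": [c["bom-ref"] for c in components]}]
                        + [{"ref": c["bom-ref"], "dependsOn": []} for c in components],
    }


if __name__ == "__main__":
    pins, leftovers = parse_requirements(REQUIREMENTS)
    print(json.dumps(cyclonedx(pins, "my-app", "1.0.0"), indent=2))
    for line in leftovers:
        print("NOT INVENTORIED:", line)
```

The `unresolved` list is the point: a range specifier such as `cryptography>=41.0` and an `-r` include cannot be turned into a component from the manifest alone, and an extractor that drops them produces an SBOM that looks complete but is not. Resolve them from the lock file or the installed environment (`pip freeze` inside the built image) before emitting.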
