MITRE INFORM

Advance Your
Threat-Informed Defense

Measure, optimize, and strengthen your threat-informed defense capabilities with MITRE’s proven maturity model.

Assess Your Threat-Informed Defense

What is INFORM?

INFORM is MITRE’s threat-informed defense maturity model — a structured way to measure your defensive posture, prioritize improvements, and show real progress over time. As threats evolve and programs become more complex, INFORM gives security teams a consistent, defensible framework for maturing their threat-informed defense based on real adversary behavior.

Why Threat-Informed Defense Matters

Threat-informed defense continuously aligns your security program to real adversary behavior, giving leaders deeper insight into their posture, operations, strategy, and overall effectiveness. It’s relevant and scalable for organizations of any size or sector.

Cyber Threat Intelligence

Understand the Threat

Know who is targeting you and how they operate.

Defensive Measures

Proactively Defend

Deploy and tune controls aligned to real adversary behavior.

Test and Evaluate

Validate & Improve

Continuously test defenses with real-world adversary behaviors to drive improvement.

“Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.”

— MITRE Center for Threat-Informed Defense

How INFORM Works

INFORM turns threat-informed defense into a measurable framework with 3 dimensions and 22 measurable components that look across people, processes, and technology.

TID Dimensions

Cyber Threat Intelligence
Defensive Measures
Test & Evaluation

CTI Components

Depth of CTI
Relevance of CTI
Organizational Integration of CTI
Incorporation of CTI
Recency of CTI
Speed of CTI Dissemination
CTI Driven Decision Making

How INFORM Enables Improvement

Measure

Measure your current maturity

Prioritize

Prioritize high-impact, low complexity improvements

Improve

Track your progress and
measure improvement

INFORM vs. CTID vs. M3TID

INFORM builds on MITRE’s original M3TID model and incorporates two years of real-world feedback from security teams through the Center for Threat-Informed Defense (CTID). The result is a more actionable, more intuitive, and more operational framework for advancing threat-informed defense.

CTID

MITRE’s Center for Threat-Informed Defense (CTID) is the research and development program at MITRE that develops innovative, community-driven approaches to applying adversary intelligence to cybersecurity. Both M3TID and INFORM were created through CTID collaborations.

M3TID (2024)

M3TID was MITRE’s first threat-informed defense maturity model. It introduced the core concepts and structure used globally to assess and improve threat-informed defense programs and served as a foundational tool for training and evaluation.

INFORM (2026)

INFORM is MITRE’s updated and refined maturity model, informed by two years of real-world use. It offers clearer guidance, stronger scoring logic, and better alignment to how security teams implement and mature threat-informed defense today.

How INFORM Strengthens Continuous Threat Exposure Management (CTEM)

Threat-informed defense provides the adversary-centric foundation for CTEM, ensuring that security programs are aligned to real-world adversary behaviors and focused on the threats that matter most. INFORM assessments help organizations think strategically about security program optimization as they advance threat-informed defense maturity. Increased threat-informed defense maturity leads to a stronger, more effective foundation for CTEM.

Threat-informed defense is the adversary-centric foundation for Continuous Threat Exposure Management

  • Aligned with real-world adversary behaviors
  • Focused on the threats that matter most 

Increased TID maturity builds a stronger, more effective foundation for CTEM.

How Security Teams Use INFORM

INFORM gives organizations a structured way to evaluate their security program and make threat-informed decisions. Teams use the model to guide planning, focus resourcing, demonstrate progress, and continuously refine their defenses using real adversary behavior.

Strategic
Planning

Use INFORM assessments to shape roadmap decisions, align initiatives to adversary behavior, and ensure long-term investments are grounded in real-world threats.

Investment Prioritization

Identify which improvements—whether people, process, or technology—deliver the highest impact, and justify budget requests based on measurable maturity gains.

Program Optimization

Spot strengths, gaps, and redundancies across security operations. INFORM helps teams focus on the areas that most improve posture and reduce exposure.

Measuring
Progress

Run assessments periodically to track your maturity growth, compare results across business units or teams, and demonstrate improvement to leadership and auditors.

How AttackIQ Operationalizes INFORM

AttackIQ transforms INFORM from a maturity model into an operational capability. We help security teams measure their maturity, prioritize improvements, and operationalize threat-informed defense across—backed by automation and expert guidance.
Platform-Integrated Assessments
Run INFORM assessments directly within AttackIQ to baseline your maturity. Assessments are stored, versioned, and easily compared over time.
Trend Tracking & Dashboards
Visualize your maturity trajectory, view changes across teams or business units, and identify where progress is accelerating or stalling.
Recommendation Engine
Automatically generate prioritized “what to do next” actions based on your current maturity level, the impact of each improvement, and implementation complexity.
Professional Services Enablement
Our experts provide threat-informed defense training, facilitate INFORM assessments, and guide teams through systematically maturing their security operations. We help organizations use INFORM to build a stronger, more effective foundation for CTEM.

INFORM FAQs

INFORM looks broadly across security functions and focuses on the application of timely, relevant threat intelligence. It provides a strategic view of threat-informed defense maturity that enables resource optimization across the security organization. INFORM complements other maturity models like the Cyber Threat Intelligence Maturity Model and the Red Team Maturity Model which are more focused and in-depth in their respective domains.

INFORM has been mapped to the following frameworks and maturity models: CTI CMM V1.2, SOC CMM V2.3.4, Red Team CMM V1, and CTEM.

M3TID is the name of the initial threat-informed defense maturity model developed by MITRE in 2024. Since then, M3TID has been used by security teams around the world to assess and mature their programs and as a foundational resource to train security professionals on the concept and application of threat-informed defense. INFORM is MITRE’s updated threat-informed defense maturity model based on two years of global use.

INFORM is a product of MITRE’s Center for Threat-Informed Defense. It was developed as a collaborative effort to bring together MITRE’s security operations experience with the experience and perspectives of sophisticated security teams and innovative security companies. You can learn more about INFORM at MITRE’s INFORM web page.

INFORM is designed for security operations team leaders, managers, and decision-makers responsible for shaping and driving their organization’s security practices. However, any security professional may find value in conducting an INFORM assessment.

The concept of threat-informed defense applies broadly. INFORM assessments can have a meaningful impact on security organizations regardless of their size, sophistication, or resource allocation.

INFORM is a light-weight rapid assessment with around 25 questions. An individual might complete an assessment in less than an hour.

The assessment is most effective when done as a team involving key security organization decision makers. INFORM works very well as the basis for a tabletop exercise. A team-developed assessment may take around 2 hours.

We recommend conducting an INFORM assessment twice per year. Aligning your INFORM assessment schedule to precede annual budgetary requests is a best practice.

Adjust your assessment frequency as you achieve milestones and based on the pace of change in your organization.

Measure What Matters

The Goal Is Not Fewer Findings.

It’s Less Threat Debt.

See which attack paths matter, which controls fail, and what actions reduce risk in your environment.

See It In Action

Featured Articles

  • Insights & Perspectives

    INFORM 2026: MITRE’s Updated Threat-Informed Defense Maturity Model Explained

    On January 8th, MITRE’s Center for Threat-Informed Defense (CTID) published a significant update to INFORM, its threat-informed defense maturity model. This update reflects the joint efforts of MITRE researchers, AttackIQ, and several CTID members to enhance INFORM based on two years of operational use and broad security community feedback.
    Read More

  • Threat-INFORM Your Defenses

    MITRE’s INFORM maturity model helps organizations adopt threat-informed defense. Learn what’s new in the latest update and how to baseline posture, prioritize investments, and measure progress against real threats.
    Watch Now

  • MITRE ATT&CK For Dummies

    How can you ensure that your cybersecurity capabilities defend your organization as best they can? After decades and billions of dollars spent on the people, processes, and technology of cybersecurity, this question still haunts security leaders. Intruders break past, security controls falter, and defenses fail against even basic cyberattack techniques. What should be done? Instead of trying to close every vulnerability, meet every standard, or buy the “best” technology, security teams can change the game by focusing their defenses on known threats.
    Read More