ACDP is a prioritization methodology that sits one level above ATT&CK, NIST, and FAIR. It uses their outputs as inputs and produces a reasoned ordering of defensive actions against a specific adversary - based on how much each action disrupts that adversary's strategy and how much damage it prevents if that disruption fails.
Most defensive prioritization happens implicitly - inherited from compliance frameworks, risk heat maps, or executive preference. When attacker intent shifts, those prioritizations rarely shift with it. ACDP exists to make prioritization explicit, defensible, and actor-aware. It does not replace ATT&CK or NIST. It operates above them, turning their outputs into ranked action.
Priority Index · weighted sum of four scoring axes · weights vary by adversary profile
Each candidate control is scored on a 1–5 ordinal scale across four axes. The first two capture what matters against any adversary - disruption of the actor's plan and limitation of the damage they can do. The remaining two capture implementation reality: cost and detection timing.
How strongly does this control interfere with the actor's campaign strategy?
If the actor succeeds elsewhere, how much damage does this prevent?
How realistic is implementation under current resource constraints?
Does this provide usable signal early enough to change outcomes?
Load a predefined actor profile and control set, or build your own. Click any score to change it. The Priority Index updates live, and the tier distribution shows you which controls deserve attention first against this specific adversary.
The same six defensive controls, scored against three different adversary profiles, produce three different prioritizations. This is the core claim of ACDP: what matters most is not the controls themselves but who you are defending against. Click a profile to load it into the calculator.
Prioritizes strategic damage over persistence. Recovery capability outranks detection; infrastructure hygiene outranks user behavior. Controls that feel boring dominate the ranking.
Prioritizes long-term access and data collection over disruption. Early detection matters more than recovery; infrastructure tracking outranks endpoint response; user awareness rises in value.
Prioritizes credential harvesting and persistent access. Detection timing and cost-effectiveness dominate; awareness training regains value; backup strategies matter less than for destructive profiles.
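As an added example (not ACDP's own code or the calculator's), the Priority Index as a weighted sum of the four 1–5 axis scores, run over a constructed six-control set against three profiles whose weights follow the emphasis described above. The profile weights, control names, axis scores and tier cut-offs are assumptions; to keep the block short the axis scores are held fixed and only the weights change per profile, whereas the calculator also lets you re-score each axis for a given actor.

```python
"""Added example: ACDP-style Priority Index = weighted sum of four 1-5 axis scores.
Weights, controls, scores and tier cut-offs are constructed for illustration."""

AXES = ("disruption", "damage_limitation", "cost_feasibility", "detection_timing")

# Hypothetical per-profile weights; each set sums to 1.0 so the index stays on the 1-5 scale.
PROFILE_WEIGHTS = {
    "destructive":      {"disruption": 0.35, "damage_limitation": 0.40, "cost_feasibility": 0.15, "detection_timing": 0.10},
    "long_term_access": {"disruption": 0.30, "damage_limitation": 0.15, "cost_feasibility": 0.15, "detection_timing": 0.40},
    "credential_theft": {"disruption": 0.25, "damage_limitation": 0.10, "cost_feasibility": 0.30, "detection_timing": 0.35},
}

# Constructed control set; tuples are (disruption, damage_limitation, cost_feasibility, detection_timing).
CONTROLS = {
    "Offline tested backups":        (2, 5, 4, 1),
    "Phishing-resistant MFA":        (4, 3, 3, 2),
    "Endpoint detection & response": (3, 2, 2, 4),
    "Egress/DNS monitoring":         (3, 2, 3, 5),
    "Security awareness training":   (2, 1, 5, 3),
    "Network segmentation":          (4, 5, 2, 1),
}

TIER_THRESHOLDS = ((1, 3.5), (2, 2.75))  # constructed cut-offs; anything lower is tier 3


def priority_index(scores, weights):
    """Weighted sum of the four axis scores; rejects off-scale scores and bad weight totals."""
    if len(scores) != len(AXES) or any(not 1 <= s <= 5 for s in scores):
        raise ValueError(f"scores must be four values on the 1-5 scale, got {scores}")
    if abs(sum(weights[a] for a in AXES) - 1.0) > 1e-9:
        raise ValueError("profile weights must sum to 1.0")
    return round(sum(s * weights[a] for s, a in zip(scores, AXES)), 2)


def tier(index):
    """Map an index to a tier using the constructed thresholds."""
    for t, cutoff in TIER_THRESHOLDS:
        if index >= cutoff:
            return t
    return 3


def rank(profile, controls=CONTROLS):
    """Return [(control, index, tier)] sorted best-first for one adversary profile."""
    weights = PROFILE_WEIGHTS[profile]
    ranked = [(name, priority_index(s, weights), tier(priority_index(s, weights)))
              for name, s in controls.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for profile in PROFILE_WEIGHTS:
        print(f"\n{profile}")
        for name, idx, t in rank(profile):
            print(f"  tier {t}  {idx:.2f}  {name}")
```

With these assumed weights the same six controls come out led by network segmentation for the destructive profile, by egress monitoring for the other two, with backups sliding to the bottom third once damage limitation stops dominating.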