CAPEC Version 3.3 is Released

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

CAPEC Version 3.3 is Released


CAPEC Version 3.3 has been released. A detailed report is available that lists specific changes between Version 3.2 and Version 3.3.

Version 3.3 includes the addition of seven new attack patterns: CAPEC-508: Shoulder SurfingCAPEC-565: Password SprayingCAPEC-655: Avoid Security Tool Identification by Adding Data, and as part of reorganization of the CAPEC-560 subtree, CAPEC-600: Credential StuffingCAPEC-652: Use of Known Kerberos CredentialsCAPEC-653: Use of Known Windows Credentials, and CAPEC-654: Credential Prompt Impersonation. In addition, 152 CAPEC-to-CWE (Common Weakness Enumeration) mappings were added, and 245 patterns and 4 categories were updated.

CWE versions 4.0 and 4.1 added 72 Hardware CWEs, 49 of which were mapped to CAPEC Entries in CAPEC Version 3.3. Some CAPEC Entries were enhanced to fully understand the mapping. One new software CWE was also mapped. These mappings help inform a tighter integration between CWE and CAPEC.

The CAPEC Schema was updated from v3.2 to v3.3 to change AttackPatternType/Description, AudienceType/Description, IndicatorsType/Indicator, and PrerequisitesType/Prerequisite to StructuredTextType.


There are now 524 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:


  • Existing Attack Patterns Updated:


  • Attack Patterns Deprecated:


  • Existing Categories Updated:


  • CAPEC-to-CWE Mappings Added:


  • CAPEC-to-CWE Mappings Removed:


See the complete list of changes at

Future updates will be noted here, on the CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please [hidden email] with any comments or concerns.


Thank you again for all of your help and your interest and support of CAPEC.





Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation