On January 8th, MITRE’s Center for Threat-Informed Defense (CTID) published a significant update update to INFORM, its threat-informed defense maturity model. This update reflects the joint efforts of MITRE researchers, AttackIQ, and several CTID members to enhance INFORM based on two years of operational use and broad security community feedback.
“Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.” – MITRE Center for Threat-Informed Defense
Threat-informed defense (TID) is a continuous process driven by changing IT environments, evolving threats, and ongoing security operations. TID focuses organizations on understanding real-world adversary behaviors, implementing effective defenses against those threats, and validating the efficacy of those defenses. TID applies broadly to organizations regardless of their size, budget, sophistication, or sector. TID aims to make cyber defense more efficient and effective for all.
How INFORM Helps Organizations Mature TID
INFORM guides organizations through adopting and advancing TID as a practice. An INFORM assessment provides a simple means for organizations to:
- Measure how effectively they apply TID
- Optimize their security program based on TID principles
- Visualize their progress over time
INFORM turns TID into something you can measure and continually improve. INFORM will help you baseline your security posture, prioritize investment, and measure improvement against real-world threats.
Making Threat-Informed Defense Measurable
INFORM breaks TID down into three dimensions. Each dimension has a set of measurable components. Dimensions and components are assigned weights to support TID measurement and analysis.
The INFORM web application codifies this maturity model and allows security organizations to quickly and easily conduct an assessment. Assessment results can be saved, and progress can be measured over time.
How INFORM Is Used Across the Security Community
Originally launched as M3TID in April 2024, INFORM is now widely used by security organizations to understand and advance TID principles. Due to its broad and pragmatic approach, INFORM enables several practical use cases:
Resource Prioritization
INFORM allows organizations to look broadly at their security program and focus resources in the areas that will have the greatest effect in maturing their defenses.
Budget Justification
Organizations use INFORM to justify budget requests by demonstrating how additional resources will contribute to overall TID maturity.
New Client Onboarding
Security providers use INFORM to quickly baseline client maturity and tailor services to client needs.
Supply Chain Analysis
Organizations use INFORM assessments to quickly understand supply chain maturity and prioritize action.
Team Training
Throughout 2025, MITRE used INFORM as a framework for community-wide TID training and education, empowering students to become TID champions within their organizations.
Large-Scale Surveys
INFORM has been used as the basis of country-wide TID surveys to understand, at a national scale, TID maturity and advise on measurable improvement.
What’s New in INFORM
Two years of operational use and broad security community feedback led to refinement and significant new capability in INFORM.
Revised Questions & Scoring
INFORM components and their questions have been overhauled. The original questions were a bit too focused on MITRE ATT&CK® as an end rather than a means to an end. The original model was a bit too rigid in forcing five components per dimension. New questions add a timeliness factor to the assessment, and the overall scoring algorithm and weights of dimension and components are refined.
Recommendations Based on Complexity & Impact
Guiding teams with actionable recommendations is supported with a new impact vs. complexity matrix. Each INFORM component is assigned an impact and implementation complexity value allowing the assessment tool to dynamically build a matrix tailored to each organization’s assessment.
Mapped to Other Maturity Models
The INFORM maturity model is now mapped to the CTI Maturity Model, the Red Team Maturity Model, the SOC Maturity Model, and Gartner’s CTEM. These mappings help organizations understand how TID maturity contributes to other more specialized maturity models.
Operationalizing INFORM to Improve Cyber Defense
AttackIQ has supported the development of INFORM since its inception because organizations need a simple approach to learn, adopt, and advance TID. TID should be accessible to all organizations regardless of their size, budget, or sophistication. With this update to INFORM, we are launching new capability and services to guide organizations in systematically adopting and advancing TID.
MITRE’s INFORM maturity model has become the foundation for how we support our customers and partners on their TID journey. You can learn more about INFORM at AttackIQ.
Join us on January 20, 2026 at 10:00 AM PT / 1:00 PM ET for a special session, Threat-INFORM Your Defenses, featuring Jonathan Baker (AttackIQ), Mike Cunningham (MITRE CTID), and Douglas Santos (Fortinet). This session offers an inside look at what’s new in INFORM, how organizations are applying the model in real security programs, and practical guidance for getting started with a threat-informed defense assessment. Eligible attendees may also earn 0.75 ISC2 CPE credit. Register here.
Looking Ahead
We will follow up with an additional blog focused on INFORM, TID, and Gartner CTEM. TID and CTEM together provide a foundation of observed adversary behavior and the programmatic approach to reducing exposures that matter most, optimizing cyber defense operations and reducing risk.
