MITRE ATT&CK® Detection Strategy

DET0533: Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows

Enterprise | DET0533 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0533 is a MITRE ATT&CK detection strategy for identifying poisoned pipeline execution in SaaS CI/CD workflows. The business issue is that CI/CD systems often sit on the path between source code and production, and may handle credentials, artifacts, and deployment authority. If pipeline behavior is manipulated, the risk is not limited to one developer account; it can affect software delivery trust, incident scope, audit evidence, and release continuity.

Executive priority

Security leaders should treat this as a software supply chain and cloud/SaaS governance concern. The key decision is whether the organization can prove who changed CI/CD workflow definitions, what executed in build jobs, what secrets were exposed to those jobs, and whether suspicious artifacts or credentials can be traced during an incident. Budget and control priorities should focus on SaaS CI/CD visibility, change governance, identity/access control, secret handling, and incident response readiness for build systems.

Technical view

The supplied ATT&CK relationship states that this detection strategy detects T1677, Poisoned Pipeline Execution, an execution technique on SaaS platforms. Because MITRE did not provide official detection text for this object, SOC and detection engineering teams should validate coverage around CI/CD workflow and configuration changes, build job execution behavior, artifact creation, and access to credentials used during builds. Incident responders should be able to reconstruct pipeline changes and executions over time, especially where CI configuration files or workflow definitions are modified.

Likely telemetry

  • SaaS CI/CD audit logs for workflow, pipeline, and configuration changes
  • Source control history for CI/CD configuration files and related repository changes
  • Build job execution logs, including the commands run, indicators that secrets or environment variables were exposed to the job, and job metadata where available
  • Artifact creation, publication, and download records from CI/CD systems
  • Identity and access logs for users, service accounts, tokens, and automation accounts interacting with CI/CD workflows

Detection direction

  • Validate that detections cover changes to CI/CD workflow definitions, not only source code changes.
  • Correlate workflow changes with subsequent pipeline execution, artifact generation, and identity activity.
  • Tune for authorized engineering activity to reduce false positives, but preserve alerting for unusual actors, timing, repositories, or workflow files.
  • Confirm whether SaaS CI/CD logs are retained long enough to support investigation after a suspicious release or credential exposure concern.
  • Use the relationship to T1677 as the analytic anchor: the goal is to identify execution enabled by manipulated CI/CD processes, not generic developer activity alone.
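The correlation described in the bullets above, as an added worked example that is not part of the ATT&CK object, this page's analysis, or any vendor's product. It takes push and pipeline-run events already normalised to two record types, lists every push that touched a pipeline definition (the change-coverage view), ties each pipeline run to definition changes in the same repository within a short window (the correlation view), and grades each change/run pair by who changed the definition, on which ref and when, and by whether the run exposed secrets or published artifacts. The event field names, the pipeline-file patterns, the editor allowlist, the protected refs, the 30-minute window, the business-hours rule and the sample events are all constructed assumptions; map them onto the actual audit-log fields and policy of your CI/CD platform.

```python
"""Correlate pipeline-definition changes with the pipeline runs that follow.

Added example for this page, not part of the ATT&CK object or any vendor
product. Event shapes, file patterns, allowlists, the window and the sample
events are constructed assumptions; map them onto real CI/CD audit-log fields.
"""
import fnmatch
from datetime import datetime, timedelta

# Assumption: paths that carry pipeline definitions in this organisation.
PIPELINE_FILE_PATTERNS = [".github/workflows/*", ".gitlab-ci.yml", "Jenkinsfile",
                          "azure-pipelines.yml", ".circleci/*"]
# Assumption: identities expected to edit pipeline definitions, and refs that
# are review-protected. Both are hypothetical allowlists for the example.
APPROVED_PIPELINE_EDITORS = {"alice", "release-eng"}
PROTECTED_REFS = {"refs/heads/main"}
CORRELATION_WINDOW = timedelta(minutes=30)   # a run this soon after a change is treated as enabled by it

# Constructed sample events (not real logs), normalised to two record types:
# a source-control push listing touched files, and a pipeline-run record.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:00:00Z", "type": "push", "actor": "alice", "repo": "acme/payments",
     "ref": "refs/heads/main", "files": ["src/app.py"]},
    {"ts": "2026-03-02T09:01:00Z", "type": "push", "actor": "alice", "repo": "acme/payments",
     "ref": "refs/heads/main", "files": [".github/workflows/release.yml"]},
    {"ts": "2026-03-02T09:03:00Z", "type": "pipeline_run", "actor": "alice", "repo": "acme/payments",
     "workflow": ".github/workflows/release.yml", "secrets_used": ["DEPLOY_TOKEN"],
     "artifacts": ["payments-1.4.2.tgz"]},
    {"ts": "2026-03-03T14:40:00Z", "type": "push", "actor": "contractor-bot", "repo": "acme/payments",
     "ref": "refs/heads/feature/fix", "files": [".github/workflows/release.yml", "README.md"]},
    {"ts": "2026-03-03T14:42:00Z", "type": "pipeline_run", "actor": "contractor-bot",
     "repo": "acme/payments", "workflow": ".github/workflows/release.yml",
     "secrets_used": ["DEPLOY_TOKEN", "NPM_TOKEN"], "artifacts": []},
    {"ts": "2026-03-04T10:00:00Z", "type": "push", "actor": "alice", "repo": "acme/internal-tools",
     "ref": "refs/heads/main", "files": [".gitlab-ci.yml"]},
    {"ts": "2026-03-04T12:30:00Z", "type": "pipeline_run", "actor": "alice",   # 150 min later: outside window
     "repo": "acme/internal-tools", "workflow": ".gitlab-ci.yml",
     "secrets_used": ["REGISTRY_TOKEN"], "artifacts": []},
    {"ts": "2026-03-07T02:10:00Z", "type": "push", "actor": "release-eng",   # Saturday, 02:10 UTC
     "repo": "acme/payments", "ref": "refs/heads/main", "files": [".github/workflows/release.yml"]},
    {"ts": "2026-03-07T02:12:00Z", "type": "pipeline_run", "actor": "release-eng",
     "repo": "acme/payments", "workflow": ".github/workflows/release.yml",
     "secrets_used": [], "artifacts": []},
]

def parse_ts(value):
    """ISO-8601 'Z' timestamp to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pipeline_files(files):
    """Touched paths that are pipeline definitions."""
    return [f for f in files if any(fnmatch.fnmatch(f, p) for p in PIPELINE_FILE_PATTERNS)]

def off_hours(ts):
    """Weekend or outside 08:00-18:00 UTC; tune to the team's real hours."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)

def pipeline_definition_changes(events):
    """Coverage view: every push that touched a pipeline definition at all."""
    return [{"ts": e["ts"], "actor": e["actor"], "repo": e["repo"], "ref": e["ref"],
             "files": pipeline_files(e["files"])}
            for e in events if e["type"] == "push" and pipeline_files(e["files"])]

def correlate_runs(events):
    """Correlation view: tie each pipeline run to definition changes made in the
    same repository inside CORRELATION_WINDOW, then grade the change/run pair."""
    findings, pending = [], []                      # pending: (ts, push, changed_files)
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts = parse_ts(e["ts"])
        if e["type"] == "push":
            changed = pipeline_files(e["files"])
            if changed:
                pending.append((ts, e, changed))
            continue
        if e["type"] != "pipeline_run":
            continue
        for pts, push, changed in pending:
            if push["repo"] != e["repo"] or not (timedelta(0) <= ts - pts <= CORRELATION_WINDOW):
                continue
            # Who changed the definition, on which ref and when: the "unusual
            # actor, timing, workflow file" signals rather than generic developer activity.
            change_factors = []
            if push["actor"] not in APPROVED_PIPELINE_EDITORS:
                change_factors.append("unapproved-editor")
            if push["ref"] not in PROTECTED_REFS:
                change_factors.append("unprotected-ref")
            if off_hours(pts):
                change_factors.append("off-hours-change")
            # What the run then did with that definition.
            impact_factors = []
            if e.get("workflow") in changed:
                impact_factors.append("runs-modified-definition")
            if e.get("secrets_used"):
                impact_factors.append("secrets-exposed")
            if e.get("artifacts"):
                impact_factors.append("artifacts-published")
            if change_factors and "secrets-exposed" in impact_factors:
                severity = "high"
            elif change_factors:
                severity = "medium"
            else:
                severity = "low"            # authorised change; kept for later reconstruction
            findings.append({"severity": severity, "repo": e["repo"], "actor": push["actor"],
                             "ref": push["ref"], "change_ts": push["ts"], "run_ts": e["ts"],
                             "changed_files": changed, "change_factors": change_factors,
                             "impact_factors": impact_factors,
                             "secrets": list(e.get("secrets_used", []))})
    return findings

if __name__ == "__main__":
    for f in correlate_runs(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["repo"], f["actor"], f["ref"],
              f["change_factors"], f["impact_factors"], f["secrets"])
```

On the sample data this yields three findings: a low-severity record for an approved editor changing the release workflow on main during working hours, a high-severity one for an unapproved identity changing the same workflow on an unprotected branch and immediately running it with two secrets exposed, and a medium-severity one for an approved editor's off-hours change whose run touched no secrets. The authorised case still produces a record rather than nothing, so responders can reconstruct the change-to-run chain later; the allowlists, the hours rule and the window are where the false-positive tuning from the list above lives. The run in the second repository that starts 150 minutes after its definition change is deliberately not matched, which is also the limit of this view: a poisoned definition that lies dormant beyond the window only shows up in the change-coverage list, so both views need to be kept.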

Mitigation priorities

  • Inventory SaaS CI/CD platforms, repositories, workflow definitions, build secrets, and service accounts used in software delivery.
  • Restrict and review permissions for modifying CI/CD configuration and managing build secrets.
  • Require review and change-control expectations for workflow or pipeline definition changes where operationally feasible.
  • Limit credential exposure in build jobs and rotate secrets when pipeline compromise is suspected.
  • Ensure incident response playbooks include CI/CD audit collection, artifact review, token revocation, and release integrity decisions.

Analyst notes and limits

This object is a detection strategy, not a technique. The strongest supported context comes from its relationship to T1677, Poisoned Pipeline Execution, which is an enterprise ATT&CK execution technique for SaaS CI/CD environments. The ATT&CK record does not provide a platform list, tactics, official description, or official detection text for DET0533 itself, so implementation details must be validated against the organization’s actual CI/CD tooling and logging.

The supplied DET0533 fields are sparse. This summary does not assert active exploitation, adversary attribution, guaranteed detection coverage, or vendor-specific behavior. Local SaaS CI/CD architecture, audit-log availability, retention, identity model, and secret-management design are required to turn this into precise detections and controls.

Official MITRE ATT&CK definition

Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                          Relationship / procedure
Enterprise  T1677   Poisoned Pipeline Execution   This object detects Poisoned Pipeline Execution.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by raw hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 268107e0507aca3b...

Imported snapshots across ATT&CK releases (1)

Release 19.1: object version 1.0, status "Current bundle", raw hash 268107e0507a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.