MITRE ATT&CK® Detection Strategy

DET0829: Detection of Serverless

Domain: Enterprise | ID: DET0829 | Type: Detection Strategy | Object version: 1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0829 is a MITRE detection strategy object for detecting adversary use of serverless infrastructure as part of resource development. Its value is in prompting leaders and defenders to ask whether they can see when cloud-hosted, serverless resources such as workers, functions, or scripts are being prepared or used as operational infrastructure. Because the ATT&CK object provides no official detection text or platforms, this should be treated as a coverage-planning reference rather than a ready-to-deploy detection.

Executive priority

Serverless infrastructure can reduce the visibility and attribution clarity defenders often rely on during investigations. For executives and security leaders, the priority is to confirm whether cloud security, threat intelligence, SOC, and incident response processes can recognize suspicious serverless infrastructure in pre-compromise or targeting-related activity. This matters for resilience planning, cloud governance, vendor and internet exposure review, and evidence that the organization can investigate infrastructure used against it even when it is not hosted on traditional servers.

Technical view

This detection strategy is linked to ATT&CK technique T1583.007, Serverless, under the resource-development tactic with PRE platform context. Since MITRE provides no official detection procedure for DET0829, SOC and detection engineering teams should use it to validate visibility around serverless-related indicators and infrastructure context rather than assume a specific analytic exists. IR teams should ensure playbooks can preserve and correlate evidence involving serverless endpoints, cloud provider metadata, DNS, proxy-like behavior, and references to services such as Cloudflare Workers, AWS Lambda functions, or Google Apps Script where those appear in local telemetry or investigations.

Likely telemetry

  • DNS queries and passive DNS records involving serverless-hosted domains or endpoints
  • Web proxy, secure web gateway, and firewall logs showing connections to serverless URLs or cloud-hosted runtime endpoints
  • Cloud access logs and SaaS audit logs where the organization uses or interacts with serverless services
  • Threat intelligence enrichment for domains, URLs, certificates, hosting providers, and cloud service indicators
  • Endpoint network telemetry showing processes communicating with serverless-hosted infrastructure

Detection direction

  • Inventory which logs can distinguish serverless-hosted infrastructure from ordinary cloud provider traffic; many environments collapse this into generic cloud or web traffic categories.
  • Tune detections carefully because legitimate business applications may use serverless services, creating a high false-positive risk without business context, destination reputation, user/process context, and historical baselines.
  • Correlate serverless indicators with resource-development context, suspicious targeting activity, unexpected external communications, or infrastructure linked to other investigation evidence rather than relying on provider name alone.
  • Validate whether threat intelligence workflows enrich serverless URLs, domains, and hosting metadata sufficiently for SOC triage.
  • Confirm IR workflows can pivot from a serverless endpoint to related DNS, certificate, web, endpoint, and proxy evidence.
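The five points above amount to one triage pipeline: recognise serverless-hosted destinations in ordinary web or proxy telemetry, separate sanctioned use from unknown endpoints, and score what remains using process context and a historical baseline. The script below is an added illustration of that pipeline and is not MITRE ATT&CK or Glexia code. The hostname patterns (workers.dev, script.google.com, the lambda-url.<region>.on.aws shape of Lambda function URLs), the CSV proxy-log schema, the allowlist, the baseline and the list of scripting initiators are all assumptions constructed for the example; a real deployment would populate them from the organisation's own CTI and asset context.

```python
"""Flag outbound connections to serverless-hosted endpoints in proxy logs.

Added example, not MITRE ATT&CK or Glexia code. The hosting suffixes,
log schema, allowlist, baseline and initiator list are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import csv
import io

# Assumed hostname suffixes for services the page names. In production,
# populate from provider documentation and your threat-intel enrichment.
SUFFIX_PROVIDERS = {
    "workers.dev": "Cloudflare Workers",
    "script.google.com": "Google Apps Script",
    "script.googleusercontent.com": "Google Apps Script",
}
# Lambda function URLs are assumed to look like <id>.lambda-url.<region>.on.aws
LAMBDA_URL_SUFFIX = ".on.aws"
LAMBDA_URL_MARKER = ".lambda-url."

# Business context (constructed): sanctioned hosts and hosts seen historically.
SANCTIONED_HOSTS = {"billing-api.example-corp.workers.dev"}
BASELINE_HOSTS = {"billing-api.example-corp.workers.dev", "script.google.com"}

# Initiating processes that rarely have a business reason to call ad-hoc
# serverless endpoints. Used only as a scoring signal, never as a verdict.
SUSPICIOUS_INITIATORS = {"powershell.exe", "rundll32.exe", "wscript.exe",
                         "mshta.exe", "cmd.exe"}

# Constructed proxy log sample; hosts and users are fictitious.
PROXY_LOG = """ts,user,process,dest_host,dest_port,action
2024-05-01T10:00:01Z,alice,chrome.exe,billing-api.example-corp.workers.dev,443,allow
2024-05-01T10:00:07Z,bob,powershell.exe,k9x2.lambda-url.us-east-1.on.aws,443,allow
2024-05-01T10:00:09Z,carol,outlook.exe,mail.example.com,443,allow
2024-05-01T10:01:12Z,dave,rundll32.exe,qz7tq.workers.dev,443,allow
2024-05-01T10:02:00Z,erin,chrome.exe,script.google.com,443,allow
"""


@dataclass
class Finding:
    ts: str
    user: str
    process: str
    host: str
    provider: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def classify_host(host: str) -> Optional[str]:
    """Return the serverless provider label for a hostname, or None.

    Matching is on domain boundaries, so 'evilworkers.dev' does not match
    'workers.dev' and 'foo.on.aws' without the lambda-url label is ignored.
    """
    host = host.lower().rstrip(".")
    if host.endswith(LAMBDA_URL_SUFFIX) and LAMBDA_URL_MARKER in host:
        return "AWS Lambda function URL"
    for suffix, provider in SUFFIX_PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def score_connection(host: str, process: str) -> Tuple[str, List[str]]:
    """Combine business context, baseline and process context into a severity."""
    if host in SANCTIONED_HOSTS:
        return "info", ["sanctioned serverless endpoint"]
    reasons: List[str] = []
    score = 0
    if host not in BASELINE_HOSTS:
        reasons.append("destination not in historical baseline")
        score += 1
    if process.lower() in SUSPICIOUS_INITIATORS:
        reasons.append(f"initiated by scripting/LOLBin process {process}")
        score += 1
    return ("low", "medium", "high")[score], reasons


def triage(log_text: str) -> List[Finding]:
    """Parse CSV proxy rows and emit one Finding per serverless destination."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["dest_host"].lower().rstrip(".")
        provider = classify_host(host)
        if provider is None:
            continue  # ordinary destination; not serverless-hosted
        severity, reasons = score_connection(host, row["process"])
        findings.append(Finding(row["ts"], row["user"], row["process"],
                                host, provider, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(PROXY_LOG):
        print(f"[{f.severity:>6}] {f.ts} {f.user} {f.process} -> {f.host} "
              f"({f.provider}): {'; '.join(f.reasons)}")
```

On the sample data the sanctioned Workers endpoint is recorded at "info" for audit only, the baseline Apps Script destination from a browser scores "low", and the two unknown endpoints reached from scripting hosts score "high". The point of the structure is that provider recognition alone (classify_host) produces far too many hits in any organisation that uses serverless services legitimately; the allowlist, baseline and initiator context are what turn it into a triage-worthy signal, which is the caveat the list above makes about false positives.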

Mitigation priorities

  • Establish governance and logging expectations for sanctioned serverless and cloud services used by the organization.
  • Ensure web, DNS, endpoint, and cloud telemetry are retained long enough to support investigations involving external serverless infrastructure.
  • Use allowlists, business context, and risk-based filtering to separate approved serverless use from unknown or suspicious infrastructure.
  • Integrate threat intelligence enrichment into SOC triage for cloud-hosted and serverless indicators.
  • Document investigation procedures for suspicious serverless endpoints, including evidence preservation and cross-telemetry correlation.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy, not a technique implementation or analytic. It detects T1583.007 Serverless, which describes adversaries purchasing and configuring serverless cloud infrastructure for use during targeting and to make attribution more difficult. The available object has no official description, no official detection guidance, no specified platforms, and no specified tactics, so recommendations should be adapted to the organization’s actual cloud, DNS, web, endpoint, and threat intelligence visibility.

Coverage cannot be asserted from this ATT&CK object alone. The official detection field is not provided, and the object does not specify platforms or tactics. Local architecture, sanctioned serverless usage, logging configuration, retention, and enrichment quality determine whether meaningful detection or investigation is possible.

Official MITRE ATT&CK definition

Detection of Serverless

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1583.007 | Serverless (sub-technique) | This object detects Serverless.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not listed in the mirrored object)
Modified: (not listed in the mirrored object)
Raw hash: 9b0deed359ee7978...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not listed) | 1.0 | (not listed) | Current bundle | 9b0deed359ee…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0829 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.