MITRE ATT&CK® Mitigation

M0916: Vulnerability Scanning

Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.

ICS | M0916 | Mitigation | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Vulnerability Scanning matters here because MITRE maps it as an ICS mitigation for finding software weaknesses before they are used against internet-facing applications, remote services, or compromised products introduced through the supply chain. For executives, the practical value is not the scan itself; it is whether the organization can identify exploitable exposure, prioritize remediation safely in operational environments, and produce evidence that known weaknesses are being managed.

Executive priority

Treat this as a governance and resilience control, not only a technical activity. Leaders should ask whether vulnerability scanning covers externally reachable systems and remote services that could provide a path into industrial environments, whether results are prioritized against operational risk, and whether remediation evidence supports compliance expectations such as NIST SP 800-53 Rev. 5 RA-5. In ICS settings, scanning must be planned carefully so risk reduction does not create operational disruption.

Technical view

For SOC, IR, vulnerability management, and ICS security teams, validate that vulnerability scanning outputs are linked to the ATT&CK-relevant risk areas: Exploit Public-Facing Application, Exploitation of Remote Services, and Supply Chain Compromise. Because the ATT&CK object does not specify platforms or detection guidance, local asset inventory, exposure data, scanner results, change records, and remediation status are necessary to determine coverage. Teams should confirm that scan findings are actionable, tracked to closure, and correlated with internet exposure and remote-service presence where applicable.

Likely telemetry

  • Vulnerability scanner results and scan history
  • Asset inventory for ICS and supporting systems
  • Internet-facing application and service exposure records
  • Remote service inventory and configuration records
  • Software, firmware, and product inventory supporting supply chain review

Detection direction

  • Do not treat vulnerability scanning as adversary detection by itself; MITRE provides no official detection text for this mitigation.
  • Validate visibility into public-facing applications and remote services because those are the techniques this mitigation is mapped to.
  • Tune reporting to reduce noise from low-risk findings and elevate findings that are externally reachable, remotely exploitable, or present on systems connected to industrial operations.
  • Check for blind spots caused by incomplete asset inventory, unmanaged vendor products, unsupported software, or systems excluded from scanning for operational reasons.
  • Use scan results as incident-response context when investigating exploitation of internet-facing applications or remote services.
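
As an added example (not part of the MITRE object or any Glexia tooling), the Python below joins scanner findings to asset inventory and exposure records to rank findings and list coverage blind spots. All hosts, finding IDs, field names, and the ranking rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:                      # hypothetical inventory record
    host: str
    internet_facing: bool         # from exposure records
    remote_service: bool          # from remote service inventory
    ics_connected: bool           # connected to industrial operations
    scan_excluded: bool = False   # excluded for operational reasons

# Constructed sample data, not taken from any real environment.
INVENTORY = [
    Asset("vpn-gw01", True, True, False),
    Asset("hist-web01", True, False, True),
    Asset("eng-ws07", False, True, True),
    Asset("plc-line3", False, False, True, scan_excluded=True),
    Asset("office-prn2", False, False, False),
    Asset("hmi-02", False, False, True),
]
SCANNED = {"vpn-gw01", "hist-web01", "eng-ws07", "office-prn2", "vendor-box9"}
# (host, placeholder finding id, severity 0-10, remotely exploitable)
FINDINGS = [
    ("vpn-gw01", "FINDING-A", 9.8, True),
    ("hist-web01", "FINDING-B", 7.5, True),
    ("eng-ws07", "FINDING-C", 7.8, False),
    ("office-prn2", "FINDING-D", 9.1, True),
    ("vendor-box9", "FINDING-E", 6.5, True),
]

def prioritize(findings, inventory):
    """Rank by count of context flags (reachable, remotely exploitable,
    ICS-connected), then severity. Assumed rule, tune to local risk."""
    by_host = {a.host: a for a in inventory}
    ranked = []
    for host, fid, severity, remote in findings:
        a = by_host.get(host)
        if a is None:
            continue  # no context available; surfaced by blind_spots()
        reachable = a.internet_facing or a.remote_service
        ranked.append((sum([reachable, remote, a.ics_connected]), severity, host, fid))
    return [(h, f) for _, _, h, f in sorted(ranked, reverse=True)]

def blind_spots(inventory, scanned):
    """Coverage gaps: operational exclusions, unscanned assets, unknown hosts."""
    known = {a.host for a in inventory}
    return {
        "excluded": sorted(a.host for a in inventory if a.scan_excluded),
        "never_scanned": sorted(a.host for a in inventory
                                if not a.scan_excluded and a.host not in scanned),
        "not_in_inventory": sorted(scanned - known),
    }
```

With this data a 7.5 finding on an internet-facing, ICS-connected host ranks above a 9.1 finding on an isolated office device, and the unknown host `vendor-box9` is reported as an inventory gap instead of being silently ranked.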

Mitigation priorities

  • Establish an accurate inventory of software, services, and products before relying on scan coverage.
  • Prioritize scanning around internet-facing applications, remote services, and products introduced through supply chain processes, consistent with the mapped ATT&CK relationships.
  • Coordinate scanning with operations and change-management teams in ICS environments to avoid unintended disruption.
  • Track findings through remediation, approved exceptions, or compensating controls.
  • Maintain evidence of scan cadence, scope, results, and remediation status for risk management and compliance readiness.

Analyst notes and limits

This is an ATT&CK mitigation object in the ICS domain, external ID M0916, labeled to NIST SP 800-53 Rev. 5 RA-5. The supplied relationship context shows it mitigates T0819 Exploit Public-Facing Application, T0862 Supply Chain Compromise, and T0866 Exploitation of Remote Services. The strongest decision value is in validating whether scanning scope and remediation workflow actually reduce exploitable exposure in and around industrial environments.

The official object provides a short mitigation description only. Platforms, tactics, aliases, and detection guidance are not specified. Any assessment of tool coverage, scan safety, exploitability, business impact, or active exposure requires local environment data and should not be inferred from this ATT&CK object alone.

Official MITRE ATT&CK definition

Vulnerability Scanning

Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0866 | Exploitation of Remote Services | Regularly scan the internal network for available services to identify new and potentially vulnerable services. |
| ICS | T0819 | Exploit Public-Facing Application | Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure. |
| ICS | T0862 | Supply Chain Compromise | Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP) |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bb11f09668379875...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bb11f0966837… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack M0916

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.