AI Scope Suggestions
AI Scope Suggestions analyzes your target description and automatically recommends which MITRE techniques should be included in your engagement scope. This saves hours of manual technique selection and ensures you don't miss relevant attack paths.
Why Define Scope First?
Scope is the foundation of your engagement plan. Before you can generate an AI attack plan, RTF requires at least some techniques to be marked as in scope.
Defining scope upfront helps you:
- Focus on what's actually relevant to the target
- Get a meaningful AI-generated attack plan
- Avoid testing techniques that don't apply (e.g., ICS techniques on a web app target)
- Set expectations for coverage in your final report
How to Use AI Scope Suggestions
- Open your engagement and go to AI Features → Scope Suggestions
- In the text box, describe your target. Be as specific as possible:
  "Windows Active Directory environment with 200 users. The target has a public-facing web application running on IIS, an internal VPN, and uses Microsoft 365. No cloud infrastructure."
- (Optional) Select whether this is for MITRE ATT&CK or MITRE ATLAS
- Click Suggest Scope
- Wait a moment while the AI analyzes your description
- Review the suggested techniques — each one shows:
  - Technique name and ID
  - Why it was included (brief justification)
  - Tactic it belongs to
- Click Apply Scope to mark all suggested techniques as in-scope on your navigator
You can also enable Auto Apply to have scope suggestions applied to the navigator immediately without a separate review step.
Reviewing and Adjusting Suggestions
AI suggestions are a starting point, not a final decision. After applying:
- Open the MITRE Navigator to review what was marked in-scope
- Manually toggle any technique on or off as needed
- Techniques marked in-scope appear highlighted in the navigator
Writing a Good Target Description
The quality of scope suggestions depends heavily on how well you describe the target. Here are some tips:
Include:
- Operating systems in use (Windows, Linux, macOS)
- Key services (Active Directory, web apps, APIs, databases)
- Network layout (internal, DMZ, cloud, VPN)
- User count and types (employees, contractors, admins)
- Security controls in place (EDR, firewalls, WAF)
- Specific technologies (IIS, Apache, AWS, Azure, SAP, etc.)
Avoid:
- Vague descriptions like "a company network"
- Irrelevant information that doesn't describe the target
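A pre-submission check against the Include list above, given as an added example that is not part of RTF or its documentation. The keyword patterns, the two thresholds and the function names are assumptions made for illustration; the three sample strings are the example descriptions quoted on this page.

```python
import re

# Categories mirror the "Include" list above. The keyword patterns are
# assumptions made for this example; extend them for your own engagements.
CHECKLIST = {
    "operating systems": r"\b(windows|linux|macos)\b",
    "key services": r"\b(active directory|web app(lication)?s?|apis?|databases?)\b",
    "network layout": r"\b(internal|dmz|cloud|vpn|public-facing|load balancer)\b",
    "user count and types": r"\b\d+\s+users\b|\b(employees|contractors|admins?)\b",
    "security controls": r"\b(edr|firewalls?|waf)\b",
    "specific technologies": r"\b(iis|apache|aws|azure|sap|django|postgresql|microsoft 365)\b",
}
MIN_WORDS = 15    # assumed floor; catches one-liners such as "A web app"
MIN_COVERED = 3   # assumed floor on the number of categories mentioned

def review_description(text):
    """Return (covered, missing) checklist categories for a target description."""
    lowered = text.lower()
    # A statement of absence ("No WAF in place") still counts as covering the category.
    covered = [name for name, pattern in CHECKLIST.items() if re.search(pattern, lowered)]
    missing = [name for name in CHECKLIST if name not in covered]
    return covered, missing

def is_too_vague(text):
    """Flag descriptions that are too short or touch too few categories."""
    covered, _ = review_description(text)
    return len(text.split()) < MIN_WORDS or len(covered) < MIN_COVERED

# Sample input: the example descriptions quoted on this page.
AD_EXAMPLE = ("Windows Active Directory environment with 200 users. The target has a "
              "public-facing web application running on IIS, an internal VPN, and uses "
              "Microsoft 365. No cloud infrastructure.")
GOOD_EXAMPLE = ("Linux-based web application with a REST API. The app uses Python/Django "
                "with a PostgreSQL database. It's hosted on AWS EC2 behind an application "
                "load balancer. Authentication is handled via JWT tokens. No WAF in place.")
WEAK_EXAMPLE = "A web app"

if __name__ == "__main__":
    for label, text in [("AD", AD_EXAMPLE), ("good", GOOD_EXAMPLE), ("weak", WEAK_EXAMPLE)]:
        covered, missing = review_description(text)
        status = "too vague" if is_too_vague(text) else "usable"
        print(f"{label}: {status}; not mentioned: {', '.join(missing) or 'nothing'}")
```

Run on the page's own examples, the check reports which checklist category each description leaves out, which is the gap to fill before clicking Suggest Scope.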
Example — Good description:
"Linux-based web application with a REST API. The app uses Python/Django with a PostgreSQL database. It's hosted on AWS EC2 behind an application load balancer. Authentication is handled via JWT tokens. No WAF in place."
Example — Weak description:
"A web app"
ATLAS Scope Suggestions
For AI/ML targets, the scope suggestion flow is the same but uses ATLAS techniques:
- Select MITRE ATLAS as the framework
- Describe the AI system:
  "An OpenAI-powered chatbot integrated into a customer support platform. The model is accessed via a public REST API. Users can upload documents for the model to analyze."
- Click Suggest Scope
The AI will recommend ATLAS techniques relevant to LLM-based systems (prompt injection, data extraction, etc.)
What Happens After Scope is Applied
Once techniques are in scope:
- The navigator highlights them visually
- You can generate an AI Attack Plan (which requires in-scope techniques)
- Terminal sessions and findings reference these techniques by path
Next Steps
- AI Attack Planning: generate a full attack plan using your scope
- ATT&CK Navigator: review and fine-tune your scope visually