Transforming security incident metadata to security outcomes: the Threat Technique Catalog for AWS Journey
When a cloud incident response (IR) team can't systematically categorize what it sees across incidents, every engagement starts from scratch. In 2019, whenever our security incident response team tried to discuss incident patterns internally, we hit the same wall: no shared vocabulary, no common framework. One responder would describe an attack as "credential theft," another as "privilege escalation," and we'd spend 20 minutes just aligning on what had actually happened before we could extract any lessons.
That's when we realized: if we couldn't discuss patterns among ourselves, how could we possibly share meaningful lessons learned with customers or the broader security community? This talk chronicles our journey from that frustrating moment to launching an open-source threat intelligence resource now used globally: the Threat Technique Catalog for AWS, written and released by the AWS Customer Incident Response Team (CIRT).
The Threat Technique Catalog for AWS was built out of necessity, and it transformed how CIRT operated. For the first time, we could track incident types and threat actor activity systematically. That visibility let us prioritize authoring playbooks for the most common incidents, identify gaps in our response capabilities, and act on opportunities we hadn't known existed.
We'll talk through how systematic incident categorization enabled a cloud IR team to identify response capability gaps, prioritize playbook development for the most frequently observed techniques, and build an evidence base that drove platform-level security improvements, including contributing to the decision to enforce mandatory MFA for root users across all AWS account types.
Since its first launch in June 2025, the catalog has been a living resource; the March 2026 update added new techniques, such as Cogito, that we are seeing in active campaigns right now. Every quarter brings fresh intelligence: novel attack patterns, emerging threat actor behaviors, and the techniques CIRT observes most frequently in the wild. This isn't a static reference; it's an evolving playbook that turns every security incident into an opportunity to educate the community while we work in parallel to make AWS more secure by default.
The talk covers three phases: building the internal taxonomy and the operational improvements it unlocked; using aggregated incident data to advocate for systemic security changes; and taking internal threat intelligence public through a quarterly-updated open-source catalog. We'll share specific examples of how incident metadata revealed patterns that weren't visible at the individual case level, and how those patterns translated into concrete actions, from new detection logic to publicly available IR workshops covering scenarios like unauthorized credential use, ransomware, cryptomining, and SSRF.
Attendees will leave with a practical framework for building their own incident categorization system, concrete examples of how threat intelligence derived from IR engagements can drive both tactical and strategic improvements, and an understanding of how to evaluate whether their current monitoring would catch the techniques cloud IR teams see most frequently.
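The mechanics behind the framework the abstract describes (tag each incident with the techniques observed, then aggregate across incidents to find the most frequent techniques, the technique pairs that recur together, and the techniques that still lack a playbook or a detection) are simple enough to show in a few lines. The following is an added illustration written for this page; it is not code from the Threat Technique Catalog for AWS or from AWS CIRT. The incident records and the playbook and detection inventories are constructed, and the technique IDs are MITRE ATT&CK IDs used only as a stand-in vocabulary, not the catalog's own identifiers.

```python
"""Turn per-incident technique tags into frequency, co-occurrence and coverage data.

Added example, not code from the Threat Technique Catalog for AWS or from AWS CIRT.
Incident records and playbook/detection inventories below are constructed; the
technique IDs are MITRE ATT&CK IDs used only as a stand-in vocabulary.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Incident:
    incident_id: str
    techniques: tuple[str, ...]  # every technique observed during the engagement


# Constructed sample incidents (not real CIRT data).
INCIDENTS = [
    Incident("INC-001", ("T1078.004", "T1098.003", "T1496")),  # leaked key -> role added -> mining
    Incident("INC-002", ("T1078.004", "T1530")),               # leaked key -> S3 data access
    Incident("INC-003", ("T1552.005", "T1078.004", "T1496")),  # SSRF to IMDS -> key use -> mining
    Incident("INC-004", ("T1078.004", "T1486")),               # leaked key -> ransomware
    Incident("INC-005", ("T1078.004", "T1496")),
    Incident("INC-006", ("T1552.005", "T1078.004", "T1530")),
    Incident("INC-007", ("T1078.004", "T1098.003", "T1486")),
]

# Constructed inventories of what the team already has, keyed by technique ID.
PLAYBOOKS = {"T1496", "T1486"}                # cryptomining and ransomware runbooks exist
DETECTIONS = {"T1496", "T1552.005", "T1486"}  # techniques with a detection rule in place


def technique_frequency(incidents):
    """Number of incidents in which each technique appeared (counted once per incident)."""
    counts = Counter()
    for inc in incidents:
        counts.update(set(inc.techniques))
    return counts


def top_techniques(incidents, n):
    """The n most frequently observed techniques; ties broken by ID for stable output."""
    freq = technique_frequency(incidents)
    return sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def cooccurrence(incidents):
    """How often each pair of techniques was seen together in one incident.

    A pair that recurs across many cases is the kind of pattern that stays
    invisible when each incident is reviewed on its own.
    """
    pairs = Counter()
    for inc in incidents:
        pairs.update(combinations(sorted(set(inc.techniques)), 2))
    return pairs


def coverage_gaps(incidents, playbooks, detections, n):
    """Among the top-n techniques, those with no playbook and those with no detection."""
    top = [tech for tech, _ in top_techniques(incidents, n)]
    return {
        "missing_playbook": [t for t in top if t not in playbooks],
        "missing_detection": [t for t in top if t not in detections],
    }


def playbook_priority(incidents, playbooks):
    """Techniques without a playbook, most frequently observed first."""
    freq = technique_frequency(incidents)
    missing = [(t, c) for t, c in freq.items() if t not in playbooks]
    return [t for t, _ in sorted(missing, key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for tech, count in top_techniques(INCIDENTS, 3):
        print(f"{tech}: {count} incidents")
    print("co-occurring pairs:", cooccurrence(INCIDENTS).most_common(2))
    print("gaps in top 3:", coverage_gaps(INCIDENTS, PLAYBOOKS, DETECTIONS, 3))
    print("playbook backlog:", playbook_priority(INCIDENTS, PLAYBOOKS))
```

On the constructed data the aggregation surfaces what no single case report would: cloud credential use (T1078.004) is present in every incident yet has neither a playbook nor a detection, and the IMDS credential theft cases always chain into credential use and then into mining or data access. The same two sets, the techniques you see most and the techniques your monitoring covers, are what a team needs to answer the last question the abstract raises, whether current monitoring would catch the most frequently observed techniques.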