MITRE has released EMB3D version 2.0, marking the first update since the model reached content completion with the Mitigations release last fall. The latest update introduces a machine-readable Structured Threat Information Expression (STIX) 2.1 JSON format to support integration with threat and vulnerability tools. It also adds new Properties (PID-28, 33, 34), Threats (TID-225, 226), and Mitigations (MID-84 to 89), alongside expanded definitions, references, and numerous technical edits.
The new release focuses heavily on refreshing the Threats and Properties sections, which have been available the longest, and addressing feedback and suggestions from the community. The STIX language is a machine-readable JSON format used for capturing and sharing cyber threat information, and the EMB3D dataset is available in STIX 2.1 format.
“On the Mitigations side, we completed a set of new entries on different ways that formal methods approaches can address various threats, ranging from parsers to operating system internals,” according to the MITRE EMB3D site. “Two other new mitigations pair with the expanded threats related to logging. Several existing MIDs were expanded with additional techniques and references. Finally, we’ve been asked for this a lot and can finally make it available.”
It added that EMB3D is now packaged up in a machine-readable format. “We picked the STIX 2.1 standard as its data model captures most of the EMB3D data set well. We also hope choosing STIX makes it easier to integrate EMB3D with other threat and vulnerability tools and data sets.”
“At MITRE, we believe that collaboration is the cornerstone of security,” Yosry Barsoum, MITRE vice president and director at the Center for Securing the Homeland, wrote in a LinkedIn post on Tuesday. “That’s why we continue to partner closely with industry leaders—large and small—to co-develop capabilities like EMB3D to not only strengthen individual organizations but build collective security across industry and government. In doing so, we help safeguard the economic security of the nation.”
Barsoum added that since EMB3D’s initial release, “we’ve received overwhelming feedback and adoption across sectors like energy, water, space, automotive, and beyond. Whether it’s large manufacturers leveraging EMB3D as the backbone of AI-driven threat modeling platforms or small device makers using it as their core modeling tool, the response has been clear.”
EMB3D is a comprehensive threat model for embedded devices used across industries such as critical infrastructure, IoT, automotive, healthcare, manufacturing, and more. Designed as a resource for vendors, asset owners/operators, test organizations, and security researchers, the model helps enhance the security of embedded device hardware and software. It serves as a central repository that defines known threats to embedded devices and the unique features or properties that enable specific threat actions. By mapping threats to relevant device features, users can assess threat exposure based on the known characteristics of the devices.
The EMB3D data is represented primarily with standard STIX data objects (SDOs), plus some custom extensions: EMB3D Threats are expressed as vulnerability objects, EMB3D Mitigations as course-of-action objects, and EMB3D Properties, which do not map well to standard STIX data types, as custom objects.
The threat and mitigation description text is contained in the description field of each object. The contents of this field are the Markdown format text corresponding to the similar section on each TID and MID web page. Evidence and reference text for threats and mitigations are similarly encoded as Markdown text. The EMB3D data is generated using the OASIS CTI TC’s Python STIX2 library in UTF-8 text encoding.
One limitation of the EMB3D 2.0 release is that its STIX data representation is an initial implementation. While all model data is included in the STIX JSON file, the file does not use the complete STIX feature set. Specifically, the evidence and reference materials associated with Threats and Mitigations are represented as free-form Markdown text. In a future EMB3D release, these will be encoded as objects using the STIX external-reference data type mechanism.
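As an added illustration of the object mapping described above (not code from MITRE or the EMB3D project), the following Python example reads a STIX 2.1 bundle and reports, for a device's properties, the threats it is exposed to and the mitigations linked to each. The bundle is constructed; the custom type name `x-example-property`, the object names, and the use of STIX relationship objects to link properties, threats and mitigations are assumptions, since the article does not describe how EMB3D encodes those links.

```python
import json
from collections import defaultdict

# Constructed sample: every id, name and the custom type "x-example-property"
# is a placeholder, not a value from the real EMB3D STIX file. Linking objects
# with STIX relationship objects is an assumption of this example.
def _id(kind, n):
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

PROP, VULN, COA = "x-example-property", "vulnerability", "course-of-action"
SAMPLE = json.dumps({"type": "bundle", "id": _id("bundle", 0), "objects": [
    {"type": PROP, "id": _id(PROP, 1), "name": "PID-A"},
    {"type": PROP, "id": _id(PROP, 2), "name": "PID-B"},
    {"type": VULN, "id": _id(VULN, 1), "name": "TID-A", "description": "## Markdown"},
    {"type": VULN, "id": _id(VULN, 2), "name": "TID-B"},
    {"type": COA, "id": _id(COA, 1), "name": "MID-A"},
    {"type": "relationship", "id": _id("relationship", 1), "relationship_type": "related-to",
     "source_ref": _id(PROP, 1), "target_ref": _id(VULN, 1)},
    {"type": "relationship", "id": _id("relationship", 2), "relationship_type": "related-to",
     "source_ref": _id(PROP, 2), "target_ref": _id(VULN, 2)},
    {"type": "relationship", "id": _id("relationship", 3), "relationship_type": "mitigates",
     "source_ref": _id(COA, 1), "target_ref": _id(VULN, 1)},
    {"type": "relationship", "id": _id("relationship", 4), "relationship_type": "mitigates",
     "source_ref": _id(COA, 1), "target_ref": _id(VULN, 9)},  # dangling target
]})

def exposure(bundle_text, device_properties, property_type=PROP):
    """Return {threat name: [mitigation names]} for a device's property names."""
    bundle = json.loads(bundle_text)
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    by_id = {o["id"]: o for o in bundle.get("objects", []) if "id" in o and "type" in o}
    threats_for = defaultdict(set)      # property id -> threat ids
    mitigations_for = defaultdict(set)  # threat id -> mitigation ids
    for rel in (o for o in by_id.values() if o["type"] == "relationship"):
        src, dst = by_id.get(rel.get("source_ref")), by_id.get(rel.get("target_ref"))
        if src is None or dst is None or dst["type"] != VULN:
            continue  # skip dangling references and links that do not target a threat
        if src["type"] == property_type:
            threats_for[src["id"]].add(dst["id"])
        elif src["type"] == COA and rel.get("relationship_type") == "mitigates":
            mitigations_for[dst["id"]].add(src["id"])
    result = {}
    for obj in by_id.values():
        if obj["type"] == property_type and obj.get("name") in device_properties:
            for tid in threats_for[obj["id"]]:
                names = sorted(by_id[m]["name"] for m in mitigations_for[tid])
                result[by_id[tid]["name"]] = names
    return result
```

A threat that maps to an empty list has no linked mitigation in the bundle, which is the gap a device review would follow up on first.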