
Adversary Tactics, Techniques, and Common Knowledge

By NHI Mgmt Group Updated June 23, 2026 Domain: Threats, Abuse & Incident Response

A structured way to describe how attackers operate, using goals, methods, and implementation details. In practice, it helps defenders separate what the attacker wanted from how they achieved it, which improves detection engineering, incident analysis, and control validation.

Expanded Definition

Adversary tactics, techniques, and common knowledge is an ATT&CK-like way of describing hostile activity by separating intent, method, and reusable operational knowledge. Tactics describe why an attacker acts, techniques describe how they do it, and common knowledge captures repeatable implementation detail that defenders can recognise across campaigns. In NHI security, this framing is especially useful when service accounts, API keys, tokens, or agent tool permissions are targeted because the same tactic can appear through very different execution paths.

Definitions vary across vendors, but the practical value is consistent: it gives analysts a shared language for detection engineering, incident triage, and control testing. It also maps naturally to threat modelling for agentic systems, where an AI agent may have legitimate tool access yet still be manipulated into attacker-favourable actions. For broader adversary mapping, the MITRE ATLAS adversarial AI threat matrix is the closest external reference point, although ATLAS focuses more on AI-specific adversary behaviour than on NHI controls. The most common misapplication is treating a single observed method as the whole attack, which happens when teams do not distinguish initial access from persistence or credential abuse.

Examples and Use Cases

Implementing this taxonomy rigorously often introduces analysis overhead, requiring organisations to balance faster incident reporting against more precise attacker attribution and control validation.

  • Detecting a service account abused for lateral movement by classifying the objective as persistence while treating the execution path as token replay or privilege escalation.
  • Mapping repeated secrets theft campaigns to a common pattern after finding credentials in code, CI/CD logs, or config files, a problem highlighted in Ultimate Guide to NHIs — Why NHI Security Matters Now.
  • Using CISA cyber threat advisories to correlate observed phishing, token theft, or session hijacking with the broader adversary pattern seen across multiple victims.
  • Building detections for agent misuse by distinguishing the adversary’s tactic of coercing tool use from the specific technique of prompt injection or tool argument manipulation.
  • Reviewing breach cases in The 52 NHI breaches Report to identify recurring attacker methods against API keys, orchestration layers, and cloud identities.

In practice, this term is most valuable when teams want to compare cases across environments without losing the operational detail that explains why one defence failed and another held. It also helps analysts avoid overfitting one-off incident narratives to a single adversary profile.

Why It Matters in NHI Security

When adversary behaviour is modelled this way, defenders can link incidents to specific NHI failure modes such as secret sprawl, excessive privilege, weak rotation, and poor offboarding. That matters because NHI compromise rarely looks like a single login event; it often appears as a chain of small abuses that only become obvious when mapped to intent, execution, and follow-on actions. NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why the tactic-technique view is so operationally important.

This framing also supports control validation against agentic systems. A team can test whether a policy blocks the tactic even if the technique changes, which is the difference between a durable defence and a narrow signature. For NHI-specific governance and recurring failure patterns, the Top 10 NHI Issues and OWASP NHI Top 10 provide useful context. Organisations typically encounter this distinction only after an incident review reveals that the same credential abuse pattern was missed by multiple detections, at which point it becomes operationally impossible to ignore.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Non-Human Identity Top 10 | NHI-01 | ATT&CK-style mapping helps identify recurring NHI attack paths and missing detections.
OWASP Agentic AI Top 10 | A1 | Agentic abuse often combines prompt, tool, and control-plane tactics in one chain.
NIST CSF 2.0 | DE.CM-1 | Continuous monitoring depends on recognising adversary behaviours and correlating indicators.

Map observed NHI attack patterns to NHI-01 and build detections by tactic, not by one-off technique.
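As an added illustration of "detect by tactic, not by one-off technique" (this is not code from the NHIMG page or any vendor tool), the Python below contrasts a technique-level signature with a tactic-level chain detection over constructed service-account telemetry. The event names and the technique-to-tactic mapping are hypothetical labels chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, identity, technique).
EVENTS = [
    ("2026-06-23T09:00:00", "svc-deploy", "secret_found_in_ci_log"),
    ("2026-06-23T09:04:00", "svc-deploy", "token_replay_from_new_ip"),
    ("2026-06-23T09:09:00", "svc-deploy", "new_api_key_created"),
    ("2026-06-23T09:30:00", "svc-reports", "token_replay_from_new_ip"),
]
# Same chain against svc-deploy, but the credential-abuse technique changes.
VARIANT_EVENTS = [
    (ts, ident, "privilege_escalation_via_role_assume"
     if (ident, tech) == ("svc-deploy", "token_replay_from_new_ip") else tech)
    for ts, ident, tech in EVENTS
]

# Common-knowledge layer: technique -> tactic. Hypothetical labels, not an
# official ATT&CK mapping; a real deployment would use its own catalogue.
TECHNIQUE_TO_TACTIC = {
    "secret_found_in_ci_log": "initial_access",
    "token_replay_from_new_ip": "credential_abuse",
    "privilege_escalation_via_role_assume": "credential_abuse",
    "new_api_key_created": "persistence",
}

def technique_detection(events, technique="token_replay_from_new_ip"):
    """Narrow signature: fires only when this exact technique is observed."""
    return sorted({ident for _, ident, tech in events if tech == technique})

def tactic_chain_detection(events, window=timedelta(minutes=15), min_tactics=2):
    """Tactic-level detection: flag an identity whose events cover at least
    `min_tactics` distinct tactics inside `window`, whatever technique
    implemented each step. Returns {identity: sorted tactics seen}."""
    per_identity = defaultdict(list)
    for ts, ident, tech in events:
        tactic = TECHNIQUE_TO_TACTIC.get(tech)
        if tactic:  # unmapped techniques are ignored, never guessed
            per_identity[ident].append((datetime.fromisoformat(ts), tactic))
    flagged = {}
    for ident, items in per_identity.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            tactics = {t for ts, t in items[i:] if ts - start <= window}
            if len(tactics) >= min_tactics:
                flagged[ident] = sorted(tactics)
                break
    return flagged
```

Running both detections over EVENTS and VARIANT_EVENTS shows the signature losing svc-deploy as soon as the technique is swapped, while the tactic chain still flags the same identity with the same three tactics.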

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.