Motivation
The schema already supports a structured attackSteps array plus attackPaths.stepIds, but the legacy attackPaths.steps string array is still present (deprecated only) and the comprehensive examples still use plain strings. To make attack path analysis machine-readable for AFR, MDR, and detection engineering use cases, structured steps must become the V1.0 default and gain the fields enumerated in the requirements that are not yet visible in the schema.
Proposed change
- Field additions on
attackStep:
type (enum: precondition | access | exploit | privilegeEscalation | lateralMovement | persistence | impact | exfiltration | actionOnObjective)
prerequisites[] (referenced by id; matches RDX-020-era requirement)
references[] to external knowledge bases: cveId, cweId, capecId, attackTechniqueId (MITRE ATT&CK incl. ATT&CK for ICS/Embedded), autoVulnDbId, internal vuln-tracker id
- Optional step-level
attackFeasibilityRatingId so step-level AFR can be expressed in addition to path-level
- Branching/graph support on
attackPath:
- Replace flat
stepIds with edges[] carrying from, to, and joinType (AND | OR | SEQUENCE) so AND/OR attack trees can be expressed
- Keep
stepIds accepted as a sequence shorthand for backwards compatibility
- Deprecate string
steps: mark in JSON Schema description and XSD annotation that the field will be removed in v0.2.0; update all examples to use structured steps; add a validator warning when string steps are present.
- Rewrite
examples/rdx-xml-comprehensive.xml and one JSON example to demonstrate the new structured + branching form.
References
REQUIREMENTS.md — RDX-019/020 (attack path steps as structured elements)
- AI peer review, section 3 ("Attack path modeling is in transition")
- MITRE ATT&CK for ICS / Embedded; MITRE CAPEC; CWE; NVD CVE
Acceptance criteria
Surfaced by external AI peer review; see chat transcript for full review text.
Motivation
The schema already supports a structured
attackStepsarray plusattackPaths.stepIds, but the legacyattackPaths.stepsstring array is still present (deprecated only) and the comprehensive examples still use plain strings. To make attack path analysis machine-readable for AFR, MDR, and detection engineering use cases, structured steps must become the V1.0 default and gain the fields enumerated in the requirements that are not yet visible in the schema.Proposed change
attackStep:type(enum:precondition|access|exploit|privilegeEscalation|lateralMovement|persistence|impact|exfiltration|actionOnObjective)prerequisites[](referenced by id; matches RDX-020-era requirement)references[]to external knowledge bases:cveId,cweId,capecId,attackTechniqueId(MITRE ATT&CK incl. ATT&CK for ICS/Embedded),autoVulnDbId, internal vuln-tracker idattackFeasibilityRatingIdso step-level AFR can be expressed in addition to path-levelattackPath:stepIdswithedges[]carryingfrom,to, andjoinType(AND|OR|SEQUENCE) so AND/OR attack trees can be expressedstepIdsaccepted as a sequence shorthand for backwards compatibilitysteps: mark in JSON Schema description and XSD annotation that the field will be removed in v0.2.0; update all examples to use structured steps; add a validator warning when string steps are present.examples/rdx-xml-comprehensive.xmland one JSON example to demonstrate the new structured + branching form.References
REQUIREMENTS.md— RDX-019/020 (attack path steps as structured elements)Acceptance criteria
attackStepschema (JSON + XSD) gainstype,prerequisites[], structuredreferences[]with vulnerability/technique IDs, and optionalattackFeasibilityRatingIdattackPathschema supports anedges[]model with AND/OR/SEQUENCE joinsstepsarray emits a deprecation warning fromtools/validate.shattackStepsSurfaced by external AI peer review; see chat transcript for full review text.