Attack Tree Origins


Attack trees evolved from other types of decision tree diagrams, especially fault trees. This gradual development process, combined with the fact that much of the original research took place at a certain three letter intelligence agency, has made it difficult to identify the precise moment in time when attack trees were invented, but probably in the late 1980s or early 1990s.

One of the earliest unclassified publications discussing attack trees was Edward Amoroso's 1994 book Fundamentals of Computer Security Technology. In the book he described threat trees, a tree structure very similar to attack trees. Dr. Amoroso recently confirmed that his first exposure to attack trees was on a project that involved co-workers from the defense and intelligence communities.

By the late 1990s papers were beginning to appear describing the attack tree analysis process in some detail. For instance, in the 1998 paper Toward a Secure System Engineering Methodology (, the authors describe a mature, attack tree-based approach to analyzing risk. The paper stated that "This paper is based on research done by a working group sponsored by the National Security Agency." Indeed, two of the paper's authors (Chris Salter and Jim Wallner) are identified as NSA employees. A third (O. Sami Saydjari) worked for DARPA. Since it usually takes a period of time for research from within classified environments to appear in non-restricted forums this confirms that the intelligence community had been involved in attack tree research for some time.

The fourth author of the Toward a Secure System Engineering Methodology paper was the eminent cryptographer and well known security researcher, Bruce Schneier. In the late 1990s Schneier gave numerous talks and presentations at security conferences on attack tree analysis. His efforts were invaluable in educating the security community about attack trees. Indeed, without his efforts, attack trees may never have progressed beyond their classified origins.

Amenaza Technologies, and the industry in general, owes a debt of gratitude to those persons who developed this valuable threat modeling approach. Many of the key inventors worked (and work) in classified environments. We applaud their efforts even if we cannot recognize them by name.


Go to Performance-based GRC (Governance, Risk and Compliance) >

SecurITree - threat modeling without limits