In cyber threat analysis, it is useful to characterize the tools, techniques, and procedures (TTPs) used by threat actors. When correlated across multiple attacks, such associations can be helpful for attribution. Accordingly, with malware being one of the most prevalent tools used by attackers, it would be useful to characterize specific malware instances as belonging TTPs of specific attackers.

MAEC provides this capability, as its standard vocabulary and grammar permits the accurate identification of malware attributes observed in previous attacks, thus linking attackers and malware toolsets.