Attack trees: because intelligent adversaries are all the rage

Recently I had an interesting conversation around incident response (IR) and preparedness for incidents. For some reason conversation centred around attack trees and how they can be used to better the information security posture of the company. My take on it is that attack trees are great for the security mindset that puts prevention first, second, and third and detection and response equal distant fourth. They’re not so good in the world where non-agent failure happens and your response to it defines how much damage the organisation wears in the end.