← Back to Research
Research · July 16, 2026

The overlap is empty

Simon Morley·3 min read

We crosswalked NRDAX against MITRE AADAPT. Twenty-two NRDAX techniques touch AADAPT. None of them are reproduced.

MITRE AADAPT (July 2025) covers the economic layer: flash loans, channel wormholing, double-spend, chain reorganisation, smart-contract implementation, counterfeit tokens. Eleven tactics, thirty-eight techniques, drawn from more than 150 sources.

NRDAX covers the layer underneath: malformed packets that force multi-gigabyte allocations, four-hundred-byte requests that cost a validator a second of CPU, decompression bombs, exhausted connection tables, non-terminating gossip loops. Mechanisms at the transport and node-resource boundary, reproduced on instrumented infrastructure and recorded with the capture that proves them.

Two registries, adjacent territory. We mapped the seam.

What the data shows

Twelve AADAPT techniques have any NRDAX counterpart. Twenty-two NRDAX techniques sit on the other side of those twelve rows. Every one of those twenty-two is unreproduced.

NRDAX currently holds 102 reproduced techniques. None of them appear in AADAPT. Every technique that does touch AADAPT was catalogued from public disclosure and never put on a wire.

Everything we have reproduced sits where MITRE does not model. Everything MITRE models, we have only read about.

The empty column is the finding.

Two rows that carry the argument

ADT3012 (Exploit Smart Contract Implementation) maps to seven NRDAX techniques. All seven are tombstoned: out of scope, permanently resolvable, and pointed at AADAPT. Contract logic is not our ground.

ADT3016 (Generate Counterfeit Tokens) is ceded. It is an outcome. AADAPT files outcomes.

ADT3016.001 (Cryptographic Protocol Analysis) is retained. Three NRDAX techniques remain in scope. NRDAX classifies by causal mechanism: analysing a cryptographic protocol is something done to a node, at the boundary, with packets. What the adversary gains may be a counterfeit token or a signature check that never runs. AADAPT files under what it produces. We file under what it does. Same technique, two axes. The crosswalk is where they cross.

Using it

Hold an ADT id and ask NRDAX what it knows:

GET https://api.nrdax.com/aadapt/ADT3012

Every NRDAX technique on that row, in scope or tombstoned, reproduced or not. The full index is at api.nrdax.com/aadapt. Human version at nrdax.com/aadapt.

Tombstoned techniques still resolve. An ID we issue answers forever, including when the answer is "not ours, go to MITRE".

The pin

The crosswalk is pinned to MITRE AADAPT at commit cd6a74ca (retrieved 2025-10-31) from github.com/mitre/AADAPT. Not a floating mirror. A specific ref, stated on the page, with a build check that fails if any mapping points at an ADT id that no longer exists.

The division of labour

MITRE cites. NRDAX reproduces. The crosswalk measures the difference rather than describing it: twenty-two rows of overlap, zero reproduced.

AADAPT covers the economic layer from source review. The transport and node-resource boundary is a different class of object. The evidence is a capture, and the capture only exists if the infrastructure to take it is built.

NRDAX is the registry for the network-boundary and node-resource attack class: 102 techniques reproduced on instrumented infrastructure, 274 catalogued from public disclosure, 17 out of scope. Every technique carries a permanent citable ID.

Crosswalk: nrdax.com/aadapt.

nrdaxmitreaadaptcrosswalktaxonomyregistrysecurity-research
Publication policy:Why we publish these findings →

Related Posts