Attack-Defense Trees (ADTs)

Updated 10 December 2025

Attack-Defense Trees (ADTs) are formal, compositional models that depict attacker actions and defensive countermeasures using structured trees or directed acyclic graphs.
They employ refinements such as AND, OR, and specialized countermeasure edges to support Boolean, quantitative, trace-based, and game-theoretic analyses.
Extensive tool support and empirical validation make ADTs a key methodology for threat modeling, risk assessment, and security engineering.

Attack-Defense Trees (ADTs) constitute a formal, graphical methodology for modeling and quantitative analysis of security scenarios where both adversarial actions and proactive defensive countermeasures must be expressed compositionally. ADTs generalize classical attack trees by introducing explicit defender nodes and countermeasure edges. They are mathematically precise, support a variety of semantic frameworks (Boolean, quantitative, trace- and game-theoretic), and are widely used both in academia and industrial toolchains for threat modeling, security requirements engineering, and risk assessment (Broccia et al., 9 Apr 2024, Kordy et al., 2012, Kordy et al., 2013, Brihaye et al., 2023).

1. Formal Syntax and Semantics

An ADT is defined as a rooted, labeled tree or, in general, a directed acyclic graph (DAG), with nodes partitioned as attack (adversarial) or defense (countermeasure) nodes. Let $V$ be the nodes, $E_r$ the refinement edges (AND, OR), and $E_c$ the countermeasure (defense-to-attack or attack-to-defense) edges. Refinements can be conjunctive ( $\wedge$ ) or disjunctive ( $\vee$ ), and countermeasure edges represent the explicit blocking or neutralizing of attacks by defenses (or vice versa): $T = (V, E_r \cup E_c), \quad V = V_{\mathit{A}} \dot\cup V_{\mathit{D}}, \quad E_r \subseteq V \times V, \quad E_c \subseteq (V_{\mathit{A}} \times V_{\mathit{D}}) \cup (V_{\mathit{D}} \times V_{\mathit{A}})$ A typical ADT may include further constructors such as SAND (sequential AND), inhibition gates (INH), reactive/no-defence patterns, or explicit duration/cost/probability annotations per node (Arias et al., 2019, Copae et al., 17 Apr 2025).

Boolean semantics are described via recursive evaluation over the tree:

AND-refinement: success if all children succeed
OR-refinement: success if at least one child succeeds
Countermeasure: success if attack succeeds and defense fails (or vice versa)
Leaf nodes: success/fail according to user-assigned base attribute

For quantitative attributes $v(\cdot)$ (e.g., probability, cost, time), standard bottom-up evaluation applies: $v\left(\bigwedge_{i=1}^k n_i\right) = \prod_{i=1}^k v(n_i), \qquad v\left(\bigvee_{i=1}^k n_i\right) = 1 - \prod_{i=1}^k (1 - v(n_i))$ Countermeasures can be composed according to user-defined rules, e.g., subtraction of defense effectiveness from attack probability (Broccia et al., 9 Apr 2024, Kordy et al., 2013).

2. Graphical and Tool-Based Modeling

ADTs are visually specified with attack nodes as ovals/circles and defense nodes as rectangles/squares. Refinement edges indicate decomposition (AND, OR, SAND), and countermeasure edges are drawn as distinct arrows. Numerous tools support ADT editing and bottom-up analysis:

ADTool enables graphical model construction, bottom-up attribute evaluation, multi-metric support, and outputs for visualization or further formal analysis (Kordy et al., 2013).
QuADTool extends this paradigm, supporting imprecise (PAC) input parameters and rigorous uncertainty propagation, along with interfaces to formal verification tools (PRISM, UPPAAL, MODEST) (Dorfhuber et al., 21 Jun 2024).
Analysis is scalable: quantitative evaluation is linear in tree size except where extreme countermeasure nesting (i.e., DAGs with large defense branching) is present (Copae et al., 17 Apr 2025).

3. Mathematical Expressiveness and Formal Properties

The formal power of ADTs has been precisely established:

Trace-language semantics: ADTs characterize the family of star-free regular languages; each depth of countermeasure (nesting of C-operators) provably increases expressiveness, forming the ADT-hierarchy (Brihaye et al., 2023).
Game-theoretic equivalence: There exists a structural, outcome-preserving bijection between ADTs and two-player binary zero-sum extensive-form games; compositional modeling directly translates into compositional strategic games (Kordy et al., 2010).
Decision problem complexity:
- Trace membership is LOGSPACE-complete
- Non-emptiness is NP-complete for shallow countermeasure depth, non-elementary for unrestricted depth
- Equivalence scales from coNP-complete ( $k=0$ ) to non-elementary (Brihaye et al., 2023)

4. Quantitative Evaluation and Multiple Attribute Domains

A unifying feature of ADTs is the capacity to support a wide array of quantitative analyses. This is formalized by the attribute domain concept: $A_\alpha = (D_\alpha,\,\vee^p_\alpha,\,\wedge^p_\alpha,\,\vee^o_\alpha,\,\wedge^o_\alpha,\,\mathit{counter}^p_\alpha,\,\mathit{counter}^o_\alpha)$ where $p$ denotes the proponent (attacker), $o$ the opponent (defender), and $\alpha$ the attribute (e.g., cost, probability, skill). The evaluation proceeds via a postorder traversal, aggregating attributes according to the gate and node type (Kordy et al., 2012, Kordy et al., 2013, Copae et al., 17 Apr 2025).

Defense attributes have recently been unified with attack attributes by modeling both as semirings and computing Pareto-optimal tradeoffs. Efficient algorithms exist for tree-structured and (via BDDs) DAG-shaped ADTs, with scalable performance confirmed by experiments up to hundreds of nodes (Copae et al., 17 Apr 2025).

Many tools also handle imprecise input by propagating (ε,δ)-PAC estimates according to analytically derived algebraic rules for error/confidence accumulation through the tree (Dorfhuber et al., 21 Jun 2024).

5. Multi-Agent and Scheduling Frameworks

ADTs can be mapped to asynchronous multi-agent systems (EAMAS), where each node corresponds to a local process/automaton, and synchronization encodes gate logic. This mapping enables quantitative verification of timing, cost, and constraints under different attacker/defender coalition models in tools such as UPPAAL and IMITATOR (Arias et al., 2019). Further, optimal scheduling of ADT tasks/agents—minimizing makespan and number of agents for attack/defense actions—can be solved by techniques reducing to constrained DAG scheduling, with polynomial-time algorithms available for practical ADT sizes (Arias et al., 2023, Arias et al., 2021).

6. Adversarial and Strategic Semantics

The classical path semantics of ADTs (reachability, attribute accumulation over cooperative runs) is extended by adversarial (strategy-based) semantics, where analysis asks whether the attacker can force a win against all possible defender strategies, or vice versa. Formally, ADTs can be embedded into concurrent game arenas (CGAs), and the complexity of associated questions then matches known bounds in classical game theory (PSPACE-complete for strategy non-emptiness, coNP-complete for membership) (Brihaye et al., 2022). The equivalence to perfect-information games supports the application of established algorithmic game-solving techniques to ADT analysis (Kordy et al., 2010).

7. Empirical Understandability and Practical Adoption

Recent empirical research confirms that ADT notation achieves a balance of formal rigor and human usability. In a controlled experiment (n=25), participants achieved high effectiveness (total effectiveness $0.768 \pm 0.134$ ), high perceived ease of use ( $4.18 \pm 0.56$ ), and high intention to use ( $3.88 \pm 0.40$ ) on 5-point Likert scales after minimal training. Regression analysis showed that intention to use is primarily driven by perceived usefulness, and practical tree manipulation is a key predictor of perceived usefulness (Broccia et al., 9 Apr 2024).

Best practice recommendations for modeling include: use ADTs in early security workshops to unify attacker and defender perspectives, provide focused onboarding tutorials, and leverage modern tools supporting both intuitive editing and formal/quantitative analysis.

Attack-Defense Trees provide a compositional, extensible, and analyzable syntax for specifying and quantifying adversarial processes in information security. Their well-studied semantics, strong connections to game and language theory, and extensive tool support make them a foundational technology in security engineering and risk management (Broccia et al., 9 Apr 2024, Brihaye et al., 2023, Kordy et al., 2012, Kordy et al., 2013, Copae et al., 17 Apr 2025).