The Core Concept: Akamai structures its security product portfolio around the 14-stage MITRE ATT&CK chain — deploying specific capabilities at each adversarial stage to ensure attackers can be intercepted at reconnaissance, access, lateral movement, and exfiltration, rather than only at the entry and exit points most stacks protect.
The Guest: Steve Winterfeld, Advisory CISO at Akamai
The Bottom Line:
• Akamai’s security architecture is explicitly mapped to the MITRE ATT&CK chain — WAF, Prolexic, API Firewall, and micro-segmentation create layered interception across all 14 adversarial stages, closing the coverage gaps left open by defenses concentrated only at entry and exit.
Speaking with TFiR, Steve Winterfeld, Advisory CISO at Akamai, explained how Akamai translates the MITRE ATT&CK framework from a threat assessment tool into a practical architecture blueprint — mapping specific products and capabilities to each stage of the adversarial kill chain to protect the full data journey for both employees and customers.
THE COVERAGE GAP MOST SECURITY STACKS LEAVE OPEN
Most enterprise security programs concentrate their tooling at the two ends of the attack chain — prevention at initial access and detection at exfiltration. This leaves the middle stages — execution, persistence, evasion, lateral movement, and internal discovery — underprotected. Attackers who breach the perimeter can often move through these middle stages undetected because the controls simply aren’t there. The MITRE ATT&CK framework makes this gap visible; Akamai’s security architecture is designed to close it.
HOW AKAMAI MAPS TO THE ATT&CK CHAIN
Akamai’s approach to enterprise security is structured around the principle that defenders have 14 distinct opportunities to interrupt an adversary’s methodology — and that each opportunity requires a dedicated capability.
At the reconnaissance and initial access stages, Akamai’s Web Application Firewall (WAF) identifies and blocks probing and access attempts before they reach application infrastructure. For denial-of-service attacks targeting infrastructure, Prolexic provides purpose-built DDoS mitigation at network scale. API-layer attacks — an increasingly common vector as enterprise environments expose more machine-to-machine interfaces — are addressed by Akamai’s API Firewall.
“If they’re attacking our APIs, we have API Firewall — we just have a number of products around that step.”
At the execution, persistence, evasion, and lateral movement stages — where most security stacks have the fewest controls — Akamai’s micro-segmentation capability provides real-time visibility and interception. By seeing lateral movement as it happens, security teams can step in before an intrusion spreads across the environment. Command and control and data exfiltration are addressed by additional tooling, which completes coverage of the full chain.
THE FULL DATA JOURNEY AS A UNIFIED SECURITY SURFACE
Winterfeld framed Akamai’s security model around protecting the entire data journey — not just the network perimeter. Whether traffic originates from an employee or a customer, the same layered defense applies across all 14 ATT&CK stages. This approach reflects the reality of modern enterprise environments, where the boundary between internal and external traffic has effectively disappeared.
“Across that entire thing — they have 14 opportunities for you to stop them — Akamai is going to be a partner in a lot of those different steps to interdict and disrupt their methodology.”





