AutoSUT: The Environment Semantics Gap in Structured CTI for Adversary Emulation

Abstract

Structured Cyber Threat Intelligence (CTI) increasingly supports adversary emulation, detection evaluation, and cyber range design, yet each workflow still requires a target System Under Test (SUT) whose environment is not fully described by public CTI. We define the environment semantics gap as a measurable property of structured CTI: the SUT information required for replay-ready instantiation that cannot be derived solely from structured fields. We present AutoSUT, a pipeline that locates where corpus-supported narrowing ends and analyst specification begins. Across ATT&CK Enterprise, Mobile, and ICS STIX bundles, with CAPEC and FiGHT as contrast datasets, we measure platform coverage, software specificity, vulnerability evidence, and deployment compatibility. Platform tags are near-universal, but 97.6% of Enterprise software objects lack version indicators and CPE identifiers. Campaign-level CVE evidence covers only 9.6% of campaigns, even after free-text enrichment, and only 19 of 691 techniques (2.7%) are container-feasible under conservative backend-family assignment. Profile confusion among intrusion sets drops from 1.3% for one linked software item to 0% for two linked software items, indicating that software-evidence density, not CVE enrichment, drives actor-specific SUT screening. Finally, we constructively demonstrate environment non-uniqueness: holding every corpus-supported element fixed and varying only the analyst-authored region yields multiple distinct, campaign-compatible SUTs, including an executable witness running CVE-2021-41773 and coincident witnesses in which structurally different service realizations execute the same attack. Structured CTI, therefore, constrains but does not uniquely determine the executable environment. Replay-ready emulation should accordingly declare which environment commitments the corpus supports and which remain analyst-authored.
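The abstract's headline numbers (software objects lacking version indicators or CPE identifiers, campaigns with CVE evidence before and after free-text enrichment) are all quantities one can compute over a STIX bundle. The script below is an added illustration, not AutoSUT's own pipeline or the paper's exact methodology: it walks a constructed STIX 2.1 bundle, scores each `malware`/`tool` object for platform tags, version indicators and CPE strings, then scores each `campaign` for CVE evidence first via structured `targets` relationships to `vulnerability` objects and then after regex enrichment of its description. The regexes, the field names beyond standard STIX and ATT&CK's `x_mitre_platforms`, and the sample objects are assumptions of this example; the software objects it flags are the ones whose environment would have to be analyst-authored.

```python
import re

SOFTWARE_TYPES = {"malware", "tool"}
# Heuristics (assumptions of this example, not the paper's definitions):
VERSION_RE = re.compile(r"\b(?:v|version\s*)?\d+\.\d+(?:\.\d+)*\b", re.IGNORECASE)
CPE_RE = re.compile(r"\bcpe:(?:2\.3:|/)\S+", re.IGNORECASE)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
SKIP_KEYS = {"id", "type", "created", "modified", "source_ref", "target_ref"}

# Constructed sample bundle; ids and names are placeholders, not ATT&CK data.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "tool", "id": "tool--a", "name": "Example Tunneler",
     "description": "Reverse tunneling utility used for lateral movement.",
     "x_mitre_platforms": ["Windows", "Linux"]},
    {"type": "tool", "id": "tool--b", "name": "ExampleShell v2.4.1",
     "description": "Web shell dropped after initial access.",
     "x_mitre_platforms": ["Linux"]},
    {"type": "malware", "id": "malware--c", "name": "ExampleLoader",
     "description": "Loader shipped as cpe:2.3:a:example:loader:1.0:*:*:*:*:*:*:*",
     "x_mitre_platforms": ["Windows"]},
    {"type": "malware", "id": "malware--d", "name": "ExampleRAT",
     "description": "Remote access trojan; platform not recorded."},
    {"type": "vulnerability", "id": "vulnerability--e", "name": "CVE-2021-41773",
     "external_references": [{"source_name": "cve", "external_id": "CVE-2021-41773"}]},
    {"type": "campaign", "id": "campaign--1", "name": "Campaign One",
     "description": "Targeted exposed web servers."},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "targets",
     "source_ref": "campaign--1", "target_ref": "vulnerability--e"},
    {"type": "campaign", "id": "campaign--2", "name": "Campaign Two",
     "description": "Reporting attributes exploitation of CVE-2021-41773 on Apache httpd."},
    {"type": "campaign", "id": "campaign--3", "name": "Campaign Three",
     "description": "Phishing wave with no vulnerability named."},
]}


def strings_of(obj):
    """Yield the free-text values of a STIX object (one level into lists/dicts)."""
    for key, value in obj.items():
        if key in SKIP_KEYS:
            continue
        if isinstance(value, str):
            yield value
        elif isinstance(value, list):
            for item in value:
                if isinstance(item, str):
                    yield item
                elif isinstance(item, dict):
                    yield from (v for v in item.values() if isinstance(v, str))


def software_gap(bundle):
    """Platform coverage and software specificity over malware/tool objects."""
    objs = [o for o in bundle["objects"] if o["type"] in SOFTWARE_TYPES]
    report = {"software_total": len(objs), "with_platform": 0,
              "with_version": 0, "with_cpe": 0, "analyst_authored": []}
    for o in objs:
        text = " ".join(strings_of(o))
        report["with_platform"] += bool(o.get("x_mitre_platforms"))
        has_version = bool(VERSION_RE.search(text))
        has_cpe = bool(CPE_RE.search(text))
        report["with_version"] += has_version
        report["with_cpe"] += has_cpe
        if not (has_version or has_cpe):
            # No corpus-supported way to pin a build: the SUT must be authored.
            report["analyst_authored"].append(o["id"])
    report["lacking_specificity_fraction"] = (
        len(report["analyst_authored"]) / len(objs) if objs else 0.0)
    return report


def campaign_cve_evidence(bundle):
    """CVE coverage per campaign: structured relationships, then text enrichment."""
    objs = bundle["objects"]
    by_id = {o["id"]: o for o in objs}
    campaigns = [o for o in objs if o["type"] == "campaign"]
    structured, enriched = {}, {}
    for c in campaigns:
        cves = set()
        for r in objs:
            if r["type"] == "relationship" and r.get("source_ref") == c["id"]:
                target = by_id.get(r.get("target_ref"), {})
                if target.get("type") == "vulnerability":
                    for ref in target.get("external_references", []):
                        if ref.get("source_name") == "cve":
                            cves.add(ref["external_id"])
        structured[c["id"]] = set(cves)
        cves |= set(CVE_RE.findall(c.get("description", "")))  # free-text enrichment
        enriched[c["id"]] = cves
    n = len(campaigns) or 1
    return {"campaigns": len(campaigns),
            "structured_cve_fraction": sum(1 for v in structured.values() if v) / n,
            "enriched_cve_fraction": sum(1 for v in enriched.values() if v) / n,
            "cves_by_campaign": {k: sorted(v) for k, v in enriched.items()}}


if __name__ == "__main__":
    print(software_gap(SAMPLE_BUNDLE))
    print(campaign_cve_evidence(SAMPLE_BUNDLE))
```

Pointing the two functions at a real ATT&CK Enterprise bundle instead of `SAMPLE_BUNDLE` reproduces the shape of the abstract's measurement; the regex heuristics will over-count version indicators (any `x.y` token matches), so treat the specificity fraction as an upper bound on what the corpus supports.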
