Attack Pattern Architecture: Variants, Chains, and Composites
Weaknesses exist at different levels of abstraction.
At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses at varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness.
A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology.
A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability.
A composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
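The chain definition above, illustrated with a commonly cited case in which an unchecked integer multiplication (first link) yields an undersized buffer that a later copy overruns (second link). This is an added example, not part of the original page; all function names are hypothetical, and it shows that fixing the first link leaves the second unreachable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Link 1 of the chain: the element count is multiplied without an overflow
   check, so the product can wrap to a small value. Returns the number of
   bytes that would be requested from the allocator. */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size;   /* wraps modulo SIZE_MAX + 1 */
}

/* Breaking link 1: reject any count whose product cannot be represented.
   Returns 0 and stores the size on success, -1 if the request is refused. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Link 2 is reachable only when link 1 has produced an undersized buffer:
   a copy that trusts `count` would write past the allocation. This helper
   reports whether that condition holds, without performing the write. */
int copy_would_overflow(size_t count, size_t elem_size, size_t alloc_bytes)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 1;   /* true size not representable: any buffer is too small */
    return count * elem_size > alloc_bytes;
}

/* Hardened copy: allocation and copy both depend on the checked size. */
void *copy_records(const void *src, size_t count, size_t elem_size)
{
    size_t bytes;
    if (checked_alloc_size(count, elem_size, &bytes) != 0)
        return NULL;            /* chain stops at the first link */
    void *dst = malloc(bytes ? bytes : 1);
    if (dst != NULL)
        memcpy(dst, src, bytes);
    return dst;
}
```

A composite differs in that removing any one of its member weaknesses is enough, regardless of order, whereas in a chain each weakness depends on the one before it having been reached.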