A socio-economic perspective – and its operational implications within the ENSEMBLE project

This article examines a work in progress – yet already highly insightful – structured around two major frameworks: MITRE ATT&CK and the European cyber incident database EuRepoC. The study conducted by Mhelvin Mercado addresses two central questions:
– the evolution of initial access techniques between 2000 and 2024;
– their statistical relationship with the severity of cyber incidents.
Beyond its findings, this work provides insights directly relevant to operational cyber threat analysis.
Mhelvin Mercado, Evolution of initial access techniques (MITRE ATT&CK®) and the impact on incident severity in cyber incidents (2000–2024): A quantitative analysis of the EuRepoC dataset (2026).
Mercado highlights a gradual transformation in initial access techniques. Some historically dominant methods are declining, while others are emerging or being reconfigured. This evolution shifts the constraints faced by attackers, under the combined effect of strengthened security measures, the spread of advanced authentication mechanisms and the transformation of organisational digital practices.
This shift becomes particularly visible when considering that initial access techniques reflect trade-offs. As certain technical vulnerabilities become more difficult to exploit, attackers reallocate their efforts towards other vectors. The observed evolution therefore reflects continuous adaptation to a changing defensive environment.
The central result lies in the relationship between initial access techniques and incident severity. Not all techniques are equivalent. Some are statistically associated with higher-intensity incidents. This relationship suggests that the initial access vector is correlated with the structure of the attack itself.
In a theoretical representation of crime-as-a-service attacks, such a correlation should not appear. Mercado’s results, however, reveal a link that shifts the analysis.
The initial access vector signals an attack configuration. It provides information on the type of actor involved, their level of preparation and their resources. Above all, it reflects the capacity of the organisation – regardless of its form – to translate access into operational impact.
This interpretation leads to distinguishing two regimes of attack:
– a technical regime, based on the exploitation of vulnerabilities,
– an interactional regime, based on the manipulation of actors, the exploitation of identities and integration into organisational practices.
The latter is becoming increasingly prominent, reflecting a rational adjustment in an environment where technical exploitation is more costly, more uncertain and more rapidly neutralised.
The scope of these results must nonetheless be qualified. The analysis relies on documented incidents and therefore on observable phenomena. It does not capture failed attempts, undetected attacks or organisational configurations that do not produce exploitable traces. As in most research on economic crime, observability both structures and limits the analysis.
It is precisely within this space that the ENSEMBLE project operates. By structuring analysis around the reconstruction of attack chains, and in particular the tactics, techniques and procedures that compose them, the project aims to move beyond a fragmented reading of incidents towards a more integrated understanding of attack configurations. This approach makes it possible to connect dispersed signals and to reposition initial access within a broader dynamic, where it conditions persistence, lateral movement and impact generation.
ENSEMBLE’s contribution also lies in its capacity to combine heterogeneous data sources – technical traces, interactions and event logs – within collaborative analytical frameworks. The use of artificial intelligence, particularly in distributed architectures, enables these data to be exploited while preserving confidentiality and sovereignty constraints. This articulation between information sharing and data protection represents a central challenge for authorities engaged in combating cybercrime.
In line with Mercado’s findings, ENSEMBLE explicitly integrates social and organisational dimensions into its analytical models. Actor motivations, interpersonal interactions and organisational contexts are treated as constitutive elements of attack configurations. This shift is essential in a context where interactional techniques are gaining prominence.
This does not diminish the value of Mercado’s work. It provides a robust empirical grounding for previously fragmented observations and highlights consistent patterns, particularly regarding the relationship between access vectors and incident intensity. It contributes to a more comprehensive understanding of cybercrime – attack chains, value chains and organisational forms – and opens the way for further modelling.
It is within this articulation between empirical validation and modelling capacity that the current limits – and future developments – of cybercrime analysis can be found.
Written by Paul Labic. Laboratory for theoretical and applied economics (BETA), CNRS UMR 7522. Associate researcher at the research lab of the French police academy (ENSP).
REFERENCES
Mercado, M. (2026). Evolution of initial access techniques (MITRE ATT&CK®) and the impact on incident severity in cyber incidents (2000-2024): A quantitative analysis of the Eurepoc dataset [South College]. https://www.proquest.com/openview/7538e6671504d6f4335d90debdc19fb8/1
