Attack Tree Origins

Attack trees appear to have evolved from other types of decision tree diagrams, especially fault trees. This gradual development process, combined with the fact that much of the original research took place in classified environments, has made it difficult to identify the precise moment in time when attack trees were invented.

In 1994, Edward Amoroso's book Fundamentals of Computer Security Technology described threat trees, a tree structure very similar to attack trees. By the late 1990s papers were beginning to appear describing the attack tree analysis process in some detail. For instance, in the 1998 paper Toward a Secure System Engineering Methodology (, the authors describe a mature, attack tree-based approach to analyzing risk. The paper stated that "This paper is based on research done by a working group sponsored by the National Security Agency." Indeed, two of the paper's authors (Chris Salter and Jim Wallner) are identified as NSA employees. A third (O. Sami Saydjari) worked for DARPA. Since it usually takes a period of time for research from within classified environments to appear in non-restricted forums this would seem to indicate that the intelligence community had been involved in attack tree research for some time. We speculate that attack trees were invented by the NSA in the late 1980s or early 1990s. We know of no relationship between Edward Amoroso (of Bell Labs) and the NSA and believe he worked independently to invent attack trees.

The fourth author of the Toward a Secure System Engineering Methodology paper was the eminent cryptographer and security researcher, Bruce Schneier. In the late 1990s Schneier gave numerous talks and presentations at security conferences on attack tree analysis. His efforts were invaluable in educating the security community about attack trees.