See here for a one-page overview of how to use the MITRE SAF© to help developers, assessors, and operations teams automate security in their current processes.
MITRE SAF© is a framework, not one tool. To determine which framework components will help you improve your cybersecurity processes, take a look at this diagram.

MITRE SAF© helps piece together disparate automation content from the security community and MITRE to ensure developer teams can leverage quality code that is already written. For more information on how to deploy tools inside your environment, be sure to check out our apps: Vulcan, SAF CLI, Heimdall, and eMASSer.
DevSecOps is a software development framework that stresses automation and rapid user feedback to deliver quality, secure software quickly. A DevSecOps pipeline is a collection of tools and practices that can automate as much of development as possible, from testing to change management to deployment.
The MITRE SAF© toolset is designed to support DevSecOps pipelines (though a pipeline is not required to use it) and to easily "slot in" alongside your existing security tools.
DevSecOps Best Practices Guide
See the following for an executive summary of MITRE SAF©'s capabilities.
Take a look at some presentation slide decks the MITRE SAF© engineers have given on various topics related to security automation:
InSpec is a free and open-source Chef framework for testing and auditing applications and infrastructure. InSpec is designed to integrate very easily into existing DevOps pipelines. MITRE has partnered with the open-source community to create a growing number of baseline testing profiles to make it easy for developers to jump right in.
InSpec Documentation | InSpec Profile Resources Reference | Introduction to InSpec Video Courses | InSpec Profile Developers Course | InSpec Advanced Developer Course | SAF CLI
It is intended and recommended that InSpec be installed on a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) and run against the target remotely. However, InSpec may be deployed in various ways depending on the needs of the user:
