Structured Cyber Threat Intelligence (CTI) is increasingly used for adversary emulation, detection evaluation, and cyber range design. However, these workflows still require a target System Under Test (SUT) whose environment is not fully described by public CTI. We measure how much of that environment can be derived from MITRE ATT&CK Structured Threat Information Expression (STIX) bundles. Using the ATT&CK Enterprise, Mobile, and Industrial Control Systems datasets, with CAPEC and FiGHT as comparison datasets, we evaluate platform coverage, software specificity, vulnerability evidence, and deployment compatibility. Platform annotations are common, but software references rarely include versions or Common Platform Enumeration (CPE) identifiers. In Enterprise, 97.6% of software objects lack both, and campaign-level Common Vulnerabilities and Exposures (CVEs) remain sparse. Our results show that ATT&CK-style structured CTI can narrow candidate environments and support lower-bound backend-family assignment, but structured fields alone are insufficient to derive a replay-ready SUT. Profile confusion decreases from 1.3% when one software item is linked to 0% when two are linked. The results identify a boundary between environment details supported by the corpus and the version, vulnerability, and deployment information that must come from external sources. Keeping corpus-supported elements fixed while varying only analyst-authored details yields multiple distinct, campaign-compatible SUTs, including an executable witness exploiting the same real vulnerability. Structured CTI, therefore, constrains but does not uniquely determine the environment, highlighting the need to separate corpus-supported commitments from analyst-authored assumptions in replay-ready emulation.

翻译：结构化网络威胁情报（CTI）正日益被用于对手模拟、检测评估和网络靶场设计。然而，这些工作流程仍然需要一个目标被测系统（SUT），其环境无法由公开CTI完全描述。我们评估了从MITRE ATT&CK结构化威胁信息表达（STIX）数据包中能推导出多少环境信息。通过使用ATT&CK企业、移动和工业控制系统数据集，并以CAPEC和FiGHT作为对比数据集，我们评估了平台覆盖率、软件特异性、漏洞证据及部署兼容性。平台注释较为常见，但软件引用极少包含版本号或通用平台枚举（CPE）标识符。在企业数据集中，97.6%的软件对象同时缺失这两类信息，而战役级别的通用漏洞披露（CVE）关联仍十分稀疏。我们的结果表明，ATT&CK风格的结构化CTI能够缩小候选环境范围，并支持后端家族的低阶分配，但单纯的结构化字段不足以推导出可重放SUT。当软件项关联从1个降至2个时，配置混淆率从1.3%降至0%。研究结果划定了语料库支持的环境细节与必须来自外部源的版本、漏洞及部署信息之间的边界。保持语料库支持的元素不变，仅调整分析人员编写的细节，可生成多个不同且与战役兼容的SUT，其中包括利用同一真实漏洞的可执行验证样例。因此，结构化CTI能够约束但无法唯一确定环境，这凸显了在可重放模拟中需将语料库支持的承诺与分析人员编写的假设加以区分。