This study addresses the challenge of constructing replayable systems under test (SUT) for adversary emulation using structured cyber threat intelligence (CTI), which often lacks contextual semantics. It presents the first quantitative assessment of semantic gaps in MITRE ATT&CK STIX data by integrating CAPEC and FiGHT, leveraging platform annotations, CPE/CVE linkages, and version identification to evaluate environmental representativeness. The analysis reveals that 97.6% of enterprise software objects lack version or CPE identifiers, rendering structured fields insufficient for uniquely specifying an SUT. To overcome this limitation, the work proposes a novel SUT construction paradigm that decouples corpus-supported elements from analyst assumptions, enabling the generation of multi-version-compatible and executable adversary emulation environments.

Structured Cyber Threat Intelligence (CTI) is increasingly used for adversary emulation, detection evaluation, and cyber range design. However, these workflows still require a target System Under Test (SUT) whose environment is not fully described by public CTI. We measure how much of that environment can be derived from MITRE ATT&CK Structured Threat Information Expression (STIX) bundles. Using the ATT&CK Enterprise, Mobile, and Industrial Control Systems datasets, with CAPEC and FiGHT as comparison datasets, we evaluate platform coverage, software specificity, vulnerability evidence, and deployment compatibility. Platform annotations are common, but software references rarely include versions or Common Platform Enumeration (CPE) identifiers. In Enterprise, 97.6% of software objects lack both, and campaign-level Common Vulnerabilities and Exposures (CVEs) remain sparse. Our results show that ATT&CK-style structured CTI can narrow candidate environments and support lower-bound backend-family assignment, but structured fields alone are insufficient to derive a replay-ready SUT. Profile confusion decreases from 1.3% when one software item is linked to 0% when two are linked. The results identify a boundary between environment details supported by the corpus and the version, vulnerability, and deployment information that must come from external sources. Keeping corpus-supported elements fixed while varying only analyst-authored details yields multiple distinct, campaign-compatible SUTs, including an executable witness exploiting the same real vulnerability. Structured CTI, therefore, constrains but does not uniquely determine the environment, highlighting the need to separate corpus-supported commitments from analyst-authored assumptions in replay-ready emulation.