We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / MITRE ATT&CK
MITRE · Global

MITRE ATT&CK

A knowledge base of real-world adversary tactics and techniques.

1. Introduction

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible, evidence-based knowledge base of adversary behaviour, curated and maintained by MITRE, a not-for-profit organisation that operates federally funded research and development centres (FFRDCs) in the United States. Unlike a prescriptive compliance standard such as PCI DSS or ISO/IEC 27001, ATT&CK is a descriptive taxonomy: it catalogues how real-world threat actors actually operate once they are inside, or attempting to breach, an enterprise, mobile, cloud, or industrial control systems environment. Since its first public release in 2015, ATT&CK has become the lingua franca of defensive cybersecurity, adopted by security operations centres (SOCs), threat-intelligence teams, red teams, detection engineers, and boards of directors seeking a common vocabulary for measuring defensive coverage.

This CyberSigma Knowledge Center deep-dive is written for security leaders, SOC managers, detection engineers, threat hunters, purple-team practitioners, and auditors who need to operationalise ATT&CK as a measurable programme rather than a poster on the wall. It treats ATT&CK as an assessable capability model: we enumerate every tactic (the columns of the matrix), explain the technique and sub-technique hierarchy, and provide auditor-grade verification tables covering detection coverage, data-source instrumentation, threat-informed defence, and adversary emulation. Because ATT&CK is not a certification, the objective here is not a pass/fail audit but a rigorous, repeatable assessment of coverage, maturity, and defensive efficacy against the techniques most relevant to your threat model.

Copyright and licensing note
MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. The ATT&CK knowledge base is made available by MITRE under terms that permit reuse with attribution; however, the ATT&CK content, technique identifiers, and matrices remain the intellectual property of MITRE. This guide is original CyberSigma commentary and interpretation written to help organisations operationalise the framework. It does not reproduce MITRE's copyrighted descriptive text. Always consult the authoritative source at attack.mitre.org for canonical technique definitions, and reproduce MITRE material only in accordance with MITRE's terms of use and attribution requirements.

2. What is MITRE ATT&CK

MITRE ATT&CK is a curated knowledge base that organises adversary behaviour into a structured matrix. The framework answers a deceptively simple question that traditional vulnerability-centric security historically struggled with: what does an attacker actually do, step by step, to achieve their objectives? Rather than focusing on indicators of compromise (IOCs) such as file hashes or IP addresses that change constantly, ATT&CK focuses on tactics, techniques and procedures (TTPs) that describe adversary behaviour at a level of abstraction that is far more durable and difficult for an attacker to change.

The framework is expressed as a set of matrices. The columns of a matrix are tactics, representing the adversary's tactical goal or the reason for performing an action, such as gaining initial access or exfiltrating data. Within each tactic column sit the techniques, which describe how an adversary achieves that tactical goal, and many techniques are further decomposed into sub-techniques that describe more specific variants of behaviour. Each technique is documented with procedure examples drawn from observed intrusions, the data sources needed to detect it, mitigations that reduce its likelihood or impact, and references to the threat groups and software known to use it.

ATT&CK is versioned and released periodically (typically twice a year), with each release adding, deprecating, or revising techniques as the threat landscape evolves. The knowledge base is complemented by related MITRE resources: ATT&CK for adversary behaviour, the ATT&CK Navigator for visualising coverage as heat maps, D3FEND for defensive countermeasures, CAR (Cyber Analytics Repository) for detection analytics, and MITRE Engenuity's ATT&CK Evaluations which independently test commercial security products against emulated adversaries.

Why ATT&CK matters for defenders

  • Common language: security teams, vendors, threat intelligence providers and executives can all reference the same technique identifiers, eliminating ambiguity.
  • Threat-informed defence: coverage can be prioritised against the specific techniques used by the threat groups most relevant to an organisation's sector and geography.
  • Detection engineering: each technique maps to observable data sources, giving detection engineers a concrete target for analytic development.
  • Gap analysis and heat mapping: the ATT&CK Navigator lets teams visualise which techniques they can detect, mitigate, or are blind to.
  • Red and purple teaming: adversary emulation plans are built directly from ATT&CK techniques, enabling repeatable, behaviour-based testing.
  • Vendor evaluation: procurement decisions can be grounded in objective, technique-level coverage rather than marketing claims.

3. Who must comply / who should adopt ATT&CK

MITRE ATT&CK is not a regulatory mandate, so no organisation is legally required to comply with it in the way one must comply with the PCI DSS or the DPDP Act. However, ATT&CK adoption is increasingly expected as a matter of good practice, and a growing number of regulators, frameworks, and customers reference or require behaviour-based defensive coverage that maps naturally to ATT&CK. The table below sets out the audiences for whom ATT&CK adoption is effectively obligatory in practice.

AudienceWhy ATT&CK applies to them
Security Operations Centres (SOCs)ATT&CK is the de facto standard for measuring detection coverage, triaging alerts, and structuring threat hunts; mature SOCs are expected to map detections to techniques.
Managed Security Service Providers (MSSPs / MDR)Clients increasingly demand ATT&CK coverage reporting as a contractual deliverable and a differentiator during procurement.
Threat intelligence teamsCTI is expressed in ATT&CK technique IDs to make it actionable; sharing communities (ISACs) standardise on ATT&CK.
Red teams, penetration testers and purple teamsEngagement scoping, adversary emulation plans, and reporting are structured around ATT&CK tactics and techniques.
Detection and security engineeringAnalytic development, SIEM/EDR content, and data-source instrumentation are prioritised using ATT&CK.
CISOs and boardsATT&CK heat maps provide a defensible, evidence-based narrative of defensive posture and investment justification.
Critical national infrastructure and OT/ICS operatorsATT&CK for ICS is used to assess control-system-specific adversary behaviour for sectors under regulatory scrutiny (e.g. CERT-In directions, NIS2).
Software and product vendorsSecurity-tool vendors publish ATT&CK coverage and participate in ATT&CK Evaluations to demonstrate efficacy.
Auditors and assessorsBehaviour-based assurance increasingly supplements control-checklist audits; ATT&CK provides the reference model.

4. Structure of MITRE ATT&CK

ATT&CK is organised into technology domains, each with its own matrix of tactics and techniques. Within a matrix, the hierarchy runs from tactics (the why) to techniques (the how) to sub-techniques (specific variants), each carrying a stable identifier. The table below summarises the domains, the object types, and the identifier conventions that make up the ATT&CK model.

Structural elementDescription and identifier convention
Enterprise domainCovers Windows, macOS, Linux, cloud (IaaS/SaaS/Office 365/Azure AD/Google Workspace), network devices, and containers. The most widely used matrix, with 14 tactics.
Mobile domainCovers Android and iOS adversary behaviour, aligned where possible to enterprise tactics, plus mobile-specific tactics such as network effects.
ICS domainCovers industrial control systems and operational technology, with tactics reflecting the physical process impact of attacks (e.g. Impair Process Control, Inhibit Response Function).
TacticThe adversary's tactical objective; forms the matrix columns. Identifier format TAxxxx (e.g. TA0001 Initial Access).
TechniqueHow an adversary achieves a tactic. Identifier format Txxxx (e.g. T1566 Phishing).
Sub-techniqueA more specific behaviour under a parent technique. Identifier format Txxxx.xxx (e.g. T1566.001 Spearphishing Attachment).
ProcedureA specific, observed implementation of a technique by a threat actor or piece of software.
MitigationA defensive configuration, tool, or process that reduces a technique's likelihood or impact. Identifier format Mxxxx (e.g. M1017 User Training).
Data source and data componentThe telemetry required to observe a technique (e.g. Process: Process Creation). Identifier format DSxxxx.
DetectionGuidance on the analytic logic used to identify a technique in the relevant data source.
GroupA tracked threat actor / intrusion set. Identifier format Gxxxx (e.g. G0016 APT29).
SoftwareMalware or tooling used by adversaries. Identifier format Sxxxx (e.g. S0002 Mimikatz).
CampaignA grouping of intrusion activity over a time period with shared objectives. Identifier format Cxxxx.

The Enterprise tactics (matrix columns)

The Enterprise matrix comprises 14 tactics arranged roughly in the order an intrusion may unfold, from reconnaissance through to impact. These tactics form the backbone of the master assessment checklist in the next section.

Tactic (ID)Adversary objective
Reconnaissance (TA0043)Gather information to plan future operations against a target.
Resource Development (TA0042)Establish resources (infrastructure, accounts, capabilities) to support operations.
Initial Access (TA0001)Gain an initial foothold within the target environment.
Execution (TA0002)Run adversary-controlled code on a local or remote system.
Persistence (TA0003)Maintain access across restarts, credential changes, and other interruptions.
Privilege Escalation (TA0004)Gain higher-level permissions on a system or network.
Defense Evasion (TA0005)Avoid detection by security controls and analysts.
Credential Access (TA0006)Steal account names, passwords, tokens, and other credentials.
Discovery (TA0007)Explore and understand the environment after gaining access.
Lateral Movement (TA0008)Move through the environment to reach objectives.
Collection (TA0009)Gather data of interest to the adversary's goal.
Command and Control (TA0011)Communicate with compromised systems to control them.
Exfiltration (TA0010)Steal data out of the target network.
Impact (TA0040)Manipulate, interrupt, or destroy systems and data.

5. Master assessment checklist

This is the core of the guide. For each ATT&CK Enterprise tactic we provide a verification table that an assessor can use to evaluate whether the organisation can detect, mitigate, and respond to the techniques within that tactic. Each row states what to verify and the typical evidence that demonstrates coverage. The intent is not to require detection of every one of the several hundred techniques, but to ensure deliberate, risk-prioritised coverage with instrumented data sources, tested analytics, and documented gaps. Assessors should cross-reference the organisation's ATT&CK Navigator coverage layer, detection catalogue, and adversary-emulation results throughout.

5.0 Programme foundations (cross-cutting)

What to verifyTypical evidence
A threat-informed defence programme exists with a named owner and mandateProgramme charter, RACI, steering-committee minutes
The organisation has a prioritised list of relevant threat groups and techniquesCTI report mapping sector/geo threats to ATT&CK groups (Gxxxx) and techniques
An ATT&CK Navigator coverage layer is maintained and version-controlledExported Navigator JSON, change history, review dates
Detections are catalogued and mapped to technique IDsDetection library / SIEM content with T-ID tags
Data-source instrumentation is inventoried against required data componentsData-source coverage matrix, log-source inventory
ATT&CK version currency is tracked and coverage re-baselined on new releasesVersion-control notes, remapping records after each ATT&CK release

5.1 Reconnaissance (TA0043)

What to verifyTypical evidence
Detection or monitoring for active scanning and probing of external assets (T1595)IDS/WAF logs, external attack-surface monitoring alerts
Awareness of information exposed via public sources and search (T1593, T1596)OSINT / brand-monitoring reports, exposed-credential scans
Phishing-for-information detection and reporting channels (T1598)Reported-email metrics, awareness-training records
Attack-surface reduction for gathered victim host/network/org informationAsset inventory, external footprint minimisation records

5.2 Resource Development (TA0042)

What to verifyTypical evidence
Monitoring for lookalike / typosquatted domains and acquired infrastructure (T1583, T1584)Domain-monitoring service reports, takedown records
Detection of adversary account creation abusing the brand (T1585, T1586)Social-media and impersonation-monitoring alerts
Threat-intelligence enrichment identifying adversary tooling and capabilities (T1587, T1588)CTI feeds, malware/tooling tracking, IOC ingestion logs
Certificate transparency and code-signing abuse monitoringCT-log monitoring alerts, certificate inventory

5.3 Initial Access (TA0001)

What to verifyTypical evidence
Phishing detection across attachment, link and service variants (T1566)Email-gateway logs, sandbox verdicts, click-tracking, user reports
Exploitation of public-facing applications monitored and patched (T1190)WAF logs, vulnerability-scan results, patch records
Valid-accounts abuse detection including cloud and default accounts (T1078)Impossible-travel/anomalous-login alerts, MFA logs
External remote services hardened and monitored (T1133)VPN/RDP logs, MFA enforcement, geo-fencing rules
Supply-chain and trusted-relationship compromise controls (T1195, T1199)Vendor risk assessments, third-party access reviews
Removable-media and drive-by controls (T1091, T1189)USB device-control policy, web-proxy content inspection

5.4 Execution (TA0002)

What to verifyTypical evidence
Command and scripting interpreter monitoring (PowerShell, cmd, Bash, WMI) (T1059)Script-block logging, EDR command-line telemetry, AMSI logs
User-execution (malicious file/link) detection and awareness (T1204)EDR detonation alerts, phishing-simulation metrics
Native API and system-service abuse detection (T1106, T1569)EDR behavioural detections, service-creation alerts
Scheduled task / job execution monitoring (T1053)Task-creation event logs (e.g. Event ID 4698), cron auditing
Container and serverless execution monitoring where applicable (T1610, T1648)Container runtime logs, cloud function invocation logs

5.5 Persistence (TA0003)

What to verifyTypical evidence
Account manipulation and creation monitoring (T1098, T1136)Directory audit logs, new-account and group-change alerts
Boot/logon autostart execution monitoring (registry run keys, services) (T1547, T1543)Autoruns baselining, registry and service-creation telemetry
Scheduled task persistence detection (T1053)Task-scheduler audit logs, deviation from golden baseline
Server software component and web-shell detection (T1505)Web-server file-integrity monitoring, web-shell scanners
Cloud and identity persistence (additional credentials, federation) (T1098.001-005)Cloud IAM change logs, federation/SSO configuration audits

5.6 Privilege Escalation (TA0004)

What to verifyTypical evidence
Exploitation for privilege escalation detection (T1068)EDR exploit-guard alerts, kernel/driver anomaly detection
Abuse of elevation-control mechanisms (UAC bypass, sudo) (T1548)Privileged-action audit logs, UAC-bypass detections
Access-token manipulation monitoring (T1134)EDR token-manipulation telemetry, process-integrity checks
Valid privileged-account and role escalation monitoring (T1078, cloud roles)Privileged-access-management logs, role-assignment change alerts
Process injection detection (also evasion) (T1055)EDR memory/injection detections

5.7 Defense Evasion (TA0005)

What to verifyTypical evidence
Impair-defenses detection (security tool tampering, log deletion) (T1562)EDR self-protection alerts, log-clearing events (Event ID 1102)
Masquerading and file/renaming detection (T1036)EDR filename/path anomaly detections, signed-binary validation
Indicator removal / log tampering monitoring (T1070)Immutable/forwarded logs, deletion alerts
Obfuscated/encoded files and information detection (T1027)AMSI, entropy analysis, deobfuscation sandboxing
Signed binary proxy execution (LOLBins) monitoring (T1218)EDR detections for rundll32/mshta/regsvr32 abuse
Valid-accounts and trusted-tool abuse to evade controlsBehavioural baselining, anomaly detection

5.8 Credential Access (TA0006)

What to verifyTypical evidence
OS credential dumping detection (LSASS, SAM, /etc/shadow) (T1003)EDR LSASS-access alerts, Credential Guard, honeytoken triggers
Brute-force and password-spray detection (T1110)Failed-login analytics, lockout policy, MFA logs
Credentials from stores (browsers, password managers) monitoring (T1555)File-access auditing on credential stores, DLP alerts
Steal or forge Kerberos tickets detection (Kerberoasting, Golden Ticket) (T1558)Kerberos service-ticket anomaly detection (Event ID 4769)
Multi-factor request generation / MFA fatigue detection (T1621)IdP push-notification analytics, number-matching enforcement
Unsecured credentials in files/config/code (T1552)Secrets-scanning results, credential-in-repo alerts

5.9 Discovery (TA0007)

What to verifyTypical evidence
Account, group and domain trust discovery detection (T1087, T1482)Directory-enumeration analytics (e.g. BloodHound-like queries)
System and network configuration discovery monitoring (T1016, T1082)Command-line telemetry for ipconfig/systeminfo/net commands
Remote system and network share discovery detection (T1018, T1135)SMB enumeration alerts, share-access auditing
Cloud service and infrastructure discovery monitoring (T1526, T1580)Cloud API audit logs (list/describe calls anomalies)
Security-software discovery detection (T1518.001)EDR telemetry for defence-enumeration commands

5.10 Lateral Movement (TA0008)

What to verifyTypical evidence
Remote-services abuse detection (RDP, SSH, SMB, WinRM) (T1021)Authentication logs, lateral-auth analytics, network segmentation
Pass-the-hash / pass-the-ticket detection (T1550)NTLM/Kerberos anomaly detection, credential-tiering controls
Use of alternate authentication material and remote exec tools (PsExec, WMI)EDR remote-execution telemetry, service-creation on target
Internal spearphishing and lateral tool transfer detection (T1534, T1570)Internal-email analytics, host-to-host file-transfer monitoring
Exploitation of remote services detection (T1210)IDS signatures, vulnerability posture of internal services

5.11 Collection (TA0009)

What to verifyTypical evidence
Data-from-local-system and network-shared-drive collection detection (T1005, T1039)DLP alerts, mass file-access anomaly detection
Email collection and archive staging detection (T1114, T1560)Mailbox-rule auditing, archive-creation (zip/rar) telemetry
Screen capture, keylogging and input capture detection (T1113, T1056)EDR behavioural detections, endpoint monitoring
Data-from-cloud/repositories collection monitoring (T1530, T1213)Cloud storage/repo access audit logs, DLP for SaaS
Automated collection detection (T1119)Scripted-access anomaly detection, volume-based alerts

5.12 Command and Control (TA0011)

What to verifyTypical evidence
Application-layer protocol C2 detection (web, DNS, mail) (T1071)Proxy/DNS analytics, JA3/JA4 fingerprinting, beaconing detection
Encrypted-channel and protocol-tunnelling detection (T1573, T1572)TLS inspection or metadata analytics, tunnelling anomaly alerts
Ingress tool transfer detection (T1105)Download telemetry, sandbox verdicts, EDR file-drop alerts
Web-service / dead-drop and fallback-channel detection (T1102, T1008)Traffic to known abused services, domain-reputation analytics
Non-standard port and traffic-signalling detection (T1571, T1205)Netflow analytics, port/protocol mismatch alerts

5.13 Exfiltration (TA0010)

What to verifyTypical evidence
Exfiltration over C2 channel and alternative protocol detection (T1041, T1048)Egress volume analytics, DLP, DNS-exfil detection
Exfiltration to cloud storage and web services monitoring (T1567)CASB/DLP alerts for uploads to unsanctioned services
Data-transfer size-limit and scheduled-transfer detection (T1030, T1029)Chunked-transfer anomaly detection, off-hours egress alerts
Exfiltration over physical/removable media controls (T1052)USB device-control policy, endpoint DLP logs
Egress filtering and data-loss prevention effectivenessDLP policy configuration, blocked-exfil test results

5.14 Impact (TA0040)

What to verifyTypical evidence
Data-encrypted-for-impact (ransomware) detection and response (T1486)Canary files, mass-encryption behavioural detection, immutable backups
Data destruction and disk wipe detection (T1485, T1561)EDR destructive-action alerts, backup restore tests
Inhibit system recovery detection (shadow-copy deletion) (T1490)Detection of vssadmin/wbadmin deletion, backup protection
Service stop and endpoint denial-of-service detection (T1489, T1499)Availability monitoring, service-stop event alerts
Account access removal and defacement detection (T1531, T1491)IAM change alerts, integrity monitoring on public assets

5.15 Mobile and ICS domain coverage (where applicable)

What to verifyTypical evidence
Mobile-domain techniques assessed for BYOD/MDM estate (Android/iOS)MDM/MTD coverage report, mobile ATT&CK Navigator layer
ICS-domain tactics assessed for OT/process environmentsICS ATT&CK layer, OT network monitoring records
ICS impact techniques (impair/inhibit process control) coveredOT IDS alerts, safety-instrumented-system monitoring
Segmentation between IT and OT verified and monitoredNetwork diagrams, firewall rule reviews, unidirectional gateway records

6. Scoping

Because ATT&CK is a descriptive framework spanning several hundred techniques across multiple domains, attempting to detect everything at once is neither feasible nor cost-effective. Scoping an ATT&CK programme is fundamentally an exercise in threat-informed prioritisation: deciding which domains, techniques, and threat groups matter most to your organisation and instrumenting accordingly.

Defining the assessment scope

  • Domain selection: determine which matrices apply (Enterprise is near-universal; add Mobile if you have a managed device estate, and ICS if you operate OT/process control).
  • Platform scope: within Enterprise, identify relevant platforms (Windows, macOS, Linux, cloud/IaaS, SaaS, identity providers, network, containers) as many techniques are platform-specific.
  • Threat-actor scope: use CTI to identify the intrusion sets (Gxxxx) most relevant to your sector, geography, and value as a target; this yields a prioritised technique list.
  • Crown-jewel scope: identify the assets, data, and business processes an adversary would target, and prioritise the techniques on the likely kill-chain to those assets.
  • Data-source scope: map which telemetry sources are (or can be) instrumented, since detection is impossible without the underlying data component.
  • Maturity scope: decide whether the current cycle targets detection coverage, mitigation coverage, or adversary-emulation validation.
  • Out-of-scope declaration: explicitly document techniques deliberately deprioritised (e.g. platforms not in use) so the coverage map is honest.
Scoping principle
Coverage breadth without depth is a false comfort. It is better to have robust, tested detection for the fifty techniques your priority threat actors actually use than shallow, untested rules nominally covering three hundred. Scope to your threat model, then deepen coverage iteratively.

7. Implementation approach

Operationalising ATT&CK is best delivered as a phased programme that moves from understanding the threat, through instrumentation and detection engineering, to continuous validation via adversary emulation. The phases below are cumulative; each produces concrete deliverables that feed the next.

Phase 1 — Threat modelling and prioritisation

  • Activities: gather cyber threat intelligence; identify relevant threat groups and their known techniques; define crown-jewel assets and likely attack paths; agree the priority technique list.
  • Deliverables: threat profile document, prioritised ATT&CK technique list, initial Navigator layer of target coverage.

Phase 2 — Data-source and visibility assessment

  • Activities: inventory current log and telemetry sources; map them to the data components required by priority techniques; identify visibility gaps; plan instrumentation (e.g. enabling script-block logging, EDR, cloud audit logs).
  • Deliverables: data-source coverage matrix, visibility gap register, instrumentation roadmap.

Phase 3 — Detection engineering

  • Activities: develop, tune, and document analytics for priority techniques; tag each detection with its technique ID; establish a detection catalogue and a test harness; reduce false positives.
  • Deliverables: detection library mapped to ATT&CK, detection-as-code repository, Navigator layer of achieved detection coverage.

Phase 4 — Mitigation and hardening

  • Activities: implement ATT&CK mitigations (Mxxxx) that reduce technique feasibility (e.g. application control, MFA, network segmentation); map mitigations to techniques; verify configuration.
  • Deliverables: mitigation-to-technique map, hardening baseline records, residual-risk register.

Phase 5 — Adversary emulation and validation

  • Activities: build adversary-emulation plans from priority techniques; execute purple-team exercises and automated breach-and-attack simulation; measure detection and prevention efficacy; feed findings back into detection engineering.
  • Deliverables: emulation plans, purple-team reports, validated coverage heat map, remediation backlog.

Phase 6 — Continuous improvement and governance

  • Activities: re-baseline on each ATT&CK release; track KPIs; report coverage to leadership; integrate lessons from real incidents into technique coverage.
  • Deliverables: recurring coverage reports, KPI dashboard, updated Navigator layers, governance review minutes.

8. Maturity / capability model

Organisations progress through recognisable stages of ATT&CK adoption. The model below, inspired by the concept of threat-informed defence maturity, lets an assessor place an organisation on a capability scale and set a target level. Levels are cumulative.

Maturity levelCharacteristics
Level 0 — UnawareNo use of ATT&CK; defence is IOC-centric and tool-driven; no technique-level coverage view.
Level 1 — Aware / mappingATT&CK understood; some detections retrospectively mapped to techniques; ad-hoc Navigator use; no threat prioritisation.
Level 2 — Threat-informedPriority threat groups and techniques defined; data-source gaps identified; detection engineering targets ATT&CK; coverage layer maintained.
Level 3 — ValidatedDetections and mitigations validated through purple teaming and adversary emulation; efficacy measured, not assumed; KPIs tracked.
Level 4 — Optimised / continuousContinuous, automated validation; detection-as-code; coverage re-baselined each release; ATT&CK integrated across CTI, SOC, red team, and risk reporting to the board.

9. Assessment and audit approach

A rigorous ATT&CK assessment blends documentation review, technical validation, and adversary emulation. The following steps describe a repeatable assessment methodology an auditor can follow.

  1. Define scope and objectives: agree the domains, platforms, priority threat groups, and whether the assessment targets detection, mitigation, or full validation.
  2. Review the threat profile: confirm CTI-driven prioritisation is current and defensible against the organisation's sector and geography.
  3. Inventory data sources: verify which required data components are instrumented and retained, and identify blind spots.
  4. Review the detection catalogue: confirm detections are mapped to technique IDs, documented, version-controlled, and tuned.
  5. Review mitigations: verify implemented ATT&CK mitigations and their configuration against priority techniques.
  6. Assess the coverage layer: examine the Navigator layer for honesty (claimed vs validated coverage) and currency against the latest ATT&CK release.
  7. Execute adversary emulation: run purple-team or breach-and-attack-simulation tests against priority techniques and measure detection/prevention outcomes.
  8. Analyse gaps: reconcile claimed coverage with emulation results; classify gaps as visibility, detection, or mitigation deficiencies.
  9. Rate maturity: place the organisation on the capability model and agree a target level with a roadmap.
  10. Report and remediate: deliver a findings report with prioritised remediation, feed the backlog into detection engineering, and schedule re-assessment.

10. Evidence request list

The following categorised evidence should be requested at the outset of an assessment to enable efficient, thorough review.

Programme and governance

  • Threat-informed defence programme charter and RACI
  • Steering-committee or governance review minutes
  • Current threat profile / CTI reports mapping threats to ATT&CK groups and techniques
  • ATT&CK version-currency and remapping records

Coverage and detection

  • Exported ATT&CK Navigator coverage layer(s)
  • Detection catalogue / SIEM-EDR content library tagged with technique IDs
  • Detection-as-code repository history and test results
  • False-positive and tuning records

Data sources and visibility

  • Log-source and telemetry inventory
  • Data-source coverage matrix mapped to data components
  • Log retention and integrity (immutability/forwarding) evidence

Mitigations and hardening

  • Mitigation-to-technique mapping
  • Hardening baselines (application control, MFA, segmentation, PAM)
  • Configuration evidence and exception register

Validation

  • Adversary-emulation plans and purple-team reports
  • Breach-and-attack-simulation results
  • Incident post-mortems mapped to ATT&CK techniques
  • KPI dashboards and trend data

11. Roles and responsibilities

RoleResponsibilities
CISO / Head of SecurityOwns the threat-informed defence mandate; reports coverage and residual risk to the board; approves investment.
Threat Intelligence LeadMaintains the threat profile; identifies priority groups and techniques; enriches detections with adversary context.
Detection Engineering LeadBuilds, tunes, and documents analytics mapped to techniques; maintains the detection-as-code repository and test harness.
SOC Manager / AnalystsOperate detections; triage and investigate alerts by technique; contribute detection gaps from real incidents.
Red / Purple Team LeadDesigns and executes adversary-emulation plans; validates detection and prevention efficacy; reports gaps.
Security Architecture / EngineeringImplements mitigations and instrumentation (EDR, logging, segmentation, MFA, PAM).
Data / Platform EngineeringEnsures required telemetry is collected, retained, and made available to analytics.
Risk and ComplianceMaps ATT&CK coverage to regulatory and framework obligations; tracks residual risk and remediation.
Executive Sponsor / BoardProvides mandate and funding; consumes coverage reporting for risk oversight.

12. KPIs to track

  • Technique coverage: percentage of priority techniques with at least one documented, tuned detection.
  • Validated coverage: percentage of priority techniques whose detections have been confirmed by adversary emulation.
  • Data-source coverage: percentage of required data components instrumented and retained.
  • Detection efficacy: true-positive rate and false-positive rate per detection over time.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) by technique or tactic.
  • Emulation pass rate: proportion of emulated techniques detected and/or prevented per exercise.
  • Coverage drift: change in coverage after each ATT&CK release before remapping.
  • Mitigation coverage: percentage of priority techniques with an implemented ATT&CK mitigation.
  • Time-to-detection-content: mean time from a new relevant technique/threat to deployed detection.
  • Gap closure rate: percentage of identified coverage gaps remediated within target SLA.

13. Readiness checklist

  • A named owner and mandate for a threat-informed defence programme exist.
  • A current CTI-driven threat profile maps priority threat groups and techniques to your organisation.
  • An ATT&CK Navigator coverage layer is maintained and version-controlled.
  • Required data sources are inventoried and instrumented, with a documented gap register.
  • Detections are catalogued and tagged with technique IDs in a detection-as-code repository.
  • Detections are tuned, with false-positive rates tracked.
  • ATT&CK mitigations are implemented and mapped to priority techniques.
  • Adversary-emulation or purple-team exercises validate coverage on a defined cadence.
  • Breach-and-attack-simulation or equivalent continuous validation is in place.
  • Coverage is re-baselined after each ATT&CK release.
  • KPIs are tracked and reported to leadership.
  • Real-incident findings are fed back into technique coverage.
  • Mobile and/or ICS domains are assessed where the estate warrants.
  • IT/OT segmentation is verified where operational technology is in scope.

14. Common gaps

  • Vanity coverage: Navigator layers claiming detection that has never been validated by emulation.
  • Missing data sources: analytics written for techniques whose underlying telemetry is not actually collected or retained.
  • IOC dependence: reliance on hashes/IPs rather than durable behaviour-based detection.
  • No threat prioritisation: attempting broad, shallow coverage instead of focusing on relevant threat actors.
  • Stale mapping: coverage never remapped after ATT&CK releases, leaving deprecated or newly split techniques uncovered.
  • Detection sprawl without tuning: noisy rules that analysts ignore, undermining efficacy.
  • No purple teaming: detection efficacy assumed rather than tested against live emulation.
  • Cloud and identity blind spots: on-premises focus while modern intrusions pivot through IdPs and SaaS.
  • Sub-technique neglect: coverage claimed at parent-technique level while specific sub-techniques go undetected.
  • No feedback loop: real incidents not mapped back to ATT&CK to close the discovering gaps.
  • Fragmented ownership: CTI, SOC, and red team operating in silos with no shared coverage view.
  • Ignoring mitigations: over-investment in detection while feasible preventative controls (MFA, application control, segmentation) are neglected.

15. MITRE ATT&CK mapped to other frameworks

ATT&CK is complementary to control-based standards: it describes adversary behaviour, while standards prescribe controls. Mapping the two lets organisations demonstrate that their controls actually counter real-world techniques. The table below sketches how ATT&CK relates to widely used frameworks.

FrameworkRelationship to ATT&CK
NIST Cybersecurity Framework (CSF)ATT&CK techniques map into the Detect and Respond functions; ATT&CK provides behaviour-level assurance behind CSF outcomes.
NIST SP 800-53MITRE publishes mappings from ATT&CK techniques to 800-53 controls, showing which controls mitigate which techniques.
ISO/IEC 27001 / 27002Annex A controls can be validated against the techniques they are intended to mitigate; ATT&CK evidences control efficacy.
CIS Critical Security ControlsCIS Controls map to ATT&CK techniques (community mappings), prioritising safeguards by real adversary behaviour.
PCI DSSATT&CK helps demonstrate that detection and response requirements (e.g. logging, monitoring, anti-malware) counter actual attack techniques.
MITRE D3FENDThe defensive counterpart to ATT&CK; D3FEND countermeasures map to the ATT&CK techniques they defeat.
Cyber Kill Chain (Lockheed Martin)ATT&CK offers finer-grained, behaviour-level detail than the seven-stage kill chain and can be aligned to its phases.
CERT-In directions / sector regulationsBehaviour-based monitoring and incident-reporting expectations align to ATT&CK detection and response coverage.
MITRE ATT&CK EvaluationsIndependent, ATT&CK-based testing of security products to validate technique-level detection efficacy.

16. How CyberSigma helps

How CyberSigma operationalises MITRE ATT&CK for you
CyberSigma helps organisations move from ATT&CK awareness to validated, threat-informed defence. Our CERT-In empanelled and PCI QSA-led team builds your CTI-driven threat profile, maps your priority threat groups and techniques, and assesses your telemetry against the data components each technique demands. We engineer and tune detections as code mapped to ATT&CK technique IDs, implement ATT&CK mitigations across identity, endpoint, cloud, and network, and validate everything through purple-team exercises and breach-and-attack simulation, so your coverage heat map reflects reality rather than aspiration. We integrate ATT&CK reporting into board-level risk narratives and map your coverage to ISO 27001, NIST CSF/800-53, CIS Controls, and PCI DSS to satisfy auditors and regulators alike. Whether you are at Level 0 or aiming for continuous, optimised defence, CyberSigma provides the assessment, engineering, and managed detection and response capability to get you there and keep you there across every ATT&CK release.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is MITRE ATT&CK a compliance framework?
No. It is a behavioural knowledge base for defenders and testers, not a certifiable standard. It complements frameworks like NIST CSF by making detection and testing concrete.
What is the difference between ATT&CK and the Cyber Kill Chain?
The Kill Chain is a high-level linear model of an attack; ATT&CK is a far more granular, non-linear catalog of specific techniques observed in the wild.
What is MITRE D3FEND?
D3FEND is a complementary knowledge base of defensive countermeasures, mapping defensive techniques to the offensive techniques in ATT&CK.

Need help with MITRE ATT&CK?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.