1. Introduction
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible, evidence-based knowledge base of adversary behaviour, curated and maintained by MITRE, a not-for-profit organisation that operates federally funded research and development centres (FFRDCs) in the United States. Unlike a prescriptive compliance standard such as PCI DSS or ISO/IEC 27001, ATT&CK is a descriptive taxonomy: it catalogues how real-world threat actors actually operate once they are inside, or attempting to breach, an enterprise, mobile, cloud, or industrial control systems environment. Since its first public release in 2015, ATT&CK has become the lingua franca of defensive cybersecurity, adopted by security operations centres (SOCs), threat-intelligence teams, red teams, detection engineers, and boards of directors seeking a common vocabulary for measuring defensive coverage.
This CyberSigma Knowledge Center deep-dive is written for security leaders, SOC managers, detection engineers, threat hunters, purple-team practitioners, and auditors who need to operationalise ATT&CK as a measurable programme rather than a poster on the wall. It treats ATT&CK as an assessable capability model: we enumerate every tactic (the columns of the matrix), explain the technique and sub-technique hierarchy, and provide auditor-grade verification tables covering detection coverage, data-source instrumentation, threat-informed defence, and adversary emulation. Because ATT&CK is not a certification, the objective here is not a pass/fail audit but a rigorous, repeatable assessment of coverage, maturity, and defensive efficacy against the techniques most relevant to your threat model.
Copyright and licensing note
MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. The ATT&CK knowledge base is made available by MITRE under terms that permit reuse with attribution; however, the ATT&CK content, technique identifiers, and matrices remain the intellectual property of MITRE. This guide is original CyberSigma commentary and interpretation written to help organisations operationalise the framework. It does not reproduce MITRE's copyrighted descriptive text. Always consult the authoritative source at attack.mitre.org for canonical technique definitions, and reproduce MITRE material only in accordance with MITRE's terms of use and attribution requirements.
2. What is MITRE ATT&CK
MITRE ATT&CK is a curated knowledge base that organises adversary behaviour into a structured matrix. The framework answers a deceptively simple question that traditional vulnerability-centric security historically struggled with: what does an attacker actually do, step by step, to achieve their objectives? Rather than focusing on indicators of compromise (IOCs) such as file hashes or IP addresses that change constantly, ATT&CK focuses on tactics, techniques and procedures (TTPs) that describe adversary behaviour at a level of abstraction that is far more durable and difficult for an attacker to change.
The framework is expressed as a set of matrices. The columns of a matrix are tactics, representing the adversary's tactical goal or the reason for performing an action, such as gaining initial access or exfiltrating data. Within each tactic column sit the techniques, which describe how an adversary achieves that tactical goal, and many techniques are further decomposed into sub-techniques that describe more specific variants of behaviour. Each technique is documented with procedure examples drawn from observed intrusions, the data sources needed to detect it, mitigations that reduce its likelihood or impact, and references to the threat groups and software known to use it.
ATT&CK is versioned and released periodically (typically twice a year), with each release adding, deprecating, or revising techniques as the threat landscape evolves. The knowledge base is complemented by related MITRE resources: ATT&CK for adversary behaviour, the ATT&CK Navigator for visualising coverage as heat maps, D3FEND for defensive countermeasures, CAR (Cyber Analytics Repository) for detection analytics, and MITRE Engenuity's ATT&CK Evaluations which independently test commercial security products against emulated adversaries.
Why ATT&CK matters for defenders
- Common language: security teams, vendors, threat intelligence providers and executives can all reference the same technique identifiers, eliminating ambiguity.
- Threat-informed defence: coverage can be prioritised against the specific techniques used by the threat groups most relevant to an organisation's sector and geography.
- Detection engineering: each technique maps to observable data sources, giving detection engineers a concrete target for analytic development.
- Gap analysis and heat mapping: the ATT&CK Navigator lets teams visualise which techniques they can detect, mitigate, or are blind to.
- Red and purple teaming: adversary emulation plans are built directly from ATT&CK techniques, enabling repeatable, behaviour-based testing.
- Vendor evaluation: procurement decisions can be grounded in objective, technique-level coverage rather than marketing claims.
3. Who must comply / who should adopt ATT&CK
MITRE ATT&CK is not a regulatory mandate, so no organisation is legally required to comply with it in the way one must comply with the PCI DSS or the DPDP Act. However, ATT&CK adoption is increasingly expected as a matter of good practice, and a growing number of regulators, frameworks, and customers reference or require behaviour-based defensive coverage that maps naturally to ATT&CK. The table below sets out the audiences for whom ATT&CK adoption is effectively obligatory in practice.
| Audience | Why ATT&CK applies to them |
|---|
| Security Operations Centres (SOCs) | ATT&CK is the de facto standard for measuring detection coverage, triaging alerts, and structuring threat hunts; mature SOCs are expected to map detections to techniques. |
| Managed Security Service Providers (MSSPs / MDR) | Clients increasingly demand ATT&CK coverage reporting as a contractual deliverable and a differentiator during procurement. |
| Threat intelligence teams | CTI is expressed in ATT&CK technique IDs to make it actionable; sharing communities (ISACs) standardise on ATT&CK. |
| Red teams, penetration testers and purple teams | Engagement scoping, adversary emulation plans, and reporting are structured around ATT&CK tactics and techniques. |
| Detection and security engineering | Analytic development, SIEM/EDR content, and data-source instrumentation are prioritised using ATT&CK. |
| CISOs and boards | ATT&CK heat maps provide a defensible, evidence-based narrative of defensive posture and investment justification. |
| Critical national infrastructure and OT/ICS operators | ATT&CK for ICS is used to assess control-system-specific adversary behaviour for sectors under regulatory scrutiny (e.g. CERT-In directions, NIS2). |
| Software and product vendors | Security-tool vendors publish ATT&CK coverage and participate in ATT&CK Evaluations to demonstrate efficacy. |
| Auditors and assessors | Behaviour-based assurance increasingly supplements control-checklist audits; ATT&CK provides the reference model. |
4. Structure of MITRE ATT&CK
ATT&CK is organised into technology domains, each with its own matrix of tactics and techniques. Within a matrix, the hierarchy runs from tactics (the why) to techniques (the how) to sub-techniques (specific variants), each carrying a stable identifier. The table below summarises the domains, the object types, and the identifier conventions that make up the ATT&CK model.
| Structural element | Description and identifier convention |
|---|
| Enterprise domain | Covers Windows, macOS, Linux, cloud (IaaS/SaaS/Office 365/Azure AD/Google Workspace), network devices, and containers. The most widely used matrix, with 14 tactics. |
| Mobile domain | Covers Android and iOS adversary behaviour, aligned where possible to enterprise tactics, plus mobile-specific tactics such as network effects. |
| ICS domain | Covers industrial control systems and operational technology, with tactics reflecting the physical process impact of attacks (e.g. Impair Process Control, Inhibit Response Function). |
| Tactic | The adversary's tactical objective; forms the matrix columns. Identifier format TAxxxx (e.g. TA0001 Initial Access). |
| Technique | How an adversary achieves a tactic. Identifier format Txxxx (e.g. T1566 Phishing). |
| Sub-technique | A more specific behaviour under a parent technique. Identifier format Txxxx.xxx (e.g. T1566.001 Spearphishing Attachment). |
| Procedure | A specific, observed implementation of a technique by a threat actor or piece of software. |
| Mitigation | A defensive configuration, tool, or process that reduces a technique's likelihood or impact. Identifier format Mxxxx (e.g. M1017 User Training). |
| Data source and data component | The telemetry required to observe a technique (e.g. Process: Process Creation). Identifier format DSxxxx. |
| Detection | Guidance on the analytic logic used to identify a technique in the relevant data source. |
| Group | A tracked threat actor / intrusion set. Identifier format Gxxxx (e.g. G0016 APT29). |
| Software | Malware or tooling used by adversaries. Identifier format Sxxxx (e.g. S0002 Mimikatz). |
| Campaign | A grouping of intrusion activity over a time period with shared objectives. Identifier format Cxxxx. |
The Enterprise tactics (matrix columns)
The Enterprise matrix comprises 14 tactics arranged roughly in the order an intrusion may unfold, from reconnaissance through to impact. These tactics form the backbone of the master assessment checklist in the next section.
| Tactic (ID) | Adversary objective |
|---|
| Reconnaissance (TA0043) | Gather information to plan future operations against a target. |
| Resource Development (TA0042) | Establish resources (infrastructure, accounts, capabilities) to support operations. |
| Initial Access (TA0001) | Gain an initial foothold within the target environment. |
| Execution (TA0002) | Run adversary-controlled code on a local or remote system. |
| Persistence (TA0003) | Maintain access across restarts, credential changes, and other interruptions. |
| Privilege Escalation (TA0004) | Gain higher-level permissions on a system or network. |
| Defense Evasion (TA0005) | Avoid detection by security controls and analysts. |
| Credential Access (TA0006) | Steal account names, passwords, tokens, and other credentials. |
| Discovery (TA0007) | Explore and understand the environment after gaining access. |
| Lateral Movement (TA0008) | Move through the environment to reach objectives. |
| Collection (TA0009) | Gather data of interest to the adversary's goal. |
| Command and Control (TA0011) | Communicate with compromised systems to control them. |
| Exfiltration (TA0010) | Steal data out of the target network. |
| Impact (TA0040) | Manipulate, interrupt, or destroy systems and data. |
5. Master assessment checklist
This is the core of the guide. For each ATT&CK Enterprise tactic we provide a verification table that an assessor can use to evaluate whether the organisation can detect, mitigate, and respond to the techniques within that tactic. Each row states what to verify and the typical evidence that demonstrates coverage. The intent is not to require detection of every one of the several hundred techniques, but to ensure deliberate, risk-prioritised coverage with instrumented data sources, tested analytics, and documented gaps. Assessors should cross-reference the organisation's ATT&CK Navigator coverage layer, detection catalogue, and adversary-emulation results throughout.
5.0 Programme foundations (cross-cutting)
| What to verify | Typical evidence |
|---|
| A threat-informed defence programme exists with a named owner and mandate | Programme charter, RACI, steering-committee minutes |
| The organisation has a prioritised list of relevant threat groups and techniques | CTI report mapping sector/geo threats to ATT&CK groups (Gxxxx) and techniques |
| An ATT&CK Navigator coverage layer is maintained and version-controlled | Exported Navigator JSON, change history, review dates |
| Detections are catalogued and mapped to technique IDs | Detection library / SIEM content with T-ID tags |
| Data-source instrumentation is inventoried against required data components | Data-source coverage matrix, log-source inventory |
| ATT&CK version currency is tracked and coverage re-baselined on new releases | Version-control notes, remapping records after each ATT&CK release |
5.1 Reconnaissance (TA0043)
| What to verify | Typical evidence |
|---|
| Detection or monitoring for active scanning and probing of external assets (T1595) | IDS/WAF logs, external attack-surface monitoring alerts |
| Awareness of information exposed via public sources and search (T1593, T1596) | OSINT / brand-monitoring reports, exposed-credential scans |
| Phishing-for-information detection and reporting channels (T1598) | Reported-email metrics, awareness-training records |
| Attack-surface reduction for gathered victim host/network/org information | Asset inventory, external footprint minimisation records |
5.2 Resource Development (TA0042)
| What to verify | Typical evidence |
|---|
| Monitoring for lookalike / typosquatted domains and acquired infrastructure (T1583, T1584) | Domain-monitoring service reports, takedown records |
| Detection of adversary account creation abusing the brand (T1585, T1586) | Social-media and impersonation-monitoring alerts |
| Threat-intelligence enrichment identifying adversary tooling and capabilities (T1587, T1588) | CTI feeds, malware/tooling tracking, IOC ingestion logs |
| Certificate transparency and code-signing abuse monitoring | CT-log monitoring alerts, certificate inventory |
5.3 Initial Access (TA0001)
| What to verify | Typical evidence |
|---|
| Phishing detection across attachment, link and service variants (T1566) | Email-gateway logs, sandbox verdicts, click-tracking, user reports |
| Exploitation of public-facing applications monitored and patched (T1190) | WAF logs, vulnerability-scan results, patch records |
| Valid-accounts abuse detection including cloud and default accounts (T1078) | Impossible-travel/anomalous-login alerts, MFA logs |
| External remote services hardened and monitored (T1133) | VPN/RDP logs, MFA enforcement, geo-fencing rules |
| Supply-chain and trusted-relationship compromise controls (T1195, T1199) | Vendor risk assessments, third-party access reviews |
| Removable-media and drive-by controls (T1091, T1189) | USB device-control policy, web-proxy content inspection |
5.4 Execution (TA0002)
| What to verify | Typical evidence |
|---|
| Command and scripting interpreter monitoring (PowerShell, cmd, Bash, WMI) (T1059) | Script-block logging, EDR command-line telemetry, AMSI logs |
| User-execution (malicious file/link) detection and awareness (T1204) | EDR detonation alerts, phishing-simulation metrics |
| Native API and system-service abuse detection (T1106, T1569) | EDR behavioural detections, service-creation alerts |
| Scheduled task / job execution monitoring (T1053) | Task-creation event logs (e.g. Event ID 4698), cron auditing |
| Container and serverless execution monitoring where applicable (T1610, T1648) | Container runtime logs, cloud function invocation logs |
5.5 Persistence (TA0003)
| What to verify | Typical evidence |
|---|
| Account manipulation and creation monitoring (T1098, T1136) | Directory audit logs, new-account and group-change alerts |
| Boot/logon autostart execution monitoring (registry run keys, services) (T1547, T1543) | Autoruns baselining, registry and service-creation telemetry |
| Scheduled task persistence detection (T1053) | Task-scheduler audit logs, deviation from golden baseline |
| Server software component and web-shell detection (T1505) | Web-server file-integrity monitoring, web-shell scanners |
| Cloud and identity persistence (additional credentials, federation) (T1098.001-005) | Cloud IAM change logs, federation/SSO configuration audits |
5.6 Privilege Escalation (TA0004)
| What to verify | Typical evidence |
|---|
| Exploitation for privilege escalation detection (T1068) | EDR exploit-guard alerts, kernel/driver anomaly detection |
| Abuse of elevation-control mechanisms (UAC bypass, sudo) (T1548) | Privileged-action audit logs, UAC-bypass detections |
| Access-token manipulation monitoring (T1134) | EDR token-manipulation telemetry, process-integrity checks |
| Valid privileged-account and role escalation monitoring (T1078, cloud roles) | Privileged-access-management logs, role-assignment change alerts |
| Process injection detection (also evasion) (T1055) | EDR memory/injection detections |
5.7 Defense Evasion (TA0005)
| What to verify | Typical evidence |
|---|
| Impair-defenses detection (security tool tampering, log deletion) (T1562) | EDR self-protection alerts, log-clearing events (Event ID 1102) |
| Masquerading and file/renaming detection (T1036) | EDR filename/path anomaly detections, signed-binary validation |
| Indicator removal / log tampering monitoring (T1070) | Immutable/forwarded logs, deletion alerts |
| Obfuscated/encoded files and information detection (T1027) | AMSI, entropy analysis, deobfuscation sandboxing |
| Signed binary proxy execution (LOLBins) monitoring (T1218) | EDR detections for rundll32/mshta/regsvr32 abuse |
| Valid-accounts and trusted-tool abuse to evade controls | Behavioural baselining, anomaly detection |
5.8 Credential Access (TA0006)
| What to verify | Typical evidence |
|---|
| OS credential dumping detection (LSASS, SAM, /etc/shadow) (T1003) | EDR LSASS-access alerts, Credential Guard, honeytoken triggers |
| Brute-force and password-spray detection (T1110) | Failed-login analytics, lockout policy, MFA logs |
| Credentials from stores (browsers, password managers) monitoring (T1555) | File-access auditing on credential stores, DLP alerts |
| Steal or forge Kerberos tickets detection (Kerberoasting, Golden Ticket) (T1558) | Kerberos service-ticket anomaly detection (Event ID 4769) |
| Multi-factor request generation / MFA fatigue detection (T1621) | IdP push-notification analytics, number-matching enforcement |
| Unsecured credentials in files/config/code (T1552) | Secrets-scanning results, credential-in-repo alerts |
5.9 Discovery (TA0007)
| What to verify | Typical evidence |
|---|
| Account, group and domain trust discovery detection (T1087, T1482) | Directory-enumeration analytics (e.g. BloodHound-like queries) |
| System and network configuration discovery monitoring (T1016, T1082) | Command-line telemetry for ipconfig/systeminfo/net commands |
| Remote system and network share discovery detection (T1018, T1135) | SMB enumeration alerts, share-access auditing |
| Cloud service and infrastructure discovery monitoring (T1526, T1580) | Cloud API audit logs (list/describe calls anomalies) |
| Security-software discovery detection (T1518.001) | EDR telemetry for defence-enumeration commands |
5.10 Lateral Movement (TA0008)
| What to verify | Typical evidence |
|---|
| Remote-services abuse detection (RDP, SSH, SMB, WinRM) (T1021) | Authentication logs, lateral-auth analytics, network segmentation |
| Pass-the-hash / pass-the-ticket detection (T1550) | NTLM/Kerberos anomaly detection, credential-tiering controls |
| Use of alternate authentication material and remote exec tools (PsExec, WMI) | EDR remote-execution telemetry, service-creation on target |
| Internal spearphishing and lateral tool transfer detection (T1534, T1570) | Internal-email analytics, host-to-host file-transfer monitoring |
| Exploitation of remote services detection (T1210) | IDS signatures, vulnerability posture of internal services |
5.11 Collection (TA0009)
| What to verify | Typical evidence |
|---|
| Data-from-local-system and network-shared-drive collection detection (T1005, T1039) | DLP alerts, mass file-access anomaly detection |
| Email collection and archive staging detection (T1114, T1560) | Mailbox-rule auditing, archive-creation (zip/rar) telemetry |
| Screen capture, keylogging and input capture detection (T1113, T1056) | EDR behavioural detections, endpoint monitoring |
| Data-from-cloud/repositories collection monitoring (T1530, T1213) | Cloud storage/repo access audit logs, DLP for SaaS |
| Automated collection detection (T1119) | Scripted-access anomaly detection, volume-based alerts |
5.12 Command and Control (TA0011)
| What to verify | Typical evidence |
|---|
| Application-layer protocol C2 detection (web, DNS, mail) (T1071) | Proxy/DNS analytics, JA3/JA4 fingerprinting, beaconing detection |
| Encrypted-channel and protocol-tunnelling detection (T1573, T1572) | TLS inspection or metadata analytics, tunnelling anomaly alerts |
| Ingress tool transfer detection (T1105) | Download telemetry, sandbox verdicts, EDR file-drop alerts |
| Web-service / dead-drop and fallback-channel detection (T1102, T1008) | Traffic to known abused services, domain-reputation analytics |
| Non-standard port and traffic-signalling detection (T1571, T1205) | Netflow analytics, port/protocol mismatch alerts |
5.13 Exfiltration (TA0010)
| What to verify | Typical evidence |
|---|
| Exfiltration over C2 channel and alternative protocol detection (T1041, T1048) | Egress volume analytics, DLP, DNS-exfil detection |
| Exfiltration to cloud storage and web services monitoring (T1567) | CASB/DLP alerts for uploads to unsanctioned services |
| Data-transfer size-limit and scheduled-transfer detection (T1030, T1029) | Chunked-transfer anomaly detection, off-hours egress alerts |
| Exfiltration over physical/removable media controls (T1052) | USB device-control policy, endpoint DLP logs |
| Egress filtering and data-loss prevention effectiveness | DLP policy configuration, blocked-exfil test results |
5.14 Impact (TA0040)
| What to verify | Typical evidence |
|---|
| Data-encrypted-for-impact (ransomware) detection and response (T1486) | Canary files, mass-encryption behavioural detection, immutable backups |
| Data destruction and disk wipe detection (T1485, T1561) | EDR destructive-action alerts, backup restore tests |
| Inhibit system recovery detection (shadow-copy deletion) (T1490) | Detection of vssadmin/wbadmin deletion, backup protection |
| Service stop and endpoint denial-of-service detection (T1489, T1499) | Availability monitoring, service-stop event alerts |
| Account access removal and defacement detection (T1531, T1491) | IAM change alerts, integrity monitoring on public assets |
5.15 Mobile and ICS domain coverage (where applicable)
| What to verify | Typical evidence |
|---|
| Mobile-domain techniques assessed for BYOD/MDM estate (Android/iOS) | MDM/MTD coverage report, mobile ATT&CK Navigator layer |
| ICS-domain tactics assessed for OT/process environments | ICS ATT&CK layer, OT network monitoring records |
| ICS impact techniques (impair/inhibit process control) covered | OT IDS alerts, safety-instrumented-system monitoring |
| Segmentation between IT and OT verified and monitored | Network diagrams, firewall rule reviews, unidirectional gateway records |
6. Scoping
Because ATT&CK is a descriptive framework spanning several hundred techniques across multiple domains, attempting to detect everything at once is neither feasible nor cost-effective. Scoping an ATT&CK programme is fundamentally an exercise in threat-informed prioritisation: deciding which domains, techniques, and threat groups matter most to your organisation and instrumenting accordingly.
Defining the assessment scope
- Domain selection: determine which matrices apply (Enterprise is near-universal; add Mobile if you have a managed device estate, and ICS if you operate OT/process control).
- Platform scope: within Enterprise, identify relevant platforms (Windows, macOS, Linux, cloud/IaaS, SaaS, identity providers, network, containers) as many techniques are platform-specific.
- Threat-actor scope: use CTI to identify the intrusion sets (Gxxxx) most relevant to your sector, geography, and value as a target; this yields a prioritised technique list.
- Crown-jewel scope: identify the assets, data, and business processes an adversary would target, and prioritise the techniques on the likely kill-chain to those assets.
- Data-source scope: map which telemetry sources are (or can be) instrumented, since detection is impossible without the underlying data component.
- Maturity scope: decide whether the current cycle targets detection coverage, mitigation coverage, or adversary-emulation validation.
- Out-of-scope declaration: explicitly document techniques deliberately deprioritised (e.g. platforms not in use) so the coverage map is honest.
Scoping principle
Coverage breadth without depth is a false comfort. It is better to have robust, tested detection for the fifty techniques your priority threat actors actually use than shallow, untested rules nominally covering three hundred. Scope to your threat model, then deepen coverage iteratively.
7. Implementation approach
Operationalising ATT&CK is best delivered as a phased programme that moves from understanding the threat, through instrumentation and detection engineering, to continuous validation via adversary emulation. The phases below are cumulative; each produces concrete deliverables that feed the next.
Phase 1 — Threat modelling and prioritisation
- Activities: gather cyber threat intelligence; identify relevant threat groups and their known techniques; define crown-jewel assets and likely attack paths; agree the priority technique list.
- Deliverables: threat profile document, prioritised ATT&CK technique list, initial Navigator layer of target coverage.
Phase 2 — Data-source and visibility assessment
- Activities: inventory current log and telemetry sources; map them to the data components required by priority techniques; identify visibility gaps; plan instrumentation (e.g. enabling script-block logging, EDR, cloud audit logs).
- Deliverables: data-source coverage matrix, visibility gap register, instrumentation roadmap.
Phase 3 — Detection engineering
- Activities: develop, tune, and document analytics for priority techniques; tag each detection with its technique ID; establish a detection catalogue and a test harness; reduce false positives.
- Deliverables: detection library mapped to ATT&CK, detection-as-code repository, Navigator layer of achieved detection coverage.
Phase 4 — Mitigation and hardening
- Activities: implement ATT&CK mitigations (Mxxxx) that reduce technique feasibility (e.g. application control, MFA, network segmentation); map mitigations to techniques; verify configuration.
- Deliverables: mitigation-to-technique map, hardening baseline records, residual-risk register.
Phase 5 — Adversary emulation and validation
- Activities: build adversary-emulation plans from priority techniques; execute purple-team exercises and automated breach-and-attack simulation; measure detection and prevention efficacy; feed findings back into detection engineering.
- Deliverables: emulation plans, purple-team reports, validated coverage heat map, remediation backlog.
Phase 6 — Continuous improvement and governance
- Activities: re-baseline on each ATT&CK release; track KPIs; report coverage to leadership; integrate lessons from real incidents into technique coverage.
- Deliverables: recurring coverage reports, KPI dashboard, updated Navigator layers, governance review minutes.
8. Maturity / capability model
Organisations progress through recognisable stages of ATT&CK adoption. The model below, inspired by the concept of threat-informed defence maturity, lets an assessor place an organisation on a capability scale and set a target level. Levels are cumulative.
| Maturity level | Characteristics |
|---|
| Level 0 — Unaware | No use of ATT&CK; defence is IOC-centric and tool-driven; no technique-level coverage view. |
| Level 1 — Aware / mapping | ATT&CK understood; some detections retrospectively mapped to techniques; ad-hoc Navigator use; no threat prioritisation. |
| Level 2 — Threat-informed | Priority threat groups and techniques defined; data-source gaps identified; detection engineering targets ATT&CK; coverage layer maintained. |
| Level 3 — Validated | Detections and mitigations validated through purple teaming and adversary emulation; efficacy measured, not assumed; KPIs tracked. |
| Level 4 — Optimised / continuous | Continuous, automated validation; detection-as-code; coverage re-baselined each release; ATT&CK integrated across CTI, SOC, red team, and risk reporting to the board. |
9. Assessment and audit approach
A rigorous ATT&CK assessment blends documentation review, technical validation, and adversary emulation. The following steps describe a repeatable assessment methodology an auditor can follow.
- Define scope and objectives: agree the domains, platforms, priority threat groups, and whether the assessment targets detection, mitigation, or full validation.
- Review the threat profile: confirm CTI-driven prioritisation is current and defensible against the organisation's sector and geography.
- Inventory data sources: verify which required data components are instrumented and retained, and identify blind spots.
- Review the detection catalogue: confirm detections are mapped to technique IDs, documented, version-controlled, and tuned.
- Review mitigations: verify implemented ATT&CK mitigations and their configuration against priority techniques.
- Assess the coverage layer: examine the Navigator layer for honesty (claimed vs validated coverage) and currency against the latest ATT&CK release.
- Execute adversary emulation: run purple-team or breach-and-attack-simulation tests against priority techniques and measure detection/prevention outcomes.
- Analyse gaps: reconcile claimed coverage with emulation results; classify gaps as visibility, detection, or mitigation deficiencies.
- Rate maturity: place the organisation on the capability model and agree a target level with a roadmap.
- Report and remediate: deliver a findings report with prioritised remediation, feed the backlog into detection engineering, and schedule re-assessment.
10. Evidence request list
The following categorised evidence should be requested at the outset of an assessment to enable efficient, thorough review.
Programme and governance
- Threat-informed defence programme charter and RACI
- Steering-committee or governance review minutes
- Current threat profile / CTI reports mapping threats to ATT&CK groups and techniques
- ATT&CK version-currency and remapping records
Coverage and detection
- Exported ATT&CK Navigator coverage layer(s)
- Detection catalogue / SIEM-EDR content library tagged with technique IDs
- Detection-as-code repository history and test results
- False-positive and tuning records
Data sources and visibility
- Log-source and telemetry inventory
- Data-source coverage matrix mapped to data components
- Log retention and integrity (immutability/forwarding) evidence
Mitigations and hardening
- Mitigation-to-technique mapping
- Hardening baselines (application control, MFA, segmentation, PAM)
- Configuration evidence and exception register
Validation
- Adversary-emulation plans and purple-team reports
- Breach-and-attack-simulation results
- Incident post-mortems mapped to ATT&CK techniques
- KPI dashboards and trend data
11. Roles and responsibilities
| Role | Responsibilities |
|---|
| CISO / Head of Security | Owns the threat-informed defence mandate; reports coverage and residual risk to the board; approves investment. |
| Threat Intelligence Lead | Maintains the threat profile; identifies priority groups and techniques; enriches detections with adversary context. |
| Detection Engineering Lead | Builds, tunes, and documents analytics mapped to techniques; maintains the detection-as-code repository and test harness. |
| SOC Manager / Analysts | Operate detections; triage and investigate alerts by technique; contribute detection gaps from real incidents. |
| Red / Purple Team Lead | Designs and executes adversary-emulation plans; validates detection and prevention efficacy; reports gaps. |
| Security Architecture / Engineering | Implements mitigations and instrumentation (EDR, logging, segmentation, MFA, PAM). |
| Data / Platform Engineering | Ensures required telemetry is collected, retained, and made available to analytics. |
| Risk and Compliance | Maps ATT&CK coverage to regulatory and framework obligations; tracks residual risk and remediation. |
| Executive Sponsor / Board | Provides mandate and funding; consumes coverage reporting for risk oversight. |
12. KPIs to track
- Technique coverage: percentage of priority techniques with at least one documented, tuned detection.
- Validated coverage: percentage of priority techniques whose detections have been confirmed by adversary emulation.
- Data-source coverage: percentage of required data components instrumented and retained.
- Detection efficacy: true-positive rate and false-positive rate per detection over time.
- Mean time to detect (MTTD) and mean time to respond (MTTR) by technique or tactic.
- Emulation pass rate: proportion of emulated techniques detected and/or prevented per exercise.
- Coverage drift: change in coverage after each ATT&CK release before remapping.
- Mitigation coverage: percentage of priority techniques with an implemented ATT&CK mitigation.
- Time-to-detection-content: mean time from a new relevant technique/threat to deployed detection.
- Gap closure rate: percentage of identified coverage gaps remediated within target SLA.
13. Readiness checklist
- A named owner and mandate for a threat-informed defence programme exist.
- A current CTI-driven threat profile maps priority threat groups and techniques to your organisation.
- An ATT&CK Navigator coverage layer is maintained and version-controlled.
- Required data sources are inventoried and instrumented, with a documented gap register.
- Detections are catalogued and tagged with technique IDs in a detection-as-code repository.
- Detections are tuned, with false-positive rates tracked.
- ATT&CK mitigations are implemented and mapped to priority techniques.
- Adversary-emulation or purple-team exercises validate coverage on a defined cadence.
- Breach-and-attack-simulation or equivalent continuous validation is in place.
- Coverage is re-baselined after each ATT&CK release.
- KPIs are tracked and reported to leadership.
- Real-incident findings are fed back into technique coverage.
- Mobile and/or ICS domains are assessed where the estate warrants.
- IT/OT segmentation is verified where operational technology is in scope.
14. Common gaps
- Vanity coverage: Navigator layers claiming detection that has never been validated by emulation.
- Missing data sources: analytics written for techniques whose underlying telemetry is not actually collected or retained.
- IOC dependence: reliance on hashes/IPs rather than durable behaviour-based detection.
- No threat prioritisation: attempting broad, shallow coverage instead of focusing on relevant threat actors.
- Stale mapping: coverage never remapped after ATT&CK releases, leaving deprecated or newly split techniques uncovered.
- Detection sprawl without tuning: noisy rules that analysts ignore, undermining efficacy.
- No purple teaming: detection efficacy assumed rather than tested against live emulation.
- Cloud and identity blind spots: on-premises focus while modern intrusions pivot through IdPs and SaaS.
- Sub-technique neglect: coverage claimed at parent-technique level while specific sub-techniques go undetected.
- No feedback loop: real incidents not mapped back to ATT&CK to close the discovering gaps.
- Fragmented ownership: CTI, SOC, and red team operating in silos with no shared coverage view.
- Ignoring mitigations: over-investment in detection while feasible preventative controls (MFA, application control, segmentation) are neglected.
15. MITRE ATT&CK mapped to other frameworks
ATT&CK is complementary to control-based standards: it describes adversary behaviour, while standards prescribe controls. Mapping the two lets organisations demonstrate that their controls actually counter real-world techniques. The table below sketches how ATT&CK relates to widely used frameworks.
| Framework | Relationship to ATT&CK |
|---|
| NIST Cybersecurity Framework (CSF) | ATT&CK techniques map into the Detect and Respond functions; ATT&CK provides behaviour-level assurance behind CSF outcomes. |
| NIST SP 800-53 | MITRE publishes mappings from ATT&CK techniques to 800-53 controls, showing which controls mitigate which techniques. |
| ISO/IEC 27001 / 27002 | Annex A controls can be validated against the techniques they are intended to mitigate; ATT&CK evidences control efficacy. |
| CIS Critical Security Controls | CIS Controls map to ATT&CK techniques (community mappings), prioritising safeguards by real adversary behaviour. |
| PCI DSS | ATT&CK helps demonstrate that detection and response requirements (e.g. logging, monitoring, anti-malware) counter actual attack techniques. |
| MITRE D3FEND | The defensive counterpart to ATT&CK; D3FEND countermeasures map to the ATT&CK techniques they defeat. |
| Cyber Kill Chain (Lockheed Martin) | ATT&CK offers finer-grained, behaviour-level detail than the seven-stage kill chain and can be aligned to its phases. |
| CERT-In directions / sector regulations | Behaviour-based monitoring and incident-reporting expectations align to ATT&CK detection and response coverage. |
| MITRE ATT&CK Evaluations | Independent, ATT&CK-based testing of security products to validate technique-level detection efficacy. |
16. How CyberSigma helps
How CyberSigma operationalises MITRE ATT&CK for you
CyberSigma helps organisations move from ATT&CK awareness to validated, threat-informed defence. Our CERT-In empanelled and PCI QSA-led team builds your CTI-driven threat profile, maps your priority threat groups and techniques, and assesses your telemetry against the data components each technique demands. We engineer and tune detections as code mapped to ATT&CK technique IDs, implement ATT&CK mitigations across identity, endpoint, cloud, and network, and validate everything through purple-team exercises and breach-and-attack simulation, so your coverage heat map reflects reality rather than aspiration. We integrate ATT&CK reporting into board-level risk narratives and map your coverage to ISO 27001, NIST CSF/800-53, CIS Controls, and PCI DSS to satisfy auditors and regulators alike. Whether you are at Level 0 or aiming for continuous, optimised defence, CyberSigma provides the assessment, engineering, and managed detection and response capability to get you there and keep you there across every ATT&CK release.