ATT&CK is the best thing to happen to detection engineering in twenty years, and it is also widely misused. Most orgs treat the matrix as a bingo card — colour a cell green when they have "coverage," count the greens, brief the board, repeat. This produces the illusion of progress and, in the worst cases, actively misleads defenders about their posture.
ATT&CK is a design language, not a scoreboard. Here is how to use it like one.
What ATT&CK Actually Is
MITRE ATT&CK is a curated, versioned knowledge base of adversary techniques derived from real-world incident observation — primarily by MITRE, Mandiant, Microsoft, CrowdStrike, and other contributors. The structure is tactics (the "why" — initial access, persistence, privilege escalation, etc.), techniques and sub-techniques (the "how"), and references to procedures and groups observed using them.
Important: it was built from post-incident forensics of sophisticated intrusions. It is biased toward what gets written up — which means APT-style targeted attacks are overrepresented and commodity threats, while present, are less granular. This matters when you use it to scope defensive priorities.
Honest Coverage Mapping
A real coverage map is not "do we have a rule that might fire for T1059.001 PowerShell?" It is:
- Which specific procedures under this technique are we covering? PowerShell has dozens of sub-patterns — encoded commands, downloader stubs, AMSI bypass, IEX invocation, scheduled task execution via WMI. You need to be granular.
- What is our detection quality? Alert only, alert + context, alert + automated response. A raw alert that nobody triages is not coverage.
- What is our false-positive rate? A rule that fires on every admin workstation is not coverage; it is training your SOC to click "suppress."
- Have we tested it? Atomic Red Team execution, purple-team validation, detection-as-code pipeline output. Untested rules often silently break when logging sources shift.
Red Canary's detection engineering writeups and SpecterOps' "on detection" series by Jared Atkinson are the standard-setting reads on doing this honestly. The MITRE ATT&CK Navigator is the visualization layer; color cells with a meaningful scale, not binary.
Threat-Informed Defense
You do not need coverage across every ATT&CK cell. You need coverage against the techniques actually used by adversaries targeting organizations like yours. This is the core insight of threat-informed defense — a concept MITRE's Center for Threat-Informed Defense has formalized.
Practical sequence: (1) identify the threat groups relevant to your sector and geography (operational intel), (2) export their technique coverage from ATT&CK Navigator, (3) overlay with your detection inventory, (4) prioritize gaps where the technique is common across multiple relevant groups. The overlap areas — the techniques used by everyone from Scattered Spider to APT41 to LockBit affiliates (credential dumping, Kerberoasting, SMB lateral movement, living-off-the-land binaries) — are where to spend first. These are also the most heavily telegraphed techniques in open research; coverage is achievable.
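The four-step sequence above, carried through in code as an added example (not from the original post and not the Center for Threat-Informed Defense's tooling). The group profiles in RELEVANT_GROUPS are constructed stand-ins, not the real ATT&CK group pages; in practice you would export one Navigator layer per group (step 2) and feed those to `layers_to_groups`. COVERAGE is a constructed per-technique score from the detection inventory (step 3), and `prioritize_gaps` performs step 4 by ranking each technique on how many relevant groups use it, discounted by how well it is already covered.

```python
"""Threat-informed gap prioritization.

Added example, not from the original post or from MITRE's Center for
Threat-Informed Defense. The group profiles in RELEVANT_GROUPS are
constructed for illustration and are not the real ATT&CK group pages; in
practice load one Navigator layer per group (see layers_to_groups).
"""
from collections import defaultdict

RELEVANT_GROUPS = {
    "group-A": {"T1003.001", "T1558.003", "T1021.002", "T1218.011", "T1566.001"},
    "group-B": {"T1003.001", "T1558.003", "T1021.002", "T1059.001", "T1486"},
    "group-C": {"T1003.001", "T1021.002", "T1218.011", "T1059.001", "T1041"},
}

# Graded coverage per technique on [0, 1] from the detection inventory
# (constructed; anything absent is treated as uncovered).
COVERAGE = {"T1003.001": 0.5, "T1059.001": 0.18, "T1566.001": 0.9}


def layers_to_groups(layers) -> dict:
    """Turn Navigator layers (one exported per group) into name -> technique set.
    Only the layer 'name' and 'techniques[].techniqueID' fields are read."""
    return {layer["name"]: {t["techniqueID"] for t in layer["techniques"]}
            for layer in layers}


def prioritize_gaps(groups, coverage, min_groups=2):
    """Rank techniques by (number of relevant groups using it) * (1 - coverage).
    Techniques seen in fewer than min_groups groups are dropped so that one
    group's idiosyncrasies do not outrank what everyone uses."""
    users = defaultdict(set)
    for group, techniques in groups.items():
        for tid in techniques:
            users[tid].add(group)
    ranked = []
    for tid, who in users.items():
        if len(who) < min_groups:
            continue
        cov = coverage.get(tid, 0.0)
        ranked.append({
            "technique": tid,
            "groups": sorted(who),
            "coverage": cov,
            "priority": len(who) * (1.0 - cov),
        })
    # Deterministic order: highest priority, then most groups, then ID.
    ranked.sort(key=lambda r: (-r["priority"], -len(r["groups"]), r["technique"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize_gaps(RELEVANT_GROUPS, COVERAGE):
        print(f'{row["technique"]:<10} groups={len(row["groups"])} '
              f'coverage={row["coverage"]:.2f} priority={row["priority"]:.2f}')
```

On the constructed data, SMB lateral movement (T1021.002) comes out on top: all three groups use it and nothing covers it. Credential dumping (T1003.001) is used just as widely but drops to the bottom of the list because it is already half covered, and the one-group techniques fall out entirely. That ranked subset is the thing worth briefing, not the whole matrix.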
ATT&CK in Purple Teams
This is where ATT&CK earns its reputation. A purple team engagement becomes trivial to scope when framed in ATT&CK terms: "exercise T1566.001 + T1059.001 + T1547.001 + T1021.002 + T1041" is a complete initial-access-to-exfil chain in fifteen seconds of specification. Atomic Red Team gives you reference implementations. Caldera orchestrates sequences. The exercise output maps one-for-one back to detection gaps you can prioritize.
The failure mode to avoid: running Atomic Red Team tests in isolation, firing individual techniques, and declaring victory on the ones that alert. Adversaries chain techniques. Your detections need to perform in chains too — context and correlation across MITRE tactics is where realistic attacks actually differentiate from isolated lab tests.
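Added example, not code from the original post, Atomic Red Team or Caldera: a defender-side correlator that shows the difference between "each technique alerted" and "the chain was detected". It reads constructed per-technique alert lines (SAMPLE_ALERTS), groups them per host into a sliding time window, and only raises a chain finding once the window spans several distinct tactics. The technique-to-tactic map covers just the five techniques the post names in its example chain, and the two-hour window and three-tactic threshold are assumed tuning values.

```python
"""Chain correlation across ATT&CK tactics.

Added example, not from the original post, Atomic Red Team or Caldera. The
alert lines in SAMPLE_ALERTS are constructed; the technique-to-tactic map
covers only the chain named in the post (T1566.001 -> T1059.001 ->
T1547.001 -> T1021.002 -> T1041) plus an 'unknown' fallback.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TACTIC_OF = {
    "T1566.001": "initial-access",
    "T1059.001": "execution",
    "T1547.001": "persistence",
    "T1021.002": "lateral-movement",
    "T1041": "exfiltration",
}

# Constructed per-technique alerts: one host shows a chain, two do not.
SAMPLE_ALERTS = """\
2024-05-01T09:00:00 host=ws01 technique=T1566.001
2024-05-01T09:04:00 host=ws01 technique=T1059.001
2024-05-01T10:00:00 host=ws07 technique=T1059.001
2024-05-01T09:20:00 host=ws01 technique=T1547.001
2024-05-01T09:45:00 host=ws01 technique=T1021.002
2024-05-03T08:00:00 host=ws02 technique=T1547.001
2024-05-01T11:00:00 host=ws01 technique=T1041
"""


def parse_alerts(text):
    """Parse '<iso-ts> host=<h> technique=<Txxxx>' lines into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "host": kv["host"],
            "technique": kv["technique"],
            "tactic": TACTIC_OF.get(kv["technique"], "unknown"),
        })
    return alerts


def correlate_chains(alerts, window=timedelta(hours=2), min_tactics=3):
    """Emit one chain per host episode once alerts inside the window span
    at least min_tactics distinct tactics. Per-host, time-ordered sliding
    window; an episode ends when the window empties."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    chains = []
    for host, events in by_host.items():
        active, fired = [], False
        for ev in events:
            active = [e for e in active if ev["ts"] - e["ts"] <= window]
            if not active:
                fired = False          # window emptied: new episode
            active.append(ev)
            tactics = {e["tactic"] for e in active}
            if len(tactics) >= min_tactics and not fired:
                chains.append({
                    "host": host,
                    "start": active[0]["ts"],
                    "end": ev["ts"],
                    "techniques": [e["technique"] for e in active],
                    "tactics": sorted(tactics),
                })
                fired = True
    return chains


def technique_hit_counts(alerts):
    """The 'bingo' view: which techniques alerted at all, ignoring chains."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["technique"]] += 1
    return dict(counts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("isolated hits:", technique_hit_counts(alerts))
    for c in correlate_chains(alerts):
        print(f'chain on {c["host"]}: {" -> ".join(c["techniques"])} ({len(c["tactics"])} tactics)')
```

Every one of the five techniques "alerts" in the isolated view, including the lone PowerShell hit on ws07, which is exactly the result that gets declared a victory. The correlator raises a single finding, on ws01, at the moment the third tactic appears, and stays quiet on the hosts where only one technique fired. Running the Atomic tests as a sequence on one host and checking for that chain finding, rather than for five separate alerts, is the test that actually exercises correlation.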
The Framework's Limits
Three known biases to account for:
APT-centric historical bias. Less-documented techniques common in commodity ransomware or business email compromise can be underrepresented at the sub-technique level, though MITRE has worked to close this in recent versions.
Post-incident view. ATT&CK describes what was observed after a successful intrusion. Pre-compromise and social-engineering heavy chains (vishing, helpdesk abuse, MFA fatigue) are captured in the PRE matrix but at a different granularity than the main matrix.
Platform scope. Enterprise ATT&CK focuses on Windows, macOS, Linux, cloud, containers, network infrastructure. Mobile ATT&CK and ICS ATT&CK are separate and less mature. If your threat model is heavy on OT or mobile, you will need supplementary frameworks.
Adapting for Your Environment
Not every technique applies to every organization. A regional manufacturer probably does not need deep coverage of every cloud-specific sub-technique; a cloud-native SaaS company almost certainly does. Build a custom "priority matrix" — a subset of techniques weighted by relevance to your threat model, stack, and regulatory environment. Review it quarterly as the landscape shifts.
That custom matrix is the artifact you brief to your board. Not the full Enterprise matrix colored green. The green Enterprise matrix tells them you bought tools. The custom priority matrix tells them you thought.
The Practitioner's ATT&CK Stance
Use ATT&CK as a shared vocabulary between intel, detection, IR, red team, purple team, and audit. Do not use it as a measurement of completeness. No organization covers all of ATT&CK. The mature ones cover the techniques their adversaries actually use, honestly, with tested detections, and they keep updating as the adversaries do.