MITRE ATT&CK
mapping for pentests, red teams, and detection coverage

MITRE ATT&CK: a shared vocabulary for offensive and defensive work

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques, drawn from observed real-world incidents and maintained by MITRE. It is organised as a matrix where columns represent tactics (the adversary's objective at a step) and cells represent the techniques and sub-techniques used to achieve them. ATT&CK has become the de facto common language for penetration testers, red teams, threat intelligence analysts, detection engineers, and CISOs talking to each other about how attacks actually unfold.

The framework is structured but not prescriptive. It does not tell you what to test or how to defend; it gives every party a shared identifier for what just happened, or for what the attacker is expected to do next. That is precisely what makes it useful in reporting. A finding tagged T1190 Exploit Public-Facing Application means the same thing to the pentester who logged it, the SOC analyst building a detection, the CISO sizing risk, and the auditor checking that an annual test was actually threat-informed.

The three matrices and when each one applies

ATT&CK is split into three top-level matrices, each curated against a different environment. Picking the right matrix at engagement scoping time saves a lot of awkward re-tagging at report time, because techniques in one matrix do not always have direct equivalents in another.

Tactic, technique, sub-technique, procedure: knowing where to tag

ATT&CK is layered. Confusing the layers is the most common reason a technique-tagged report fails to land with defenders. Use the layers as written: tactics describe the objective, techniques and sub-techniques describe the method, and procedures describe the concrete behaviour observed during an engagement.

Tagging principles that survive contact with the engagement

Most ATT&CK programmes start strong and decay because tagging happens at report time rather than during testing. By then the operator memory is gone, the screenshots are unsorted, and the technique IDs end up approximate. Build the discipline into the workflow instead.

Running an ATT&CK aligned penetration test, end to end

Penetration tests benefit from ATT&CK even when the engagement is a single web application or external scope. The tactics and techniques give the report a structure that connects technical findings to the way an attacker would actually chain them. The workflow below assumes the engagement is run as a structured project rather than a collection of ad-hoc artefacts.

Red team, purple team, and adversary emulation

ATT&CK is closest to its original purpose during red team and adversary emulation work. The framework was first published as a way to describe post-compromise behaviour observed in real intrusions, so engagements that emulate a specific threat actor or that measure detection coverage benefit the most from technique-level tagging. The red team workflow in SecPortal is built around the same model: scope the matrix, plan techniques, capture evidence per technique, and report by tactic and technique rather than by raw finding count. For collaborative exercises where red and blue operators work the same record and outcome is measured per technique, the purple team operations workflow applies the same tagging model with detection outcome captured inline against each action.

From technique to detection: the data source pivot

Every ATT&CK technique entry lists the data sources required to detect it (for example Process Creation, Command Execution, Authentication Logs, Network Traffic Flow). That data source list is the bridge between an offensive finding and a defensive analytic. A technique-tagged finding without a data source recommendation is a half-built report; with it, the defender team has a direct path to the SIEM rule, EDR query, or NDR signature that would catch the next instance. Pair every technique-tagged finding with the corresponding detection data sources so the report ends with action, not observation.

Where ATT&CK meets compliance and assurance

ATT&CK is not itself a compliance framework, but it threads through several. Threat-led and threat-informed are increasingly used as criteria in regulator and assessor language, and ATT&CK is by far the most cited common vocabulary. Mapping technique evidence to existing controls turns a single piece of test work into multiple compliance artefacts.

Where SecPortal fits in an ATT&CK workflow

SecPortal is the operating layer for the engagement, not a replacement for the ATT&CK knowledge base or the detection engineering team. The platform holds the matrix scope, the techniques planned, the techniques exercised, the evidence per technique, and the report that ties them together. Coverage tracking, kill chain narrative, and detection recommendations live alongside the same findings management record that drives CVSS scoring and remediation. For multi-framework programmes, the same finding can carry an ATT&CK tag plus mappings to NIST 800-53, ISO 27001, or SOC 2 without re-keying anything.

ATT&CK rewards consistency over time more than any single engagement. Techniques tagged on this year's pentest become the baseline for next year's coverage measurement, and the trend across engagements is what tells a CISO whether detection is actually improving. Run the work as a managed penetration testing workflow with technique tagging in place from day one, and the second engagement is far cheaper to scope, plan, and report than the first.