MITRE ATT&CK for Detection Engineers: A Practical Guide
How to use the MITRE ATT&CK framework to build structured detection coverage for your organization.
If you work in a SOC or on a detection engineering team, you have probably heard of MITRE ATT&CK. It shows up on job postings, vendor marketing, and conference talks constantly. But what actually is it, and more importantly, how do you use it to build better detections? This guide cuts through the noise and focuses on practical application.
What is MITRE ATT&CK?
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a freely available knowledge base maintained by MITRE Corporation that documents how real-world attackers behave after they gain initial access to an environment.
The key word is real-world. Every technique in ATT&CK is derived from observed threat actor behavior — not theoretical attacks. Techniques are documented with:
- Description of what the adversary does
- Procedure examples from real campaigns
- Known detection opportunities
- Mitigations
- References to threat actor groups that use the technique
ATT&CK is not a compliance checklist or a maturity model. It is a behavioral reference for building detections and understanding attacker tradecraft.
Tactics, Techniques, and Sub-Techniques
ATT&CK has a three-level hierarchy:
Tactics — The why (the adversary’s goal). There are 14 tactics in Enterprise ATT&CK:
| Tactic | Goal |
|---|---|
| Reconnaissance | Gather information before attacking |
| Resource Development | Acquire infrastructure and tools |
| Initial Access | Get into the environment |
| Execution | Run malicious code |
| Persistence | Maintain foothold after reboots |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid detection |
| Credential Access | Steal credentials |
| Discovery | Learn about the environment |
| Lateral Movement | Spread through the network |
| Collection | Gather data of interest |
| Command and Control | Communicate with compromised systems |
| Exfiltration | Steal data out of the environment |
| Impact | Disrupt, destroy, or manipulate |
Techniques — The how (what the adversary does to achieve their goal). For example, under the Execution tactic, there are techniques like T1059 Command and Scripting Interpreter and T1204 User Execution.
Sub-techniques — More specific variants of a technique. T1059 has sub-techniques for PowerShell (T1059.001), AppleScript (T1059.002), Windows Command Shell (T1059.003), and others.
This hierarchy matters because your detections should typically target techniques and sub-techniques, not tactics. You cannot directly detect “Execution” — but you can detect encoded PowerShell execution (T1059.001).
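To make the last sentence concrete, here is an added example (not code from the article or from MITRE) of detection logic for T1059.001 run over constructed process-creation events. Field names follow Sysmon Event ID 1 (`Image`, `CommandLine`); the events, the allowlist prefix and the severity keyword list are all constructed and would be tuned per environment. It decodes the `-EncodedCommand` payload rather than alerting on the switch alone, which is what separates a high-fidelity rule from a noisy one.

```python
"""Detection logic for encoded PowerShell execution (ATT&CK T1059.001).

Added example, not from the article or from MITRE. Sample events, the
allowlist and the keyword list are constructed for illustration.
"""
import base64
import binascii
import re

TECHNIQUE_ID = "T1059.001"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match every prefix, longest first, followed by a base64 token.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_SWITCH = re.compile(
    r"(?:^|\s)[-/](?:" + _PREFIXES + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Decoded content that raises severity (constructed short list; extend per environment).
HIGH_SEVERITY_KEYWORDS = ("invoke-expression", "iex", "downloadstring", "frombase64string")

# Constructed allowlist: decoded commands an org has vetted (e.g. a management agent).
ALLOWLIST_PREFIXES = ("Import-Module C:\\Program Files\\ConstructedAgent\\",)


def decode_encoded_command(token):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); None if it is not valid."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_event(event):
    """Return a finding for one process-creation event, or None when it is not of interest."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    if decoded is not None and decoded.startswith(ALLOWLIST_PREFIXES):
        return None  # vetted automation; suppressing it keeps the rule high-fidelity
    severity = "medium"  # an undecodable payload still counts as an encoded launch
    if decoded is not None and any(k in decoded.lower() for k in HIGH_SEVERITY_KEYWORDS):
        severity = "high"
    return {"technique": TECHNIQUE_ID, "severity": severity,
            "decoded": decoded, "command_line": cmdline}


def detect(events):
    """Run the rule over an iterable of events and return the findings."""
    return [f for f in (inspect_event(e) for e in events) if f]


def _encode(ps):
    """Helper used only to build the constructed sample events below."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events: two encoded launches, one allowlisted one, two benign ones.
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -NoProfile -enc " + _encode("Write-Host 'hello'")},
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -w hidden -EncodedCommand "
                    + _encode("Invoke-Expression $env:CONSTRUCTED")},
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -e "
                    + _encode("Import-Module C:\\Program Files\\ConstructedAgent\\agent.psm1")},
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["technique"], finding["severity"], repr(finding["decoded"]))
```

Running the block prints two findings: the plain `Write-Host` launch at medium severity and the `Invoke-Expression` launch at high; the allowlisted agent, the unencoded `-File` run and the `cmd.exe` event produce nothing.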
The ATT&CK Matrix
The matrix is a visual representation of all tactics (columns) and techniques (rows). You have likely seen it — it looks like a spreadsheet with hundreds of colored cells.
The matrix is most useful as a coverage map. When you color-code cells based on whether you have detections for each technique, patterns emerge quickly:
- Areas with no coverage (risks you cannot see)
- Areas with too many detections (over-indexed, high alert volume)
- Coverage gaps in specific environments (cloud vs. endpoint vs. network)
Mapping Detections to ATT&CK Techniques
Here is a practical mapping exercise. Take your existing SIGMA rules or SIEM queries and assign each one a technique ID:
| Detection | Technique | Sub-Technique | Data Source |
|---|---|---|---|
| Encoded PowerShell execution | T1059 | T1059.001 | Process Creation |
| Scheduled task creation | T1053 | T1053.005 | Windows Event Log |
| Pass-the-Hash (NTLM) | T1550 | T1550.002 | Windows Event Log |
| DNS query to DGA domain | T1568 | T1568.002 | DNS Logs |
| LSASS memory access | T1003 | T1003.001 | Process Access |
| New local admin account | T1136 | T1136.001 | Windows Event Log |
| Kerberoasting | T1558 | T1558.003 | Windows Event Log |
| Web shell upload | T1505 | T1505.003 | Web Server Logs |
Once you map your detections this way, you can load them into ATT&CK Navigator for visualization.
ATT&CK Navigator
ATT&CK Navigator is a free web-based tool at https://mitre-attack.github.io/attack-navigator/ that lets you annotate the ATT&CK Matrix. You can:
- Color-code techniques based on coverage
- Add annotations (which detection covers this, which data source you need)
- Export as JSON for sharing with your team
- Compare your coverage against specific threat actor groups
A practical workflow:
- Export your SIGMA rule repository as a list with technique IDs
- Import into Navigator and color-code: green = detected, yellow = partial, red = no coverage
- Look at the red cells in the tactics most relevant to your threat model (Credential Access, Lateral Movement, and Exfiltration are commonly under-detected)
- Prioritize new detection development for the red cells with the highest likelihood given your environment
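The mapping table above and the four-step Navigator workflow can be automated end to end. The following is an added example, not MITRE's or the SIGMA project's code: it reads ATT&CK tags out of SIGMA rule text (the `attack.t1059.001` / `attack.execution` tag convention), scores each technique on a watchlist as detected, partial or none, and writes a Navigator layer. The layer fields (`techniqueID`, `color`, `score`, `comment`, `versions`, `domain`) follow the Navigator layer format as recalled here; the version numbers, the sample rules, the watchlist and the scoring policy are constructed assumptions to adjust for your own repository.

```python
"""Build an ATT&CK Navigator layer from SIGMA rule tags.

Added example, not MITRE's or the SIGMA project's code. Version numbers in
the layer, the rules, the watchlist and the coverage policy are constructed.
"""
import json
import re
from collections import defaultdict

TECHNIQUE_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)", re.IGNORECASE)

# Constructed rules in minimal SIGMA shape; only title, status and tags matter here.
SAMPLE_RULES = [
    "title: Encoded PowerShell Command Line\nstatus: test\n"
    "tags:\n    - attack.execution\n    - attack.t1059.001\n",
    "title: Scheduled Task Creation via schtasks\nstatus: experimental\n"
    "tags:\n    - attack.persistence\n    - attack.t1053.005\n",
    "title: Suspicious Access to LSASS\nstatus: stable\n"
    "tags:\n    - attack.credential_access\n    - attack.t1003\n",  # parent technique only
    "title: Kerberoasting Ticket Requests\nstatus: test\n"
    "tags:\n    - attack.credential_access\n    - attack.t1558.003\n",
]

# Sub-techniques from the article's mapping table that must appear on the map even uncovered.
WATCHLIST = ["T1059.001", "T1053.005", "T1550.002", "T1568.002",
             "T1003.001", "T1136.001", "T1558.003", "T1505.003"]


def parse_rule(rule_text):
    """Pull title, status and ATT&CK technique IDs out of one rule's YAML text.
    Tiny line-based reader so the example needs no PyYAML; use a real YAML
    parser against a production rule repository."""
    rule = {"title": "", "status": "", "techniques": []}
    in_tags = False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if in_tags and stripped.startswith("- "):
            m = TECHNIQUE_TAG.fullmatch(stripped[2:].strip())
            if m:
                rule["techniques"].append(m.group(1).upper())
            continue
        in_tags = stripped == "tags:"  # any other line ends the tag list
        if stripped.startswith("title:"):
            rule["title"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("status:"):
            rule["status"] = stripped.split(":", 1)[1].strip()
    return rule


LEVEL_COLOR = {"none": "#ff6666", "partial": "#ffcc66", "detected": "#66cc66"}
LEVEL_SCORE = {"none": 0, "partial": 1, "detected": 2}


def coverage_level(technique_id, coverage):
    """Constructed policy: detected = a non-experimental rule tagged with this exact ID;
    partial = only experimental rules, or a rule tagged at the parent technique only;
    none = nothing at all."""
    rules = coverage.get(technique_id, [])
    if any(r["status"] != "experimental" for r in rules):
        return "detected"
    if rules:
        return "partial"
    parent = technique_id.split(".")[0]
    if "." in technique_id and coverage.get(parent):
        return "partial"
    return "none"


def build_coverage(rule_texts):
    """Map technique ID -> parsed rules that claim it."""
    coverage = defaultdict(list)
    for text in rule_texts:
        rule = parse_rule(text)
        for tid in rule["techniques"]:
            coverage[tid].append(rule)
    return dict(coverage)


def build_layer(rule_texts, watchlist, name="SIGMA coverage"):
    """Emit a Navigator layer covering the watchlist plus anything a rule tags."""
    coverage = build_coverage(rule_texts)
    techniques = []
    for tid in sorted(set(watchlist) | set(coverage)):
        level = coverage_level(tid, coverage)
        titles = [r["title"] for r in coverage.get(tid, [])]
        techniques.append({"techniqueID": tid, "color": LEVEL_COLOR[level],
                           "score": LEVEL_SCORE[level],
                           "comment": "; ".join(titles) or "no rule tagged"})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},  # assumed
            "description": "Coverage derived from SIGMA rule tags",
            "techniques": techniques}


def summarize(layer):
    """Count techniques per level: the number to watch shift sprint by sprint."""
    by_score = {v: k for k, v in LEVEL_SCORE.items()}
    counts = {level: 0 for level in LEVEL_SCORE}
    for t in layer["techniques"]:
        counts[by_score[t["score"]]] += 1
    return counts


if __name__ == "__main__":
    layer = build_layer(SAMPLE_RULES, WATCHLIST)
    print(json.dumps(layer, indent=2))
    print(summarize(layer))
```

Note how the LSASS rule, tagged only with the parent `T1003`, leaves `T1003.001` at partial rather than detected: that is the "ignoring sub-techniques" mistake surfacing in the heatmap instead of hiding behind a green cell. Save the JSON and open it in Navigator to see the watchlist coloured.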
Finding Coverage Gaps
A common mistake is building detections reactively — only adding rules after incidents. ATT&CK enables proactive gap analysis.
A structured approach:
Step 1: Define your threat model. Which threat actor groups target organizations in your sector? Look up their profile in ATT&CK (Threat Groups section) and review their known techniques.
Step 2: Check your data sources. ATT&CK lists the data source required for each technique. If you do not have Sysmon deployed, you cannot detect many endpoint techniques. If you do not collect DNS logs, you cannot detect many C2 techniques. Data gaps become detection gaps.
Step 3: Prioritize by likelihood and impact. Not all techniques are equally likely for your environment. Focus first on high-frequency techniques that your threat actors commonly use. ATT&CK’s procedure examples reference specific threat groups — use that to weight your priorities.
Step 4: Fill gaps systematically. Add one new detection area per sprint. Track progress in Navigator. Over time, your coverage heatmap shifts from red to green.
Common Mistakes to Avoid
Treating ATT&CK as a checklist. Coverage percentages are meaningless without quality. One well-tuned, high-fidelity detection for T1059.001 is worth more than five noisy rules that fire 1000 times a day.
Ignoring sub-techniques. The sub-technique level is where detections live. T1059 (Command and Scripting Interpreter) is too broad to detect directly. T1059.001 (PowerShell) is specific enough to write a rule for.
Skipping data source assessment. Technique coverage is impossible without the right data. Before writing detections, confirm you actually have the logs that technique requires.
Using ATT&CK IDs without understanding behavior. Tagging a rule with T1059.001 without understanding why does not help. The value comes from understanding the behavior so you can tune the detection appropriately.
Getting Started Today
- Go to attack.mitre.org and browse the techniques for two tactics: Execution and Credential Access
- Pick one technique your org has no detection for
- Read the detection opportunities section on that technique page
- Check if you have the required data source
- Write a SIGMA rule or KQL query targeting that technique
- Repeat weekly
ATT&CK is not a destination — it is a map. The goal is not to “complete” ATT&CK coverage; the goal is to have better visibility than your adversaries expect. Used consistently, it transforms reactive incident response into proactive detection engineering.