Skip to content

How do you use MITRE ATT&CK for threat-informed defense?

Short answer

ATT&CK is a knowledge base of real adversary tactics (the why), techniques (the how), and procedures. You use it to map your existing detections onto the matrix, identify coverage gaps, and prioritize the techniques used by threat actors that actually target your sector. It gives a common language across CTI, detection engineering, and IR, turning 'are we secure?' into a concrete, measurable coverage map driven by real-world adversary behavior.

MITRE ATT&CK is the lingua franca of modern detection and threat intel. Interviewers ask about it to see whether you can move a SOC from chasing isolated alerts to a deliberate, measurable, threat-informed defense.

What ATT&CK actually is

It is a curated knowledge base of observed adversary behavior, structured as:

  • Tactics — the adversary's goal at a stage (the why): Initial Access, Persistence, Lateral Movement, Exfiltration, and so on.
  • Techniques (and sub-techniques)how they achieve that goal, e.g., T1059 Command and Scripting Interpreter.
  • Procedures — the specific real-world implementations seen in the wild, tied to named threat groups and software.

Because it is built from real incidents, it grounds defense in what attackers actually do, not in theory.

Using it for defense

  1. Map detections to the matrix. Take your existing SIEM/EDR rules and place each on the technique it detects. The result is a coverage heatmap (the ATT&CK Navigator is purpose-built for this).
  2. Find the gaps. Empty cells are blind spots — techniques you cannot currently see or alert on.
  3. Prioritize with threat intel. You can't cover everything, so let CTI decide order: which groups target your industry, and which techniques do they favor? Close those gaps first.
  4. Drive purple teaming and detection engineering. Test the prioritized techniques, write or tune detections, and re-test to confirm coverage.
  5. Speak one language. CTI, detection engineers, IR, and red teams all reference the same technique IDs, so handoffs lose nothing.

Why it beats alert-chasing

Alert-by-alert SOC work has no way to answer "what can't we see?" ATT&CK reframes the question as measurable coverage against real adversary behavior, so investment is deliberate rather than reactive.

What interviewers look for

They want the tactic/technique/procedure distinction, the map-then-find-gaps-then-prioritize workflow, threat intel driving prioritization, and ATT&CK as a shared language across functions — not a product you buy.

Likely follow-ups

  • What's the difference between a tactic, a technique, and a procedure?
  • How would you build an ATT&CK coverage heatmap for your SOC?
  • How does cyber threat intelligence drive which techniques you prioritize?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.