How would you use the MITRE ATT&CK framework to improve your detection coverage?
Short answer
ATT&CK is a knowledge base of real-world adversary tactics and techniques. In a SOC you map each detection rule to the techniques it covers, build a coverage map (often with the ATT&CK Navigator), then prioritize closing gaps based on which techniques are most relevant to your threat model and which you have no visibility into.
MITRE ATT&CK has become the shared language for talking about attacker behavior, so interviewers expect a SOC analyst to know more than just the name. The good answer connects ATT&CK to a concrete workflow for improving detection.
What ATT&CK actually is
ATT&CK is a curated knowledge base of how real adversaries operate, organized as tactics (the attacker's goal, such as Persistence or Lateral Movement) and techniques (the specific way they achieve it, such as scheduled tasks or pass-the-hash). Each technique has documentation, detection ideas, and references to groups that use it. It describes behavior, not signatures, which makes it durable as malware changes.
Mapping detections to techniques
The core SOC use is mapping. For every detection rule you maintain, tag the technique(s) it covers. Once your rules are mapped, you can lay them over the ATT&CK matrix — the ATT&CK Navigator is the usual tool — and instantly see which techniques are well covered, weakly covered, or invisible.
Prioritizing the gaps
You can't detect everything at once, so prioritize. Weight the gaps by your threat model: which techniques do the groups targeting your sector actually use, which ones map to your crown-jewel systems, and where do you have no telemetry at all. Closing a high-likelihood gap with a feasible data source beats chasing an exotic technique you will never see.
Driving investigations too
ATT&CK also structures investigations: once you confirm one technique, you can hypothesize the adjacent tactics an attacker would attempt next and hunt for them.
Why this matters
Using ATT&CK turns "we have a lot of rules" into "here is our measured coverage and our plan to improve it." That shift from activity to measurable outcomes is exactly what interviewers look for in someone who can grow into detection engineering.
Likely follow-ups
- What is the difference between a tactic and a technique in ATT&CK?
- How would you prioritize which technique gaps to close first?
- What is the ATT&CK Navigator and how would you use it?