
Module 4 · MITRE ATT&CK in Operations

Manish Garg, Associate CISSP · RingSafe
April 22, 2026

MITRE ATT&CK is the industry’s shared language for describing how adversaries operate. It is a taxonomy of 14 tactics, 200+ techniques, and 500+ sub-techniques, updated continuously. Used well, it structures CTI reports, maps detection coverage, scopes red-team exercises, and communicates across teams. Used as a checklist to pad reports, it produces noise. This module covers operational use of ATT&CK.

Structure of ATT&CK

  • Tactic — the adversary’s goal (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, plus Reconnaissance and Resource Development for the pre-compromise phase)
  • Technique — how they achieve it (T1059 Command and Scripting Interpreter)
  • Sub-technique — specific variant (T1059.001 PowerShell, T1059.003 Windows Command Shell)
  • Procedure — exactly how a specific actor used the technique (free-form text, tied to group / software records)

ATT&CK also tracks Groups (named threat actors) and Software (malware and tools), each linked to the techniques they use.

The matrices

ATT&CK has several matrices, each scoped to a platform:

  • Enterprise — Windows, macOS, Linux, IaaS, SaaS, Office 365, Azure AD, Network, Containers
  • Mobile β€” Android, iOS
  • ICS β€” industrial control systems

Use the matrix relevant to your environment. Cloud and SaaS-heavy organisations: focus on the cloud-specific tactics within Enterprise.

Operational uses

1. Describe a threat group

Every threat report should include an ATT&CK mapping: “APT29 uses T1566.002 (spearphishing link), T1059.001 (PowerShell), T1078.004 (valid cloud accounts)…” This lets defenders parse the report into detection work: “what techniques do we lack coverage for?”
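To show how that mapping turns into detection work, here is an added example (not code from the module or from RingSafe) that pulls the technique IDs out of a report excerpt and classifies each one against a detection inventory, rolling sub-techniques up to their parent technique. The report text reuses the IDs quoted above with one extra parent-level reference, and the inventory is a constructed placeholder, not a real environment.

```python
import re

# Constructed detection inventory: technique IDs the SOC has at least one
# working detection for (placeholder values, not a real environment).
DETECTION_INVENTORY = {"T1566", "T1059.001"}

# Constructed CTI excerpt; the IDs are the ones quoted in the module text,
# plus a parent-level reference to exercise the partial-coverage case.
REPORT = (
    "APT29 uses T1566.002 (spearphishing link), T1059.001 (PowerShell), "
    "T1078.004 (valid cloud accounts) and, more broadly, T1059 for execution."
)

# Technique IDs are T + 4 digits; sub-techniques add a 3-digit suffix.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def extract_techniques(report_text):
    """Return the set of technique and sub-technique IDs cited in a report."""
    return set(TECHNIQUE_RE.findall(report_text))


def parent_of(tech_id):
    """T1059.001 -> T1059; a parent technique returns itself."""
    return tech_id.split(".")[0]


def coverage_gaps(report_ids, inventory):
    """Classify each cited ID against the detection inventory.

    covered: the ID is in the inventory, or it is a sub-technique whose
             parent is (a parent-level detection fires on every variant).
    partial: a parent technique is cited, the parent itself is not covered,
             but at least one of its sub-techniques is.
    gap:     nothing in the inventory addresses the ID.
    """
    covered_parents = {parent_of(t) for t in inventory}
    result = {"covered": [], "partial": [], "gap": []}
    for tech in sorted(report_ids):
        if tech in inventory or ("." in tech and parent_of(tech) in inventory):
            result["covered"].append(tech)
        elif "." not in tech and tech in covered_parents:
            result["partial"].append(tech)
        else:
            result["gap"].append(tech)
    return result


if __name__ == "__main__":
    gaps = coverage_gaps(extract_techniques(REPORT), DETECTION_INVENTORY)
    for bucket, ids in gaps.items():
        print(f"{bucket:8s} {', '.join(ids) or '-'}")
```

The "partial" bucket is the one worth reviewing by hand: a sub-technique detection (PowerShell) does not tell you anything about the other interpreters grouped under T1059.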
