MITRE ATT&CK Mapping: A Practical Workflow Guide for SOC Teams

mitre att&ckthreat detectionsoc workflowsdetection engineeringthreat intelligencectemsecurity operations
MITRE ATT&CK Mapping: A Practical Workflow Guide for SOC Teams

Most SOC teams have a MITRE ATT&CK navigator spreadsheet somewhere. It was probably built during a compliance review, filled in optimistically, and hasn't been touched since. The colors look good in a board deck. The operational value is close to zero.

The problem isn't the framework. ATT&CK is genuinely useful — it gives teams a shared language for describing adversary behavior across the full attack lifecycle. The problem is that teams treat ATT&CK mapping as a documentation exercise rather than an operational workflow. They map what they think they detect, not what they've actually validated. The gap between those two things is where breaches happen.

Teams think the problem is incomplete coverage. The real problem is that the mapping process itself is disconnected from detection engineering, threat intelligence, and incident response. It lives in a spreadsheet instead of in the tools where analysts actually work.

This guide is about fixing that. Not about what ATT&CK is — you already know — but about how to build a mapping workflow that drives real detection improvements, connects to threat actor tracking, and feeds your continuous exposure management program.

Table of Contents

Why Most ATT&CK Mappings Are Theater

Abstract visualization of MITRE ATT&CK technique matrix coverage gaps shown as a heat map with dark empty cells and glowing validated nodes

The mistake teams make is conflating having a detection rule with having validated coverage. A Sigma rule tagged T1055 (Process Injection) doesn't mean you can detect process injection in your environment. It means someone wrote a rule at some point. Whether that rule fires correctly against your log sources, whether it survives tuning, whether it catches the variant used by the threat actor you actually care about — those are separate questions that the mapping exercise almost never asks.

This produces what practitioners call a "green map problem": the ATT&CK navigator looks well-covered, but when red teams or adversaries actually probe those techniques, detection rates are embarrassing.

The Three Sources of False Confidence

1. Mapping rules instead of validated detections. A rule in your SIEM is not a detection. It's a hypothesis. Until you've run it against known-good adversary behavior (purple team, breach simulation, or replay of real incident data), you don't know if it works.

2. Ignoring data source gaps. T1078 (Valid Accounts) requires authentication logs, privileged account telemetry, and potentially cloud identity logs. If you don't have those log sources ingested and normalized, the rule doesn't matter. Most mappings don't track data source coverage separately from rule coverage.

3. Treating ATT&CK as a checklist, not a model. ATT&CK describes techniques at an abstraction level designed for communication, not for detection engineering. Sub-techniques matter. Procedure variations matter. A team that maps at the technique level and stops there will miss the specific implementation a real threat actor uses.

Practical rule: Before marking any technique as "covered," require proof: a detection rule, a confirmed data source, and at least one validated test result. Three columns, not one.

The Architecture Problem: Where Mapping Breaks Down

ATT&CK mapping fails as an operational tool when it lives outside the systems where analysts work. The practical question is: where does the mapping live, and who updates it when something changes?

In most organizations the answer is: a spreadsheet owned by someone in security engineering, updated quarterly if you're lucky, with no connection to the SIEM, the threat intel platform, or the incident response workflow. That's not an operational tool. That's a reporting artifact.

A useful way to think about it is as a state management problem. Your detection coverage state changes continuously — new log sources come online, rules get disabled during tuning, threat actors adopt new techniques. If your mapping doesn't track that state in near real-time, it's always stale.

What a Connected Architecture Looks Like

A functional ATT&CK mapping architecture has four connected layers:

  1. Data source inventory — which log sources are ingested, normalized, and queryable, mapped to ATT&CK data source objects
  2. Detection rule registry — every rule tagged with technique/sub-technique, data source dependency, and validation status
  3. Threat intelligence layer — threat actor profiles linked to technique clusters, updated as new reporting comes in
  4. Coverage dashboard — live view of validated coverage vs. threat-actor-relevant techniques, with gaps surfaced for prioritization

Without all four layers connected, you're not doing ATT&CK mapping. You're doing ATT&CK decoration.

Building a Detection-First Mapping Workflow

Layered architecture diagram showing detection rule registry connected to threat intelligence and SIEM data sources

Detection-first means the mapping follows the detection engineering work, not the other way around. You don't start by filling in the navigator and then build detections. You build detections, validate them, and the mapping reflects reality.

Step-by-Step: Detection-First ATT&CK Mapping

  1. Identify priority techniques — Start from threat actor profiles relevant to your industry and attack surface. Which techniques appear in the campaigns you're actually at risk from? This gives you a prioritized list of 30–60 techniques, not all 600+.

  2. Audit data source coverage — For each priority technique, identify the required ATT&CK data sources. Cross-reference against your actual ingested log sources. Flag gaps immediately — no log source means no detection regardless of rules.

  3. Inventory existing rules — Pull all detection rules from your SIEM/SOAR and tag each with the technique it claims to cover. Note validation status: untested, tested-passing, tested-failing, disabled.

  4. Run validation tests — Use atomic tests, purple team exercises, or breach simulation tooling to validate each rule against actual technique execution. Update validation status in the rule registry.

  5. Update the ATT&CK map from validated state — Only mark a technique as covered once data source + rule + passing validation are all confirmed. Use separate colors for "rule exists" vs. "validated coverage."

  6. Assign ownership and review cadence — Each technique cluster should have an owner in detection engineering. Coverage degrades over time; schedule quarterly re-validation for high-priority techniques.

  7. Feed gaps into the work queue — Unvalidated or uncovered priority techniques become detection engineering backlog items, not just gaps on a chart.

Practical rule: A technique is either validated, in-progress, or a gap. "Assumed covered" is not a valid state.

Mapping to Threat Actors, Not Just Techniques

Generic ATT&CK coverage is less useful than coverage targeted at the threat actors your organization actually faces. The framework's threat actor profiles (Groups in ATT&CK terminology) give you exactly this: a curated list of techniques attributed to specific adversary clusters.

The operational shift is significant. Instead of asking "are we covered across the matrix?" you ask "are we covered against the technique clusters used by groups targeting our sector?" That changes the conversation from a completeness exercise to a risk-based prioritization exercise.

Using ATT&CK Groups in Practice

For each threat actor group relevant to your organization:

  • Pull the associated technique list from ATT&CK (or your threat intel platform)
  • Cross-reference against your validated coverage map
  • Identify technique gaps specific to that group
  • Prioritize detection engineering work against those gaps

This is the workflow described in detail in the threat analysis guide on the ThreatCrush blog, which covers how to operationalize threat actor profiles within SOC workflows.

A Practical Comparison: Generic vs. Actor-Targeted Coverage

ApproachCoverage ScopePrioritizationOperational Value
Generic ATT&CK coverageAll ~600+ techniquesLow — everything is equalLow — hard to act on
Actor-targeted coverage30–80 techniques per actorHigh — tied to real riskHigh — drives detection backlog
Hybrid (actor + sector)60–120 techniquesMedium-highHigh — scalable

The hybrid approach works best in practice: start with the threat actors most relevant to your sector, layer in any specific intelligence about actors known to target your organization, and use that combined set as your prioritized coverage target.

Integrating ATT&CK Mapping into Your SIEM and SOAR

The map is useless if analysts can't see it during an investigation. The goal is to surface technique context at the point where it matters: when an alert fires, when an incident is triaged, when a threat hunt returns a hit.

SIEM Integration

Most modern SIEMs support custom fields or metadata on detection rules. Tag every rule with:

  • ATT&CK Tactic (e.g., TA0003 — Persistence)
  • ATT&CK Technique/Sub-technique (e.g., T1053.005 — Scheduled Task)
  • Data source dependency
  • Validation status and last-tested date

This tagging turns your SIEM rule library into a living coverage map. Query it directly: "show me all validated rules covering Credential Access" or "show me all rules whose data source dependency is Windows Security logs."

SOAR Integration

In automated playbooks, ATT&CK technique context should be injected into every alert automatically. When a playbook fires, it should pull the technique tag from the triggering rule and enrich the alert with:

  • The technique description and common procedure examples
  • Related techniques in the same tactic cluster
  • Any threat actor groups known to use this technique
  • Recommended investigation steps from your runbook library

This reduces investigation time because analysts don't have to context-switch to the ATT&CK website mid-investigation. The context comes to them.

Practical rule: If your ATT&CK mapping doesn't surface inside your SIEM and SOAR workflows, it won't influence analyst behavior. Platform integration is not optional.

Coverage Validation: What Breaks in Practice

Continuous validation pipeline concept showing automated adversary behavior testing and coverage regression monitoring

Validation is where most programs fall apart. Teams know they should validate detections but don't have a repeatable process, so it either doesn't happen or happens once and never again.

What Fails

  • Ad hoc purple teaming — periodic exercises that don't feed back into a maintained coverage registry. The results live in a report, not in the detection tooling.
  • Atomic testing without remediation tracking — running Atomic Red Team tests and logging failures without creating backlog items to fix them.
  • Log source churn — a cloud migration or EDR swap changes what telemetry is available, silently breaking existing rules. No one updates the coverage map.
  • Rule tuning that breaks detection — suppressing noisy rules to reduce alert volume can degrade coverage. If suppression decisions aren't tracked against technique coverage, you can tune your way to a blind spot.

What Works

  • Continuous validation pipelines — automated replay of adversary behavior (using tools like Atomic Red Team in CI/CD pipelines or breach simulation platforms) that run weekly and report coverage changes
  • Data source dependency tracking — automated checks that verify required log sources are still ingested and normalized before marking technique coverage as valid
  • Coverage regression alerts — if a rule is disabled or a data source drops, the coverage map updates automatically and flags the degradation
  • Quarterly adversary-scenario exercises — structured purple team exercises focused on the technique clusters of priority threat actors, not random technique sampling

The CTEM architecture guide covers how to build continuous validation into a broader exposure management workflow — the same principles apply directly to ATT&CK coverage programs.

ATT&CK Mapping and CTEM: Closing the Loop

ATT&CK mapping is most valuable when it's connected to your continuous threat exposure management program rather than running as a standalone exercise. The connection point is coverage gaps.

In a CTEM workflow, you're continuously discovering exposure — vulnerable assets, misconfigured controls, exploitable paths. ATT&CK mapping tells you whether your detective controls can see exploitation attempts when they happen. Neither is sufficient alone.

A gap in ATT&CK coverage for a technique that also has a high-severity exposure in your environment is a critical risk item. A gap in ATT&CK coverage for a technique with no relevant exposure in your environment is a lower priority. That prioritization requires the two programs to share data.

The Integration Points

  • Exposure discovery → technique mapping: When a vulnerability or misconfiguration is discovered, tag it with the ATT&CK techniques that could be used to exploit it. This tells you what detection coverage you need.
  • Detection gaps → exposure prioritization: Techniques with no validated detection coverage should raise the severity of any related exposures. You can't catch the attack if it happens.
  • Threat intel → both programs: Threat actor technique profiles inform both what you patch first (exposure management) and what you detect first (ATT&CK coverage). The same intel should drive both queues.

For teams building this kind of integrated architecture, ThreatCrush provides real-time threat feeds and attack surface monitoring that connects threat intelligence directly to both detection and exposure workflows — browse the ThreatCrush blog for additional coverage of CTEM, threat hunting, and SOC workflow topics.

Operationalizing the Workflow: A Practical Checklist

Here's a consolidated implementation checklist for teams moving from ATT&CK decoration to ATT&CK operations:

Foundation

  • Audit current log source coverage against ATT&CK data source objects
  • Tag all existing SIEM rules with technique/sub-technique and data source dependency
  • Establish "validated" vs. "rule exists" as distinct coverage states

Prioritization

  • Identify 3–5 threat actor groups relevant to your sector and attack surface
  • Pull technique lists for each group; combine into a prioritized coverage target (60–120 techniques)
  • Cross-reference priority techniques against current validated coverage; document gaps

Detection Engineering Integration

  • Convert coverage gaps into detection engineering backlog items
  • Assign technique cluster ownership to specific detection engineers
  • Establish validation gates: new detection rules require test evidence before being marked covered

Continuous Validation

  • Implement automated testing (Atomic Red Team or equivalent) on a weekly cadence
  • Set up coverage regression alerts for rule disablement and data source drops
  • Schedule quarterly adversary-scenario exercises focused on priority technique clusters

Platform Integration

  • Surface ATT&CK technique context in SOAR alert enrichment
  • Connect ATT&CK coverage gaps to CTEM exposure prioritization
  • Build a live coverage dashboard queryable by tactic, technique, actor, and validation status

Teams that want to go deeper on connecting these workflows to threat intelligence data can download the ThreatCrush whitepaper for architecture guidance, or review ThreatCrush platform documentation for integration specifics.

MITRE ATT&CK mapping done right is not a compliance deliverable. It's a detection operations system — one that tells you, continuously and honestly, where your coverage is validated, where it's assumed, and where adversaries can operate without being seen.

Try ThreatCrush

ThreatCrush delivers real-time threat intelligence, attack surface monitoring, and threat actor tracking for security teams that need to close the gap between knowing what adversaries do and detecting it in their environment. Start at threatcrush.com.

Try ThreatCrush

Real-time threat intelligence, CTEM, and exposure management — built for security teams that move fast.

Get started →