MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is the most widely used catalog of real-world adversary behavior in cybersecurity. It is not itself a threat modeling methodology, but it is the vocabulary that threat models, detection engineering, and red-team exercises all reach for.
The ATT&CK Navigator is the free web tool MITRE provides for visualizing and annotating the matrix. This lab walks you through using it for a realistic scenario, then exporting a "layer file" that a blue team can drop into their detection tooling.
You are a security analyst at a mid-sized financial services firm. The CISO just shared news of a peer firm that was breached two weeks ago. Initial reporting suggests the attackers used a phishing email leading to credential theft, then moved laterally using stolen SSH keys, exfiltrated data through DNS tunneling, and maintained persistence via a scheduled task.
Your job: map this attack chain to ATT&CK techniques, then mark which techniques your team currently has detection coverage for and which are gaps. The output is a Navigator layer file that the SOC team will use for their next detection-engineering sprint.
Go to https://mitre-attack.github.io/attack-navigator/. Click "Create New Layer" → "Enterprise ATT&CK v15" (or whichever current version).
The full matrix loads. Columns are tactics (the attacker's goal at each stage); cells under each column are techniques (how the goal is achieved).
You should see 14 tactic columns from Reconnaissance on the left to Impact on the right, with several hundred techniques distributed underneath.
For each step in the scenario, identify the ATT&CK tactic and technique. Use the Navigator's search panel to find techniques by name or ID, and check each match against its page on attack.mitre.org before committing to it. The mapping for our scenario:
- Phishing email → Initial Access: T1566.001 (Phishing: Spearphishing Attachment)
- Stolen credentials reused for access → Initial Access / Persistence: T1078.004 (Valid Accounts: Cloud Accounts)
- Stolen SSH keys → Credential Access: T1552.004 (Unsecured Credentials: Private Keys)
- Lateral movement over SSH → Lateral Movement: T1021.004 (Remote Services: SSH)
- DNS tunneling → Command and Control: T1071.004 (Application Layer Protocol: DNS), and Exfiltration: T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol)
- Scheduled task → Persistence: T1053.005 (Scheduled Task/Job: Scheduled Task)
Click each technique in the Navigator UI and set its score to 1 (meaning "applies to this scenario"). Leave the color alone for now; in the next step it will encode coverage state (green for covered, yellow for partial, red for gap), so assigning colors here would only have to be redone.
For each technique in your map, ask: do we have detection coverage for this? Coverage means a sensor (EDR, SIEM rule, network monitoring, etc.) would alert if the technique were attempted in your environment.
- T1566.001 (Phishing: Spearphishing Attachment) — your email security gateway sandboxes attachments. ✓ Covered.
- T1078.004 (Valid Accounts: Cloud Accounts) — you have impossible-travel alerts from Entra ID, which catch only some uses of stolen credentials. ◐ Partial coverage.
- T1021.004 (Remote Services: SSH) — SSH sessions are logged, but nothing alerts on them. ✗ Gap.
- T1552.004 (Unsecured Credentials: Private Keys) — no tooling looks for exposed private keys. ✗ Gap.
- T1071.004 (Application Layer Protocol: DNS) — DNS queries are logged, but there is no anomaly detection on them. ✗ Gap.
- T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol) — egress volume is not monitored. ✗ Gap.
- T1053.005 (Scheduled Task/Job: Scheduled Task) — EDR alerts on newly created scheduled tasks. ✓ Covered.
Color-code in the Navigator: green for covered, yellow for partial, red for gap. The matrix now shows at a glance where the team needs to invest.
In the Navigator: Menu → Download Layer as JSON. The layer file is a small JSON document that can be re-imported into Navigator by anyone on the team or fed into SOAR/SIEM tooling that consumes ATT&CK mappings.
What gets exported: a layer is a single JSON object with a name, a versions block (ATT&CK version, Navigator version, layer-format version), the domain (enterprise-attack for this lab), and a techniques array whose entries carry techniqueID, score, color and comment. Anyone who imports the file against the same ATT&CK version sees exactly your annotated matrix.
You should have a JSON file with at least seven technique entries, each scored and colored, with comments explaining the coverage state.
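To make the layer file reproducible and checkable before it is handed to the SOC, here is an added example script (not code from MITRE or the Navigator project) that builds the layer for the seven scenario techniques, validates it against the submission requirements, and summarises coverage by state. The scenario entries and comments are constructed from the lab text; the attack, navigator and layer version strings are assumptions and should match the Navigator build you export from.

```python
"""Build, validate and summarise an ATT&CK Navigator layer file.

Added example for this lab (not code from MITRE or the Navigator project).
Field names follow the Navigator layer format; the attack/navigator/layer
version strings are assumptions and must match the build you export from.
"""
import json
import re

# Lab colour convention: green = covered, yellow = partial, red = gap.
COLOR = {"covered": "#8ec843", "partial": "#ffe766", "gap": "#ff6666"}
STATE_BY_COLOR = {v: k for k, v in COLOR.items()}

# Scenario mapping and coverage states, constructed from the lab text.
SCENARIO = [
    ("T1566.001", "covered", "Email gateway sandboxes attachments"),
    ("T1078.004", "partial", "Entra ID impossible-travel alerts only"),
    ("T1021.004", "gap", "SSH sessions logged, no alerting"),
    ("T1552.004", "gap", "No private-key exposure scanning"),
    ("T1071.004", "gap", "DNS query logs, no anomaly detection"),
    ("T1048.003", "gap", "Egress volume not monitored"),
    ("T1053.005", "covered", "EDR alerts on new scheduled tasks"),
]

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def build_layer(name, entries, attack="15", navigator="4.9.1", layer_fmt="4.5"):
    """Return a layer dict in the shape Navigator imports and exports."""
    techniques = [
        {
            "techniqueID": tid,
            "score": 1,  # 1 = applies to this scenario
            "color": COLOR[state],
            "comment": f"[{state}] {note}",
            "enabled": True,
        }
        for tid, state, note in entries
    ]
    return {
        "name": name,
        "versions": {"attack": attack, "navigator": navigator, "layer": layer_fmt},
        "domain": "enterprise-attack",
        "description": "Peer-breach scenario mapped to detection coverage",
        "techniques": techniques,
    }


def validate_layer(layer, min_techniques=7):
    """Return a list of problems; an empty list passes the lab's submission checks."""
    problems = []
    if layer.get("domain") != "enterprise-attack":
        problems.append("domain must be enterprise-attack")
    techs = layer.get("techniques", [])
    if len(techs) < min_techniques:
        problems.append(f"expected at least {min_techniques} techniques, got {len(techs)}")
    seen = set()
    for t in techs:
        tid = t.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed technique ID {tid!r}")
        if tid in seen:
            problems.append(f"duplicate entry for {tid}")
        seen.add(tid)
        for field in ("score", "color", "comment"):
            if field not in t:
                problems.append(f"{tid} missing {field}")
        if "color" in t and t["color"] not in STATE_BY_COLOR:
            problems.append(f"{tid} uses a colour outside the lab convention")
    return problems


def coverage_summary(layer):
    """Count techniques per coverage state, decoded from the colour."""
    counts = {"covered": 0, "partial": 0, "gap": 0, "unknown": 0}
    for t in layer["techniques"]:
        counts[STATE_BY_COLOR.get(t.get("color"), "unknown")] += 1
    return counts


def gap_ids(layer):
    """Technique IDs coloured as gaps: the input to the detection-engineering sprint."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t.get("color") == COLOR["gap"])


if __name__ == "__main__":
    layer = build_layer("peer-breach-coverage", SCENARIO)
    problems = validate_layer(layer)
    assert not problems, problems
    with open("peer-breach-coverage.json", "w") as f:
        json.dump(layer, f, indent=2)
    print(coverage_summary(layer))
    print("gaps:", gap_ids(layer))
```

Running the script writes peer-breach-coverage.json, which imports into Navigator via "Open Existing Layer" → "Upload from local". The entries deliberately omit the optional tactic field, so a technique that appears under several tactics (T1078.004 does) is annotated in every column rather than just one.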
The detection gaps from step 3 become the SOC's next sprint. Each gap should produce one or more concrete deliverables:
- T1021.004 gap → "Build a SIEM rule that alerts on SSH logins from sources never seen for that user before." · Detection engineering
- T1552.004 gap → "Deploy secret-scanning across our internal repositories; baseline private key exposure." · Tooling
- T1071.004 gap → "Build query-volume and unique-subdomain anomaly detection on the DNS query logs we already collect." · Detection engineering
- T1048.003 gap → "Add egress-bytes anomaly detection per workload; alert on >10x baseline." · Network monitoring
Each work item gets a Jira ticket. The ATT&CK technique ID goes in the ticket. When the work ships, the layer file is updated and re-shared. This is the cycle that turns threat modeling into a continuous practice.
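What the first two sprint items look like as code, as an added example (not tooling from this page or any vendor): a first-seen-source rule for SSH logins (T1021.004) and a unique-subdomain counter for DNS tunneling (T1071.004 / T1048.003), run over constructed sample logs. The sshd "Accepted ..." syslog line and the three-column DNS query log are assumed formats; the baseline of known sources per user is constructed. Each alert carries the ATT&CK ID so it can be joined back to the layer file and the ticket.

```python
"""Starter detections for two of the sprint's gaps, run over constructed logs.

Added example for this lab; not tooling from the page or from any vendor.
The sshd 'Accepted ...' syslog line and the three-column DNS query log
('timestamp client qname') are assumed formats; adapt the parsing to your
own sources. Every alert carries the ATT&CK ID so it joins back to the layer.
"""
import re
from collections import defaultdict

# Constructed sample sshd log (not real data): a deploy user logging in from a
# known host, then two users arriving from a source never seen before.
SSH_LOG = """\
Jun 03 09:12:01 app01 sshd[2311]: Accepted publickey for deploy from 10.0.5.20 port 51422 ssh2: ED25519 SHA256:k1
Jun 03 09:40:17 app01 sshd[2390]: Accepted publickey for deploy from 10.0.5.20 port 51510 ssh2: ED25519 SHA256:k1
Jun 03 22:05:44 app01 sshd[4102]: Accepted publickey for deploy from 10.0.9.77 port 40211 ssh2: ED25519 SHA256:k1
Jun 03 22:06:02 db01 sshd[887]: Accepted publickey for deploy from 10.0.9.77 port 40300 ssh2: ED25519 SHA256:k1
Jun 03 22:06:30 db01 sshd[895]: Accepted publickey for backup from 10.0.9.77 port 40320 ssh2: ED25519 SHA256:k2
Jun 03 22:07:15 db01 sshd[901]: Failed password for root from 10.0.9.77 port 40311 ssh2
"""

# Constructed DNS query log: ordinary lookups plus a burst of unique,
# hex-encoded subdomains under one domain from the same suspicious client.
DNS_LOG = [
    "2024-06-03T22:10:00 10.0.5.20 www.example.com",
    "2024-06-03T22:10:00 10.0.9.77 www.example.com",
    "2024-06-03T22:10:01 10.0.9.77 mail.example.com",
] + [f"2024-06-03T22:11:{i % 60:02d} 10.0.9.77 {i:08x}.d.tunnel-example.net" for i in range(120)]

SSH_ACCEPT = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def ssh_new_source_alerts(lines, baseline):
    """T1021.004: alert on an accepted SSH login from a source never seen for that user.

    `baseline` maps user -> set of known source IPs (learned from history). It is
    updated in place, so a new source alerts once rather than on every session.
    """
    alerts = []
    for line in lines:
        m = SSH_ACCEPT.search(line)
        if not m:
            continue  # failed logins and unrelated lines are not this rule's job
        known = baseline.setdefault(m["user"], set())
        if m["src"] not in known:
            known.add(m["src"])
            alerts.append({"technique": "T1021.004", "host": m["host"],
                           "user": m["user"], "src": m["src"]})
    return alerts


def split_qname(qname):
    """Return (registered_domain, subdomain). Assumption: the registered domain is
    the last two labels; production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dns_tunnel_alerts(lines, max_unique_subdomains=50):
    """T1071.004 / T1048.003: a client querying many distinct subdomains under one
    registered domain is encoding data in query names. Counts unique subdomains
    per (client, domain) and alerts above the threshold."""
    uniq = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        domain, sub = split_qname(qname)
        if sub:
            uniq[(client, domain)].add(sub)
    return [
        {"technique": "T1071.004", "client": client, "domain": domain,
         "unique_subdomains": len(subs)}
        for (client, domain), subs in sorted(uniq.items())
        if len(subs) > max_unique_subdomains
    ]


if __name__ == "__main__":
    baseline = {"deploy": {"10.0.5.20"}, "backup": {"10.0.5.21"}}
    for a in ssh_new_source_alerts(SSH_LOG.splitlines(), baseline) + dns_tunnel_alerts(DNS_LOG):
        print(a)
```

Both rules are deliberately stateful in the simplest way (a mutable baseline, a per-domain set) so the tuning knobs are visible: the SSH rule's false-positive rate is governed entirely by how the baseline is learned, and the DNS threshold must be set above what CDNs and telemetry domains legitimately produce in your environment before it ships.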
Why this pattern matters
Threat modeling produces a list of threats. Detection engineering closes them. ATT&CK is the shared vocabulary that lets the two stay synchronized. When the threat model uses T1071.004, the SIEM rule references T1071.004, the post-mortem references T1071.004, the executive summary references T1071.004. Everyone talks about the same thing.
The Navigator layer file is the artifact this whole loop runs on. Several teams in a large organization can each publish a layer, and Navigator can combine them into a single overlay that shows coverage across the whole fleet. MITRE publishes a Navigator layer for each threat group and software entry on attack.mitre.org; importing a group's layer on top of your coverage layer shows where your detections meet that group's known techniques and where they do not.
Submit:
- The layer JSON file exported from Navigator (named with your last name).
- A screenshot of the colored matrix showing your scenario mapping.
- A one-paragraph writeup identifying the single highest-priority detection gap and what you would build to close it.
- One improvement to the scenario: name an ATT&CK technique the attackers likely used that wasn't in the brief.
References
Formatted in APA 7. Alphabetized by first author's last name.
- MITRE Corporation. (n.d.). ATT&CK Navigator. https://mitre-attack.github.io/attack-navigator/
- MITRE Corporation. (n.d.). MITRE ATT&CK: Enterprise matrix. https://attack.mitre.org/matrices/enterprise/
- Strom, B. E., Applebaum, A., Miller, D. P., Nickels, K. C., Pennington, A. G., & Thomas, C. B. (2020). MITRE ATT&CK: Design and philosophy (Technical Report MP180360R1, revised March 2020). The MITRE Corporation. https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf