Executive Summary
Penetration test reports, vulnerability scans, and incident investigations all produce findings. The challenge is translating those findings into a language that threat intelligence teams, security architects, and executive leadership can act on consistently. MITRE ATT&CK provides that common language.
This post is not a high-level overview of ATT&CK. It is a practical guide for security practitioners who need to take real findings from assessments, incidents, and scans, and map them to ATT&CK techniques in a way that drives measurable defensive improvement.
Key Takeaways:
- ATT&CK mapping transforms isolated findings into a structured view of adversary behavior across your environment
- Mapping to sub-technique level (e.g., T1059.001, not T1059) produces actionable results; tactic-level mapping does not
- Consistent mapping requires a repeatable methodology, not ad hoc interpretation
- Mapped findings enable gap analysis, detection prioritization, and trend tracking across engagements
Why Map Findings to ATT&CK?
The Problem with Unstructured Findings
Security assessments generate findings in varied formats:
- Penetration tests produce narrative-style findings: “Attacker obtained domain admin through Kerberoasting”
- Vulnerability scans produce CVE-based output: “CVE-2024-1234 – Critical – Remote Code Execution”
- Incident investigations produce timelines: “Malware executed via scheduled task at 02:14 UTC”
- Red team exercises produce kill chain narratives: “Initial access via spearphishing, lateral movement via PsExec”
Each format serves its purpose, but they create silos. A penetration test finding about Kerberoasting and an incident response case involving NTDS.dit extraction are both credential access techniques, but without ATT&CK mapping, that connection is invisible.
What ATT&CK Mapping Enables
| Without ATT&CK | With ATT&CK |
|---|---|
| “We found 47 vulnerabilities” | “Adversaries can execute 12 distinct ATT&CK techniques in our environment” |
| “We need better endpoint security” | “We have zero detection coverage for T1003 (OS Credential Dumping) sub-techniques” |
| “Last year’s pentest found issues” | “Credential Access techniques appeared in 4 of our last 5 engagements, indicating a systemic weakness” |
| “How bad is this incident?” | “The adversary executed techniques across 8 of 14 ATT&CK tactics, indicating advanced capability” |
| “Are we improving?” | “Detection coverage for Initial Access techniques increased from 40% to 85% over 12 months” |
ATT&CK turns findings into data. Data enables measurement. Measurement enables improvement.
The ATT&CK Framework: A Quick Orientation
For practitioners who need a refresher, ATT&CK organizes adversary behavior into three layers:
Tactics (The “Why”)
Tactics represent the adversary’s objective at each stage of an operation. There are 14 Enterprise tactics:
| Tactic | Objective |
|---|---|
| Reconnaissance | Gather information for planning |
| Resource Development | Establish infrastructure and capabilities |
| Initial Access | Get into the network |
| Execution | Run malicious code |
| Persistence | Maintain access across restarts |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid detection |
| Credential Access | Steal credentials |
| Discovery | Learn about the environment |
| Lateral Movement | Move through the network |
| Collection | Gather data of interest |
| Command and Control | Communicate with compromised systems |
| Exfiltration | Steal data out of the network |
| Impact | Disrupt, destroy, or manipulate systems |
Techniques (The “How”)
Techniques describe the specific method used to achieve a tactic. For example, under Credential Access:
- T1003: OS Credential Dumping
- T1110: Brute Force
- T1558: Steal or Forge Kerberos Tickets
- T1552: Unsecured Credentials
Sub-Techniques (The “Specifically How”)
Sub-techniques provide granular detail. Under T1003 (OS Credential Dumping):
- T1003.001: LSASS Memory
- T1003.002: Security Account Manager (SAM)
- T1003.003: NTDS
- T1003.004: LSA Secrets
- T1003.006: DCSync
Mapping at sub-technique level is critical. “OS Credential Dumping” is too broad to drive specific defensive action. “DCSync” tells you exactly what to detect and how.
Mapping Methodology: A Repeatable Process
Step 1: Normalize the Finding
Before mapping, express the finding in terms of what the adversary (or tester) actually did, not what the vulnerability is.
Transformation Examples:
| Raw Finding | Normalized Action |
|---|---|
| “CVE-2023-44487 – HTTP/2 Rapid Reset” | Adversary can cause denial of service via HTTP/2 protocol exploitation |
| “LLMNR/NBT-NS poisoning captured NTLMv2 hashes” | Adversary captured credential material via network protocol poisoning |
| “Kerberoasted 3 service accounts with weak passwords” | Adversary extracted service account Kerberos tickets and cracked them offline |
| “Gained RCE via deserialization in Java app” | Adversary executed arbitrary code on application server via exploitation of public-facing application |
| “Created scheduled task for persistence” | Adversary established persistence via scheduled task creation |
| “Exfiltrated 2GB via HTTPS to external C2” | Adversary transferred collected data out of the network over encrypted web traffic |
The normalized action describes adversary behavior. This is what maps to ATT&CK.
Step 2: Identify the Tactic
Ask: What was the adversary trying to accomplish?
Using the examples above:
| Normalized Action | Tactic |
|---|---|
| Denial of service via HTTP/2 exploitation | Impact |
| Captured credentials via protocol poisoning | Credential Access |
| Extracted and cracked Kerberos tickets | Credential Access |
| Executed code via deserialization | Initial Access + Execution |
| Created scheduled task for persistence | Persistence + Privilege Escalation |
| Transferred data over HTTPS | Exfiltration |
Note: A single finding can map to multiple tactics. Creating a scheduled task is both Persistence (maintaining access) and Privilege Escalation (if the task runs as SYSTEM).
Step 3: Identify the Technique and Sub-Technique
Ask: How specifically did the adversary accomplish the objective?
| Normalized Action | Technique | Sub-Technique |
|---|---|---|
| Denial of service via HTTP/2 | T1499: Endpoint Denial of Service | T1499.001: OS Exhaustion Flood |
| Captured credentials via LLMNR poisoning | T1557: Adversary-in-the-Middle | T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay |
| Extracted and cracked Kerberos tickets | T1558: Steal or Forge Kerberos Tickets | T1558.003: Kerberoasting |
| Code execution via deserialization | T1190: Exploit Public-Facing Application | (no sub-technique) |
| Scheduled task for persistence | T1053: Scheduled Task/Job | T1053.005: Scheduled Task |
| Data transfer over HTTPS | T1041: Exfiltration Over C2 Channel | (no sub-technique) |
Step 4: Document the Evidence
Every mapping needs supporting evidence. Without evidence, mappings are opinions.
Evidence Template:
```text
Finding ID: PT-2025-017
ATT&CK Mapping: T1558.003 (Kerberoasting)
Tactic: Credential Access
Evidence:
  - Tool used: Rubeus (kerberoast command)
  - Target: 3 service accounts with SPNs registered
  - Result: TGS tickets extracted, 2 of 3 cracked within 4 hours
  - Impact: Cleartext passwords for svc_backup (Domain Admins member)
    and svc_sql (db_owner on finance database)
Detection Status: No SIEM alert triggered during extraction or cracking
Remediation: Enforce 25+ character managed passwords on all service accounts,
  implement Group Managed Service Accounts (gMSA) where supported,
  monitor Event ID 4769 for anomalous TGS requests
```
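The remediation line asks for monitoring of Event ID 4769. The following is an added example, not code from the original post, of what that detection check can look like: it groups 4769 records by requesting account and flags an account that pulls RC4-encrypted service tickets for several distinct service accounts inside a short window, which is the footprint a Kerberoasting run (T1558.003) leaves in the security log. The event records are constructed and trimmed to the fields the check uses; the window and threshold are assumptions to tune per environment.

```python
"""Added example: flagging likely Kerberoasting (T1558.003) in Event ID 4769 data."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType for RC4; AES tickets show 0x11 / 0x12
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_DISTINCT_SERVICES = 3       # assumed: distinct service accounts requested per window

# Constructed 4769 events: requesting account, requested service, encryption type, client IP.
EVENTS = [
    {"time": "2025-03-01T02:10:05", "user": "jsmith@CORP.LOCAL", "service": "svc_backup", "enc": "0x17", "ip": "10.1.5.20"},
    {"time": "2025-03-01T02:10:06", "user": "jsmith@CORP.LOCAL", "service": "svc_sql",    "enc": "0x17", "ip": "10.1.5.20"},
    {"time": "2025-03-01T02:10:06", "user": "jsmith@CORP.LOCAL", "service": "svc_web",    "enc": "0x17", "ip": "10.1.5.20"},
    {"time": "2025-03-01T02:10:07", "user": "jsmith@CORP.LOCAL", "service": "FS01$",      "enc": "0x12", "ip": "10.1.5.20"},
    {"time": "2025-03-01T02:30:00", "user": "adoe@CORP.LOCAL",   "service": "svc_sql",    "enc": "0x12", "ip": "10.1.7.44"},
    {"time": "2025-03-01T03:00:00", "user": "WS07$@CORP.LOCAL",  "service": "krbtgt",     "enc": "0x12", "ip": "10.1.9.9"},
    {"time": "2025-03-01T08:00:00", "user": "bkim@CORP.LOCAL",   "service": "svc_legacy", "enc": "0x17", "ip": "10.1.3.3"},
]


def parse_time(ts):
    return datetime.fromisoformat(ts)


def is_candidate(event):
    """RC4 service-ticket requests for user-style service accounts; machine accounts
    (trailing $) and krbtgt are routine targets and are excluded."""
    service = event["service"]
    if event["enc"] != RC4_HMAC:
        return False
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events):
    """Return one alert per requesting account that fetched RC4 tickets for at least
    MIN_DISTINCT_SERVICES different service accounts within WINDOW."""
    by_user = defaultdict(list)
    for event in events:
        if is_candidate(event):
            by_user[event["user"]].append(event)

    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda e: parse_time(e["time"]))
        for i, start in enumerate(rows):
            t0 = parse_time(start["time"])
            window = [e for e in rows[i:] if parse_time(e["time"]) - t0 <= WINDOW]
            services = sorted({e["service"] for e in window})
            if len(services) >= MIN_DISTINCT_SERVICES:
                alerts.append({
                    "technique": "T1558.003",
                    "user": user,
                    "services": services,
                    "first_seen": start["time"],
                    "source_ip": start["ip"],
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print(alert)
```

The alert carries the ATT&CK ID alongside the evidence (account, services, first-seen time, source IP), so the same record can be dropped straight into the evidence template above and into a findings database. The encryption-type filter is the piece that matters most: tuning that gets tickets with AES, as gMSA-backed accounts do, drops the legitimate-looking noise while leaving requests that downgrade to RC4 visible.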
Step 5: Validate the Mapping
Cross-reference your mapping against the official ATT&CK technique page:
- Read the technique description at attack.mitre.org
- Verify the behavior matches the documented definition
- Check the “Procedure Examples” section for similar real-world usage
- Review the “Detection” section for monitoring guidance
- Check the “Mitigations” section for remediation alignment
Common mapping mistakes:
- Mapping too broadly: Using T1059 (Command and Scripting Interpreter) when T1059.001 (PowerShell) is accurate
- Wrong tactic: Mapping lateral movement tools to Execution instead of Lateral Movement
- Missing multi-tactic mappings: A technique like T1053.005 (Scheduled Task) spans Persistence, Privilege Escalation, and Execution
- Confusing vulnerability with technique: CVE-2024-1234 is not an ATT&CK technique; the technique is what the CVE enables (e.g., T1190 Exploit Public-Facing Application)
Practical Application: Mapping a Full Penetration Test
Scenario: Internal Network Penetration Test
An internal penetration test produced 23 findings. Here is how the critical path maps to ATT&CK:
Attack Path:
| Step | Action | ATT&CK Technique | Tactic |
|---|---|---|---|
| 1 | Sent phishing email with malicious macro document | T1566.001: Spearphishing Attachment | Initial Access |
| 2 | Macro executed PowerShell download cradle | T1059.001: PowerShell | Execution |
| 3 | PowerShell downloaded Cobalt Strike beacon | T1105: Ingress Tool Transfer | Command and Control |
| 4 | Beacon established HTTPS C2 channel | T1071.001: Web Protocols | Command and Control |
| 5 | Enumerated Active Directory domain | T1087.002: Domain Account | Discovery |
| 6 | Discovered service accounts with SPNs | T1069.002: Domain Groups | Discovery |
| 7 | Kerberoasted service accounts | T1558.003: Kerberoasting | Credential Access |
| 8 | Cracked svc_backup password offline | T1110.002: Password Cracking | Credential Access |
| 9 | Used svc_backup creds to access file server | T1021.002: SMB/Windows Admin Shares | Lateral Movement |
| 10 | Extracted sensitive financial data | T1005: Data from Local System | Collection |
| 11 | Exfiltrated data over existing C2 channel | T1041: Exfiltration Over C2 Channel | Exfiltration |
ATT&CK Coverage Analysis:
From this single engagement, the tester exercised techniques across 8 of 14 tactics:
| Tactic | Techniques Used | Detection Triggered? |
|---|---|---|
| Initial Access | T1566.001 | No |
| Execution | T1059.001 | Partial (logged but no alert) |
| Discovery | T1087.002, T1069.002 | No |
| Credential Access | T1558.003, T1110.002 | No |
| Lateral Movement | T1021.002 | No |
| Collection | T1005 | No |
| Command and Control | T1071.001, T1105 | No |
| Exfiltration | T1041 | No |
Key Insight: Zero detections fired across 11 techniques spanning 8 tactics. This is not a list of 23 random findings. It is a structured view of exactly where the organization’s detection capability failed, mapped to a framework the detection engineering team can act on directly.
Mapping Vulnerability Scan Results
Vulnerability scans produce CVE-based output, not behavior-based findings. Mapping requires an extra translation step.
The CVE-to-ATT&CK Translation
CVEs describe what is vulnerable. ATT&CK describes what an adversary can do with that vulnerability.
| CVE | Vulnerability Description | What an Adversary Can Do | ATT&CK Mapping |
|---|---|---|---|
| CVE-2021-44228 | Log4Shell – JNDI injection in Log4j | Execute arbitrary code on vulnerable servers | T1190: Exploit Public-Facing Application |
| CVE-2023-23397 | Outlook NTLM relay via calendar invite | Steal NTLMv2 hashes without user interaction | T1187: Forced Authentication |
| CVE-2024-21762 | FortiOS out-of-bounds write | Gain initial access to network perimeter device | T1190: Exploit Public-Facing Application |
| CVE-2020-1472 | Zerologon – Netlogon privilege escalation | Become Domain Admin from any domain-joined machine | T1068: Exploitation for Privilege Escalation |
| CVE-2021-36934 | HiveNightmare – SAM database readable | Extract local account password hashes | T1003.002: Security Account Manager |
When Not to Map
Not every vulnerability scan finding maps meaningfully to ATT&CK:
- Informational findings (SSL certificate expiring, HTTP headers missing) – These are configuration weaknesses, not adversary techniques
- Denial of service only – If the CVE only enables DoS with no code execution, the ATT&CK value is limited
- False positives – Validate the finding exists before mapping it
Focus mapping efforts on findings that represent realistic adversary capabilities in your environment.
Mapping Incident Response Findings
Incident investigations produce the richest ATT&CK mapping data because they document actual adversary behavior.
Incident Timeline to ATT&CK
| Time | Event | Evidence Source | ATT&CK Mapping |
|---|---|---|---|
| 09:14 | Phishing email received | Email gateway logs | T1566.002: Spearphishing Link |
| 09:17 | User clicked link, entered credentials | Proxy logs, IdP logs | T1078.004: Cloud Accounts |
| 09:18 | Adversary authenticated with stolen credentials | Azure AD sign-in logs | T1078.004: Cloud Accounts |
| 09:22 | Inbox rules created to forward email | M365 audit logs | T1114.003: Email Forwarding Rule |
| 09:45 | OAuth app registered for persistence | Azure AD audit logs | T1098.003: Additional Cloud Roles |
| 10:12 | Email search for “wire transfer”, “payment” | M365 compliance logs | T1114.002: Remote Email Collection |
| 10:34 | BEC email sent from compromised account | Email gateway logs | T1534: Internal Spearphishing |
Post-Incident Value: This mapping tells the detection engineering team exactly which techniques succeeded. Each unmapped or undetected technique becomes a detection engineering backlog item with clear requirements.
Building a Findings-to-ATT&CK Database
Why Track Mappings Across Engagements
Individual mapping is useful. Aggregated mapping across multiple engagements reveals patterns.
Example: 12 Months of Penetration Test Data
| ATT&CK Technique | Engagements Where Found | Exploited Successfully | Detection Rate |
|---|---|---|---|
| T1558.003 Kerberoasting | 8 of 10 | 7 of 8 | 12% |
| T1557.001 LLMNR Poisoning | 6 of 10 | 6 of 6 | 0% |
| T1021.002 SMB/Admin Shares | 7 of 10 | 5 of 7 | 28% |
| T1059.001 PowerShell | 9 of 10 | 8 of 9 | 44% |
| T1053.005 Scheduled Task | 4 of 10 | 4 of 4 | 0% |
| T1003.001 LSASS Memory | 5 of 10 | 3 of 5 | 60% |
Insights from aggregated data:
- Kerberoasting appears in 80% of engagements – This is a systemic issue requiring organizational remediation (gMSA deployment, password policy for service accounts), not point fixes
- LLMNR Poisoning has 0% detection rate – Disable LLMNR and NBT-NS network-wide via GPO
- PowerShell detection is improving (44%) – Detection engineering investments in Script Block Logging and AMSI are paying off
- LSASS protection is partially effective (60%) – Credential Guard or PPL deployment is working but incomplete
This is the difference between “we did 10 pentests” and “we have measurable improvement data across our most common attack vectors.”
Database Schema
For organizations building their own tracking:
Finding:
- finding_id: Unique identifier
- engagement_id: Which assessment
- engagement_type: pentest | red_team | incident | vuln_scan
- date: When discovered
- description: What happened
- attck_technique_id: T-number (e.g., T1558.003)
- attck_tactic: Tactic name
- tools_used: Tools or procedures observed
- success: boolean (was the technique successful)
- detected: boolean (did existing controls detect it)
- detection_source: What detected it (if detected)
- evidence: Supporting logs, screenshots, artifacts
- remediation: Recommended fix
- severity: Critical | High | Medium | Low
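The schema above and the aggregated table in the "12 Months of Penetration Test Data" section fit together: the table is what you get by rolling the per-finding rows up by technique. The following is an added example, not code from the original post, that does that roll-up. The Finding fields follow the schema; the rows are constructed. One definition is an assumption: "Detection Rate" here is the share of finding rows for a technique that existing controls detected, and "Exploited Successfully" counts engagements in which at least one attempt at that technique succeeded.

```python
"""Added example: rolling a findings-to-ATT&CK database up into per-technique metrics."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    engagement_id: str
    engagement_type: str       # pentest | red_team | incident | vuln_scan
    attck_technique_id: str    # e.g. T1558.003
    attck_tactic: str
    success: bool              # was the technique successful
    detected: bool             # did existing controls detect it
    detection_source: str = ""  # what detected it (if detected)


# Constructed rows spanning four engagements.
FINDINGS = [
    Finding("F-001", "PT-2024-Q1", "pentest",  "T1558.003", "Credential Access", True,  False),
    Finding("F-002", "PT-2024-Q1", "pentest",  "T1557.001", "Credential Access", True,  False),
    Finding("F-003", "PT-2024-Q1", "pentest",  "T1059.001", "Execution",         True,  True,  "EDR"),
    Finding("F-004", "PT-2024-Q2", "pentest",  "T1558.003", "Credential Access", True,  True,  "SIEM 4769 rule"),
    Finding("F-005", "PT-2024-Q2", "pentest",  "T1059.001", "Execution",         True,  True,  "EDR"),
    Finding("F-006", "PT-2024-Q3", "red_team", "T1558.003", "Credential Access", False, False),
    Finding("F-007", "PT-2024-Q3", "red_team", "T1059.001", "Execution",         True,  False),
    Finding("F-008", "PT-2024-Q4", "pentest",  "T1557.001", "Credential Access", True,  False),
    Finding("F-009", "PT-2024-Q4", "pentest",  "T1059.001", "Execution",         False, True,  "EDR"),
]


def aggregate(findings):
    """Per-technique summary: engagements where found, engagements where it succeeded,
    and the percentage of attempts that were detected."""
    total_engagements = len({f.engagement_id for f in findings})
    by_technique = defaultdict(list)
    for f in findings:
        by_technique[f.attck_technique_id].append(f)

    summary = {}
    for technique, rows in by_technique.items():
        found_in = {f.engagement_id for f in rows}
        exploited_in = {f.engagement_id for f in rows if f.success}
        detected = sum(1 for f in rows if f.detected)
        summary[technique] = {
            "found": len(found_in),
            "total_engagements": total_engagements,
            "exploited": len(exploited_in),
            "detection_rate": round(100 * detected / len(rows)),
        }
    return summary


def systemic_techniques(summary, min_share=0.5):
    """Techniques seen in at least min_share of engagements: candidates for
    organization-wide remediation rather than point fixes."""
    return sorted(t for t, s in summary.items()
                  if s["found"] / s["total_engagements"] >= min_share)


def render_table(summary):
    """Render the summary in the same column layout as the table in the post."""
    lines = [
        "| ATT&CK Technique | Engagements Where Found | Exploited Successfully | Detection Rate |",
        "|---|---|---|---|",
    ]
    for technique in sorted(summary):
        s = summary[technique]
        lines.append(f"| {technique} | {s['found']} of {s['total_engagements']} | "
                     f"{s['exploited']} of {s['found']} | {s['detection_rate']}% |")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = aggregate(FINDINGS)
    print(render_table(summary))
    print("Systemic (>=70% of engagements):", systemic_techniques(summary, 0.7))
```

Because `success` and `detected` are separate booleans, a failed attempt that was still caught (F-009) counts toward the detection rate without counting as exploited, which is exactly the distinction the "Exploited Successfully" and "Detection Rate" columns need to keep apart.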
Common Mapping Challenges
Challenge 1: One Finding, Multiple Techniques
A single finding often involves multiple ATT&CK techniques. Map each technique separately.
Example: “Used Mimikatz to dump LSASS and extract Kerberos tickets”
This is two techniques:
- T1003.001: LSASS Memory (dumping credentials from LSASS process)
- T1558.003: Kerberoasting (if extracting TGS tickets) or T1550.003: Pass the Ticket (if reusing existing tickets)
Challenge 2: Custom Tools and Techniques
Not every technique maps neatly to an existing ATT&CK ID. When using custom tools or novel techniques:
- Find the closest matching technique
- Document the deviation in notes
- If the behavior is genuinely new, consider submitting a contribution to MITRE
Challenge 3: Mapping Defensive Findings
Some findings are defensive gaps rather than offensive techniques:
- “No centralized logging for Active Directory” – This does not map to an ATT&CK technique directly. Instead, identify which techniques this gap leaves undetected (T1003, T1558, T1087, etc.) and map those.
- “Endpoint protection disabled on 15 servers” – Map the techniques that become possible when protection is absent.
Challenge 4: Granularity Decisions
Map at the most specific level supported by your evidence:
| Evidence Available | Map To |
|---|---|
| “PowerShell was used” | T1059.001: PowerShell |
| “A script was executed” (type unknown) | T1059: Command and Scripting Interpreter |
| “Something ran on the system” | T1204: User Execution (if user-initiated) |
When in doubt, choose the most specific sub-technique your evidence supports.
Integrating ATT&CK Mapping Into Your Workflow
For Penetration Testers
- During testing: Log each technique as you execute it with the ATT&CK ID
- In the report: Include an ATT&CK mapping table alongside traditional findings
- In the debrief: Walk the client through the ATT&CK Navigator heatmap showing which techniques were successful
- Across engagements: Track technique frequency and detection rates over time
For Vulnerability Management Teams
- Prioritize remediation by mapping CVEs to ATT&CK techniques and cross-referencing with your threat model
- Focus on exploitable chains – A medium-severity CVE that enables T1190 (Initial Access) feeding into T1068 (Privilege Escalation) is higher priority than an isolated critical finding
- Validate scanner output by confirming the mapped technique is actually achievable in your environment
For Detection Engineers
- Use mapped findings as detection requirements – Each undetected technique from a pentest becomes a detection engineering ticket
- Prioritize based on frequency – Techniques that appear in 80% of engagements need detection before techniques that appear in 10%
- Validate detections – After building a detection rule for T1558.003, run Rubeus in a test environment and confirm the alert fires
For Security Leadership
- Track coverage metrics – “We can detect X of Y ATT&CK techniques relevant to our threat model”
- Measure improvement – “Detection coverage increased from 35% to 62% over 12 months”
- Communicate risk – “Our last three pentests show recurring credential access gaps that map to the same 4 ATT&CK techniques”
- Justify budget – “Investing in EDR capabilities addresses 15 currently undetected ATT&CK techniques across 3 critical tactics”
Tools for ATT&CK Mapping
ATT&CK Navigator
The ATT&CK Navigator is a web-based tool for creating layered heatmaps of ATT&CK coverage.
Practical Uses:
- Red layer: techniques successfully exploited during a pentest
- Blue layer: techniques your SIEM has detection rules for
- Overlay: techniques present in the red layer but absent from the blue layer are your detection gaps
This produces a visual gap analysis that communicates complex coverage data to technical and non-technical stakeholders.
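The red/blue/overlay workflow can be produced from the findings data rather than by hand. The following is an added example, not code from the original post or from the ATT&CK Navigator project, that builds the three layers as Navigator layer JSON and computes the gap set. The red set is the attack-path table from the pentest scenario earlier in the post; the blue set (existing SIEM rules) and the `versions` numbers are assumptions, and the version numbers should match the Navigator build you load the files into. The layer keys used (`name`, `versions`, `domain`, `techniques` with `techniqueID`, `color`, `score`, `comment`) are the Navigator layer format.

```python
"""Added example: generating ATT&CK Navigator layers for red, blue and gap overlays."""
import json

RED = "#d62728"     # exploited during the engagement
BLUE = "#1f77b4"    # detection rule exists
ORANGE = "#ff7f0e"  # exploited with no detection rule (gap)

# Assumed Navigator/ATT&CK versions; set these to the build you use.
LAYER_VERSIONS = {"attack": "16", "navigator": "5.1", "layer": "4.5"}

# Red set: techniques exercised in the internal pentest scenario (from the post's attack-path table).
EXPLOITED = {
    "T1566.001": "Phishing email with macro document",
    "T1059.001": "Macro launched PowerShell download cradle",
    "T1105": "Beacon downloaded by PowerShell",
    "T1071.001": "HTTPS C2 channel",
    "T1087.002": "Domain account enumeration",
    "T1069.002": "Domain group enumeration",
    "T1558.003": "Kerberoasting of service accounts",
    "T1110.002": "Offline password cracking",
    "T1021.002": "File server access over SMB",
    "T1005": "Financial data collected",
    "T1041": "Exfiltration over the C2 channel",
}

# Blue set: constructed list of techniques the SIEM already has rules for.
DETECTED = {
    "T1059.001": "Script block logging alert",
    "T1021.002": "Admin share access from workstation subnet",
    "T1003.001": "LSASS handle access rule",
}


def build_layer(name, description, techniques, color):
    """Return a Navigator layer dict colouring the given {techniqueID: comment} entries."""
    return {
        "name": name,
        "versions": dict(LAYER_VERSIONS),
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [
            {"techniqueID": tid, "color": color, "score": 1, "comment": comment}
            for tid, comment in sorted(techniques.items())
        ],
    }


def detection_gaps(exploited, detected):
    """Technique IDs that were exploited and have no detection rule."""
    return sorted(set(exploited) - set(detected))


def coverage_percent(exploited, detected):
    """Share of exploited techniques that have a detection rule."""
    if not exploited:
        return 0
    return round(100 * len(set(exploited) & set(detected)) / len(exploited))


def navigator_layers(exploited, detected):
    gaps = {tid: f"GAP: {exploited[tid]}" for tid in detection_gaps(exploited, detected)}
    return {
        "red": build_layer("Pentest - exploited", "Techniques successfully exploited", exploited, RED),
        "blue": build_layer("SIEM - detections", "Techniques with detection rules", detected, BLUE),
        "gaps": build_layer("Overlay - detection gaps", "Exploited but undetected", gaps, ORANGE),
    }


if __name__ == "__main__":
    layers = navigator_layers(EXPLOITED, DETECTED)
    for key, layer in layers.items():
        with open(f"layer_{key}.json", "w") as fh:
            json.dump(layer, fh, indent=2)
    print("Detection coverage:", coverage_percent(EXPLOITED, DETECTED), "%")
    print("Gaps:", detection_gaps(EXPLOITED, DETECTED))
```

Each JSON file loads into the Navigator through "Open Existing Layer"; the gap layer is the one to put in front of the detection engineering team, since every coloured cell in it is a backlog item, and the coverage percentage is the number leadership can track over time.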
STIX/TAXII
ATT&CK data is available in STIX (Structured Threat Information Expression) format. This enables:
- Programmatic access to technique definitions
- Automated mapping validation
- Integration with threat intelligence platforms
- Bulk operations across technique databases
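The "Validate the Mapping" step and the "Automated mapping validation" bullet above describe the same check, which the STIX data makes mechanical. The following is an added example, not code from the original post or from MITRE, that validates (technique, tactic) pairs against ATT&CK STIX objects: the ID must exist, must not be revoked or deprecated, the tactic must be one of the technique's kill-chain phases, and a technique-level mapping is flagged when sub-techniques exist (the "mapping too broadly" mistake). The bundle below is a constructed, trimmed stand-in for `enterprise-attack.json` from github.com/mitre-attack/attack-stix-data; the field names it uses (`attack-pattern`, `external_references`, `kill_chain_phases`, `x_mitre_is_subtechnique`, `revoked`, `x_mitre_deprecated`) are the ones in the real data. The finding IDs other than PT-2025-017 are constructed.

```python
"""Added example: validating findings' ATT&CK mappings against STIX technique objects."""
import json


def stix_technique(ext_id, name, tactics, sub=False, revoked=False):
    """Build a minimal attack-pattern object in the shape the ATT&CK STIX data uses."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--constructed-{ext_id}",
        "name": name,
        "external_references": [{
            "source_name": "mitre-attack",
            "external_id": ext_id,
            "url": f"https://attack.mitre.org/techniques/{ext_id.replace('.', '/')}",
        }],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "x_mitre_is_subtechnique": sub,
        "revoked": revoked,
    }


# Constructed bundle covering a few techniques discussed in the post.
STIX_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    stix_technique("T1558", "Steal or Forge Kerberos Tickets", ["credential-access"]),
    stix_technique("T1558.003", "Kerberoasting", ["credential-access"], sub=True),
    stix_technique("T1003", "OS Credential Dumping", ["credential-access"]),
    stix_technique("T1003.006", "DCSync", ["credential-access"], sub=True),
    stix_technique("T1053", "Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"]),
    stix_technique("T1053.005", "Scheduled Task", ["execution", "persistence", "privilege-escalation"], sub=True),
    stix_technique("T1190", "Exploit Public-Facing Application", ["initial-access"]),
    # T1061 is revoked in the real dataset as well; included to exercise that check.
    stix_technique("T1061", "Graphical User Interface", ["execution"], revoked=True),
]}


def index_techniques(bundle):
    """Map ATT&CK external IDs (T1234, T1234.001) to their attack-pattern objects."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and ref.get("external_id", "").startswith("T"):
                index[ref["external_id"]] = obj
    return index


def tactic_slug(tactic_name):
    """'Credential Access' -> 'credential-access', the phase_name spelling in STIX."""
    return tactic_name.strip().lower().replace(" ", "-")


def validate_mapping(index, technique_id, tactic_name):
    """Return a list of problems with one (technique, tactic) mapping; empty means it passed."""
    obj = index.get(technique_id)
    if obj is None:
        return [f"{technique_id}: not an ATT&CK technique ID in this dataset"]
    problems = []
    if obj.get("revoked") or obj.get("x_mitre_deprecated"):
        problems.append(f"{technique_id}: technique is revoked/deprecated; map to its replacement")
    phases = {p["phase_name"] for p in obj.get("kill_chain_phases", [])
              if p.get("kill_chain_name") == "mitre-attack"}
    if tactic_slug(tactic_name) not in phases:
        problems.append(f"{technique_id}: tactic '{tactic_name}' not valid; allowed: {sorted(phases)}")
    if not obj.get("x_mitre_is_subtechnique"):
        subs = sorted(t for t in index if t.startswith(technique_id + "."))
        if subs:
            problems.append(f"{technique_id}: mapped at technique level but sub-techniques exist: {subs}")
    return problems


def validate_findings(index, rows):
    """Validate (finding_id, technique_id, tactic) rows; returns {finding_id: [problems]}."""
    return {fid: validate_mapping(index, tid, tactic) for fid, tid, tactic in rows}


if __name__ == "__main__":
    idx = index_techniques(STIX_BUNDLE)
    rows = [
        ("PT-2025-017", "T1558.003", "Credential Access"),  # the evidence-template finding
        ("PT-2025-018", "T1053.005", "Lateral Movement"),   # constructed: wrong tactic
        ("PT-2025-019", "T1003", "Credential Access"),      # constructed: too broad
        ("PT-2025-020", "T1061", "Execution"),              # constructed: revoked technique
        ("PT-2025-021", "T9999", "Impact"),                 # constructed: no such ID
    ]
    print(json.dumps(validate_findings(idx, rows), indent=2))
```

Against the real dataset, replace `STIX_BUNDLE` with `json.load(open("enterprise-attack.json"))`; `index_techniques` and the checks are unchanged. Running this over every row of a findings database before a report goes out catches the four mistakes listed under "Common mapping mistakes" that are checkable from the data alone; the fifth (confusing a CVE with a technique) still needs a reviewer.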
Mapping Templates
Maintain a standard template for your organization. Consistency in mapping format is as important as mapping accuracy.
The Bottom Line
ATT&CK mapping is not an academic exercise. It is the difference between a pile of disconnected findings and a structured, measurable view of your security posture.
The process is straightforward:
- Normalize findings into adversary behavior descriptions
- Map to sub-technique level using the five-step methodology
- Document evidence for every mapping
- Aggregate across engagements to identify patterns
- Drive action through detection engineering, remediation prioritization, and coverage tracking
Organizations that systematically map findings to ATT&CK can answer questions that organizations without mapping cannot: Which techniques are we most vulnerable to? Are we getting better? Where should we invest next?
Those answers are worth the effort.
Next Steps
Immediate Actions:
- Take your most recent penetration test report and map each finding to ATT&CK using the methodology above
- Open the ATT&CK Navigator and create a heatmap of the mapped findings
- Identify which mapped techniques your SIEM currently has detection rules for
Short-Term (30 Days):
- Establish a mapping template for your organization
- Map findings from your last three engagements to build an initial dataset
- Identify the top 5 techniques by frequency and assess your detection coverage for each
Long-Term (90 Days):
- Integrate ATT&CK mapping into your standard pentest reporting template
- Build a findings database that tracks technique success and detection rates over time
- Use aggregated data to drive quarterly detection engineering priorities
Need Help?
If your organization needs assistance mapping findings to ATT&CK or building a detection engineering program based on assessment data, contact us.
References and Further Reading
- MITRE ATT&CK Framework – attack.mitre.org
- ATT&CK Navigator – mitre-attack.github.io/attack-navigator
- MITRE ATT&CK STIX Data – github.com/mitre-attack/attack-stix-data
- NIST SP 800-53 to ATT&CK Mapping – center-for-threat-informed-defense.github.io
- CISA Best Practices for MITRE ATT&CK Mapping – cisa.gov
