Cyber Horizon
MITRE ATT&CK · Threat Intel · Detection

MITRE ATT&CK for Defenders: A Practical Primer

4 June 2026 · 8 min read · Cyber Horizon Team

MITRE ATT&CK has quietly become the shared language of cyber defence. Threat reports cite its technique IDs, detection tools map to it, and security teams use it to answer a deceptively hard question: against the ways attackers actually operate, how much can we really see?

What ATT&CK actually is

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a free, continuously updated knowledge base of real-world adversary behaviour, maintained by MITRE. Rather than cataloguing malware samples or indicators, it catalogues behaviour: how attackers get in and what they do once they are there. (The malware and tools it does record are indexed by the techniques they implement.) That focus is what makes it durable: tools and indicators change constantly, but the underlying techniques change slowly.

Tactics, techniques, and sub-techniques

Tactics: The adversary's goal, the "why." For example, Initial Access (TA0001), Persistence, Privilege Escalation, Exfiltration.
Techniques: How they achieve that goal, the "how." For example, Phishing (T1566) under Initial Access.
Sub-techniques: More specific variants of a technique, for finer-grained mapping. For example, Spearphishing Attachment (T1566.001) under Phishing.
Procedures: The exact way a specific group or tool implements a technique in the wild, recorded on each technique's page as procedure examples.

The Enterprise matrix (there are also Mobile and ICS matrices) lays the tactics out as columns and the techniques beneath them, giving you a single board on which to plot what you can detect, what you can prevent, and where you are blind.

How defenders use it

The real value of ATT&CK is not reading it — it is mapping your own defences onto it. A few high-impact uses:

Coverage mapping: Plot which techniques your controls and detections actually cover, and where the gaps are.
Threat-informed defence: Prioritise the techniques used by the groups that target your sector.
Detection engineering: Write and track detections against specific techniques rather than vague categories.
Purple teaming: Have red emulate techniques and blue confirm they are detected — technique by technique.
Communication: Describe an incident in shared IDs everyone understands, internally and externally.

Getting started without boiling the ocean

The matrix is large, and trying to cover every technique at once is a fast route to giving up. Start narrow and iterate:

Pick the threat groups and techniques most relevant to your industry.
Map your existing detections and controls to those techniques first.
Mark each as covered, partially covered, or a gap — be honest.
Close the highest-impact gaps, then widen coverage over time.
Re-assess as ATT&CK and your environment evolve.
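The steps above, carried through in code as an added example (this is not code from the original post, nor from the Cyber Horizon product): a Python script that takes a prioritised list of techniques and a detection inventory, grades each technique as covered, partially covered, or a gap, rolls sub-technique results up to their parents, lists the gaps to close first, and emits an ATT&CK Navigator layer so the result can be plotted on the matrix. The technique IDs are real ATT&CK Enterprise IDs; the prioritised selection, the detection inventory, the "validated" rule, the roll-up rule and the version strings in the layer header are assumptions made for illustration.

```python
"""Map detections to ATT&CK techniques, grade coverage, emit a Navigator layer.
Added example; not the original post's or product's code."""
import json
from collections import defaultdict

# Constructed sample: techniques prioritised for a hypothetical organisation
# (e.g. those used by the groups that target its sector). The IDs are real
# ATT&CK Enterprise IDs; the selection is an assumption for illustration.
PRIORITY_TECHNIQUES = {
    "T1566.001": "Spearphishing Attachment",
    "T1566.002": "Spearphishing Link",
    "T1059.001": "PowerShell",
    "T1003.001": "LSASS Memory",
    "T1021.001": "Remote Desktop Protocol",
    "T1053.005": "Scheduled Task",
    "T1486": "Data Encrypted for Impact",
}

# Constructed sample detection inventory. 'validated' means a purple-team run
# confirmed the rule fires against an emulation of the technique; a rule that
# has never been exercised earns only partial credit.
DETECTIONS = [
    {"name": "Mail gateway: macro-bearing attachment", "techniques": ["T1566.001"], "validated": True},
    {"name": "EDR: encoded PowerShell command line", "techniques": ["T1059.001"], "validated": True},
    {"name": "Sysmon: handle to lsass.exe from non-system process", "techniques": ["T1003.001"], "validated": False},
    {"name": "SIEM: scheduled task created from user session", "techniques": ["T1053.005"], "validated": True},
]

COVERED, PARTIAL, GAP = "covered", "partial", "gap"


def parent_of(technique_id):
    """T1566.001 -> T1566; a parent-level ID maps to itself."""
    return technique_id.split(".")[0]


def assess_coverage(priority, detections):
    """Return {technique_id: status} for each prioritised technique and for
    the parent of every prioritised sub-technique."""
    hits = defaultdict(list)
    for det in detections:
        for tid in det["techniques"]:
            hits[tid].append(det)

    status = {}
    for tid in priority:
        dets = hits.get(tid, [])
        if not dets:
            status[tid] = GAP
        elif any(d["validated"] for d in dets):
            status[tid] = COVERED
        else:
            status[tid] = PARTIAL

    # Roll sub-techniques up to their parent (assumed rule). A parent counts as
    # covered only when every prioritised sub-technique beneath it is covered,
    # so one green sub-technique cannot make the whole parent look green.
    children = defaultdict(list)
    for tid in priority:
        if "." in tid:
            children[parent_of(tid)].append(tid)
    for parent, subs in children.items():
        sub_status = {status[s] for s in subs}
        if sub_status == {COVERED}:
            status[parent] = COVERED
        elif sub_status == {GAP}:
            status[parent] = GAP
        else:
            status[parent] = PARTIAL
    return status


def summarise(status, priority):
    """Counts over the prioritised techniques only; parent rows are derived."""
    counts = {COVERED: 0, PARTIAL: 0, GAP: 0}
    for tid in priority:
        counts[status[tid]] += 1
    return counts


def gaps(status, priority):
    """Prioritised techniques with no detection at all: the list to close first."""
    return [(tid, priority[tid]) for tid in priority if status[tid] == GAP]


def navigator_layer(status, name="Detection coverage"):
    """Build an ATT&CK Navigator layer document. The version strings in the
    header are assumptions; set them to match the Navigator build you use."""
    colour = {COVERED: "#8ec843", PARTIAL: "#ffe766", GAP: "#ff6666"}
    score = {COVERED: 2, PARTIAL: 1, GAP: 0}
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "covered=2, partial=1, gap=0; parents rolled up from sub-techniques",
        "techniques": [
            {"techniqueID": tid, "score": score[s], "color": colour[s], "comment": s}
            for tid, s in sorted(status.items())
        ],
    }


if __name__ == "__main__":
    result = assess_coverage(PRIORITY_TECHNIQUES, DETECTIONS)
    print("summary:", summarise(result, PRIORITY_TECHNIQUES))
    print("gaps to close first:", gaps(result, PRIORITY_TECHNIQUES))
    print(json.dumps(navigator_layer(result), indent=2))
```

Two design choices do the honesty work. First, a detection only counts as full coverage once it has been validated against an emulation of the technique; a rule that exists but has never fired is recorded as partial. Second, a parent technique is never marked covered on the strength of one sub-technique: with the constructed data above, T1566 shows as partial because Spearphishing Link has no detection, while T1059 rolls up as covered. Save the printed JSON to a file and load it into the ATT&CK Navigator as an existing layer to see the red, yellow and green plotted on the matrix; re-run it whenever detections or the prioritised list change.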

A common pitfall: chasing 100% coverage

Full matrix coverage is neither realistic nor the goal. Some techniques are far more relevant to you than others, and some are better mitigated than detected (each technique's page lists mitigations and detection data sources, which is a useful cross-check when deciding which applies). Aim for strong, evidenced coverage of the techniques that matter to your threat model, not a wall of green for its own sake. Tie this back to your wider programme and incident readiness; our guide to running a tabletop exercise is a good way to pressure-test whether your mapped coverage holds up under a real scenario.

Map your ATT&CK coverage in Cyber Horizon

Visualise the full ATT&CK matrix, see which techniques your controls cover, and turn the gaps into prioritised, threat-informed actions.

Book a Demo