Cyber Security Academy · Lesson

Mapping Attacks to Detections

Aligning techniques to MITRE ATT&CK.

Why Map to ATT&CK

MITRE ATT&CK is a curated knowledge base of adversary tactics, techniques, and procedures observed in the real world. It gives red and blue a shared vocabulary.

Mapping every test and every detection to an ATT&CK ID lets you answer one question precisely: which adversary behaviors can we actually see?

  • Tactics = the adversary's goal (the 'why')
  • Techniques = how they achieve it (the 'how')
  • Procedures = the specific implementation (the 'what')

Anatomy of a Technique ID

Each technique has a stable identifier you will use everywhere in purple teaming.

  • T1059 — Command and Scripting Interpreter (technique)
  • T1059.001 — PowerShell (sub-technique)
  • TA0002 — Execution (the tactic it belongs to)

A single technique can serve multiple tactics. For example, valid accounts (T1078) support Initial Access, Persistence, Privilege Escalation, and Defense Evasion simultaneously.
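The coverage question from the first section ("which adversary behaviors can we actually see?") and the ID structure from this one come together in a small mapping exercise. The block below is an added example, not code from the lesson or from MITRE: it parses technique and sub-technique IDs, keeps a constructed fragment of the matrix (T1059 and T1078 from the lesson, with T1078 under the four tactics named above), and rolls a list of purple-team tests and detections up into a per-tactic coverage table. The test and detection records, and the names in them, are constructed for illustration; the tactic IDs TA0001, TA0003, TA0004 and TA0005 are ATT&CK's own IDs for Initial Access, Persistence, Privilege Escalation and Defense Evasion.

```python
import re
from collections import defaultdict

# Technique IDs: "T" + four digits, optionally ".NNN" for a sub-technique.
TECHNIQUE_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_technique(tid):
    """Split an ATT&CK technique ID into (parent_id, sub_technique_id_or_None).

    Raises ValueError on malformed IDs so a typo in a test plan or a detection
    rule fails loudly instead of silently becoming an uncovered technique.
    """
    m = TECHNIQUE_RE.match(tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    parent = f"T{m.group(1)}"
    return parent, (tid if m.group(2) else None)


# Constructed fragment of the matrix: parent technique -> tactics it serves.
# T1078 is the lesson's example of one technique under several tactics.
TECHNIQUE_TACTICS = {
    "T1059": ["TA0002"],                               # Execution
    "T1078": ["TA0001", "TA0003", "TA0004", "TA0005"], # Initial Access, Persistence,
                                                       # Privilege Escalation, Defense Evasion
}

# Constructed purple-team records. Each test exercises one technique ID and
# each detection claims coverage of one technique ID.
TESTS = [
    {"name": "Encoded PowerShell launcher", "technique": "T1059.001"},
    {"name": "Logon with a valid but stolen domain account", "technique": "T1078"},
]
DETECTIONS = [
    {"name": "PowerShell script block alert", "technique": "T1059.001"},
]


def is_covered(test_id, detections):
    """True if some detection covers the technique the test exercises.

    A parent-level detection (e.g. T1059) covers every sub-technique of that
    parent; a sub-technique detection covers only that exact sub-technique.
    """
    test_parent, _ = parse_technique(test_id)
    for d in detections:
        d_parent, d_sub = parse_technique(d["technique"])
        if d_parent != test_parent:
            continue
        if d_sub is None or d_sub == test_id:
            return True
    return False


def coverage(tests, detections, matrix):
    """Return {tactic_id: {technique_id: "covered" | "gap"}}.

    Every technique a test exercises is listed under each tactic it serves,
    so a gap in T1078 shows up as four gaps, one per tactic, exactly as the
    matrix would display it.
    """
    table = defaultdict(dict)
    for t in tests:
        tid = t["technique"]
        parent, _ = parse_technique(tid)
        status = "covered" if is_covered(tid, detections) else "gap"
        for tactic in matrix.get(parent, ["UNMAPPED"]):
            table[tactic][tid] = status
    return dict(table)


def gaps(tests, detections, matrix):
    """Sorted (tactic_id, technique_id) pairs with no detection: the to-do list."""
    table = coverage(tests, detections, matrix)
    return sorted((tactic, tid)
                  for tactic, techs in table.items()
                  for tid, status in techs.items() if status == "gap")


if __name__ == "__main__":
    for tactic, techs in sorted(coverage(TESTS, DETECTIONS, TECHNIQUE_TACTICS).items()):
        for tid, status in techs.items():
            print(f"{tactic}  {tid:<10}  {status}")
```

Keying both sides on the full technique ID (sub-technique where one exists) is what makes the answer precise: a detection written for T1059.001 says nothing about T1059.003, while a detection written for the parent T1059 is treated as covering all of its sub-techniques, so the roll-up rule is explicit rather than implied.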
