Threat model
What is MITRE ATT&CK?
MITRE ATT&CK is a globally recognised framework that describes how real-world adversaries behave. It provides a structured way to understand tactics, techniques, and procedures (TTPs) used in cyber attacks.
But while ATT&CK gives organisations a common language for threats, it does not provide a system for managing detection coverage, measuring effectiveness, or driving continuous improvement.
What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base of adversary behaviour.
It organises cyber attacks into:
- Tactics — the objective of an attack (e.g. Initial Access, Persistence)
- Techniques — how that objective is achieved
- Procedures — real-world implementations observed in the wild
This structure allows security teams to map threats in a consistent and repeatable way.
Why organisations use ATT&CK
ATT&CK has become a standard across security operations because it enables:
- A shared language between teams (SOC, CTI, detection engineering)
- Threat-informed detection design
- Mapping of controls and coverage to real-world adversary behaviour
- Alignment between tooling (SIEM, EDR, BAS) and threat models
It is widely used to create ATT&CK heatmaps, showing which techniques are covered.
The limitation: ATT&CK is not an operational system
ATT&CK is powerful — but it is often misused.
Most organisations rely on:
- Static heatmaps
- Manual mapping exercises
- One-off assessments (purple team / BAS)
These approaches create visibility without validation.
They do not answer critical questions:
- Are detections actually working?
- Do they trigger on real threats?
- Are they noisy, broken, or never firing?
- How has coverage changed over time?
This leads to a false sense of confidence.
Teams think they have coverage — but they don’t know if it actually works.
The gap: from mapping to measurement
ATT&CK defines what should be detected — but it does not define:
- How detections are managed
- How effectiveness is measured
- How improvements are tracked over time
This is where many security programmes stall.
From ATT&CK to a Detection System of Record
To move beyond static mapping, organisations need a system that:
- Links ATT&CK techniques to actual detection rules
- Tracks how those detections perform in the real world
- Continuously validates effectiveness
- Provides a persistent view of detection coverage
This is exactly the gap a Detection System of Record is designed to solve.
ATT&CK is the model. DSoR is the system.
ATT&CK → defines threats
DSoR → measures detection
How SecuMap uses MITRE ATT&CK
In a modern detection programme:
- MITRE ATT&CK defines what to detect
- MaGMa defines how detections are managed
- SecuMap (DSoR) makes both measurable and operational
SecuMap uses ATT&CK as the threat model layer:
- Every detection is mapped to ATT&CK techniques
- Coverage is measured continuously through live detection signals, not static mapping
- Validation results are tied back to techniques
- Gaps are identified based on real-world effectiveness
ATT&CK becomes:
Not just a mapping framework — but a measurable part of an operational system.
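As an added illustration (not SecuMap's own code or data model), the difference between mapped coverage and measured coverage can be made concrete with a short Python script: each rule carries its ATT&CK mapping plus the live signals listed above (alert volume, confirmed true positives, and whether the last BAS or purple-team run actually triggered it). Rule IDs, counts and the 5% noise threshold are constructed; the technique IDs are standard ATT&CK identifiers used only as labels.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    rule_id: str
    technique: str       # ATT&CK technique ID this rule is mapped to
    alerts_30d: int      # live alerts from the SIEM/EDR in the last 30 days
    true_positives: int  # of those, how many triage confirmed as real
    validated: bool      # did the latest BAS / purple-team run trigger it?

# Constructed sample data (hypothetical rules and counts).
DETECTIONS = [
    Detection("R-001", "T1059", alerts_30d=420, true_positives=3, validated=True),
    Detection("R-002", "T1053", alerts_30d=0, true_positives=0, validated=False),
    Detection("R-003", "T1566", alerts_30d=12, true_positives=10, validated=True),
    Detection("R-004", "T1566", alerts_30d=0, true_positives=0, validated=True),
    Detection("R-005", "T1078", alerts_30d=5, true_positives=0, validated=False),
]
# Techniques the organisation's threat model says it must detect.
THREAT_MODEL = ["T1059", "T1053", "T1566", "T1078", "T1547"]

def classify(d: Detection, noise_threshold: float = 0.05) -> str:
    """Status of one rule from its live signals, not from its mapping."""
    if not d.validated and d.alerts_30d == 0:
        return "never-fires"   # mapped on the heatmap, no evidence it works
    if not d.validated:
        return "unvalidated"   # fires, but never proven against the technique
    if d.alerts_30d and d.true_positives / d.alerts_30d < noise_threshold:
        return "noisy"         # proven to fire, but drowning analysts
    return "effective"

def coverage(detections, threat_model):
    """Per-technique status: a technique is as good as its best rule."""
    rank = ["effective", "noisy", "unvalidated", "never-fires"]
    by_tech = defaultdict(list)
    for d in detections:
        by_tech[d.technique].append(classify(d))
    status = {}
    for t in threat_model:
        found = by_tech.get(t)
        status[t] = "gap" if not found else min(found, key=rank.index)
    return status

def summarise(status):
    """What the heatmap claims (mapped) versus what the signals show."""
    mapped = sum(s != "gap" for s in status.values())
    effective = sum(s == "effective" for s in status.values())
    return {"techniques": len(status), "mapped": mapped, "effective": effective}
```

On this sample a static heatmap reports four of five techniques as covered, while the live signals show only T1566 as effective; re-running the summary on each new batch of signals is what turns the heatmap into a trend.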
Bringing ATT&CK to life
On its own, ATT&CK answers:
“What should we detect?”
SecuMap extends this to:
- What are we detecting?
- What is actually working?
- Where are we exposed right now?
- What should we do next?
Next steps
- What is a Detection System of Record?
- What is MaGMa? (detection use case framework)
- Detection coverage and confidence
- SecuMap methodology
For the product view of how techniques connect to performance, start with Platform or Detection System of Record (category hub).