MITRE ATT&CK 108: My favourite talks from MITRE’s ATT&CKCON 3.0


In this post I end the tutorial series with some real world examples of how ATT&CK is being used from the most recent ATT&CKCON. Note: this tutorial is written for MITRE ATT&CK version 11.0 (published on 2022–04–24). Some of the concepts discussed are not correct for other versions of ATT&CK.

MITRE’s ATT&CKcon (v3.0) returned to an in-person event at their headquarters in McLean, Virginia, a little over a month ago (March 29 and 30), and was in part the inspiration for my last two posts: MITRE ATT&CK 101 and MITRE ATT&CK 102.

It is also a celebration of the recent release of version 11 of ATT&CK.

There was a great list of speakers, including many old colleagues, talking about a range of topics centered on how the ATT&CK framework is leveraged.

You can watch all the talks on-demand here (sign up required). Here are four of my favourites.

Knowledge for the Masses: Storytelling with ATT&CK!

By Ismael Valenzuela and Jose Luis Sanchez Martinez

Creating and sharing compelling stories about cyber threats (with the help of ATT&CK) is a powerful way to raise awareness and enable action against those threats.

In this talk Ismael and Jose share their experiences leveraging ATT&CK to disseminate threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, etc.) by captivating them with a story.

Watch on-demand.

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interactive Intrusion Campaigns

By Jason Wood and Justin Swisher

Security teams need tools and processes that allow the mapping of hands-on adversary tradecraft.

Jason and Justin show how their threat hunting team uses MITRE ATT&CK to understand and categorise adversary activity over time.

Watch on-demand.

It’s Just a Jump to the Left (of Boom): Prioritizing Detection Implementation with Intelligence and ATT&CK

By Lindsay Kaye and Scott Small

A wealth of open-source, ATT&CK-mapped detections and intelligence now exists for security teams.

Lindsay and Scott show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of this data to ensure that detection efforts are prioritised and focused effectively (with the help of ATT&CK).

Watch on-demand.

Threat Modelling: It’s Not Just for Developers

By Tim Wadhwa-Brown

Most intel teams take public information about threat actors, vulnerabilities, and incidents (and use it to build better defenses).

Tim takes the audience through 3 real-world examples where he leveraged such data, and shows how he used ATT&CK information (particularly data sources) to achieve a successful outcome.

Watch on-demand.


You have made it to the end of this short course.

Whilst there is a little more to ATT&CK than covered in these posts, you now have enough to start putting the framework to work, whether you are a red, blue, or purple teamer.

Here are some useful links to bookmark following this course, some I have covered, some I have not, that I find useful when working with MITRE ATT&CK:

  • The MITRE ATT&CK website is very useful for looking up Objects in the framework
  • MITRE recently released a new Chrome browser extension, ATT&CK Powered Suit, for Object lookups, which saves you jumping between tabs
  • The Navigator is great for modelling ATT&CK Tactics and Techniques
  • TRAM for automation of assigning ATT&CK to raw intelligence
  • And the Workbench for extending ATT&CK
  • A lesser-known product from MITRE is ATT&CK Flow, designed to help defenders easily understand how attackers compose and execute on ATT&CK techniques
  • MITRE are also running a pilot of a new initiative called ATT&CK Sightings. ATT&CK Sightings aims to be a central collection of reported sightings of Techniques from the ATT&CK community

If you have any questions about the content in this tutorial, please do not hesitate to drop us a message on Discord.

ATT&CK Certification (Virtual and In Person)

The content used in this post is a small subset of our full training material used in our ATT&CK training.

If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.


Originally published at on July 24, 2022.



I help early stage cyber-security companies to build products that make users go; “Wow! That’s what I need!”.

David G