Help us understand how ATT&CK techniques are interpreted in practice
Join our study and explore how you assign and structure attacker behavior using the MITRE ATT&CK framework.
To learn more about how our study is conducted:
What Is This Study About?
In cybersecurity practice, observed attacker behavior is commonly mapped to the MITRE ATT&CK framework, linking evidence to tactics, techniques, and sub-techniques to support threat analysis, detection engineering, and knowledge sharing.
As a widely adopted and highly valuable framework, ATT&CK provides a shared language for describing adversary behavior. However, mapping decisions are inherently influenced by context, available evidence, and analyst interpretation, leading to variation in technique assignments.
Rather than viewing such variation as an error, this study considers it an inherent and analyzable characteristic of real-world ATT&CK usage. We investigate how ambiguity arises, how mapping decisions can be better structured, and how additional information can support interpretation.
In particular, we examine how variation in mapping can inform structured grouping approaches and ultimately contribute to improving the consistency, transparency, and practical use of ATT&CK in different operational and research contexts.
What We Investigate
How often do ATT&CK technique assignments differ, and how does context influence ambiguity?
Improve consistency and reduce ambiguity in ATT&CK-based decision-making.
How can MITRE ATT&CK techniques be meaningfully clustered?
Enable structured guidelines, support different use cases, and allow ML-based classification.
How Does Participation Work?
There are no strictly correct answers. We are interested in how you interpret, structure, and reason about cyber attacks.
Contact
Do you have questions or additional feedback?
We’d love to hear from you — feel free to get in touch.
Project Team
Marleen Steinhoff
Researcher
University of Applied Sciences