MITRE ATT&CK Mapping Skill
Post-analysis enrichment tool that maps existing security findings to the MITRE ATT&CK framework. This skill does NOT discover new vulnerabilities. It takes findings produced by other skills (OWASP, STRIDE, SANS/CWE Top 25) and enriches them with ATT&CK tactics, techniques, attack chain analysis, and threat actor TTP cross-references.
This skill operates on findings, not on source code directly.
Supported Flags
Read ../../shared/schemas/flags.md for the full flag specification. This skill supports the following flags:

| Flag | Skill-Specific Behavior |
|---|---|
| --scope | Not used directly. Findings are sourced from prior analysis or .appsec/findings.json. |
| --depth | Controls enrichment depth. standard maps techniques. deep builds kill chains. expert adds threat actor TTPs and DREAD scoring. |
| --severity | Filter input findings before mapping. Only findings at or above this severity are processed. |
| --format | Applied to final output. |
| --quiet | Mappings only, suppress narrative descriptions. |
| --explain | Add detailed ATT&CK context and learning material per mapping. |
Framework Reference
Read ../../shared/frameworks/mitre-attck.md for the full MITRE ATT&CK specification including tactic definitions, technique descriptions, code-level patterns, cross-framework mapping tables, and kill chain construction guidance.
Workflow
Step 1: Acquire Findings
Collect existing findings from one or more sources, checked in priority order:
- Current conversation context: If findings are present from a prior analysis step (e.g., /appsec:owasp or /appsec:stride), use those.
- Findings file: Check .appsec/findings.json for persisted findings.
- User-specified file: If the user provides a path, read and parse it.

If no findings are available, inform the user and suggest running /appsec:owasp, /appsec:stride, or /appsec:sans25 first.
Step 2: Validate and Normalize Findings
Verify each finding conforms to shared/schemas/findings.md. Ensure required fields are present (id, title, severity, location.file, description). Discard malformed entries with a warning.
Normalize existing cross-references for mapping priority:
- references.cwe — primary key for ATT&CK mapping.
- references.owasp — secondary, via OWASP-to-ATT&CK table.
- references.stride — tertiary, via STRIDE-to-ATT&CK table.
Step 3: Map Findings to ATT&CK Techniques
For each finding, determine applicable ATT&CK techniques using the cross-framework mapping tables in mitre-attck.md:
- CWE-based: "ATT&CK Techniques to CWE" table (e.g., CWE-89 maps to T1190, T1059).
- OWASP-based: "ATT&CK Techniques to OWASP Top 10" table (when CWE unavailable).
- STRIDE-based: "ATT&CK Techniques to STRIDE" table (tertiary source).
- Pattern-based: Analyze description and title keywords against technique descriptions.

For each mapped technique, record technique_id, technique_name, tactic_id, and tactic_name. Update references.mitre_attck with the primary technique ID.
Step 4: Build Tactic Coverage Matrix
Each technique belongs to one or more tactics. Produce a matrix showing which tactics each finding touches:
| Finding ID | Recon | Initial Access | Execution | Priv Esc | Cred Access | Collection | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|
| INJ-001 | | T1190 | T1059 | | T1552 | T1005 | T1041 | T1485 |
| AUTH-003 | T1589 | T1078 | | T1548 | T1110 | | | |
Step 5: Build Attack Chains
Group findings that chain into multi-step attack scenarios from reconnaissance through impact. For each chain:
- Entry point: A finding enabling Initial Access (TA0001) or Reconnaissance (TA0043).
- Lateral steps: Trace technique-to-technique transitions through the kill chain.
- Terminal impact: Map to Impact tactics (TA0040): data destruction (T1485), manipulation (T1565), ransomware (T1486), or DoS (T1498).
- Chain severity: Maximum terminal impact severity, elevated one level if 3+ findings compound.

```
CHAIN-001: SQL Injection to Data Exfiltration
Severity: critical
Steps:
  1. [INJ-001]   SQL injection in /api/users        (T1190 -> Initial Access)
  2. [INJ-001]   Database dump via UNION SELECT     (T1005 -> Collection)
  3. [CRYPT-002] Credentials stored in plaintext    (T1552 -> Credential Access)
  4. [AUTH-003]  No MFA on admin portal             (T1078 -> Privilege Escalation)
Impact: Full database compromise, credential theft, admin takeover
```
Step 6: Kill Chain Visualization
Produce a text-based kill chain diagram mapping findings onto Lockheed Martin Cyber Kill Chain stages aligned with ATT&CK tactics:
```
Reconnaissance     Initial Access     Execution        Collection       Exfiltration
      |                  |                |                |                 |
      v                  v                v                v                 v
 [T1595 Scan] ->   [T1190 SQLi] -->  [T1059 Cmd] ->  [T1005 Dump] ->  [T1041 Exfil]
                     INJ-001            INJ-001          INJ-001
                        |
                        v
                   [T1552 Creds] -> [T1078 Acct] -> [T1548 Priv]
                     CRYPT-002        AUTH-003        AUTH-003
```

For --format json, produce a structured chain object with nodes and edges.
Step 7: Cross-Reference Threat Actor TTPs
Available at --depth deep and --depth expert. For each technique, note which threat actor groups commonly use it:

| Technique | Known Usage |
|---|---|
| T1190 Exploit Public-Facing App | APT28, APT41, Lazarus Group, FIN7, most initial access brokers |
| T1078 Valid Accounts | APT29, APT41, FIN6 -- commonly after credential theft |
| T1552 Unsecured Credentials | APT33, FIN7 -- harvesting from config files |
| T1505.003 Web Shell | APT41, Hafnium -- persistent access via uploaded shells |
This is NOT a threat intelligence assessment. It shows that identified techniques are actively used in real-world attacks.
Step 8: Produce Output
```json
{
  "tool": "mitre",
  "input_findings": 12,
  "mapped_findings": 10,
  "unmapped_findings": 2,
  "techniques_identified": 8,
  "tactics_covered": 6,
  "attack_chains": 2,
  "tactic_coverage": {
    "reconnaissance": ["T1595"],
    "initial_access": ["T1190", "T1078"],
    "execution": ["T1059"],
    "credential_access": ["T1552", "T1110"],
    "collection": ["T1005"],
    "exfiltration": ["T1041"],
    "impact": ["T1485"]
  },
  "chains": [ ... ],
  "enriched_findings": [ ... ]
}
```
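As an added illustration (not the skill's own code), a minimal Python model of Steps 2 through 4 plus the Step 5 severity rule and the Step 8 summary object: the CWE-to-ATT&CK subset, the sample findings and the tactic names are constructed for the demo, and attack chains themselves are not built here, only their severity rule.

```python
# Added example, not the skill's own code: a small Python model of Steps 2-5 and 8.
SEVERITY = ["info", "low", "medium", "high", "critical"]
REQUIRED = ("id", "title", "severity", "location", "description")
CWE_TO_ATTACK = {  # constructed subset of the "ATT&CK Techniques to CWE" table
    "CWE-89": [("T1190", "Exploit Public-Facing Application", "TA0001", "initial_access"),
               ("T1059", "Command and Scripting Interpreter", "TA0002", "execution")],
    "CWE-256": [("T1552", "Unsecured Credentials", "TA0006", "credential_access")],
    "CWE-308": [("T1078", "Valid Accounts", "TA0004", "privilege_escalation")],
}
SAMPLE = [  # constructed input standing in for .appsec/findings.json
    {"id": "INJ-001", "title": "SQL injection in /api/users", "severity": "critical",
     "location": {"file": "api/users.py"}, "description": "unsanitized id", "references": {"cwe": ["CWE-89"]}},
    {"id": "CRYPT-002", "title": "Credentials stored in plaintext", "severity": "high",
     "location": {"file": "config.py"}, "description": "db password in source", "references": {"cwe": ["CWE-256"]}},
    {"id": "AUTH-003", "title": "No MFA on admin portal", "severity": "high",
     "location": {"file": "admin/login.py"}, "description": "password-only login", "references": {"cwe": ["CWE-308"]}},
    {"id": "BAD-004", "title": "malformed entry"},  # Step 2 discards this with a warning
]

def map_finding(f):
    """Step 3 (CWE-based): attach techniques; references.mitre_attck gets the primary one."""
    techs = f["attck_techniques"] = [
        {"technique_id": t, "technique_name": n, "tactic_id": ti, "tactic_name": tn}
        for cwe in f["references"].get("cwe", []) for t, n, ti, tn in CWE_TO_ATTACK.get(cwe, [])]
    if techs:
        f["references"]["mitre_attck"] = techs[0]["technique_id"]
    return techs

def chain_severity(chain_findings, terminal_severity):
    """Step 5 rule: terminal impact severity, raised one level when 3+ findings compound."""
    level = SEVERITY.index(terminal_severity)
    if len({f["id"] for f in chain_findings}) >= 3:
        level = min(level + 1, len(SEVERITY) - 1)
    return SEVERITY[level]

def enrich(findings):
    """Steps 2-4 and 8: validate, map, tally tactic coverage, and build the summary object."""
    valid = [f for f in findings if all(k in f for k in REQUIRED) and "file" in f["location"]]
    dropped = [f.get("id", "?") for f in findings if f not in valid]
    if dropped:
        print("warning: discarded malformed findings:", ", ".join(dropped))
    coverage, mapped = {}, 0
    for f in valid:
        techs = map_finding(f)
        mapped += bool(techs)
        for t in techs:
            coverage.setdefault(t["tactic_name"], set()).add(t["technique_id"])
    return {"tool": "mitre", "input_findings": len(findings), "mapped_findings": mapped,
            "unmapped_findings": len(findings) - mapped, "tactics_covered": len(coverage),
            "techniques_identified": len(set().union(*coverage.values())),
            "tactic_coverage": {k: sorted(v) for k, v in coverage.items()}, "enriched_findings": valid}
```

Note that enrich mutates the finding dicts in place, which is the intended behaviour for persisting them back to .appsec/findings.json.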
Step 9: Present Results
Output the report in the requested --format. Include:
- Mapping summary: findings mapped, techniques identified, tactics covered.
- Tactic coverage matrix: ATT&CK tactics represented and gaps.
- Technique breakdown: findings per technique with parent tactic.
- Attack chains: step-by-step narrative with kill chain visualization.
- Coverage gaps: tactics with no mapped findings flagged as areas needing further analysis.
Expert Mode
If --depth expert is set, additionally:
Read ../../shared/frameworks/dread.md for DREAD scoring criteria. Assign a DREAD score to each attack chain.
Threat actor profiling: For each chain, identify the most likely threat actor class (opportunistic, insider, APT, nation-state) based on complexity and resources required.
Detection gap analysis: For each technique in a chain, assess whether the codebase has logging or alerting to detect the attack at that stage. Cross-reference with OWASP A09 findings if available. Flag chains where multiple stages lack detection as highest priority.
Mitigation roadmap: For each chain, produce a prioritized list of mitigations that break the chain at the earliest stage. Prefer mitigations that break multiple chains simultaneously.
Append expert findings with prefix ATK and metadata.tool set to "mitre-attck".