The MITRE ATT&CK framework as a common language for security teams

January 23, 2026

One of the biggest challenges in cybersecurity is not technical; it is communication.

SOC, CTI, Red Team, Blue Team, GRC, security awareness, and executive management teams often talk about the same threats in different languages. The result is misalignment, noise, greater exposure to attack, and decisions based on divergent interpretations. This is exactly where the MITRE ATT&CK framework has established itself as more than a technical reference: it has become a common language for cybersecurity.

The problem: teams speak “security” in different dialects
Consider common day-to-day situations:

  • The SOC speaks in alerts, events, and logs
  • CTI speaks in groups, campaigns, and TTPs (tactics, techniques, and procedures)
  • The Red Team speaks in payloads, exploits, and attack chains
  • GRC speaks in risk, impact, and control
  • The Security Awareness team speaks in user behavior, perception, and decision-making
  • Leadership speaks in exposure, priority, and cost

Everyone is right — but without a common vocabulary, integration is lost. When an analyst says “we detected suspicious behavior on the endpoint,” what exactly does that mean?
When CTI warns about an active group, how does that translate into practical action?

What is MITRE ATT&CK
MITRE ATT&CK is a knowledge base that describes how real adversaries conduct attacks. It is organized by:

  • Tactics (the attacker's objective at a given stage of the intrusion)
  • Techniques (how that objective is achieved)
  • Sub-Techniques (specific variations of a technique)
  • Procedures (the specific implementations adversaries have been observed using to carry out a technique or sub-technique)

It is maintained by MITRE, a non-profit that operates federally funded research and development centers for the US government, and is updated from reporting on real intrusion campaigns. The key point: ATT&CK describes behavior, not specific tools, so a detection or control mapped to a technique stays meaningful when an adversary swaps its tooling.

ATT&CK as a translator between teams
The great value of MITRE ATT&CK lies in its ability to translate contexts between disciplines.

CTI → SOC
When CTI says:
“This group uses OS Credential Dumping (T1003) followed by lateral movement over SMB/Windows Admin Shares (T1021.002)”
The SOC knows exactly:

  • Where to look
  • Which logs to prioritize
  • Which detections to validate

It is no longer an abstract alert; it is a clear operational hypothesis.

CTI → Red Team
The Red Team stops simulating generic attacks and starts to:

  • Emulate real groups
  • Reproduce observed attack chains
  • Test controls against specific TTPs

Result: more realistic and actionable exercises.

SOC / Red Team → GRC
With ATT&CK, the discourse changes from:
“We have X vulnerabilities”
To:
“We have low detection coverage for exfiltration techniques used by groups that attack our sector”
This connects threat → risk → decision.

CTI → Security Awareness
Without a common model, the discourse is usually generic:
“We need to train users against phishing.”
With CTI integrated into awareness, the discourse changes to:
“We are observing active campaigns that use HR pretexts and password reset links, exploiting Phishing and Valid Accounts techniques associated with groups that already attack companies in our sector.”
This change allows for:

  • Training based on real threats, not hypothetical scenarios
  • Simulations aligned with TTPs effectively used at the moment
  • More specific messages for the right areas, roles, and contexts
  • Awareness metrics connected to real risk, not just click rate

In August 2025, I presented a lecture specifically on how CTI can support awareness areas. Full presentation available at

True Crime: CTI as the Basis for Cybersecurity Education – Carlos Cabral | HumanConf 2025

ATT&CK in practice: concrete examples
Imagine the following scenario:

  • CTI identifies growing activity by a group that abuses valid credentials.
  • The behavior is mapped to the corresponding ATT&CK technique, Valid Accounts (T1078).

From this:

  • The SOC reviews anomalous authentications
  • The Red Team simulates abuse of legitimate accounts
  • The GRC evaluates MFA and identity controls
  • The Awareness team issues a specific bulletin for the case
  • Leadership understands why identity has become a priority

All of this using the same reference.

ATT&CK is not a checklist — it is context
A common mistake is to treat MITRE ATT&CK as:

  • A list of controls to implement
  • A spreadsheet of “complete coverage”

In practice, covering 100% of ATT&CK is unfeasible and unnecessary. The real value lies in:

  • Prioritizing techniques relevant to your risk profile
  • Understanding which stages of the attack you detect well (and which you don’t)
  • Guiding decisions based on real adversaries, instead of imagined ones
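The prioritization the list above describes, and the GRC statement earlier in this post about low coverage for exfiltration techniques, can be made concrete. The Python below is an added example, not code from Tempest or MITRE: it takes a constructed threat profile (which techniques the groups targeting a sector use) and a constructed detection inventory, classifies each technique's coverage (detected, inherited, partial, gap), ranks gaps by how many relevant groups use them, and rolls the result up per tactic. Technique and tactic IDs are real ATT&CK identifiers; the groups, rules and group-to-technique mappings are invented for the example, and the Navigator layer field names are assumed from memory of the layer format and should be checked against the current spec before use.

```python
"""Rank ATT&CK detection gaps against a CTI threat profile.
Added example. Technique and tactic IDs/names are real ATT&CK identifiers,
but GROUP_TTPS and DETECTIONS are constructed and are NOT real intelligence."""
from collections import Counter, defaultdict

# Constructed slice of the knowledge base: ID -> (name, tactic). Real ATT&CK
# lists several tactics for some techniques (T1078 is also Persistence,
# Privilege Escalation and Defense Evasion); one is kept here for brevity.
TECHNIQUES = {
    "T1566":     ("Phishing",                     "TA0001 Initial Access"),
    "T1078":     ("Valid Accounts",               "TA0001 Initial Access"),
    "T1003":     ("OS Credential Dumping",        "TA0006 Credential Access"),
    "T1003.001": ("LSASS Memory",                 "TA0006 Credential Access"),
    "T1021":     ("Remote Services",              "TA0008 Lateral Movement"),
    "T1021.002": ("SMB/Windows Admin Shares",     "TA0008 Lateral Movement"),
    "T1041":     ("Exfiltration Over C2 Channel", "TA0010 Exfiltration"),
}

# Constructed threat profile: techniques CTI attributes to groups that target
# our sector. Parent and sub-technique granularity is mixed, as in real reporting.
GROUP_TTPS = {
    "GroupA": ["T1566", "T1078", "T1003", "T1021.002", "T1041"],
    "GroupB": ["T1078", "T1003", "T1021.002"],
    "GroupC": ["T1566", "T1078", "T1041"],
}

# Constructed detection inventory: rule name -> ATT&CK tags on the rule.
DETECTIONS = {
    "EDR: LSASS memory read by non-system process": ["T1003.001"],
    "Mail gateway: credential-phishing URL": ["T1566"],
}


def parent(tid):
    """'T1021.002' -> 'T1021'; a parent technique maps to itself."""
    return tid.split(".")[0]


def coverage_status(tid, detections=DETECTIONS):
    """Classify one technique against the rule inventory:
    detected  - a rule is tagged with exactly this technique
    inherited - a rule covers the parent; confirm it fires on this variant
    partial   - rules cover some sub-techniques, not the parent as a whole
    gap       - nothing is tagged with it or any relative
    """
    tagged = {t for tags in detections.values() for t in tags}
    if tid in tagged:
        return "detected"
    if "." in tid and parent(tid) in tagged:
        return "inherited"
    if any("." in t and parent(t) == tid for t in tagged):
        return "partial"
    return "gap"


def technique_prevalence(group_ttps=GROUP_TTPS):
    """Number of profiled groups using each technique: the priority signal."""
    return Counter(t for ttps in group_ttps.values() for t in set(ttps))


def prioritized_gaps(group_ttps=GROUP_TTPS, detections=DETECTIONS):
    """Techniques without a direct detection, most-used-by-relevant-groups
    first. Returns [(technique_id, name, group_count, status), ...]."""
    rows = []
    for tid, n in technique_prevalence(group_ttps).items():
        status = coverage_status(tid, detections)
        if status != "detected":
            rows.append((tid, TECHNIQUES[tid][0], n, status))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def tactic_coverage(group_ttps=GROUP_TTPS, detections=DETECTIONS):
    """Per tactic, count threat-relevant techniques by coverage status. This is
    the figure a GRC statement such as 'low coverage for exfiltration' rests on."""
    out = defaultdict(Counter)
    for tid in technique_prevalence(group_ttps):
        out[TECHNIQUES[tid][1]][coverage_status(tid, detections)] += 1
    return {tactic: dict(c) for tactic, c in out.items()}


def navigator_layer(name, group_ttps=GROUP_TTPS, detections=DETECTIONS):
    """Minimal ATT&CK Navigator-style layer: score = number of profiled groups
    using a technique we do not detect directly. Field names are assumed from
    the Navigator layer format; verify against the current spec before importing."""
    techs = []
    for tid, n in sorted(technique_prevalence(group_ttps).items()):
        status = coverage_status(tid, detections)
        techs.append({"techniqueID": tid,
                      "score": 0 if status == "detected" else n,
                      "comment": f"{status}; used by {n} profiled group(s)"})
    return {"name": name, "domain": "enterprise-attack", "techniques": techs}


if __name__ == "__main__":
    for row in prioritized_gaps():
        print("%-10s %-28s groups=%d  %s" % row)
    print(tactic_coverage())
    print(navigator_layer("sector-threats-vs-detection"))
```

On the constructed data the top gap is Valid Accounts, used by all three profiled groups with nothing tagged against it, while Credential Dumping shows as partial because the only rule is tagged at the sub-technique level. That distinction matters in practice: a parent-level CTI report and a sub-technique-level rule look aligned on a spreadsheet, but whether the rule fires on the variant the group actually uses is something the Red Team has to validate.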

Why ATT&CK is essential for CTI
For Cyber Threat Intelligence, ATT&CK is the link between:

  • External observation (campaigns, groups, forums)
  • Internal action (detection, response, testing)

It allows for:

  • Standardizing reports
  • Facilitating intelligence dissemination
  • Increasing the adoption of CTI by technical teams
  • Transforming intelligence into operational decision-making

Without this, CTI runs the risk of becoming merely a producer of interesting, but not very actionable, reports.

To conclude
Cybersecurity is a collective effort.
And collective efforts, without a common language, end in confusion. In security, confusion is vulnerability. MITRE ATT&CK does not solve all problems — but it solves one of the most critical: alignment.
When everyone speaks the same language:

  • CTI becomes action
  • The SOC gains focus
  • The Red Team gains realism
  • The GRC gains clarity
  • The awareness team gains pragmatism
  • Leadership gains confidence
