MITRE ATT&CK Assessment — Map Your Defenses to Real Adversary Behavior
Pick a real threat group. Execute their documented TTPs against your environment. Get an ATT&CK heatmap of what was caught, what was missed, and the specific detections to build next.
Why an ATT&CK-aligned engagement
A list of CVEs and CVSS scores does not tell you whether you can detect a real attack. The MITRE ATT&CK framework does — it catalogs the techniques actual threat groups use, and an ATT&CK assessment shows you which of those techniques succeed against your environment and which get caught.
If you have a SIEM, an EDR, a SOC (in-house or MSSP), or a cyber-insurance carrier asking pointed questions, you need an ATT&CK-aligned pentest. That is the gap this engagement fills.
What we assess
- Initial access — phishing, exposed services, supply chain, valid accounts
- Execution & persistence — scripting, services, scheduled tasks, registry
- Privilege escalation — token theft, exploit-for-priv-esc, abuse elevation
- Defense evasion — process injection, obfuscation, indicator removal
- Credential access — dumping, brute force, password spraying
- Discovery & lateral movement — network sniffing, remote services, pass-the-hash
- Collection & exfiltration — staging, channel choice, encryption
Methodology
We pick the threat profile that matches your industry — FIN7 for retail, APT41 for tech, ransomware affiliates for everyone. We then execute that group's documented TTPs against your environment, in coordination with your blue team (purple-team mode) or unilaterally (red-team mode).
Every technique attempted is logged with timestamp, source, target, and detection outcome. The deliverable is an ATT&CK heatmap showing exactly which techniques succeeded, which were detected, which were blocked, and which slipped past your stack quietly.
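To make the attempt log and the heatmap concrete, here is an added Python example. It is not the firm's tooling or any real engagement data: it assumes each attempt is recorded as one JSON line with the fields the text names (timestamp, source, target) plus a `succeeded` and a `detected` flag, and the hostnames and dates in the sample are constructed. Each attempt lands in one of three cells, blocked (the control stopped it), detected (it succeeded but the stack alerted), or missed (it succeeded quietly); the gap list is what a detection-engineering team would build against next.

```python
"""Aggregate a technique-attempt log into ATT&CK heatmap data and a detection-gap list."""
import json
from collections import defaultdict

# Constructed sample log: one JSON line per technique attempt, recording the
# fields the engagement captures (timestamp, source, target, outcome).
# Hostnames, dates and outcomes are hypothetical, not from a real engagement.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00Z", "tactic": "Execution", "technique": "T1059.001", "name": "PowerShell", "source": "ws-017", "target": "ws-017", "succeeded": true, "detected": true}
{"ts": "2024-03-04T09:40:00Z", "tactic": "Persistence", "technique": "T1053.005", "name": "Scheduled Task", "source": "ws-017", "target": "ws-017", "succeeded": true, "detected": false}
{"ts": "2024-03-04T10:05:00Z", "tactic": "Credential Access", "technique": "T1003.001", "name": "LSASS Memory", "source": "ws-017", "target": "ws-017", "succeeded": false, "detected": true}
{"ts": "2024-03-04T11:30:00Z", "tactic": "Credential Access", "technique": "T1110.003", "name": "Password Spraying", "source": "ws-017", "target": "dc-01", "succeeded": true, "detected": false}
{"ts": "2024-03-05T08:15:00Z", "tactic": "Credential Access", "technique": "T1110.003", "name": "Password Spraying", "source": "ws-022", "target": "dc-01", "succeeded": true, "detected": true}
{"ts": "2024-03-05T09:00:00Z", "tactic": "Lateral Movement", "technique": "T1550.002", "name": "Pass the Hash", "source": "ws-017", "target": "srv-fs-01", "succeeded": true, "detected": false}
{"ts": "2024-03-05T09:45:00Z", "tactic": "Defense Evasion", "technique": "T1055", "name": "Process Injection", "source": "srv-fs-01", "target": "srv-fs-01", "succeeded": false, "detected": true}
"""

OUTCOMES = ("blocked", "detected", "missed")


def parse_attempt_log(text):
    """Parse JSON-lines attempt records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(attempt):
    """Map one attempt to the heatmap's three cells.

    blocked  - the control stopped the technique (an alert alone is not a block)
    detected - the technique succeeded but the stack raised an alert
    missed   - the technique succeeded and nothing fired (the quiet gap)
    """
    if not attempt["succeeded"]:
        return "blocked"
    return "detected" if attempt["detected"] else "missed"


def build_heatmap(attempts):
    """tactic -> technique id -> {name, blocked, detected, missed} counts."""
    heat = defaultdict(dict)
    for a in attempts:
        cell = heat[a["tactic"]].setdefault(
            a["technique"], {"name": a["name"], "blocked": 0, "detected": 0, "missed": 0}
        )
        cell[classify(a)] += 1
    return dict(heat)


def detection_gaps(heatmap):
    """Techniques with at least one undetected success, worst first.

    A technique caught on one attempt and missed on another still counts:
    the detection is unreliable rather than absent.
    """
    gaps = []
    for tactic, techniques in heatmap.items():
        for tid, cell in techniques.items():
            if cell["missed"]:
                gaps.append((tactic, tid, cell["name"], cell["missed"]))
    return sorted(gaps, key=lambda g: (-g[3], g[1]))


def detection_rate(heatmap):
    """Share of successful attempts that were detected (blocked attempts excluded)."""
    detected = missed = 0
    for techniques in heatmap.values():
        for cell in techniques.values():
            detected += cell["detected"]
            missed += cell["missed"]
    return detected / (detected + missed) if detected + missed else 1.0


def render(heatmap):
    """Plain-text heatmap: one row per technique with counts per outcome."""
    lines = []
    for tactic in sorted(heatmap):
        lines.append(tactic)
        for tid, cell in sorted(heatmap[tactic].items()):
            counts = " ".join(f"{o}={cell[o]}" for o in OUTCOMES)
            lines.append(f"  {tid:<10} {cell['name']:<20} {counts}")
    return "\n".join(lines)


if __name__ == "__main__":
    hm = build_heatmap(parse_attempt_log(SAMPLE_LOG))
    print(render(hm))
    print(f"detection rate on successful techniques: {detection_rate(hm):.0%}")
    for tactic, tid, name, n in detection_gaps(hm):
        print(f"GAP {tid} {name} ({tactic}): {n} undetected success(es)")
```

The split between "blocked" and "detected" matters for the remediation list: a blocked technique is a prevention win, while a detected-but-successful one still needs a response playbook, and only the "missed" cells are true detection gaps. The detection rate deliberately excludes blocked attempts so that a hardened host cannot hide a silent SIEM.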
Process & timeline
- Threat profile selection (1 week)
- Engagement letter + rules of engagement (1 week)
- Execution (2 to 4 weeks depending on scope)
- Draft report + purple-team debrief
- Final report + detection-gap remediation tracking
Deliverables
- ATT&CK heatmap of techniques tested, succeeded, detected, and blocked
- Per-technique evidence — logs, screenshots, payloads
- Detection gap report with proposed alert rules
- Tabletop debrief with security team
- Executive summary + board-ready scorecard
- Optional purple-team workshops to tune detections post-engagement
- Attestation letter for cyber-insurance, auditors, or enterprise customers
Pricing
Fixed-fee per engagement. Typical MITRE ATT&CK assessment: $18k – $55k. Purple-team mode (continuous coordination with your defenders) at the higher end. Pure red-team (no coordination) at the lower end.
Reference engagements
Related work in production: an Active Directory pentest with documented attack chain mapped to MITRE ATT&CK techniques, and ProtectWithBri's web application coverage. Engagements served from Atlanta, Macon, Savannah, and Augusta.
FAQs
Is this a pentest or a red team?
It is closer to a red team or purple team, scoped to specific ATT&CK techniques rather than an open-ended, objective-based engagement. Most clients run it in purple-team mode so their defenders learn in real time.
Do you map findings to specific threat groups?
Yes. We pick a threat profile — real groups documented in ATT&CK — that matches your industry and threat model, and report results against those groups' actual TTPs.
Will this satisfy our cyber-insurance carrier?
ATT&CK-aligned assessments are increasingly the format insurers ask for. Our reports are formatted to drop into the response templates carriers use.
What if we do not have a SOC or EDR yet?
Then the assessment doubles as a baseline — it shows you which techniques succeed today and informs your detection-engineering roadmap. We have run this for clients building a security program from scratch.
Can you re-run the assessment annually?
Yes, and most ATT&CK clients put us on an annual cadence. Year-over-year heatmap trends are the cleanest way to show security program ROI to a board.
Red team reading
- What Is the MITRE ATT&CK Framework: tactics, techniques, and how red and blue teams use the matrix.
- Red Team vs Pen Test vs Audit: three engagement types, three buyer profiles, and when to use each.
- What Is Penetration Testing? A Founder's Buyer Guide: what a pentest actually is, the five types you can buy, and what a real report looks like.
Find out what your defenses actually catch.
Call William Beltz at (770) 652-1282 or book a scoping call. Purple-team or red-team, your call. Founder-led, audit-ready.