Helping Cyber Defenders “Decide” to Use MITRE ATT&CK


Bonnie Limmer, Chief of Production, Joint Cyber Defense Collaborative, CISA

Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK® Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support the cybersecurity community with more than just optimized cyber threat intelligence. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool.


This tool walks users through a mapping process, asking them a series of guided questions about adversary activity to help them arrive at the correct tactic, technique, or sub-technique. Along with the tool, users are also provided with a fact sheet and brief video that will familiarize them with key features and capabilities of Decider.

Key features include guided questions about adversary activity in plain language to help users confirm they are mapping correctly, and powerful search and filter functionality that lets users focus on what is most relevant to their analysis.

Why was Decider developed?

Many stakeholders communicated that they either did not know how to start mapping to ATT&CK, or they were unsure if they were accurately mapping adversary behavior. CISA partnered with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), which worked with the MITRE ATT&CK team, to develop a tool that was easy to understand with minimal technical language and could help users quickly and properly go through the framework steps.

Decider is currently compatible with Enterprise ATT&CK versions 11.0 and 12.0.

Updates to CISA’s mapping guide

CISA’s recent update of Best Practices for MITRE ATT&CK® Mapping, completed in partnership with HSSEDI, incorporates significant updates of MITRE ATT&CK version 9 through version 12. Some of the updates include expansion of macOS and Linux coverage; increased equity between the industrial control systems (ICS), mobile, and enterprise matrices; addition of adversary campaigns; and redefined data sources and detections.


In nearly every Cybersecurity Advisory and Risk and Vulnerability Assessment report, CISA provides adversary behavior mapped to the MITRE ATT&CK framework. Our intent is to help more cybersecurity partners, whether novice or seasoned cyber defenders, get into the routine practice of using MITRE ATT&CK, because a common lexicon does make a difference for the organization and the broader community. When correctly applied, the ATT&CK framework allows users to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, and validate mitigation controls.

As cyber adversaries evolve, incorporate malicious campaigns, and seek to disrupt, destroy, or disable systems of U.S. and international critical infrastructure and governments, CISA will continue to work closely with like-minded domestic and international partners to ensure our resources, tools, and advisories are timely, accurate, and useful.