Findings Without ATT&CK Context Feel Random
Clients increasingly expect MITRE ATT&CK mapping in penetration test reports. Mapping a Kerberoasting success to T1558.003 or lateral movement via SMB to T1021.002 helps defenders prioritize detections — not just patch single hosts.
How to Map Without Overdoing It
- Map the technique you used to achieve impact, not every recon sub-step
- Include tactic (Initial Access, Persistence, etc.) in the finding title or metadata
- Link ATT&CK IDs in appendix tables for SOC teams
- Avoid mapping informational findings; reserve ATT&CK IDs for proven exploitation paths
From Chain to ATT&CK Table
Attack Chain Builder steps map naturally to techniques: recon → T1595, credential access → T1110, execution → T1059. Export chains into Report Builder so ATT&CK references sit next to evidence instead of being added in a last-minute spreadsheet.
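The following Python example is added here; it is not from the original page and is not the data format of Attack Chain Builder or Report Builder. It applies the mapping rules above: informational findings are dropped, the tactic goes into the finding title, and each ATT&CK ID is linked in an appendix table next to its evidence. The `Finding` fields, the evidence IDs and the sample findings are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# ATT&CK technique IDs look like T1558 or T1558.003 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

@dataclass
class Finding:                 # hypothetical structure, not a tool's export format
    title: str
    tactic: str                # ATT&CK tactic name, e.g. "Credential Access"
    technique_id: str          # "" when the finding has no technique
    exploited: bool            # True only for a proven exploitation path
    evidence: str              # hypothetical evidence reference in the report

def attack_url(technique_id: str) -> str:
    """Build the attack.mitre.org link for a technique or sub-technique ID."""
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return "https://attack.mitre.org/techniques/" + technique_id.replace(".", "/") + "/"

def appendix_rows(findings):
    """Keep proven findings only: (titled finding, ID, link, evidence) per row."""
    rows = []
    for f in findings:
        if not f.exploited or not f.technique_id:
            continue  # informational findings stay out of the ATT&CK table
        rows.append((f"[{f.tactic}] {f.title}", f.technique_id,
                     attack_url(f.technique_id), f.evidence))
    return rows

def render_table(rows) -> str:
    """Render rows as a pipe-delimited plain-text table for the appendix."""
    lines = ["Finding | Technique | Reference | Evidence"]
    lines += [" | ".join(r) for r in rows]
    return "\n".join(lines)

# Constructed sample findings; titles and evidence IDs are made up.
SAMPLE = [
    Finding("Kerberoasting of service account", "Credential Access", "T1558.003", True, "EV-01"),
    Finding("Lateral movement via SMB", "Lateral Movement", "T1021.002", True, "EV-02"),
    Finding("Verbose server banner", "Reconnaissance", "", False, "EV-03"),
]

if __name__ == "__main__":
    print(render_table(appendix_rows(SAMPLE)))
```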