ATT&CK is the canonical taxonomy of what attackers actually do — derived from observed incidents, organised into tactics (the 'why') and techniques (the 'how'). For web work the relevant tactics are Initial Access, Credential Access, Lateral Movement, and Exfiltration. Mapping your detection coverage to ATT&CK techniques is how mature security teams prove they're not just patching whatever's loudest.
A real attacker chain on a web app might be: T1190 (Exploit Public-Facing Application) → T1071 (Application Layer Protocol C2) → T1003 (OS Credential Dumping) → T1041 (Exfiltration over C2). Each ID has a description, real-world examples, and recommended detections.
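To make the coverage-mapping idea concrete, the following added example (not part of the original lesson) checks a detection-rule inventory against the chain above and reports which steps have no enabled detection. The rule names and inventory are constructed for illustration; the tag format assumes the Sigma-style `attack.tNNNN` convention.

```python
import re

# Attack chain from the lesson: (technique ID, name, ATT&CK tactic).
CHAIN = [
    ("T1190", "Exploit Public-Facing Application", "Initial Access"),
    ("T1071", "Application Layer Protocol", "Command and Control"),
    ("T1003", "OS Credential Dumping", "Credential Access"),
    ("T1041", "Exfiltration Over C2 Channel", "Exfiltration"),
]

# Constructed rule inventory (hypothetical names); tags are assumed to
# follow the Sigma-style "attack.tNNNN[.NNN]" convention.
RULES = [
    {"name": "waf_sqli_burst", "tags": ["attack.t1190", "attack.initial_access"], "enabled": True},
    {"name": "lsass_handle_open", "tags": ["attack.t1003.001"], "enabled": True},
    {"name": "beacon_interval_http", "tags": ["attack.t1071.001"], "enabled": False},
    {"name": "untagged_legacy_rule", "tags": [], "enabled": True},
]

TAG_RE = re.compile(r"^attack\.(t\d{4})(?:\.\d{3})?$", re.IGNORECASE)

def techniques(rule):
    """Parent technique IDs a rule claims; sub-techniques roll up to the parent."""
    return {m.group(1).upper() for t in rule["tags"] if (m := TAG_RE.match(t))}

def coverage(chain, rules):
    """Map each chain step to the enabled rules that detect it."""
    result = {tid: [] for tid, _, _ in chain}
    for rule in rules:
        if not rule["enabled"]:
            continue  # a disabled rule is not coverage
        for tid in techniques(rule) & set(result):
            result[tid].append(rule["name"])
    return result

def gaps(chain, rules):
    """Chain steps with no enabled detection, in attack order."""
    cov = coverage(chain, rules)
    return [(tid, tactic) for tid, _, tactic in chain if not cov[tid]]

def untagged(rules):
    """Rules that cannot be counted toward any technique."""
    return [r["name"] for r in rules if not techniques(r)]

if __name__ == "__main__":
    cov = coverage(CHAIN, RULES)
    for tid, name, tactic in CHAIN:
        print(f"{tid} {tactic:20} {name:35} {', '.join(cov[tid]) or 'GAP'}")
    print("untagged rules:", untagged(RULES))
```

Disabled and untagged rules are reported separately because both inflate a coverage claim without detecting anything.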
Use these three prompts in order. Each builds on the one before.
In one paragraph, describe ATT&CK and how it differs from a vulnerability list.
Walk me through using ATT&CK to plan a detection roadmap for a web product.
Some critics argue ATT&CK over-emphasises post-exploit and under-emphasises initial access. Where do you agree, where not?