MITRE ATT&CK
What it is — MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques built from real-world observations, maintained by the MITRE Corporation. It organizes adversary behavior into Tactics (the adversary's objective, the "why") and Techniques (the method used to reach it, the "how") across the attack lifecycle, from reconnaissance through impact. ATT&CK is used for threat modeling, detection engineering, red teaming, and security gap analysis.
Appsec relevance — ATT&CK covers the full spectrum of adversary behavior, but several tactics and techniques bear directly on web application and API security: Reconnaissance, Initial Access (above all T1190, Exploit Public-Facing Application), and the Execution techniques an attacker reaches by exploiting an internet-facing application.
How Detectify Maps to MITRE ATT&CK
Detectify's DAST and ASM capabilities identify the weaknesses and exposures that techniques in a subset of ATT&CK tactics depend on. Coverage is strongest for techniques targeting web applications and internet-facing infrastructure; note that a scanner surfaces the weakness before it is exploited, it does not detect the adversary's activity itself.
Reconnaissance (TA0043)
| Technique | What it is | Detectify Capability | Coverage |
|---|---|---|---|
| T1595 — Active Scanning | Adversary scans victim IP blocks, ports, and services to identify targets and vulnerabilities | Surface Monitoring replicates attacker reconnaissance — scanning IP ranges, discovering hosts, enumerating subdomains. Gives defenders the same view an attacker would build | Full (defensive) |
| T1592 — Gather Victim Host Information | Adversary gathers information about victim hosts such as software, hardware, and configuration details | Surface Monitoring fingerprints technologies, frameworks, versions, and server software on external assets — the same information adversaries collect | Full (defensive) |
| T1593 — Search Open Websites/Domains | Adversary searches freely available websites and domains for information about victims | Surface Monitoring discovers subdomains and associated assets. Does not cover OSINT from social media or code repositories | Partial (defensive) |
| T1596 — Search Open Technical Databases | Adversary searches technical databases (DNS, WHOIS, certificates) for victim information | Surface Monitoring uses DNS, certificate transparency logs, and related data sources for asset discovery | Partial (defensive) |
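The T1596 row describes discovering assets from certificate transparency (CT) data. The following is an added illustration, not Detectify's code: it takes a constructed crt.sh-style JSON response (sample data, not real certificates), normalizes the names, keeps only hosts under the target apex, and diffs the result against an assumed asset inventory to surface the hosts an attacker would find that the defender did not know about. The apex `example.com`, the inventory, and the hostnames are all hypothetical.

```python
"""Passive asset discovery from certificate transparency data (ATT&CK T1596 / T1593).

Added example, not Detectify's own code. The CT response below is constructed
to look like crt.sh JSON output so the script runs offline.
"""
import json
import re

# Constructed sample shaped like a crt.sh JSON response. Not real data.
# Note the edge cases: newline-joined SANs, wildcard and mixed-case names,
# a trailing dot, an expired cert, and two look-alike domains out of scope.
CT_RESPONSE = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "*.Staging.Example.com", "not_after": "2025-06-01T00:00:00"},
    {"name_value": "api.example.com.", "not_after": "2026-03-01T00:00:00"},
    {"name_value": "old-jenkins.example.com", "not_after": "2024-02-01T00:00:00"},
    {"name_value": "example.com.attacker.net", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "notexample.com", "not_after": "2026-01-01T00:00:00"},
])

# Hypothetical inventory the defender believes is complete.
KNOWN_ASSETS = {"example.com", "www.example.com", "api.example.com"}

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize(name: str) -> str:
    """Lower-case, strip the trailing dot, and drop a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, apex: str) -> bool:
    """Accept the apex or any label under it; reject look-alikes such as
    example.com.attacker.net or notexample.com."""
    return name == apex or name.endswith("." + apex)


def hostnames_from_ct(raw_json: str, apex: str) -> set[str]:
    """Extract every in-scope hostname from a crt.sh-style JSON response.
    Expired certificates are kept on purpose: the host may still exist."""
    found = set()
    for entry in json.loads(raw_json):
        # crt.sh joins all SANs of one certificate with newlines.
        for candidate in entry["name_value"].split("\n"):
            name = normalize(candidate)
            if HOSTNAME_RE.match(name) and in_scope(name, apex):
                found.add(name)
    return found


def unknown_assets(discovered: set[str], inventory: set[str]) -> set[str]:
    """Hosts an attacker can find from public data that are missing from the inventory."""
    return discovered - {normalize(h) for h in inventory}


if __name__ == "__main__":
    hosts = hostnames_from_ct(CT_RESPONSE, "example.com")
    for host in sorted(hosts):
        print(host)
    print("not in inventory:", sorted(unknown_assets(hosts, KNOWN_ASSETS)))
```

Against a live source the only change is replacing `CT_RESPONSE` with the HTTP body; the scope check matters because CT queries on a domain name routinely return certificates for unrelated look-alike domains.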
Discovery (TA0007)
| Technique | What it is | Detectify Capability | Coverage |
|---|---|---|---|
| T1046 — Network Service Discovery | Adversary discovers running services on remote hosts to identify exploitable services | Surface Monitoring discovers and fingerprints all externally running services, giving defenders the same view network service discovery would reveal | Full (defensive) |
Initial Access (TA0001)
| Technique | What it is | Detectify Capability | Coverage |
|---|---|---|---|
| T1190 — Exploit Public-Facing Application | Adversary exploits a vulnerability in an internet-facing application to gain access | Core Detectify capability: Application Scanning, API Scanning, and Surface Monitoring identify exploitable vulnerabilities in public-facing applications across many CWE classes (injection, authentication and access control flaws, misconfigurations) | Full |
| T1078 — Valid Accounts | Adversary obtains and uses existing account credentials to gain access | Default credential detection and authentication bypass testing (CWE-287, CWE-306). Credential theft and reuse by other means are out of scope | Partial |
Execution (TA0002)
| Technique | What it is | Detectify Capability | Coverage |
|---|---|---|---|
| T1059 — Command and Scripting Interpreter | Adversary abuses command and script interpreters to execute commands and scripts | OS command injection (CWE-78) and code injection (CWE-94) detection find the injection points through which a web request reaches an interpreter. Interpreter abuse on an already compromised host is not observed by DAST | Partial |
| T1203 — Exploitation for Client Execution | Adversary exploits software vulnerabilities in client applications to execute code | XSS detection (CWE-79) finds application flaws that result in attacker-controlled script running in the victim's browser. ATT&CK defines T1203 around vulnerabilities in the client software itself (browsers, document readers), so the mapping is approximate | Partial |
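The T1190 and T1059 rows above turn on one mechanism: a request parameter reaching a command interpreter. The following added example (not Detectify's scanner) shows how a DAST check for CWE-78 works in practice. A deliberately vulnerable handler and its hardened counterpart stand in for an HTTP endpoint that runs a shell command with a user-supplied host name; they are called in-process rather than over HTTP so the example runs offline. The check injects a canary whose output (`dast5555`) is computed by the shell and never appears literally in the payload, so a page that merely reflects the input does not produce a false positive. It assumes a POSIX `/bin/sh`; the handler names and payloads are the example's own.

```python
"""Echo-canary check for OS command injection (CWE-78), the T1190 weakness
through which a request reaches a command interpreter (T1059).

Added example, not Detectify's own scanner. Assumes a POSIX /bin/sh, since the
canary relies on shell arithmetic expansion.
"""
import re
import subprocess

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_handler(host: str) -> str:
    """Deliberately vulnerable: user input is spliced into a shell command string."""
    cmd = f"echo Checking {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_handler(host: str) -> str:
    """Fixed form: allow-list the input and pass argv as a list so no shell parses it."""
    if not HOSTNAME_RE.match(host):
        return "invalid host\n"
    return subprocess.run(["echo", "Checking", host], capture_output=True, text=True).stdout


def detect_command_injection(handler, base_value: str = "example.com") -> bool:
    """Return True if any injection payload makes the handler evaluate the canary.

    The canary is 'dast' followed by a sum the shell computes. The payload
    contains 'dast$((1234+4321))', so seeing 'dast5555' in the response proves
    execution rather than reflection.
    """
    a, b = 1234, 4321
    canary = f"dast{a + b}"
    expansion = f"echo dast$(({a}+{b}))"
    payloads = [
        f"{base_value};{expansion}",      # command separator
        f"{base_value}|{expansion}",      # pipe into a new command
        f"{base_value}`{expansion}`",     # command substitution in an unquoted context
    ]
    for payload in payloads:
        if canary in handler(payload):
            return True
    return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(f"{name}: command injection = {detect_command_injection(handler)}")
```

The hardened handler is rejected by both layers of the fix: the allow-list refuses the metacharacters, and even an input that passed it would be delivered to `echo` as a single argument, never to a shell.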
Credential Access (TA0006)
| Technique | What it is | Detectify Capability | Coverage |
|---|---|---|---|
| T1212 — Exploitation for Credential Access | Adversary exploits software vulnerabilities to collect credentials | Detects vulnerabilities that could lead to credential theft: information exposure (CWE-200), cleartext storage (CWE-312), sensitive data in error messages (CWE-209) | Partial |
Collection (TA0009)
| Technique | What it is | Detectify Capability | Coverage |
|---|---|---|---|
| T1213 — Data from Information Repositories | Adversary uses information repositories (wikis, databases, file shares) to mine valuable data | Detects exposed information repositories, directory listings (CWE-548), and sensitive file exposure (CWE-538) | Partial |
What Detectify Covers
Detectify's strongest ATT&CK alignment is with T1190 — Exploit Public-Facing Application, one of the most common initial access techniques. The DAST testing suite — Application Scanning, API Scanning, and Internal Scanning — identifies and validates exploitable vulnerabilities so they can be fixed before adversaries use them.
Surface Monitoring provides defensive coverage for the Reconnaissance and Discovery tactics by finding the same hosts, services, and technology fingerprints an adversary would discover, allowing organizations to reduce their exposed attack surface.
Coverage is limited to techniques involving web applications, APIs, and internet-facing infrastructure. ATT&CK techniques targeting endpoints, networks, Active Directory, cloud infrastructure, and other domains are outside DAST scope.
Complementary Tools You May Need
- EDR / endpoint protection — For Execution, Persistence, and Lateral Movement techniques
- SIEM — For detection across all ATT&CK tactics
- Network detection and response (NDR) — For network-based techniques
- Cloud security posture management (CSPM) — For cloud-specific techniques
- Identity threat detection — For Credential Access and Privilege Escalation
- Red teaming / adversary simulation — For comprehensive ATT&CK coverage assessment