Threat Hunting · ATT&CK

Using MITRE ATT&CK to Prioritize Your Hunt Backlog

ATT&CK is more than a tagging taxonomy. Used correctly, it's a coverage map that tells you exactly where your hunting program has blind spots — and which ones matter most given your threat profile.

Saeyon Labs
September 22, 2025 · 9 min read

ATT&CK as a Coverage Map, Not a Checklist

Most teams use MITRE ATT&CK as a labelling exercise. A hunt completes, someone tags it with a tactic, and the tag gets filed away. The framework becomes a taxonomy, not a tool.

The more powerful use of ATT&CK is as a continuous coverage map — a living picture of which adversary behaviours your team has actively hunted, which you've only partially covered, and which remain complete blind spots.

Building Your Coverage Heatmap

Start by cataloguing every hunt your team has completed in the past 12 months. For each hunt, identify the primary ATT&CK techniques it addressed — not just the tactic, but the specific technique (T-number) and where possible the sub-technique.

Now plot these on the ATT&CK matrix. What you'll see is almost always the same: dense coverage in a handful of familiar areas (often Execution and Persistence, because that's where detection rules already exist), and large uncovered regions in areas like Defense Evasion, Collection, and Exfiltration.

This heatmap is your backlog prioritization engine.

Layering Threat Intelligence

A coverage heatmap alone doesn't tell you which gaps matter most. For that, you need to layer in your threat profile — who is likely targeting your organization, and what techniques do they actually use?

Cross-reference your coverage gaps against the ATT&CK Groups and Software pages for adversaries relevant to your sector. A gap in T1055 (Process Injection) is very different depending on whether Lazarus Group or a commodity ransomware operator is your primary threat.

The techniques where your coverage is lowest AND your threat profile is highest — those are your highest priority hypotheses.
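The two steps above (build the coverage heatmap, then weight its gaps by threat profile) can be scripted directly. The block below is an added example, not code from this post or from Vel: it takes a constructed list of completed hunts tagged with technique IDs, counts hunts per technique (a sub-technique hunt also counts toward its parent), weights each technique by the adversaries in a constructed threat profile, and scores priority as threat weight times the remaining coverage gap. The adversary technique lists are illustrative subsets, not the real ATT&CK Groups data; the `saturation` cutoff (three hunts counts as fully covered) and the Navigator version strings are assumptions you should tune to your own program and install.

```python
"""Coverage-driven hunt prioritization against ATT&CK (added example, not Vel code)."""
from collections import Counter, defaultdict
import json

# Constructed sample: hunts completed in the last 12 months, each tagged with
# the specific techniques / sub-techniques it actually tested.
HUNTS = [
    {"id": "H-001", "techniques": ["T1059.001", "T1053.005"]},
    {"id": "H-002", "techniques": ["T1059.001", "T1547.001"]},
    {"id": "H-003", "techniques": ["T1547.001"]},
    {"id": "H-004", "techniques": ["T1021.001"]},
    {"id": "H-005", "techniques": ["T1059.003"]},
]

# Constructed threat profile: adversaries relevant to your sector, a weight for
# how likely each is to target you, and an ILLUSTRATIVE subset of techniques.
# Real technique lists come from the ATT&CK Groups/Software pages or STIX bundle.
THREAT_PROFILE = {
    "Lazarus Group": {
        "weight": 0.6,
        "techniques": ["T1055.001", "T1059.001", "T1566.001", "T1027", "T1071.001"],
    },
    "Commodity ransomware": {
        "weight": 1.0,
        "techniques": ["T1486", "T1490", "T1059.001", "T1021.001", "T1567.002", "T1027"],
    },
}


def _with_parents(technique_ids):
    """Expand a list of IDs so each sub-technique also contributes to its parent."""
    expanded = set()
    for tid in technique_ids:
        expanded.add(tid)
        expanded.add(tid.split(".")[0])
    return expanded


def coverage(hunts):
    """Number of distinct hunts that touched each technique (the heatmap data)."""
    counts = Counter()
    for hunt in hunts:
        counts.update(_with_parents(hunt["techniques"]))
    return counts


def threat_weight(profile):
    """Sum of adversary weights per technique: higher means more of your threats use it."""
    weights = defaultdict(float)
    for group in profile.values():
        for tid in _with_parents(group["techniques"]):
            weights[tid] += group["weight"]
    return dict(weights)


def prioritize(hunts, profile, saturation=3):
    """Priority = threat weight x remaining coverage gap.

    gap is 1.0 for a technique never hunted and 0.0 once it has been hunted
    `saturation` times (assumed cutoff). Techniques no adversary in the profile
    uses never appear: they are gaps, but not gaps that matter.
    """
    cov = coverage(hunts)
    rows = []
    for tid, weight in threat_weight(profile).items():
        hunted = cov.get(tid, 0)
        gap = 1.0 - min(hunted, saturation) / saturation
        rows.append({"technique": tid, "threat": weight, "hunts": hunted,
                     "priority": round(weight * gap, 3)})
    rows.sort(key=lambda r: (-r["priority"], r["technique"]))
    return rows


def navigator_layer(rows, name="Hunt backlog priority"):
    """Render the scores as an ATT&CK Navigator layer so they plot on the matrix.

    Field names follow the Navigator layer format; the version strings are
    assumptions, set them to match your Navigator deployment.
    """
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": r["technique"], "score": r["priority"],
             "comment": f"{r['hunts']} hunt(s) in last 12 months"}
            for r in rows
        ],
        "gradient": {"colors": ["#ffffff", "#ff4d4d"], "minValue": 0,
                     "maxValue": max((r["priority"] for r in rows), default=1)},
    }


if __name__ == "__main__":
    backlog = prioritize(HUNTS, THREAT_PROFILE)
    for row in backlog[:6]:
        print(f"{row['technique']:<10} threat={row['threat']:.1f} "
              f"hunts={row['hunts']} priority={row['priority']}")
    with open("hunt_priority_layer.json", "w") as fh:
        json.dump(navigator_layer(backlog), fh, indent=2)
```

Running this ranks T1027 (used by both constructed adversaries, never hunted) at the top, the ransomware-only impact and exfiltration techniques next, and pushes T1059.001 down because it has already been hunted twice despite its high threat weight; T1059 itself drops to zero at the saturation cutoff. Loading the JSON into ATT&CK Navigator gives the heatmap the previous section describes, coloured by priority rather than raw hunt count.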

Operationalizing This in Practice

The manual version of this workflow takes days. You're pulling hunt logs from disparate sources, mapping them to ATT&CK manually, cross-referencing threat intel, and assembling a report in a slide deck that will be outdated by the time the CISO reads it.

The automated version — which is what Vel's Leadership Dashboard is designed to provide — makes this a live view. Every hunt automatically maps to ATT&CK. Coverage gaps update in real time. The heatmap is always current.

Whether you build this infrastructure manually or use a purpose-built platform, the discipline of coverage-driven hunt prioritization is the difference between a program that hunts what's comfortable and one that hunts what matters.

From Saeyon Labs

Ready to put this into practice?

Vel is the workbench that makes these workflows operational — hypothesis tracking, evidence management, query federation, and leadership visibility in one place.