
TL;DR - MITRE ATT&CK is vast, and most tools consume it through only the direct group-to-technique relationship, missing up to 76% of actual technique coverage. MITRESaw solves this by traversing all three STIX attribution paths - direct, via software, and via campaign - then extracting concrete indicators (ports, registry keys, event IDs, CVEs, commands) and mapping them to log sources.
The MITRE ATT&CK framework is the industry standard for understanding adversary behaviour. It catalogues 14 tactics, 216 techniques, and 475 sub-techniques across Enterprise alone, with 172 tracked threat groups using 784 known software tools - and that is just ATT&CK v18.1 (November 2025). The framework is extraordinarily comprehensive. It is also, for most security teams, extraordinarily difficult to operationalise.
MITRESaw was built to solve that problem. It cuts through the full breadth of ATT&CK and extracts the specific identifiers, indicators, and detection mappings your team actually needs - filtered by the threat groups, platforms, and industries relevant to you - then outputs ready-to-use search queries for Splunk, Azure Sentinel, and Elastic/Kibana.
This post walks through the real problems MITRESaw addresses, with concrete examples drawn from three very different threat groups: APT29 (Russian state espionage), Wizard Spider (financially motivated ransomware), and Lazarus Group (North Korean state-sponsored operations).
<aside> 📌
Note: MITRESaw’s extraction core also powers Archer, a detection engineering platform that takes these indicators further - generating production-ready YAML detections, multi-stage correlations, and AI-enhanced queries across Splunk, Sentinel, Elastic, and Google SecOps.
</aside>
MITRE ATT&CK is a knowledge base, not a detection tool. When a SOC analyst or detection engineer opens the ATT&CK website, they are met with hundreds of techniques, thousands of procedure examples, and dense descriptions that mix operational context with technical detail. Extracting actionable intelligence from this data requires significant manual effort:
For a single technique applied by a single group, answering these questions might take 15–30 minutes of careful reading and cross-referencing. Multiply that across the dozens of techniques used by a single adversary, and the task becomes impractical without automation.
There is also a deeper, less obvious problem: most tools that parse ATT&CK data are silently incomplete. This was a critical discovery made during the development of Archer, a detection engineering platform that shares MITRESaw’s extraction core. MITRE attributes techniques to groups through three distinct STIX relationship paths:
| Path | Relationship | Example |
|---|---|---|
| Direct | Group uses Technique | APT29 uses T1059.001 PowerShell |
| Via Software | Group uses Tool, Tool uses Technique | Wizard Spider uses Cobalt Strike, Cobalt Strike uses T1055 Process Injection |
| Via Campaign | Campaign attributed to Group, Campaign uses Technique | Operation Dream Job attributed to Lazarus Group, campaign uses T1566.002 Spearphishing Link |

Most ATT&CK parsers follow only the first of these paths, the direct group-uses-technique relationship. The result? For a group like Scattered Spider (G1015), a direct-only STIX extraction yields just 78 techniques - 50% of actual coverage. Following all three paths reveals 155 techniques. MITRESaw and Archer both traverse all three paths, ensuring complete coverage.
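The three paths in the table, walked over a STIX 2.x bundle shaped like MITRE's enterprise-attack.json, as an added example that is not MITRESaw's or Archer's own code. It assumes ATT&CK's object types (intrusion-set, tool/malware, campaign, attack-pattern) and relationship types ("uses", "attributed-to"), and the bundle it runs on is a constructed miniature, not real ATT&CK data.

```python
from collections import defaultdict

def group_techniques(bundle, group_name):
    # ATT&CK bundles keep revoked and deprecated objects; drop them before walking edges.
    objs = {o["id"]: o for o in bundle["objects"]
            if not (o.get("revoked") or o.get("x_mitre_deprecated"))}
    uses, campaigns_of = defaultdict(set), defaultdict(set)
    for o in objs.values():  # ignore edges that touch a dropped object
        if o["type"] == "relationship" and o["source_ref"] in objs and o["target_ref"] in objs:
            if o["relationship_type"] == "uses":
                uses[o["source_ref"]].add(o["target_ref"])
            elif o["relationship_type"] == "attributed-to":  # campaign -> group
                campaigns_of[o["target_ref"]].add(o["source_ref"])
    gid = next(o["id"] for o in objs.values()
               if o["type"] == "intrusion-set" and o["name"] == group_name)
    found = defaultdict(set)  # technique ID -> set of paths that reach it
    def record(targets, path):
        for t in (x for x in targets if objs[x]["type"] == "attack-pattern"):
            found[next(r["external_id"] for r in objs[t]["external_references"]
                       if r.get("source_name") == "mitre-attack")].add(path)
    record(uses[gid], "direct")                                   # Path 1
    for sw in uses[gid]:
        if objs[sw]["type"] in ("malware", "tool"):
            record(uses[sw], "via-software")                      # Path 2
    for camp in campaigns_of[gid]:
        record(uses[camp], "via-campaign")                        # Path 3
    return dict(found)

def _sdo(type_, id_, name, **extra):  # constructed STIX object; T-number sits in the external reference
    refs = [{"source_name": "mitre-attack", "external_id": name}] if type_ == "attack-pattern" else []
    return {"type": type_, "id": f"{type_}--{id_}", "name": name, "external_references": refs, **extra}

def _rel(kind, src, dst):  # constructed STIX relationship object
    return {"type": "relationship", "id": f"relationship--{src}-{dst}",
            "relationship_type": kind, "source_ref": src, "target_ref": dst}

# Constructed miniature bundle, not real ATT&CK data: one group, one tool, one campaign.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _sdo("intrusion-set", "g1", "Example Group"), _sdo("tool", "s1", "Example Tool"),
    _sdo("campaign", "c1", "Example Campaign"), _sdo("attack-pattern", "t1", "T1059.001"),
    _sdo("attack-pattern", "t2", "T1055"), _sdo("attack-pattern", "t3", "T1566.002"),
    _sdo("attack-pattern", "t4", "T1000", revoked=True),            # must not be counted
    _rel("uses", "intrusion-set--g1", "attack-pattern--t1"),         # Path 1
    _rel("uses", "intrusion-set--g1", "attack-pattern--t4"),         # edge into revoked object
    _rel("uses", "intrusion-set--g1", "tool--s1"),
    _rel("uses", "tool--s1", "attack-pattern--t2"),                  # Path 2
    _rel("uses", "tool--s1", "attack-pattern--t1"),                  # T1059.001 again, via software
    _rel("attributed-to", "campaign--c1", "intrusion-set--g1"),
    _rel("uses", "campaign--c1", "attack-pattern--t3"),              # Path 3
]}
```

Calling `group_techniques(SAMPLE_BUNDLE, "Example Group")` returns three techniques, with T1059.001 reached by two paths and the revoked T1000 excluded; a direct-only parser would report only one.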