ShadowMap

Appearance

MITRE ATT&CK

ShadowMap maps threat intelligence data to the MITRE ATT&CK framework, providing a visual matrix and sortable list of tactics and techniques used by threat actors relevant to your organization. The matrix includes a heat map based on actor intensity and an optional coverage overlay that lets you mark which techniques your defenses cover -- revealing gaps in your detection posture.

Overview

MITRE ATT&CK

View Modes

The page supports two views, toggled via buttons in the header:

  • Matrix View -- Visual ATT&CK matrix with tactics as columns and techniques as cells, color-coded by actor intensity. This is the primary view.
  • List View -- Sortable table of all techniques with filters. Best for searching and bulk review.

Matrix View

Reading the Matrix

  • Columns represent ATT&CK tactics -- the attacker's goal at each stage (Reconnaissance, Initial Access, Execution, Persistence, etc.)
  • Cells represent techniques -- specific methods used to achieve those goals
  • Each cell shows the technique's MITRE ID and name
  • A count badge on each tactic header shows how many techniques fall under it

Heat Map

Cells are color-coded by actor intensity -- how many tracked threat actors are known to use each technique:

ColorIntensityMeaning
No colorNoneNo tracked actors use this technique
Light shadeLowA small number of actors use this technique
Medium shadeMediumMultiple actors use this technique
Dark shadeHighMany actors use this technique
Darkest shadeCriticalA large number of actors use this technique -- high priority for detection

Hover over any cell to see a tooltip with the technique's MITRE ID, name, and exact actor count.

Coverage Overlay

Click the Coverage button in the header to enable the coverage overlay. When active:

  • Covered techniques show a shield icon and green border -- these are techniques your team has marked as having detection or prevention controls
  • Gap techniques show a red indicator -- these are techniques without coverage
  • Right-click any technique cell to toggle its coverage status
  • The legend updates to show both the heat map and coverage indicators

The coverage overlay persists across sessions, building a living map of your defensive posture.

List View

The list view presents techniques in a filterable, sortable table:

ColumnDescription
IDMITRE ATT&CK technique ID (e.g., T1059, T1566.001)
NameTechnique name (e.g., Command and Scripting Interpreter, Spearphishing Attachment)
TacticThe ATT&CK tactic this technique belongs to
PlatformsOperating systems and platforms where this technique applies
ActorsCount of threat actors known to use this technique

Filters (List View)

FilterOptions
TacticFilter by ATT&CK tactic
PlatformFilter by target platform (Windows, Linux, macOS, etc.)
SearchFree-text search across technique IDs and names

Export (List View)

Click the export button to download the current filtered technique list as an Excel file.

How to Use the ATT&CK Matrix

Use CaseHow
Identify gapsEnable coverage overlay. Techniques with high actor intensity but no coverage are your highest-priority detection gaps.
Prioritize detectionsFocus on Initial Access and Persistence techniques used by actors targeting your sector -- stopping or detecting attackers early is the most cost-effective defense.
Brief stakeholdersUse the matrix view in board presentations for at-a-glance coverage. Export the list view for compliance audit evidence.
Map to controlsCross-reference techniques with NIST CSF, CIS Controls, ISO 27001, or PCI DSS to validate control effectiveness.
Purple teamingSelect techniques from actors targeting your sector, build attack chains across tactics, test whether detections fire, and update coverage based on results.

ShadowMap by Security Brigade

Copyright 2024-present Security Brigade