
The Azure Security Podcast Episode 125: Origins of MITRE ATT&CK
Feb 27, 2026
Blake Strom is a cybersecurity researcher who founded MITRE ATT&CK and has worked at MITRE and Microsoft. He recounts the origins of ATT&CK in MITRE's Fort Meade experiment, how red/blue tests shaped the ATT&CK matrix, and why sub-techniques were added. He also discusses ATT&CK Evaluations, common misuses of the framework, and the project's unexpected rise in influence.
ATT&CK Focuses On Observed Adversary Behavior
- ATT&CK is a knowledge base of observed attacker tactics, techniques, and procedures focused on what adversaries actually do rather than theoretical possibilities.
- Blake Strom created it from MITRE's Fort Meade experiment to shift detection from IOCs to behavior-based sensing on internal networks.
Fort Meade Experiment Drove ATT&CK's Origins
- MITRE ran the Fort Meade experiment using a live corporate network with red teams performing operations and blue teams trying to detect them.
- Early sensor tooling resembled Sysmon, and the teams mapped red-team actions to Splunk analytics to find where the defenders had gaps.
Use ATT&CK To Map Purpose To Concrete Defenses
- Use the ATT&CK matrix as a common language that links an adversary's purpose (the tactic) to the concrete techniques that serve it, and from there to the detections and mitigations that address each technique.
- Drill into individual technique pages for platform specifics, procedure examples from real intrusions, and the suggested detections and mitigations.
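The red-team-action-to-analytic mapping from the Fort Meade experiment and the tactic-to-technique-to-detection linkage above, as a small added example (not code from the podcast, MITRE, or Microsoft). The technique and tactic IDs are real ATT&CK IDs, but the five-entry subset of the knowledge base, the red-team operation log, the key=value Sysmon-style events, and the three analytics are all constructed for illustration; a real tool would load the full ATT&CK STIX bundle that MITRE publishes and read events from the SIEM. The point it shows is the one the episode stresses: a technique the red team executed is only "covered" if an analytic tagged with that technique actually fired, and the report has to distinguish "no analytic written" from "analytic exists but missed".

```python
import re
from collections import defaultdict

# Constructed subset of ATT&CK: technique ID -> (name, tactic ID). Real IDs.
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "TA0001"),
    "T1059.001": ("PowerShell", "TA0002"),
    "T1053.005": ("Scheduled Task", "TA0003"),
    "T1003.001": ("LSASS Memory", "TA0006"),
    "T1021.002": ("SMB/Windows Admin Shares", "TA0008"),
}
TACTICS = {
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0006": "Credential Access", "TA0008": "Lateral Movement",
}

# Constructed red-team operation log: what red actually did, tagged by technique.
RED_TEAM_ACTIONS = [
    ("T1566.001", "emailed macro-enabled invoice to finance"),
    ("T1059.001", "ran encoded PowerShell stager"),
    ("T1053.005", "persisted via scheduled task"),
    ("T1003.001", "dumped LSASS with a custom tool"),
    ("T1021.002", "copied payload to ADMIN$ on a file server"),
]

# Constructed Sysmon-style events (IDs 1/3/10 are real Sysmon event types,
# the key=value layout is a simplification, not Sysmon's XML).
SAMPLE_EVENTS = r'''
EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute"
EventID=10 SourceImage=C:\Users\Public\dump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=3 Image=C:\Users\Public\u.exe DestinationIp=10.0.0.7 DestinationPort=445
'''.strip().splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value event line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

# Detection analytics, each tagged with the technique it is meant to catch.
# The T1021.002 rule is deliberately too narrow (only net.exe) to show a miss.
ANALYTICS = {
    "T1059.001": lambda e: e.get("EventID") == "1"
        and e.get("Image", "").lower().endswith("powershell.exe")
        and "-enc" in e.get("CommandLine", "").lower(),
    "T1003.001": lambda e: e.get("EventID") == "10"
        and e.get("TargetImage", "").lower().endswith("lsass.exe")
        and bool(int(e.get("GrantedAccess", "0"), 16) & 0x10),  # PROCESS_VM_READ
    "T1021.002": lambda e: e.get("EventID") == "3"
        and e.get("DestinationPort") == "445"
        and e.get("Image", "").lower().startswith(r"c:\windows\system32\net"),
}

def run_analytics(events):
    """Return the set of technique IDs whose analytic fired on any event."""
    fired = set()
    for e in events:
        for tid, rule in ANALYTICS.items():
            if rule(e):
                fired.add(tid)
    return fired

def coverage_report(red_actions, events):
    """Per red-team technique: detected / analytic missed / no analytic."""
    fired = run_analytics(events)
    report = {}
    for tid, note in red_actions:
        if tid in fired:
            status = "detected"
        elif tid in ANALYTICS:
            status = "analytic missed"
        else:
            status = "no analytic"
        name, tactic_id = TECHNIQUES[tid]
        report[tid] = {"name": name, "tactic": TACTICS[tactic_id],
                       "status": status, "red_team": note}
    return report

def gaps_by_tactic(report):
    """Group undetected techniques under the tactic (purpose) they serve."""
    gaps = defaultdict(list)
    for tid, r in report.items():
        if r["status"] != "detected":
            gaps[r["tactic"]].append(tid)
    return dict(gaps)

if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    rep = coverage_report(RED_TEAM_ACTIONS, events)
    for tid, r in rep.items():
        print(f"{tid:<10} {r['tactic']:<18} {r['name']:<28} {r['status']}")
    print("gaps:", gaps_by_tactic(rep))
```

Grouping the gaps by tactic is what turns a list of misses into a defensive priority: here the blue team detects Execution and Credential Access but has nothing for Initial Access or Persistence and a mis-tuned rule for Lateral Movement, which is exactly the kind of finding the red/blue rounds were meant to surface.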
