A vulnerability backlog answers one question well. It tells you what is broken. It says far less about how an attacker would actually use what is broken. Two findings can carry the same CVSS score and still mean very different things to a defender. One exposes a path to initial access. The other only matters once an adversary already has a foothold. Severity alone does not separate them.
MITRE ATT&CK closes that gap. It is the shared vocabulary that security teams use to describe adversary behaviour, organised as tactics, techniques, and sub-techniques. When a finding carries an ATT&CK technique tag, it stops being an isolated defect and becomes a labelled step in a possible attack. That label is what turns a flat list of issues into a structured threat picture.
This article looks at how PMAP maps findings to MITRE ATT&CK techniques. It covers the built-in ATT&CK Enterprise reference catalogue, the typeahead picker analysts use to tag findings, the way technique and sub-technique hierarchy is preserved, the automatic backfill from vulnerability templates, and how the resulting tags feed coverage heatmaps and reports. The goal is to show why mapping belongs in the workflow rather than in a spreadsheet kept on the side.
PMAP follows a clear path for every finding. It moves from ingest to correlate to triage to remediate. ATT&CK mapping is an enrichment layer that sits across correlation and triage. It adds threat context to findings that have already been ingested and deduplicated, so analysts triage with attacker intent in view rather than severity alone. If you want the broader picture of how PMAP enriches findings before triage, the vulnerability intelligence enrichment pillar sets that context.
Why ATT&CK Tags Turn a Backlog Into a Threat Picture
Most vulnerability programmes start from a sorted list. Findings arrive from scanners and manual testing, they get a severity, and they get queued for remediation. That ordering is useful for triage throughput. It is poor for threat communication. A queue sorted by CVSS tells a remediation owner what to fix first. It does not tell a security manager which adversary behaviours the organisation is currently exposed to.
ATT&CK technique tags add the second dimension. Once findings carry technique IDs, you can ask different questions of the same backlog. Which tactics are most represented in the open findings? Where does the exposure cluster along the attack lifecycle? Which techniques recur across assets, and which appear only once? None of these questions is answerable from severity. All of them become answerable the moment findings are mapped.
The practical payoff shows up in three places. The first is coverage gap analysis. When you lay open findings against the ATT&CK matrix, the empty cells are as informative as the full ones. They show where your scanning and testing have not produced evidence, which is a prompt to look harder rather than a clean bill of health. The second is attack-path reporting. A report that groups findings by tactic reads as a narrative of how an intrusion could unfold, which lands with technical and non-technical audiences alike. The third is framework-aligned risk communication. Many security teams already report against ATT&CK to leadership, auditors, and partners. Findings that are mapped at source feed those reports without a manual cross-referencing step.
PMAP treats this mapping as a first-class enrichment rather than a cosmetic tag. Technique IDs are stored on every finding and resolved by the reporting and analytics layers into full technique detail. The tag is not a label that sits idle. It is data that downstream views consume.
The Built-In ATT&CK Enterprise Catalogue
Mapping only works if the reference data is reliable and always available. PMAP ships a built-in, read-only reference catalogue of MITRE ATT&CK Enterprise techniques and sub-techniques. The catalogue covers ATT&CK Enterprise v14, with roughly 180 techniques organised across the 12 Enterprise tactics. It is a curated in-process snapshot of the framework rather than a live external feed, which means tagging never depends on reaching an outside service at runtime.
That design choice matters in operational terms. There is no external API call when an analyst opens the technique picker. There is no dependency on Redis, on object storage, or on a third-party connector. The catalogue lives in the application and is loaded into a PostgreSQL table that PMAP queries directly. Tagging keeps working in restricted network environments where outbound calls to the public internet are limited, which is common in the kind of segmented enterprise estate PMAP is built for.
The catalogue is populated through a seed operation. The seed endpoint upserts every entry from the built-in v14 data set, and it is idempotent by design. Re-running it updates existing rows in place using an ON CONFLICT (id) DO UPDATE strategy rather than inserting duplicates. That means an operator can re-seed at any time without fear of corrupting the table or losing data. The operation reports how many techniques were written, and because the catalogue is around 180 entries, the seed completes inside a normal request timeout with no background job or queue involved.
Read-only is the other key property. Techniques are never created or modified by user action. Analysts consume the catalogue, they do not edit it. The single managed entry point is the seed operation, which keeps the reference set authoritative and consistent across the platform. There is one canonical version of each technique, and every finding that references it points at the same record.
For readers who want the source of truth behind these IDs, the canonical framework lives at the MITRE ATT&CK website, and the full Enterprise matrix is published at attack.mitre.org/matrices/enterprise. PMAP’s catalogue mirrors that framework so the IDs you tag in the platform resolve to the same techniques you would read on the MITRE site.
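As an added illustration (not PMAP's own code), here is the idempotent seed upsert the section describes, using an in-memory SQLite database as a stand-in for the PostgreSQL table; the table and column names and the sample entries are assumptions, and the ON CONFLICT (id) DO UPDATE syntax is shared by both engines.

```python
import json
import sqlite3

# Constructed sample entries in the shape the article describes: one row per
# technique, tactics as an array, a parent reference only on sub-techniques,
# and the canonical MITRE URL carried with each entry.
SAMPLE_ENTRIES = [
    {"id": "T1078", "name": "Valid Accounts", "parent_id": None, "is_subtechnique": False,
     "tactics": ["initial-access", "persistence", "privilege-escalation", "defense-evasion"],
     "url": "https://attack.mitre.org/techniques/T1078/"},
    {"id": "T1566", "name": "Phishing", "parent_id": None, "is_subtechnique": False,
     "tactics": ["initial-access"], "url": "https://attack.mitre.org/techniques/T1566/"},
    {"id": "T1566.001", "name": "Spearphishing Attachment", "parent_id": "T1566",
     "is_subtechnique": True, "tactics": ["initial-access"],
     "url": "https://attack.mitre.org/techniques/T1566/001/"},
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS attack_techniques (
    id              TEXT PRIMARY KEY,
    name            TEXT NOT NULL,
    tactics         TEXT NOT NULL,   -- JSON array here; a text[] column in PostgreSQL
    parent_id       TEXT REFERENCES attack_techniques(id),
    is_subtechnique INTEGER NOT NULL,
    url             TEXT NOT NULL
)"""

# Upsert keyed on the technique ID: a re-run rewrites the existing row instead
# of inserting a duplicate, which is what makes the seed idempotent.
UPSERT = """
INSERT INTO attack_techniques (id, name, tactics, parent_id, is_subtechnique, url)
VALUES (?, ?, ?, ?, ?, ?)
ON CONFLICT (id) DO UPDATE SET
    name = excluded.name, tactics = excluded.tactics, parent_id = excluded.parent_id,
    is_subtechnique = excluded.is_subtechnique, url = excluded.url"""


def open_catalogue() -> sqlite3.Connection:
    """In-memory SQLite database standing in for PMAP's PostgreSQL table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection, entries) -> int:
    """Upsert every entry and report how many techniques were written."""
    # Parents before sub-techniques so the self-referencing key always resolves.
    ordered = sorted(entries, key=lambda e: (e["is_subtechnique"], e["id"]))
    with conn:  # one transaction; commits on success, rolls back on error
        for e in ordered:
            conn.execute(UPSERT, (e["id"], e["name"], json.dumps(e["tactics"]),
                                  e["parent_id"], int(e["is_subtechnique"]), e["url"]))
    return len(ordered)


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM attack_techniques").fetchone()[0]


def technique_name(conn: sqlite3.Connection, technique_id: str):
    row = conn.execute("SELECT name FROM attack_techniques WHERE id = ?",
                       (technique_id,)).fetchone()
    return row[0] if row else None
```

Running seed twice leaves the row count unchanged, and a changed entry is updated in place rather than duplicated.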
Tagging a Finding With the Technique Picker
ATT&CK mapping in PMAP has no standalone screen. It lives where the work lives, inside the Findings experience. That placement is deliberate. Tagging a finding with a technique is part of triage, not a separate administrative task, so the control sits in the finding form rather than in a parallel module an analyst has to remember to visit.
The control is a typeahead selector. When an analyst is working a finding, the picker offers a search box that filters the catalogue in real time. The search matches against both the technique ID and the technique name, so an analyst can type T1566 and land on Phishing directly, or type a keyword from the name and let the dropdown narrow the candidates. The match is a case-insensitive substring search, which keeps it forgiving. Partial input still surfaces the right technique.
Multiple techniques can be selected on a single finding. A finding rarely maps to exactly one adversary behaviour, and the picker does not force that constraint. An analyst can attach every technique that genuinely applies, which keeps the mapping honest rather than artificially flattening a multi-step exposure into a single tag.
Because the picker reads from the same in-process catalogue that the seed operation populates, the candidate list is consistent for every analyst. There is no risk of one tester tagging against a stale technique set while another works from a newer one. The catalogue is shared, and the picker is the same surface everywhere a finding is edited.
Filtering the Picker by Tactic
Search by ID and name is fast when an analyst already knows what they are looking for. Often they do not. They know the phase of the attack they are reasoning about, but not the exact technique ID. The picker supports that workflow with a tactic filter.
The tactic filter narrows the candidate set to a single ATT&CK phase. An analyst who is reasoning about initial access can collapse the dropdown to techniques in that tactic and browse from there, rather than scrolling the full catalogue. The filter matches against the tactic associated with each technique, and it combines with the text search when both are supplied. Filtering to a tactic and typing a keyword applies both conditions together, which is the natural way an analyst narrows in. Start from the phase, then refine by name.
This tactic-first path is also how analysts who think in ATT&CK terms prefer to work. They map an exposure to a phase of the intrusion lifecycle first, then pick the specific technique within it. The picker matches that mental model instead of forcing an ID-first lookup.
Technique and Sub-Technique Precision
ATT&CK is not flat. Many techniques have sub-techniques that describe a more specific variant of a broader behaviour. Phishing is a technique. Spearphishing Attachment is a sub-technique of it. The distinction matters because a generic tag and a specific tag carry different precision, and a defender who can attribute a finding to the exact sub-technique communicates more than one who can only reach the parent.
PMAP preserves that hierarchy. Each sub-technique carries a reference to its parent technique, so the relationship between a technique like T1566 and its sub-technique T1566.001 is explicit in the data rather than inferred from the ID string alone. Top-level techniques carry no parent reference, and sub-techniques are flagged as such, so the platform can tell the two apart cleanly.
That structure is what lets a pentester tag a finding with the precise sub-technique when the evidence supports it. A manual finding authored after a successful test can attribute the exact variant the tester used, not just the family it belongs to. The mapping is as precise as the analyst’s knowledge allows, and the catalogue does not blunt that precision by collapsing sub-techniques into their parents.
The hierarchy also pays off downstream. Because the parent and child relationship is preserved, a navigator or heatmap view can roll sub-techniques up to their parent for a high-level summary, or drill down to the sub-technique for detail, without losing information either way. The data carries both levels, so the presentation layer can choose the granularity that fits the audience.
Ordering reinforces this. The catalogue returns techniques in lexicographic ATT&CK ID order, so a parent technique and its sub-techniques sit next to each other in the list. T1001 is followed by T1001.001, which keeps related entries grouped wherever the catalogue is displayed in full.
Automatic Backfill From Vulnerability Templates
Manual tagging is the right tool when an analyst is reasoning about a specific finding. It does not scale on its own. A scanner can produce thousands of findings, and asking analysts to tag every one by hand would defeat the point of enrichment. PMAP addresses this with automatic backfill from vulnerability templates.
PMAP’s vulnerability template library carries ATT&CK technique IDs on each template, alongside the other enrichment a template holds. When a finding is matched to a template and that template is applied, the technique IDs from the template flow onto the finding automatically. The analyst does not have to look up the technique. It arrives with the rest of the template enrichment as part of the same operation. This is the same template apply path that drives the rest of PMAP’s auto-fill behaviour, which the Smart Match template matching article covers in full.
The backfill follows one precise rule that protects analyst intent. Template technique IDs are written onto a finding only when the finding’s technique array is currently empty. If an analyst has already tagged the finding with one or more techniques, the template apply leaves those tags untouched. A finding that an analyst deliberately mapped to T1566 keeps that mapping even when a template carrying T1190 is later applied. The human decision wins.
This rule resolves the tension between automation and accuracy cleanly. Automation fills the gap where no human has expressed an opinion, which is the overwhelming majority of a large backlog. It steps back where a human has, because an analyst who took the time to tag a finding knows something the template author could not. The result is broad coverage from templates and preserved precision from analysts, with no conflict between the two.
In practice this means the work compounds. Every technique mapping a VulnDB author adds to a template propagates to every untagged finding that matches that template, now and in the future. The author maps the attack pattern once. The platform applies it many times. That leverage is what makes ATT&CK coverage achievable across a large finding population rather than a goal a team chips away at by hand.
Multi-Tactic Techniques Handled Once
ATT&CK has a structural wrinkle that naive implementations get wrong. Some techniques belong to more than one tactic. Valid Accounts, T1078, is the classic example. The same technique appears under Initial Access, Persistence, Privilege Escalation, and Defense Evasion, because valid credentials serve an adversary across several phases of an intrusion. A modelling approach that duplicates the technique once per tactic creates redundant records and inflated counts.
PMAP represents each technique as a single record that carries all of its tactics. A multi-tactic technique like T1078 is one row, and that row lists every tactic it belongs to as an array of tactic identifiers and names. There is no duplication. The technique exists once, with full knowledge of every phase it spans.
The tactic filter respects this. Filtering the picker by any one of a technique’s tactics returns that technique, because the filter matches against the full set of tactics the technique carries. An analyst filtering to Privilege Escalation finds T1078 there, and an analyst filtering to Initial Access finds the same single record, without the platform ever creating two copies. One technique, one row, correctly visible under each tactic it touches.
This matters for analytics as much as for tagging. When a heatmap counts findings per tactic, a multi-tactic technique contributes to each of its tactics from one underlying mapping, so the picture is accurate without double-counting the technique itself. The single-row model keeps the counts honest while still reflecting the full reach of techniques that span the matrix.
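A small model of the picker query, the preserved technique and sub-technique hierarchy, and the single-row handling of multi-tactic techniques described in the three sections above, written as an added example rather than PMAP's code; the catalogue sample, field names and tactic identifiers are constructed for the illustration.

```python
from typing import List, Optional

# Constructed sample of the in-process catalogue (not PMAP's real data): one
# record per technique, tactics as an array (T1078 spans four), and a parent
# reference only on sub-techniques. Deliberately unordered to show sorting.
CATALOGUE = [
    {"id": "T1566.001", "name": "Spearphishing Attachment",
     "tactics": ["initial-access"], "parent_id": "T1566"},
    {"id": "T1078", "name": "Valid Accounts", "parent_id": None,
     "tactics": ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]},
    {"id": "T1001.001", "name": "Junk Data",
     "tactics": ["command-and-control"], "parent_id": "T1001"},
    {"id": "T1190", "name": "Exploit Public-Facing Application",
     "tactics": ["initial-access"], "parent_id": None},
    {"id": "T1566", "name": "Phishing", "tactics": ["initial-access"], "parent_id": None},
    {"id": "T1001", "name": "Data Obfuscation",
     "tactics": ["command-and-control"], "parent_id": None},
]
BY_ID = {e["id"]: e for e in CATALOGUE}


def is_subtechnique(technique_id: str) -> bool:
    """Sub-techniques are exactly the entries that carry a parent reference."""
    return BY_ID[technique_id]["parent_id"] is not None


def search(query: str = "", tactic: Optional[str] = None) -> List[str]:
    """Picker query: case-insensitive substring over ID and name, optionally
    narrowed to one tactic; both conditions apply when both are supplied.
    Results are in lexicographic ATT&CK ID order, so a parent technique sits
    directly before its sub-techniques."""
    q = query.strip().lower()
    hits = []
    for entry in CATALOGUE:
        if q and q not in entry["id"].lower() and q not in entry["name"].lower():
            continue
        # A multi-tactic technique is one row and matches whichever of its
        # tactics the analyst filters by; no per-tactic copy exists.
        if tactic is not None and tactic not in entry["tactics"]:
            continue
        hits.append(entry["id"])
    return sorted(hits)


def parent_of(technique_id: str) -> Optional[str]:
    return BY_ID[technique_id]["parent_id"]


def roll_up(technique_ids) -> List[str]:
    """Collapse sub-techniques to their parent for a high-level summary view;
    the sub-technique stays on the finding, so drilling back down loses nothing."""
    return sorted({parent_of(t) or t for t in technique_ids})
```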
Deep-Linking to the Canonical ATT&CK Page
A technique ID is precise but not self-explanatory. T1566 means Phishing to someone who has the framework memorised, and means nothing to everyone else. Mapping is only useful if a reader can move from the tag to the full description without friction.
PMAP carries the canonical ATT&CK URL with every technique. In the Findings views, each mapped technique renders as a clickable pill, and clicking it opens the canonical technique page on the MITRE ATT&CK website. A report consumer who sees a technique on a finding can read the full MITRE description in one click, without searching for the technique by hand or guessing what the ID stands for.
That link is what makes the mapping legible to a mixed audience. An analyst may know the techniques cold. A manager reviewing a report may not. The deep link removes that gap. Every tag is a door to the authoritative description, which keeps the platform’s mapping anchored to the framework rather than to local shorthand that only the security team understands.
It also keeps PMAP honest about its source. The platform does not paraphrase or reinterpret ATT&CK. It points directly at MITRE’s published page for each technique, so the canonical description is always the one the reader sees. PMAP supplies the mapping. MITRE remains the authority on what each technique means.
Feeding Coverage Heatmaps and Reports
Tagging is the input. Coverage analysis is the output. The reason to map findings to ATT&CK at all is so the mapping can be aggregated into a view that tells a story the raw findings cannot.
PMAP’s reporting and analytics layers consume the technique tags through a bulk resolution path. The technique IDs stored on findings are resolved into full technique objects, so a report or heatmap can show technique names, tactics, and detail rather than bare IDs. The resolution is done in bulk, which means a report covering many findings resolves all of their techniques efficiently rather than one lookup at a time.
What this enables is the coverage view security teams actually want. A heatmap that lays mapped findings across the ATT&CK matrix shows where exposure concentrates and where it is absent. The metrics that matter become measurable. The share of open findings that carry at least one technique tag tells you how complete the mapping itself is. The top techniques by finding count tell you which adversary behaviours your environment exposes most. The tactics with zero tagged findings tell you where your coverage has blind spots that may reflect either genuine strength or untested ground.
These are programme-level signals, and they are only available because the mapping was captured at the finding level in the first place. The discipline of tagging during triage, supported by template backfill so the tagging scales, is what makes the heatmap meaningful rather than sparse. Mapping is the work. The heatmap is the reward.
It is worth noting the boundary of what PMAP claims here. The descriptions of techniques are reserved for future enrichment and are not part of the current built-in catalogue, so the deep link to MITRE remains the route to full technique narrative. The platform’s job is to capture, preserve, and aggregate the mapping accurately, and to send readers to the canonical source for the prose.
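The template backfill rule from the earlier section and the aggregation that feeds the coverage view, as an added example that is not PMAP's implementation; the finding and template shapes, the catalogue subset and the function names are assumptions made for the illustration.

```python
from collections import Counter
from typing import Dict, List

# Constructed subset of the catalogue: technique ID -> tactics it belongs to.
# T1078 spans four tactics but is still a single record.
TACTICS_BY_ID: Dict[str, List[str]] = {
    "T1078": ["initial-access", "persistence", "privilege-escalation", "defense-evasion"],
    "T1190": ["initial-access"],
    "T1566": ["initial-access"],
    "T1566.001": ["initial-access"],
}

# Constructed findings and templates (hypothetical shapes, not PMAP's schema).
FINDINGS = [
    {"id": "F-1", "technique_ids": ["T1566.001"]},   # analyst tagged already
    {"id": "F-2", "technique_ids": []},              # untagged scanner finding
    {"id": "F-3", "technique_ids": []},
    {"id": "F-4", "technique_ids": []},              # never matches a template
]
TEMPLATES = {
    "tpl-default-creds": {"technique_ids": ["T1078"]},
    "tpl-rce-webapp": {"technique_ids": ["T1190"]},
}


def apply_template(finding: dict, template: dict) -> bool:
    """Backfill rule: template technique IDs are written only when the
    finding's technique array is empty. Returns True if anything was written."""
    if finding["technique_ids"]:
        return False  # the human decision wins; existing tags stay untouched
    finding["technique_ids"] = list(template["technique_ids"])
    return True


def resolve_bulk(technique_ids) -> Dict[str, List[str]]:
    """Resolve every referenced ID to its tactic list in one pass, not per finding."""
    return {t: TACTICS_BY_ID[t] for t in set(technique_ids) if t in TACTICS_BY_ID}


def mapped_share(findings) -> float:
    """Share of findings carrying at least one technique tag."""
    tagged = sum(1 for f in findings if f["technique_ids"])
    return tagged / len(findings) if findings else 0.0


def technique_counts(findings) -> Counter:
    """Findings per technique, counting each (finding, technique) pair once."""
    return Counter(t for f in findings for t in set(f["technique_ids"]))


def tactic_heatmap(findings) -> Counter:
    """Findings per tactic. A multi-tactic technique contributes to each of
    its tactics from the one mapping on the finding; nothing is duplicated."""
    resolved = resolve_bulk(t for f in findings for t in f["technique_ids"])
    heat: Counter = Counter()
    for f in findings:
        tactics_hit = {tac for t in set(f["technique_ids"]) for tac in resolved.get(t, [])}
        heat.update(tactics_hit)
    return heat
```

Tactics absent from the heatmap are the empty cells the section describes: a prompt to look harder, not evidence of strength.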
How PMAP Aligns Findings to ATT&CK
Pull the threads together and a consistent design emerges. PMAP makes ATT&CK mapping reliable, low-friction, and durable, so that mapping happens as a side effect of normal triage rather than as a separate project a team has to staff.
Reliable comes from the built-in catalogue. A read-only, idempotently seeded snapshot of ATT&CK Enterprise v14 with no external runtime dependency means the reference data is always there and always consistent. Low-friction comes from the picker. A typeahead that searches by ID and name and filters by tactic, embedded in the finding form, puts mapping inside the analyst’s existing flow. Durable comes from the data model. Preserved technique and sub-technique hierarchy, single-row multi-tactic techniques, and free-form technique arrays on every finding mean the mapping carries full fidelity into reporting.
Scale comes from backfill. Template-driven technique propagation, gated so it never overwrites a human decision, is what lets a large finding population reach meaningful ATT&CK coverage without manual tagging of every record. And legibility comes from the deep link. Every tag opens the canonical MITRE page, so the mapping speaks to analysts and managers alike.
The combined effect is that an organisation using PMAP accumulates ATT&CK coverage as it works its findings, rather than retrofitting it later. By the time a report is due, the mapping is already there. That is the difference between ATT&CK as a framework a team admires and ATT&CK as a lens the platform applies to every finding by default.
For the methodology behind using ATT&CK in a vulnerability management programme, see the upcoming practical guide to MITRE ATT&CK in vulnerability management. For a plain-language definition of the framework itself, see what is MITRE ATT&CK. This article has stayed deliberately on the product side. It is about how PMAP maps findings to techniques in practice. The methodology and definition belong to those companion pieces.
Ready to see your own backlog as a threat picture rather than a sorted list? See how PMAP maps findings to ATT&CK and start building your coverage heatmap.
Frequently Asked Questions
How do I tag a finding with a MITRE ATT&CK technique?
Tagging happens inside the finding form, with no separate ATT&CK screen to visit. The form includes a typeahead picker that searches the built-in ATT&CK catalogue by technique ID or by name. Type a technique ID such as T1566, or a keyword from the technique name, and the dropdown filters in real time. You can select more than one technique on a single finding, so a finding that maps to several adversary behaviours can carry all of the relevant tags.
Can ATT&CK techniques be filled in automatically?
Yes. PMAP’s vulnerability templates carry ATT&CK technique IDs, and when a finding is matched to a template and that template is applied, those technique IDs flow onto the finding automatically. The backfill runs only when the finding’s technique array is currently empty, so it never overwrites tags an analyst has already set. Automation fills the gaps, and human decisions are preserved.
How does PMAP handle sub-techniques like T1566.001?
PMAP preserves the full ATT&CK hierarchy. Each sub-technique carries a reference to its parent technique, so the relationship between T1566 and T1566.001 is explicit in the data, and top-level techniques are distinguished from sub-techniques. This lets analysts tag a finding with the precise sub-technique when the evidence supports it, and lets reporting views either roll sub-techniques up to their parent or drill down to the detail.
Which ATT&CK version does PMAP use?
PMAP ships a built-in reference catalogue covering MITRE ATT&CK Enterprise v14, with roughly 180 techniques across the 12 Enterprise tactics. The catalogue is a curated in-process snapshot of the framework rather than a live external feed, so tagging works without any runtime call to an outside service. An operator re-seeds the catalogue through an idempotent seed operation that updates existing entries in place.
How does PMAP handle techniques that belong to more than one tactic?
Several ATT&CK techniques span multiple tactics. Valid Accounts, T1078, is one example. PMAP stores each such technique as a single record that lists all of its tactics, rather than duplicating the technique once per tactic. The tactic filter matches against the full set, so filtering by any one of a technique’s tactics returns the same single record. This keeps counts and heatmaps accurate without double-counting the technique.
Where do the ATT&CK tags show up after I apply them?
Mapped techniques render as clickable pills in the Findings views, and each pill deep-links to the canonical technique page on the MITRE ATT&CK website. Beyond the finding itself, the tags feed PMAP’s reporting and analytics layers, which resolve the technique IDs into full technique detail for ATT&CK coverage heatmaps and technique distributions. The mapping you capture during triage is what makes those programme-level views meaningful.
Does PMAP call the MITRE ATT&CK API to look up techniques?
No. The ATT&CK reference data lives inside PMAP as a built-in catalogue loaded into the platform’s own database, and there is no live call to an external ATT&CK service when you search or tag. The only external link is the deep link on each technique pill, which opens the canonical MITRE page in your browser when you click it. The mapping function itself runs entirely within the platform.