SOC / Incident Response Mid Level

What is the MITRE ATT&CK framework?

Situation
MITRE ATT&CK has become the universal language for describing adversary behavior.
Task
Explain the framework structure and how it is used operationally.
Action
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) built from real-world observations. Its structure has three levels: 14 Tactics describe why an adversary performs an action (the goal), hundreds of Techniques describe how that goal is reached, and Sub-techniques describe the specific method used. Operationally it is used for threat intelligence mapping, detection gap analysis, red team planning, SOC detection engineering, and vendor evaluation. The knowledge base is updated regularly as new techniques are observed.
Result
ATT&CK literacy is expected in most security roles. Showing you can map detections to ATT&CK techniques and identify gaps in coverage demonstrates advanced security operations maturity.
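To make the detection gap analysis use case concrete, here is an added example (written for this page, not taken from the original answer): detection rules tagged with ATT&CK technique IDs are rolled up to their parent techniques and compared against a small, constructed slice of the Enterprise matrix to list which techniques in each tactic have no detection. The technique and tactic IDs are real; the matrix slice and the rules are constructed for illustration.

```python
# Added example: minimal ATT&CK detection coverage / gap analysis.
from collections import defaultdict

# Constructed slice of the ATT&CK Enterprise matrix: technique -> (name, tactics).
ATTACK = {
    "T1566": ("Phishing", ["TA0001 Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002 Execution"]),
    "T1078": ("Valid Accounts", ["TA0001 Initial Access", "TA0003 Persistence",
                                 "TA0004 Privilege Escalation", "TA0005 Defense Evasion"]),
    "T1003": ("OS Credential Dumping", ["TA0006 Credential Access"]),
    "T1021": ("Remote Services", ["TA0008 Lateral Movement"]),
    "T1486": ("Data Encrypted for Impact", ["TA0040 Impact"]),
}

# Constructed detection rules, each tagged with the technique(s) it covers.
RULES = [
    {"name": "Office process spawns PowerShell", "techniques": ["T1059.001"]},
    {"name": "LSASS memory access by non-system process", "techniques": ["T1003.001"]},
    {"name": "Mass file rename by a single process", "techniques": ["T1486"]},
    {"name": "Inbound mail with macro attachment", "techniques": ["T1566.001"]},
]

def parent_technique(tid):
    """Roll a sub-technique ID (T1059.001) up to its parent technique (T1059)."""
    return tid.split(".")[0]

def coverage_report(attack, rules):
    """Return ({tactic: {"covered": [...], "gaps": [...]}}, set of unmapped tags)."""
    covered = defaultdict(set)   # technique -> names of rules that detect it
    unknown = set()              # tags that do not match any technique in `attack`
    for rule in rules:
        for tid in rule["techniques"]:
            parent = parent_technique(tid)
            if parent in attack:
                covered[parent].add(rule["name"])
            else:
                unknown.add(tid)
    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for tid, (name, tactics) in attack.items():
        for tactic in tactics:            # a technique can sit under several tactics
            bucket = "covered" if tid in covered else "gaps"
            report[tactic][bucket].append(f"{tid} {name}")
    return dict(report), unknown

if __name__ == "__main__":
    report, unknown = coverage_report(ATTACK, RULES)
    for tactic in sorted(report):
        print(tactic, "gaps:", report[tactic]["gaps"])
    print("unmapped tags:", unknown)
```

Run as-is, it reports Lateral Movement and Persistence (among others) as gaps because no rule covers T1021 or T1078, which is exactly the kind of finding a coverage review feeds back into detection engineering.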

💡 Interview Tips

  • Use specific examples from your experience — generic answers are immediately detected
  • Mention tools, frameworks, and standards by name to demonstrate hands-on knowledge
  • Connect your answer to business outcomes — security exists to protect business value
  • If you lack direct experience, describe how you would approach the scenario methodically
