40-question instrument · PDF + scoring sheet
Score your defenses against the 2026 MITRE ATT&CK matrix in two hours, not two weeks.
The expanded 2026 edition of our MITRE ATT&CK maturity instrument. 40 questions across all 14 Enterprise tactics, with identity-tier and cloud-tier sub-techniques from the 2025 and 2026 matrix updates, four-tier scoring, and a board-ready summary template you can paste into a cyber insurance application unchanged.
Why we rebuilt the worksheet for 2026
The original MITRE ATT&CK Maturity Worksheet was built around the 2023 Enterprise matrix and has been completed by hundreds of small and mid-market IT teams. The framework holds up — but the matrix has moved. The 2025 update added 14 new sub-techniques in the identity tactic alone, and the 2026 update materially expanded the cloud and container coverage that most SMBs were under-mapping. v2 is the rebuild for those updates, plus a couple of changes we wanted to make based on field feedback from teams who completed v1.
The biggest substantive change is in identity coverage. Token theft, MFA bypass, OAuth abuse, and refresh-token chaining are now standard attacker workflow for the ransomware groups that target the 25-to-500-employee range, and v1 was light on the detection coverage for that class of activity. v2 adds an explicit identity scoring lane that runs alongside the endpoint and network lanes from the original. The framework still rolls up to the four-tier label (Reactive, Developing, Defended, Proactive) so year-over-year comparison stays meaningful.
Inside the 40-question instrument
- Section 1 — Reconnaissance and resource development. 4 questions covering external attack surface monitoring, leaked credential detection, and the early-warning signals most teams under-instrument.
- Section 2 — Initial access. 5 questions covering phishing, valid accounts, exploit-of-public-application, and the supply chain compromise surface.
- Section 3 — Execution. 3 questions covering command-line and scripting detection, container execution, and the cloud workload execution patterns from the 2026 matrix.
- Section 4 — Identity and credential access. 6 questions covering token theft, MFA bypass, OAuth abuse, password spraying, and the identity-tier expansion from the 2025 matrix.
- Section 5 — Cloud and container. 5 questions covering cloud account compromise, container escape, cloud storage exfiltration, and the cloud-tier sub-techniques from the 2026 matrix.
- Section 6 — Defense evasion and persistence. 5 questions covering process injection, scheduled task abuse, registry persistence, and the living-off-the-land patterns common in the ransomware actor playbook.
- Section 7 — Discovery, lateral movement, and collection. 6 questions covering network share enumeration, remote service abuse, account discovery, and the data staging patterns that precede most exfiltration events.
- Section 8 — Exfiltration, impact, and the board-ready summary template. 6 questions plus a one-paragraph summary template you can paste into a customer security questionnaire or cyber insurance application unchanged.
- Section 9 — Scoring rubric and 30-60-90 remediation plan template. Maps your scored results to the four tiers and produces a stack-ranked remediation plan for the next 90 days.
Who this is for
The instrument is built for IT managers, heads of IT, solo security leads, and fractional or virtual CISOs at companies in the 25-to-500-employee range. It is especially useful when an auditor, a customer security questionnaire, or a cyber insurance underwriter has asked where you sit on the MITRE ATT&CK framework and you do not have a documented answer.
It is also useful as a structured artifact for penetration testing scoping conversations — the self-assessment helps you and the testing team agree on which tactics deserve focused attack-side validation. Many of our web application pentest and network pentest engagements begin with a v2 review on the kickoff call.
What you will learn
You will leave with a coverage percentage for each of the 14 ATT&CK Enterprise tactics, a four-tier maturity label, a stack-ranked list of the highest-impact controls to close your largest gaps, and a one-paragraph board-and-auditor summary you can paste into a customer security questionnaire response, a SOC 2 readiness review, or a cyber insurance application. The summary template is deliberately written to read as honest rather than aspirational — auditors and underwriters catch aspirational summaries quickly and the failure mode is worse than the disclosure.
On the operational side, you will have a 30-60-90 remediation plan template that you can fill in with your top three gaps. The plan is structured so that the 30-day items are achievable with no budget, the 60-day items assume modest tooling spend, and the 90-day items capture the budget-cycle conversation you will need to have with finance to fix the structural gaps. We have seen this format survive the transition between two IT directors at one company and still produce action.
Pair this with our Web App Pentest Checklist if you are coordinating a paid pentest engagement alongside the self-assessment.
How this connects to our work
Every MITRE ATT&CK assessment engagement starts with a v2 review on the kickoff call. The instrument gives both sides a shared vocabulary so the engagement scope is honest about which tactics deserve deep external validation and which the internal team is already covering well. If the v2 review surfaces gaps in identity or cloud coverage, the Active Directory pentest or a focused cloud assessment is typically the right next step.
We also use v2 to scope full penetration testing engagements that pair external attack-side validation with documented internal self-assessment, which is what most cyber insurance underwriters and SOC 2 auditors are actually looking for. Read our pricing or book a call to scope. For a sense of how we operate, see our about page.
Frequently asked questions
How is v2 different from the original MITRE ATT&CK worksheet?
v2 has 40 questions instead of 24, covers identity-tier and cloud-tier sub-techniques from the 2025 and 2026 ATT&CK matrix updates, and adds an explicit 30-60-90 remediation plan template. The four-tier scoring is unchanged so year-over-year comparison still works.
Do I need to be a security expert to complete it?
No. Each question is a plain-English yes/no/partial item. A solo IT manager or vCISO can complete the full 40-question instrument in about 2 hours. The scoring rubric automatically rolls answers up to a tier label.
Can I use this for a cyber insurance application or customer questionnaire?
Yes. The board-and-auditor summary template in Section 8 maps directly to questions on most cyber insurance applications and SOC 2 readiness reviews.
Does it cover cloud and identity threats?
Yes. Sections 4 and 5 cover identity-tier sub-techniques (token theft, MFA bypass, OAuth abuse) and cloud-tier sub-techniques (cloud account compromise, container escape, cloud storage exfiltration) from the 2025 and 2026 matrix updates.
What happens after I download?
You get the PDF immediately and one short follow-up email. If you want a remediation working session or an external validation pass against your scored assessment, book a 20-minute scoping call.
Done with the self-assessment? Let us run external validation.
A completed self-assessment is the right artifact for an internal IT conversation. For a cyber insurance application, a SOC 2 readiness review, or a customer security questionnaire where attestation matters, an external validation pass is typically worth the spend. See our pricing or book a call.