Score your defenses across all 14 MITRE ATT&CK tactics without hiring a SOC.

Five years ago, MITRE ATT&CK was an esoteric framework used by red teams and threat-intel analysts at large enterprises. Today, it is the lingua franca of cyber insurance underwriters, SOC 2 auditors, and the security questionnaires that enterprise customers send to their SMB suppliers. If a customer asks where you sit on ATT&CK and your honest answer is "we have not looked at that," you have already lost a percentage of the deal. The worksheet is the smallest amount of work that turns that answer into a defensible one.

It is the same self-assessment our cybersecurity practice runs through with a prospect before scoping a full MITRE ATT&CK assessment or a pentest engagement. The point of the worksheet is to do this calibration in 90 minutes instead of a $30K-plus engagement — and to surface the controls worth investing in before you decide whether a full engagement is actually worth it.

The worksheet is built for three roles. First, IT managers and heads of IT at 25-to-500-employee companies with no dedicated SOC and possibly an MSSP relationship. They are the ones who get the customer security questionnaire forwarded to them and need a defensible response by Friday. Second, solo security leads and vCISOs who run multiple companies and need a consistent framework for documenting maturity across clients. Third, founders and COOs of regulated startups (fintech, healthtech, SaaS handling PII) who need to give their first SOC 2 auditor or cyber-insurance underwriter a real answer.

If you have a full security team and an established threat-intel function, this worksheet is too basic — we run a more involved internal assessment in our MITRE ATT&CK assessment service. If you are pre-revenue with no customer security pressure yet, the worksheet is premature — focus on the controls covered in Section 5 (MFA, EDR, DMARC, backups) rather than completing the full scoring.

You will learn what each of the 14 ATT&CK Enterprise tactics actually means in plain English, and which of them your organization has any visibility into. You will learn the five highest-leverage controls for SMBs — and why the standard recommendation order (firewall first, EDR later) is actually backwards for most modern threat profiles. You will learn the maturity-tier framework your cyber-insurance underwriter and SOC 2 auditor are now using internally, and how to communicate your position in their language.

You will leave with three concrete artifacts. A scored worksheet you can drop into a board deck. A one-paragraph maturity summary you can paste into a customer security questionnaire. A stack-ranked list of the next three controls worth investing in this quarter. If you are above 60% overall coverage, you will also know whether it is time to validate your defenses with a pentest or whether continuing to invest in controls is the higher-leverage move.

You will also learn how ATT&CK posture connects to other security programs you may be running — SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF. Section 7 includes a mapping cheat sheet that shows how each ATT&CK tactic correlates with the controls in those frameworks, which makes the worksheet useful as a cross-framework gap analysis rather than just a standalone exercise.

The worksheet is the qualifying conversation we run with prospects before scoping a full MITRE ATT&CK assessment or a multi-vector penetration testing engagement. When the worksheet output shows below-40% coverage in any Credential-Access, Lateral-Movement, or Exfiltration row, the next conversation is usually about scoping a web application pentest, a network pentest, or an Active Directory pentest to validate the gap and produce a remediation roadmap.

The worksheet pairs well with the Web App Pentest Checklist if you are scoping the testing side of your security program. For pricing and engagement model, see the pricing page or read about the QUANT LAB security practice. Recent cybersecurity engagements are summarized at the work page.