Prioritization Using MITRE ATT&CK Matrix 

This section explains how to use the MITRE ATT&CK Matrix in ETM, which maps vulnerabilities and misconfigurations to real-world attacker tactics and techniques, enabling proactive, threat-informed risk management and decision-making.

Prerequisites

To use this feature, you must meet the following prerequisites:

  • ETM subscription
  • MITRE - View role-based permission

    Manager and Reader users have this permission by default.

Consider a scenario where a threat actor wants to install malware to infect workstations on the network. The threat actor can first use the Initial Access Tactic to gain network access. The Initial Access Tactic consists of 10 Techniques, and the attacker can use any of them to gain network access maliciously. Once the attacker has access, they can use the Lateral Movement Tactic to infect other systems in the network. The Lateral Movement Tactic consists of 9 Techniques. To evaluate, detect, and remediate such attacks, the MITRE ATT&CK Matrix in the Risk Management tab helps you strengthen the robustness of your organization's products and services.

To get in-depth information from the MITRE ATT&CK Matrix, perform the following steps:

  1. Go to the Risk Management tab > MITRE ATT&CK Matrix.
  2. Select the business entities or asset tag as required.

    [Screenshot: MITRE ATT&CK window]

    The following pictorial representation of the matrix depicts the Tactics and Techniques based on vulnerabilities and misconfigurations.

    [Screenshot: details of techniques and tactics]

    • Edit Scope: To edit the scope, click the pencil icon in the top corner.
    • TruRisk Score Graph: The graph displays the TruRisk Score, providing a visual representation of risk levels.
    • Legend Indicators: The legend uses color codes to indicate risk levels: Amber: Potential risk; Green: No risk.
    • Vulnerability and Misconfiguration Details.

  3. Hover over any Tactic Name to view its associated vulnerabilities, or over any Technique Name to view its related Risk Findings and associated Tactics (based on the MITRE ATT&CK framework). The hover view displays:
    • Total number of vulnerabilities
    • Number of affected assets

    Color Indicators in the matrix:

    • Amber: Potential risk
    • Green: No risk

  4. To see more details about the technique with the highest Risk Finding, click the Technique Name. In this example, the Exploitation for Privilege Escalation Technique has the highest number of Vulnerabilities and Assets. When you click a Technique Name, complete information about that technique is displayed.

    [Screenshot: complete information about the technique]

    The following screenshot highlights the information shown in each Technique widget:

    [Screenshot: Technique widgets]

    TruRisk Widget: The TruRisk widget shows the average asset score for the selected scope, Tactic, and Technique. In the TruRisk widget screenshot, the average score is 228.

    Top Critical Assets Widget: The Top Critical Assets list includes host names with their TruRisk Score, selected scope (either tags or business entities), and risk findings in the form of vulnerabilities and misconfigurations.

    Internet Exposed Asset Findings Widget: Internet-facing assets are the most vulnerable assets. Using the system-defined Internet-facing Assets, the Internet Exposed Asset Findings widget lists the vulnerable host names, expediting the remediation of vulnerabilities and securing your sensitive internal information.

    Internet Exposed Assets with RDP open ports Widget: Threat actors can use open ports as backdoor entry points or for system identification. The widget categorizes the data as External Assets with RDP open ports and shows the count of such assets for the ETM application. If a value exists, click the count to go to the Findings page. This widget also displays details of Ports with Vulnerabilities, Open Database Ports, and Open Risky Ports.

    Vulnerability Findings Widget: This widget displays a list of CVEs along with their titles and detection counts. Click on any of the CVEs listed in the Vulnerability Findings widget to get more details.

    Misconfiguration Widget: This widget displays a list of misconfigurations (with Critical or High QDS) along with their titles, QDS, and host name.

    In all the widgets, the numbers or text in blue are hyperlinks. When clicked, these links are converted into QQL queries and navigate to the specific filter associated with that number. For example, clicking on Top Risk Factor will take you to the CISA Known Exploitable findings.
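The matrix semantics described in steps 3 and 4 (per-technique finding and asset counts, the Amber/Green legend, the technique with the highest Risk Finding) and the TruRisk widget average, as an added illustration in Python. This is not ETM's own code: the technique scope, the findings and the asset TruRisk scores are constructed sample data, and the cell structure is an assumption about how the matrix aggregates.

```python
from statistics import mean

# Constructed scope (hypothetical, not ETM data): tactic/technique cells for the selected tag or entity.
TECHNIQUES = [
    ("Initial Access", "Phishing"),
    ("Initial Access", "Exploit Public-Facing Application"),
    ("Privilege Escalation", "Exploitation for Privilege Escalation"),
    ("Lateral Movement", "Remote Services"),
]
# Constructed risk findings (vulnerabilities and misconfigurations), each pre-mapped to ATT&CK.
FINDINGS = [
    {"id": "CVE-0000-0001", "asset": "web-01", "tactic": "Initial Access",
     "technique": "Exploit Public-Facing Application"},
    {"id": "CVE-0000-0002", "asset": "web-01", "tactic": "Privilege Escalation",
     "technique": "Exploitation for Privilege Escalation"},
    {"id": "CVE-0000-0003", "asset": "db-02", "tactic": "Privilege Escalation",
     "technique": "Exploitation for Privilege Escalation"},
    {"id": "MISCONFIG-0007", "asset": "wks-07", "tactic": "Privilege Escalation",
     "technique": "Exploitation for Privilege Escalation"},
]
# Constructed per-asset TruRisk scores, used by the TruRisk widget average.
ASSET_SCORES = {"web-01": 310, "db-02": 250, "wks-07": 124}

def build_matrix(techniques, findings):
    """One cell per (tactic, technique): finding count, affected assets and legend colour."""
    cells = {key: {"vulnerabilities": 0, "assets": set()} for key in techniques}
    for f in findings:
        cell = cells.setdefault((f["tactic"], f["technique"]), {"vulnerabilities": 0, "assets": set()})
        cell["vulnerabilities"] += 1
        cell["assets"].add(f["asset"])
    for cell in cells.values():
        # Legend: Amber = potential risk (at least one finding), Green = no risk.
        cell["color"] = "Amber" if cell["vulnerabilities"] else "Green"
    return cells

def tactic_hover(cells, tactic):
    """Hover view of a tactic: total findings and number of distinct affected assets."""
    in_tactic = [c for (t, _), c in cells.items() if t == tactic]
    total = sum(c["vulnerabilities"] for c in in_tactic)
    assets = set().union(*(c["assets"] for c in in_tactic))
    return {"vulnerabilities": total, "assets": len(assets)}

def top_technique(cells):
    """Technique with the most risk findings (affected-asset count breaks ties)."""
    best = max(cells, key=lambda k: (cells[k]["vulnerabilities"], len(cells[k]["assets"])))
    return best[1]

def trurisk_average(cells, scores, tactic, technique):
    """TruRisk widget: average TruRisk score of the assets in the selected cell."""
    assets = cells[(tactic, technique)]["assets"]
    return round(mean(scores[a] for a in assets)) if assets else 0
```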