The Core Concept: MITRE’s framework library is extensive enough to overwhelm any security team trying to get started — Steve Winterfeld cuts through it with three specific capabilities that give defenders an immediate, practical understanding of the threat landscape: the ATT&CK framework, criminal group profiles, and the ATT&CK Navigator.
The Guest: Steve Winterfeld, Advisory CISO at Akamai
The Bottom Line:
• For most defenders, the fastest path to value from MITRE starts with three things: understanding the ATT&CK framework, learning how criminal groups are profiled within it, and using the Navigator to visualize how those TTPs map to your existing controls — everything else branches from there based on your industry and role
Speaking with TFiR, Steve Winterfeld, Advisory CISO at Akamai, offered a practical roadmap for security leaders who want to begin using MITRE resources but aren’t sure where to start — cutting through the breadth of the framework library to identify the highest-value entry points by role and industry.
THE CHALLENGE: TOO MANY TOOLS, NO CLEAR STARTING POINT
MITRE’s security ecosystem has grown substantially over the years — ATT&CK, ATLAS, CRAFT, FIGHT, Caldera, ADAPT, and a growing set of industry-specific frameworks. For a security leader evaluating the library for the first time, the scale can be paralyzing. Winterfeld’s approach is to anchor on intent: what are you trying to do, and what is your operating environment?
THE THREE CAPABILITIES EVERY DEFENDER SHOULD START WITH
For security practitioners on the defensive side — particularly those responsible for enterprise networks — Winterfeld identified three MITRE capabilities that deliver the most immediate, practical value.
First, the ATT&CK framework itself: understanding the 14-tactic adversarial methodology, how techniques are organized by infrastructure type, and how it maps to a real attack sequence. Second, criminal group profiles: learning how named threat actor groups such as the Lazarus Group and APT39 are documented within ATT&CK, including their specific techniques, malware, and sequencing. Third, the ATT&CK Navigator: the visualization tool that overlays criminal group TTPs onto the framework, instantly showing which stages of the attack chain a specific adversary would use and where current controls would intercept them.
“Understand the attack framework, the criminal groups, and the Navigator — those three capabilities will let you walk away with a better understanding of the threat and how to protect against it.”
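The overlay the Navigator performs, reduced to its essentials as an added example (not code from the interview, MITRE or Akamai): a group's techniques, tagged by tactic, are coloured by whether an existing control blocks, detects or misses them, producing both a loadable Navigator layer and a per-tactic list of gaps. The technique IDs are real ATT&CK identifiers, but their attribution to a group and the coverage map are constructed sample data, and the layer version strings are assumptions.

```python
import json

# Added example, not MITRE's code. Technique IDs are real ATT&CK identifiers;
# their attribution to the group and the control coverage are CONSTRUCTED
# sample data (one technique may sit under several tactics, as in ATT&CK).
GROUP_TTPS = [
    ("T1566", "initial-access"),     # Phishing
    ("T1059", "execution"),          # Command and Scripting Interpreter
    ("T1547", "persistence"),        # Boot or Logon Autostart Execution
    ("T1003", "credential-access"),  # OS Credential Dumping
    ("T1021", "lateral-movement"),   # Remote Services
    ("T1041", "exfiltration"),       # Exfiltration Over C2 Channel
    ("T1486", "impact"),             # Data Encrypted for Impact
]
# Constructed: techniques our existing controls detect or block.
COVERAGE = {"T1566": "detect", "T1059": "detect", "T1003": "block"}
COLORS = {"block": "#31a354", "detect": "#fdae6b", "gap": "#e34a33"}


def coverage_gaps(ttps=GROUP_TTPS, coverage=COVERAGE):
    """Return {tactic: [technique IDs with no control]}, in attack-chain order."""
    gaps = {}
    for tid, tactic in ttps:
        if tid not in coverage:
            gaps.setdefault(tactic, []).append(tid)
    return gaps


def build_layer(name, ttps=GROUP_TTPS, coverage=COVERAGE):
    """Build a Navigator layer (JSON-serialisable dict) that colours each
    technique by coverage. The version strings are assumed; match them to
    the Navigator build you load the layer into."""
    techniques = []
    for tid, tactic in ttps:
        status = coverage.get(tid, "gap")
        techniques.append({
            "techniqueID": tid, "tactic": tactic, "color": COLORS[status],
            "comment": "no control mapped" if status == "gap" else f"control: {status}",
            "enabled": True, "score": 0 if status == "gap" else 1,
        })
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "techniques": techniques}


if __name__ == "__main__":
    print(json.dumps(build_layer("sample-group-vs-controls"), indent=2))
    print("Gaps by tactic:", coverage_gaps())
```

Save the printed JSON to a file and open it with the Navigator's "Open Existing Layer" option to see the red cells, which are the stages of this group's chain where no control would intercept it.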
ROLE-BASED AND INDUSTRY-SPECIFIC STARTING POINTS
Winterfeld acknowledged that the right starting point shifts depending on role and industry. Security leaders focused on AI and generative AI deployments should start with MITRE ATLAS — the adversarial threat framework purpose-built for externally facing LLM systems. Organizations in healthcare or critical infrastructure should explore MITRE’s SCADA and ICS-specific frameworks, as well as the healthcare AI security breakout. Financial sector security teams should look at ADAPT for payment technology threat modeling.
FREE TRAINING RESOURCES
MITRE offers free training resources including YouTube videos covering core framework concepts and the MITRE ATT&CK Defender (MAD) certification program — a structured path for practitioners who want formal proficiency in ATT&CK for both offensive and defensive applications.
Watch the full TFiR interview with Steve Winterfeld here.