Technique-Level Coverage Across Windows and macOS
BallisKit tools map to specific ATT&CK technique IDs, enabling red teams to verify scenario accuracy against threat intelligence reports.
What is MITRE ATT&CK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It documents how threat actors operate, from initial compromise through data exfiltration, and provides a common taxonomy that offensive and defensive security teams use to communicate, plan, and validate.
ATT&CK serves as the shared language between threat intelligence providers, red teams, blue teams, and regulators. When a TI report documents that a threat actor uses specific techniques, the red team must reproduce those techniques, not substitute generic alternatives. ATT&CK IDs make that mapping explicit and verifiable.
- Tactics - The adversary's tactical goal, the "why" behind an action (e.g., Initial Access, Persistence, Defense Evasion)
- Techniques - The "how" - specific methods used to achieve a tactical goal (e.g., Phishing, Process Injection)
- Sub-techniques - More granular variants of a technique (e.g., T1566.001 Spearphishing Attachment under T1566 Phishing)
- Procedures - Specific implementations of techniques by real threat actors or tools
Why ATT&CK Matters for Red Teams
TIBER-EU Compliance
The Threat Intelligence Report specifies ATT&CK technique IDs the red team must reproduce. Tools must map directly to those IDs for the engagement to satisfy regulatory requirements.
Scenario Accuracy Verification
Regulators and white teams verify red team execution against documented techniques. Mapped coverage proves fidelity between the TI report and the actual attack simulation.
Consistent Reporting
ATT&CK IDs in engagement reports create auditable, comparable results across engagements and teams. Technique-level documentation removes ambiguity from deliverables.
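The fidelity check described above (do the tools map to the exact technique IDs the TI report names?) can be automated. The following is an added example, not BallisKit code or data: it takes a list of required ATT&CK IDs and a per-tool coverage map, and classifies each requirement, taking the technique/sub-technique hierarchy into account (a tool claiming only the parent T1566 does not prove it reproduces T1566.001). Tool names and coverage sets in the sample are constructed placeholders; the technique IDs used as sample input are real ATT&CK IDs chosen for illustration.

```python
"""Check a TI report's ATT&CK technique IDs against what a set of tools claims to cover.

Added example; the tool names and coverage sets below are constructed, not any vendor's real mapping.
"""
import re

# ATT&CK technique IDs: 'T' plus four digits, optionally a three-digit sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_of(technique_id):
    """Strip the sub-technique suffix: T1566.001 -> T1566; T1566 stays T1566."""
    return technique_id.split(".", 1)[0]


def validate_ids(technique_ids):
    """Return the IDs that do not match the ATT&CK ID format (typos in a report or tool map)."""
    return sorted(t for t in technique_ids if not TECHNIQUE_ID.match(t))


def coverage_report(required, tool_map):
    """Compare TI-report technique IDs against what each tool claims to implement.

    required: iterable of technique IDs the red team must reproduce.
    tool_map: dict of tool name -> set of technique IDs that tool implements.

    Each required ID is classified as:
      "covered"     - a tool claims the exact ID, or the requirement is a parent technique
                      and a tool claims at least one of its sub-techniques;
      "parent_only" - the requirement is a sub-technique and tools only claim the parent,
                      which does not prove the specific variant and needs manual review;
      "uncovered"   - no tool claims the ID or anything under it.
    Returns dict: technique_id -> (status, sorted list of tool names).
    """
    all_ids = list(required) + [t for ids in tool_map.values() for t in ids]
    bad = validate_ids(all_ids)
    if bad:
        raise ValueError(f"malformed ATT&CK IDs: {bad}")

    report = {}
    for tid in required:
        exact = sorted(tool for tool, ids in tool_map.items() if tid in ids)
        if exact:
            report[tid] = ("covered", exact)
        elif "." in tid:
            # Sub-technique required: a parent-level claim is only a partial match.
            via_parent = sorted(tool for tool, ids in tool_map.items() if parent_of(tid) in ids)
            report[tid] = ("parent_only", via_parent) if via_parent else ("uncovered", [])
        else:
            # Parent technique required: any implemented sub-technique satisfies it.
            via_sub = sorted(
                tool for tool, ids in tool_map.items()
                if any("." in t and parent_of(t) == tid for t in ids)
            )
            report[tid] = ("covered", via_sub) if via_sub else ("uncovered", [])
    return report


def gaps(report):
    """IDs that would fail a technique-level fidelity check: anything not fully covered."""
    return sorted(tid for tid, (status, _) in report.items() if status != "covered")


# Constructed sample data: two hypothetical tools and a four-ID excerpt from a hypothetical TI report.
SAMPLE_REQUIRED = ["T1566.001", "T1566.002", "T1204", "T1003"]
SAMPLE_TOOL_MAP = {
    "tool_a": {"T1566.001", "T1204.002"},
    "tool_b": {"T1566"},
}

if __name__ == "__main__":
    rep = coverage_report(SAMPLE_REQUIRED, SAMPLE_TOOL_MAP)
    for tid, (status, tools) in rep.items():
        print(f"{tid:<10} {status:<12} {', '.join(tools) or '-'}")
    print("gaps:", gaps(rep))
```

On the sample data, T1566.001 is covered exactly, T1204 is covered through the T1204.002 sub-technique, T1566.002 is flagged as `parent_only` because only T1566 is claimed, and T1003 is uncovered. Treating `parent_only` as a gap rather than a pass is the conservative choice: a TI report that names a sub-technique expects that variant, not a generic one.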
Combined Technique Coverage by Tactic
All ATT&CK techniques covered by BallisKit tools, organized by adversary tactic. Each technique card shows the ATT&CK ID, implementation detail, and which product(s) provide coverage.
- Initial Access: 5 techniques
- Execution: 7 techniques
- Persistence: 3 techniques
- Privilege Escalation: 5 techniques
- Defense Evasion: 13 techniques
- Credential Access: 1 technique
Product Technique Summary
MacroPack Pro (Windows)
- Initial Access
- Execution
- Privilege Escalation
- Defense Evasion
DarwinOps (macOS)
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
ATT&CK Coverage for TIBER-EU Engagements
TIBER-EU mandates that red teams reproduce specific threat actor techniques documented in the Threat Intelligence Report. BallisKit's mapped ATT&CK coverage across Windows and macOS enables red teams to demonstrate technique-level fidelity between the TI report and the executed adversary simulation.
