BLOG
My Top 4 Takeaways from MITRE ATT&CKcon 6.0

Ariel Ropek

Oct 17, 2025

This year’s MITRE ATT&CKcon felt a little lackluster. Amid the thinly veiled vendor pitches and CTI hipster snobbery, a few common themes emerged, and you’ll be shocked to learn how predictable they were.

  1. You’re using AI, right? RIGHT??

Speakers vacillated between showing off their hastily vibe-coded CTI tools and assuring the audience that AI won’t replace CTI analysts. Several talks demonstrated AI-powered tools that extract MITRE ATT&CK techniques from written threat reports. It turns out that mapping reports to techniques by hand is tedious and nobody wants to do it, so the automation is welcome, but review the tools’ output, because they still hallucinate. One speaker practically begged us to let humans keep red teaming, because there are still things AI can’t do (yet). If someone can vibe-code 400 lines of spaghetti that is now used by every branch of the US military, so should you!

  2. Nothing is novel, except when it is

Cyber criminals use the same confidence tricks that con artists have used for hundreds of years to talk people into handing over things they shouldn’t. The same unpatched CVEs are exploited year after year. To be fair, this is a point in MITRE ATT&CK’s favor: the framework can categorize a huge range of attacks without spawning new techniques to handle edge cases. So when an actually novel technique does show up, like T1204.004 User Execution: Malicious Copy and Paste (the ClickFix pattern, where the victim is talked into pasting a command into a terminal or Run dialog), it’s important that everyone piles on.

  3. You’re doing it wrong

The running joke is that nobody uses MITRE ATT&CK correctly. One speaker said that just because adversary X uses technique Y doesn’t mean you can attribute an attack that uses technique Y to adversary X. The next talk was about how they attributed an attack to an adversary based on the techniques used. Everyone says you shouldn’t play MITRE ATT&CK bingo by trying to cover every technique, and should instead focus on what matters for your environment. Then the director of the Center for Threat-Informed Defense (CTID) came on to announce the next MITRE ATT&CK bingo contest to see who has the most coverage.

  4. Seeing the trees through the forest

Despite all that, a genuine theme was extracting practical insights from ATT&CK to help defenders secure their networks, specifically around detection. One speaker talked about going beyond techniques to the individual procedures within each technique: cataloging which procedures are actually relevant to your environment and prioritizing detection coverage accordingly, since a technique marked “covered” by a detection for one procedure can still miss the procedure your adversaries use. Another spoke about Signals Engineering as an evolution of Detection Engineering: looking beyond atomic alerts to the risk patterns of users and entities over time, so that several individually low-severity alerts on the same entity add up to something worth escalating. There were also some really nice STIX updates announced around Detection Strategy objects and Analytics, making it easier to link defensive measures to the ATT&CK techniques they are designed to detect.
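To make the Signals Engineering idea concrete, here is an added example (my own illustration, not code from Panther or from any ATT&CKcon speaker) that rolls atomic alerts up into a per-entity risk score. Each alert carries an entity, an ATT&CK technique ID and a 1 to 5 severity; those fields, the 24-hour window, the 6-hour half-life, the breadth bonus for distinct techniques and the escalation threshold are all assumptions chosen for the example, and the alerts themselves are constructed. The point it shows is that an entity whose alerts are each too low-severity to page anyone can still cross the line when you look at the pattern.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """One atomic alert: a detection rule firing on a single matching event."""
    ts: datetime
    entity: str      # user or host the alert is about (assumed field)
    technique: str   # ATT&CK technique ID the rule is mapped to (assumed field)
    severity: int    # 1 (info) .. 5 (critical), as set on the atomic rule
    title: str


# Constructed sample alerts; none of this is real telemetry.
SAMPLE_ALERTS = [
    # alice: three low-severity alerts across three techniques within two hours
    Alert(datetime(2025, 10, 17, 10, 0), "alice", "T1078", 2, "Console login from new country"),
    Alert(datetime(2025, 10, 17, 11, 0), "alice", "T1087", 1, "Bulk user enumeration via API"),
    Alert(datetime(2025, 10, 17, 11, 30), "alice", "T1048", 2, "Large DNS TXT volume to new domain"),
    # bob: one stale alert outside the window, one recent one, same technique
    Alert(datetime(2025, 10, 14, 9, 0), "bob", "T1110", 2, "Password spray against SSO"),
    Alert(datetime(2025, 10, 17, 9, 0), "bob", "T1110", 2, "Password spray against SSO"),
]

# Evaluation time for the sample data (assumed).
NOW = datetime(2025, 10, 17, 12, 0)


@dataclass
class EntityRisk:
    score: float = 0.0
    alert_count: int = 0
    max_atomic_severity: int = 0          # highest single-alert severity seen
    techniques: set[str] = field(default_factory=set)


def decay(age: timedelta, half_life: timedelta) -> float:
    """Weight an alert by its age: 1.0 right now, 0.5 after one half-life."""
    return 0.5 ** (age / half_life)


def entity_risk(
    alerts: list[Alert],
    now: datetime,
    window: timedelta = timedelta(hours=24),
    half_life: timedelta = timedelta(hours=6),
    breadth_bonus: float = 0.25,
) -> dict[str, EntityRisk]:
    """Aggregate atomic alerts into a time-decayed risk score per entity.

    Alerts older than `window` are ignored. Each remaining alert contributes
    severity * decay(age). Entities touching several distinct techniques get a
    breadth bonus, since progress across techniques looks more like an intrusion
    than one noisy rule firing repeatedly.
    """
    risks: dict[str, EntityRisk] = defaultdict(EntityRisk)
    for a in alerts:
        age = now - a.ts
        if age < timedelta(0) or age > window:
            continue
        r = risks[a.entity]
        r.score += a.severity * decay(age, half_life)
        r.alert_count += 1
        r.max_atomic_severity = max(r.max_atomic_severity, a.severity)
        r.techniques.add(a.technique)
    for r in risks.values():
        r.score *= 1 + breadth_bonus * (len(r.techniques) - 1)
    return dict(risks)


def risky_entities(alerts: list[Alert], now: datetime, threshold: float = 5.0, **kw) -> list[str]:
    """Entities whose aggregated score meets the threshold, highest first."""
    risks = entity_risk(alerts, now, **kw)
    return sorted((e for e, r in risks.items() if r.score >= threshold), key=lambda e: -risks[e].score)


if __name__ == "__main__":
    for entity, r in entity_risk(SAMPLE_ALERTS, NOW).items():
        print(f"{entity}: score={r.score:.2f} alerts={r.alert_count} "
              f"max_atomic={r.max_atomic_severity} techniques={sorted(r.techniques)}")
    print("escalate:", risky_entities(SAMPLE_ALERTS, NOW))
```

With the sample data, alice never produces an alert above severity 2, yet her three alerts across three techniques score about 6.5 and get escalated, while bob’s repeated severity-2 spray alert scores about 1.4 and does not. The half-life, window and bonus are knobs to tune against your own alert volume; the structure (decay, per-entity accumulation, breadth) is what the talk was getting at.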
