These definitions are used throughout the ATT&CK framework and this guide.
Core Terms
Adversary Emulation
The process of evaluating the security of a technology domain by simulating the tactics, techniques, and procedures (TTPs) used by specific adversaries. It uses cyber threat intelligence to understand how they operate, then applies that knowledge to test an organization's ability to detect and mitigate such threats.
Red Teaming
Performing an exercise from an adversarial perspective without relying on any known threat intelligence, with the aim of achieving specific objectives without being detected.
Although adversary emulation and red teaming may sound identical, there are key differences. Adversary emulation replicates known threat actors' TTPs. Red teaming is broader — it is not limited to known adversaries and can include a wide range of attack vectors to simulate the unpredictability of real-world attacks.
Behavioral Analytics Development
Focuses on identifying potentially malicious behavior within a system or network based on how adversaries interact with specific platforms. Because these analytics key on behavior rather than on particular tools or indicators, they can detect malicious activity without prior knowledge of an adversary's tooling.
Defensive Gap Assessment
An evaluation that identifies vulnerabilities and weaknesses in an organization's defensive capabilities against potential threats, risks, or attacks, revealing the gaps between the current defensive posture and the desired level of security.
SOC Maturity Assessment
Evaluates a company's Security Operations Center (SOC) capabilities and processes to determine its maturity level in effectively handling security incidents and threats.
Threat Intelligence
"Data that is collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors." — CrowdStrike