MITRE ATT&CK Incident Response: In Practice
RCCE students will learn the MITRE ATT&CK framework including enterprise, mobile, and ICS matrices, tactic and technique mapping, sub-technique analysis, and practical ATT&CK application. RCCE students will learn to navigate the ATT&CK framework, map observed adversary behavior to ATT&CK techniques, use ATT&CK for detection gap analysis, develop detection rules aligned to ATT&CK techniques, produce ATT&CK-based threat assessments, leverage ATT&CK Navigator for coverage visualization, integrate ATT&CK into threat intelligence workflows, and use ATT&CK evaluations to compare security product effectiveness.

This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Starting from foundational concepts, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- SOC Analysts and Incident Responders
- Detection Engineers and SIEM Content Authors
- Threat Hunters improving adversary coverage
- Security Operations Team Leads
- Professionals implementing MITRE ATT&CK Incident Response: In Practice
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for learning objectives
- Explain Framework Overview fundamentals
- Execute hands-on tasks for core purpose — covering Common language for threat description.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for cloud, network,
- Execute hands-on tasks for answer: what is the goal? — covering Techniques (HOW).
- Execute hands-on tasks for answer: what specific variant? — covering Example Chain:.
- Execute hands-on tasks for data sources — covering Represent categories of telemetry.
- Execute hands-on tasks for data components — covering Granular observable within a source.
- Execute hands-on tasks for matrix view
- Execute hands-on tasks for group profiles — covering Technique Pages.
| Module | Title |
|---|---|
| Module 01 | Structured Detection, Mapping, and Response Using the ATT&CK Framework |
| Module 02 | Learning Objectives |
| Module 03 | Framework Overview |
| Module 04 | Core Purpose |
| Module 05 | ATT&CK Matrix Architecture |
| Module 06 | Cloud, Network, |
| Module 07 | Answer: What is the goal? |
| Module 08 | Answer: What specific variant? |
| Module 09 | Data Sources |
| Module 10 | Data Components |
| Module 11 | Matrix View |
| Module 12 | Group Profiles |
| Module 13 | ATT&CK Navigator Overview |
| Module 14 | Navigator Workflow |
All hands-on labs run on Rocheston Rose X OS. Students practice MITRE ATT&CK Incident Response: In Practice by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Build detections and response workflows for privilege escalation
- Lab 2: Execute hands-on tasks for learning objectives
- Lab 3: Explain Framework Overview fundamentals
- Lab 4: Execute hands-on tasks for core purpose
- Lab 5: Design a scalable privilege management architecture with policy and enforcement
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for MITRE ATT&CK Incident Response: In Practice, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI