MITRE ATT&CK Operations Playbook
RCCE students will learn the MITRE ATT&CK framework, including the Enterprise, Mobile, and ICS matrices, tactic and technique mapping, sub-technique analysis, and practical application of ATT&CK in daily operations. Students will learn to navigate the framework, map observed adversary behavior to ATT&CK techniques, use ATT&CK for detection gap analysis, develop detection rules aligned to ATT&CK techniques, produce ATT&CK-based threat assessments, use ATT&CK Navigator to visualize coverage, integrate ATT&CK into threat intelligence workflows, and use ATT&CK Evaluations to compare security product effectiveness. This operations-focused course delivers production-ready playbooks, checklists, and standard operating procedures. Building on that core knowledge, students will learn to build repeatable day-to-day operational workflows that ensure consistency and quality. Students receive templates and frameworks they can customize and deploy immediately in their own security operations, reducing time to operational effectiveness.
- SOC Analysts and Incident Responders
- Detection Engineers and SIEM Content Authors
- Threat Hunters improving adversary coverage
- Security Operations Team Leads
- Professionals implementing an ATT&CK-based operations playbook
- Explain the MITRE ATT&CK framework fundamentals: tactics, techniques, sub-techniques, and the Enterprise, Mobile, and ICS matrices
- Explain why ATT&CK matters: a curated knowledge base of real-world TTPs that gives defenders and intelligence teams a common language for describing threats
- Describe how ATT&CK is maintained: MITRE publishes versioned releases on a regular cadence (major releases roughly twice a year), so mappings and Navigator layers must be pinned to a version
- Navigate the Enterprise, Mobile, and ICS matrices hands-on
- Map observed adversary behavior to techniques and sub-techniques
- Work the threat intel to behavior mapping to detection rule to coverage gap workflow end to end
- Build detections and response workflows for privilege escalation, and identify detection gaps with ATT&CK Navigator
- Build repeatable SOPs and playbooks for day-to-day operational workflows
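The threat intel to behavior mapping to detection rule to coverage gap workflow, and the gap identification in Navigator, can be scripted. The following is an added example, not Rocheston course material or a Rocheston tool: it compares a set of observed techniques against the ATT&CK tags on a detection-rule inventory and emits an ATT&CK Navigator layer that colours each technique covered, partial, or gap. The technique IDs are real Enterprise ATT&CK IDs; the observations, the rule names, and the ATT&CK/Navigator version numbers in the layer header are constructed assumptions. A sub-technique for which only the parent technique is tagged is reported as partial rather than covered, because a rule written for the parent cannot be assumed to fire on that specific sub-technique.

```python
"""Coverage-gap check: compare observed adversary techniques against the
ATT&CK technique tags on a detection-rule inventory, then emit an ATT&CK
Navigator layer that colours each technique covered / partial / gap.

Example code added to this course page, not Rocheston course material.
The technique IDs are real Enterprise ATT&CK IDs; the observations, rule
names and Navigator version numbers are constructed assumptions."""
import json
import re

# Constructed: observations from a threat-intel report, already mapped to IDs.
OBSERVED = {
    "T1059.001": "PowerShell launched with an encoded command to stage a loader",
    "T1053.005": "Scheduled task created to relaunch the loader at logon",
    "T1548.002": "UAC bypass to obtain an elevated token",
    "T1003.001": "LSASS process memory dumped",
    "T1078.002": "Domain account reused from another host",
    "T1134.001": "Token impersonation to reach SYSTEM",
}

# Constructed: detection rule inventory, rule name -> ATT&CK tags on the rule.
RULES = {
    "win_powershell_encoded_command": ["T1059.001"],
    "win_schtasks_create": ["T1053.005"],
    "win_lsass_memory_access": ["T1003.001"],
    "win_valid_accounts_anomaly": ["T1078"],  # tagged at parent level only
}

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
SCORE = {"covered": 2, "partial": 1, "gap": 0}
COLOR = {"covered": "#8ec843", "partial": "#ffe766", "gap": "#ff6666"}


def tagged_techniques(rules):
    """Set of every technique ID tagged on any rule; rejects malformed IDs."""
    tags = set()
    for name, ids in rules.items():
        for tid in ids:
            if not TECH_ID.match(tid):
                raise ValueError(f"rule {name!r} has malformed technique ID {tid!r}")
            tags.add(tid)
    return tags


def coverage(observed, rules):
    """Map each observed technique to 'covered', 'partial' or 'gap'.

    'partial' is a sub-technique for which only the parent technique is
    tagged: a rule written for T1078 in general cannot be assumed to fire
    on T1078.002 specifically, so it is surfaced rather than counted."""
    tags = tagged_techniques(rules)
    status = {}
    for tid in observed:
        if not TECH_ID.match(tid):
            raise ValueError(f"malformed observed technique ID {tid!r}")
        if tid in tags:
            status[tid] = "covered"
        elif "." in tid and tid.split(".")[0] in tags:
            status[tid] = "partial"
        else:
            status[tid] = "gap"
    return status


def gaps(observed, rules):
    """Sorted list of observed techniques that are not fully covered."""
    return sorted(t for t, s in coverage(observed, rules).items() if s != "covered")


def navigator_layer(observed, rules, name="Detection coverage vs observed TTPs"):
    """Build an ATT&CK Navigator layer (layer format 4.x) from the coverage result."""
    status = coverage(observed, rules)
    techniques = [
        {
            "techniqueID": tid,
            "score": SCORE[st],
            "color": COLOR[st],
            "comment": f"{st}: {observed[tid]}",
            "enabled": True,
            "showSubtechniques": True,
        }
        for tid, st in sorted(status.items())
    ]
    return {
        "name": name,
        # Assumption: adjust to the ATT&CK and Navigator versions actually deployed.
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Constructed example: observed TTPs scored by detection coverage",
        "techniques": techniques,
        "legendItems": [{"label": k, "color": v} for k, v in COLOR.items()],
    }


if __name__ == "__main__":
    print("gaps to address:", gaps(OBSERVED, RULES))
    print(json.dumps(navigator_layer(OBSERVED, RULES), indent=2))
```

Save the printed JSON to a file and open it in ATT&CK Navigator with Open Existing Layer; the red cells are the gaps to prioritize, the yellow cells are sub-techniques where only a parent-level rule exists and should be validated with a test rather than counted as covered. Pin the `versions.attack` value to the ATT&CK release your rule inventory was mapped against, because technique IDs can be deprecated or revoked between releases.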
| Module 01 | MITRE ATT&CK Operations Playbook: Course Introduction |
| Module 02 | Framework Navigation: Enterprise, Mobile, and ICS Matrices |
| Module 03 | Adversary Behavior Mapping |
| Module 04 | Detection Engineering |
| Module 05 | Operational Workflows |
| Module 06 | MITRE ATT&CK Framework Overview |
| Module 07 | Threat Intel: Extracting Observed Behaviors |
| Module 08 | Behavior Mapping: From Observations to Techniques |
| Module 09 | Detection Rule: Technique-Aligned Content |
| Module 10 | Coverage Gap: Analysis with ATT&CK Navigator |
| Module 11 | Why ATT&CK Matters: A Curated Knowledge Base and Common Language |
| Module 12 | Release Cadence: How MITRE Versions and Updates ATT&CK |
| Module 13 | Core Concepts |
| Module 14 | Origins of ATT&CK: MITRE's Fort Meade Experiment |
All hands-on labs run on Rocheston Rose X OS. Students practice the MITRE ATT&CK Operations Playbook by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Orientation to the MITRE ATT&CK Operations Playbook lab environment
- Lab 2: Framework navigation across the Enterprise, Mobile, and ICS matrices
- Lab 3: Mapping observed adversary behavior to techniques and sub-techniques
- Lab 4: Building detections and response workflows for privilege escalation
- Lab 5: Building repeatable SOPs and playbooks for operational workflows
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for MITRE ATT&CK Operations Playbook, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI