Decider


A tool to help the cybersecurity community map threat actor behaviour to the MITRE ATT&CK framework. Decider helps make mapping quick and accurate through guided questions, a powerful search and filter function, and a cart function that lets users export results to commonly used formats.


Decider starts with a series of questions that help network defenders correctly identify adversary tactics, techniques, or sub-techniques. Users can filter queries to those relevant to their analysis to determine the best possible identification method. Once the mapping is accurate, users can:

  • Export results to tables, such as ATT&CK Navigator heatmaps.
  • Publish threat intelligence reports.
  • Identify and execute mitigation and/or detection procedures.
  • Prevent exploitation from occurring by identifying threats early.

For guidance on how to properly use Decider, see CISA's Decider Fact Sheet, video, and blog. CISA encourages analysts and incident responders to use the tool in conjunction with the recently updated Best Practices for MITRE ATT&CK® Mapping guide.