As cloud adoption accelerates, AWS environments have become an attractive target for threat actors, whether through misconfigurations, compromised credentials or exploitation of overly permissive access. For an AWS-centric MSSP, deep visibility into adversary behavior is essential to delivering proactive detection and response for customers. That’s why the Threat Technique Catalog for AWS, released by AWS’s Customer Incident Response Team (CIRT) in partnership with MITRE, is such a critical resource.

What Is the Threat Technique Catalog for AWS?

The Threat Technique Catalog for AWS (TTC) is a curated matrix of observed adversarial tactics and techniques specifically for AWS environments. It builds on the well-known MITRE ATT&CK framework but with AWS-specific refinements and new techniques that capture how threat actors behave in real incidents on cloud infrastructure.

Key characteristics of the catalog:

  • Grounded in real incidents: Techniques are derived from actual events handled by AWS CIRT.
  • AWS service focus: Each technique can be filtered by the AWS service(s) it impacts (e.g., IAM, S3, EC2).
  • Combines MITRE and AWS-specific TTPs: Some techniques come straight from MITRE ATT&CK Cloud while others are new to capture unique AWS behaviors.

This makes the catalog a practical tool for AWS defenders, bridging high-level adversary behavior with actionable detection signals.

Why This Matters for AWS-focused MSSPs

1. Common Language Across Teams and Tools

MSSPs operate in a complex ecosystem of tools, security controls and cloud services. The TTC provides a common vocabulary (based on the MITRE ATT&CK framework) so teams can describe adversary actions in a consistent, structured way. This improves collaboration between:

  • Detection engineers
  • Threat hunters
  • SOC analysts
  • Incident responders

It also helps in conversations with customers to explain what was detected and why it matters.

2. Improved Detection Quality and Coverage

Mapping detection rules to specific threat techniques forces clarity about what you are trying to observe. Instead of vague or generic alerts (e.g., “suspicious API usage detected”), a detection can target a behavior such as Discovery via Cloud Storage Enumeration (T1619.A001). Because a rule mapped to the TTC describes a specific behavior rather than a generic signal, it is easier to tune, produces less noise, and its alerts carry more confidence that they represent genuine adversary activity rather than benign cloud operations.
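As an added illustration of what a technique-mapped rule looks like in practice (this is example code written for this post, not RedBear’s production rule), the block below implements an S3 enumeration detection over a handful of constructed CloudTrail records and tags its alerts with T1619.A001, the ID cited above. The rule ID, thresholds and principal ARNs are hypothetical. The rule fires only when one principal calls ListBuckets and then lists objects in several distinct buckets within a short window, so a deploy role reading its own bucket stays quiet while a principal walking the account’s buckets does not.

```python
"""Detection-as-code: S3 enumeration rule tagged to a catalog technique.

Added example, not RedBear's production rule. T1619.A001 is the technique ID
cited in the post; the rule ID, thresholds and CloudTrail records below are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RULE_ID = "RB-S3-ENUM-001"      # hypothetical rule identifier
TECHNIQUE = "T1619.A001"        # catalog technique this rule is mapped to
LIST_BUCKETS = "ListBuckets"    # management event, always recorded by CloudTrail
# ListObjects/ListObjectsV2 are S3 *data* events: CloudTrail only records them
# if data-event logging is enabled for the bucket or trail.
LIST_OBJECTS = {"ListObjects", "ListObjectsV2"}


@dataclass(frozen=True)
class Alert:
    rule_id: str
    technique: str
    principal: str
    buckets: tuple


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_s3_enumeration(events, min_buckets=3, window=timedelta(minutes=10)):
    """Fire once per principal that calls ListBuckets and then lists objects in
    at least `min_buckets` distinct buckets inside `window` of that call."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "s3.amazonaws.com":
            by_principal[ev["userIdentity"]["arn"]].append(ev)

    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=_ts)
        for i, ev in enumerate(evs):
            if ev["eventName"] != LIST_BUCKETS:
                continue
            buckets = set()
            for later in evs[i + 1:]:
                if _ts(later) - _ts(ev) > window:
                    break  # events are sorted, so nothing further is in-window
                if later["eventName"] in LIST_OBJECTS:
                    buckets.add(later["requestParameters"]["bucketName"])
            if len(buckets) >= min_buckets:
                alerts.append(Alert(RULE_ID, TECHNIQUE, principal, tuple(sorted(buckets))))
                break  # one alert per principal per run
    return alerts


def _ev(t, name, arn, bucket=None):
    """Build a trimmed CloudTrail record (constructed sample data)."""
    ev = {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": arn}, "requestParameters": {}}
    if bucket:
        ev["requestParameters"]["bucketName"] = bucket
    return ev


CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
SUSPECT = "arn:aws:iam::111122223333:user/contractor-temp"

SAMPLE_EVENTS = [
    # Benign: a deploy role lists buckets, then reads the one bucket it owns.
    _ev("2024-05-01T10:00:01Z", "ListBuckets", CI),
    _ev("2024-05-01T10:00:02Z", "ListObjectsV2", CI, "build-artifacts-111122223333"),
    # Suspicious: a user lists buckets, then walks four of them within two minutes.
    _ev("2024-05-01T10:05:00Z", "ListBuckets", SUSPECT),
    _ev("2024-05-01T10:05:10Z", "ListObjectsV2", SUSPECT, "finance-reports"),
    _ev("2024-05-01T10:05:30Z", "ListObjectsV2", SUSPECT, "customer-exports"),
    _ev("2024-05-01T10:06:15Z", "ListObjects", SUSPECT, "hr-backups"),
    _ev("2024-05-01T10:07:00Z", "ListObjectsV2", SUSPECT, "terraform-state"),
    # Same user an hour later, outside the window: not counted toward the burst.
    _ev("2024-05-01T11:30:00Z", "ListObjectsV2", SUSPECT, "logs-archive"),
]

if __name__ == "__main__":
    for a in detect_s3_enumeration(SAMPLE_EVENTS):
        print(f"[{a.rule_id}] {a.technique}: {a.principal} enumerated {len(a.buckets)} buckets")
```

Two practical caveats: the object-listing calls are S3 data events, so the rule is blind unless data-event logging is enabled on the trail, and the threshold and window are the tuning knobs a detection engineer adjusts per customer rather than fixed values.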

3. Prioritization Based on Likelihood and Impact

AWS CIRT’s catalog is built from techniques observed in the wild, giving MSSPs the ability to focus on high-impact, real-world adversary behavior. That means:

  • Hunting for techniques that have historically led to compromise
  • Prioritizing rules that cover lateral movement and persistence
  • Tuning or retiring noisy, low-value signals that do not map to any catalog technique

Mapping RedBear’s MSSP Detection Rules to the Catalog

Unlocking the value of the catalog requires operationalizing it. At RedBear we define our detection rules as code. Every rule is tagged with the appropriate technique(s) from MITRE ATT&CK and/or the TTC. Hunting campaigns, whether scheduled or ad hoc, are designed around the catalog’s tactics and techniques (e.g., Persistence, Defense Evasion). When new techniques are added to the catalog, we review our coverage to confirm we can detect them. Because the tags live alongside the rules, we can programmatically demonstrate coverage from the rules that are actually running.
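The coverage computation described above, written out as an added example (this is illustrative code for this post, not RedBear’s tooling): each rule carries its technique tags, and a small script folds those tags against the catalog to produce a per-tactic heat map, a gap list, and a list of stale tags that point at nothing in the catalog. The catalog here is a constructed stand-in of a few real ATT&CK IDs plus the T1619.A001 entry cited in this post, not the full Threat Technique Catalog; the rule IDs are hypothetical.

```python
"""Coverage of tagged detection rules against the catalog.

Added example, not RedBear's tooling. The catalog below is a small constructed
stand-in: the ATT&CK IDs are real, T1619.A001 is the ID cited in this post,
but the set is illustrative, not the full Threat Technique Catalog.
Rule IDs are hypothetical.
"""
from collections import OrderedDict

# Catalog subset: technique ID -> (tactic, name). ATT&CK Cloud entries and an
# AWS-specific refinement sit side by side, as they do in the catalog itself.
CATALOG = {
    "T1078.004":  ("Initial Access",    "Valid Accounts: Cloud Accounts"),
    "T1098.003":  ("Persistence",       "Account Manipulation: Additional Cloud Roles"),
    "T1136.003":  ("Persistence",       "Create Account: Cloud Account"),
    "T1562.008":  ("Defense Evasion",   "Impair Defenses: Disable or Modify Cloud Logs"),
    "T1552.005":  ("Credential Access", "Unsecured Credentials: Cloud Instance Metadata API"),
    "T1580":      ("Discovery",         "Cloud Infrastructure Discovery"),
    "T1619":      ("Discovery",         "Cloud Storage Object Discovery"),
    "T1619.A001": ("Discovery",         "Cloud Storage Enumeration (AWS-specific)"),
    "T1530":      ("Collection",        "Data from Cloud Storage"),
    "T1496":      ("Impact",            "Resource Hijacking"),
}

# Rules-as-code metadata: each rule declares the technique(s) it detects.
RULES = [
    {"id": "RB-S3-ENUM-001",       "techniques": ["T1619.A001"]},
    {"id": "RB-IAM-NEWROLE-002",   "techniques": ["T1098.003"]},
    {"id": "RB-CT-STOPLOGGING-003","techniques": ["T1562.008"]},
    {"id": "RB-IMDS-CREDS-004",    "techniques": ["T1552.005"]},
    {"id": "RB-S3-BULKGET-005",    "techniques": ["T1530", "T1619"]},
    {"id": "RB-OLD-006",           "techniques": ["T1000.999"]},  # stale tag, not in catalog
]


def tagged_techniques(rules):
    return {t for r in rules for t in r["techniques"]}


def coverage_by_tactic(rules, catalog):
    """Return {tactic: (covered, total)} in catalog order (exact-match tags)."""
    tagged = tagged_techniques(rules)
    out = OrderedDict()
    for tid, (tactic, _name) in catalog.items():
        cov, tot = out.get(tactic, (0, 0))
        out[tactic] = (cov + (tid in tagged), tot + 1)
    return out


def uncovered(rules, catalog):
    """Catalog techniques with no running rule tagged to them: the hunting backlog."""
    tagged = tagged_techniques(rules)
    return sorted(t for t in catalog if t not in tagged)


def stale_tags(rules, catalog):
    """Tags that point at nothing in the catalog: rules whose mapping has drifted."""
    return sorted((r["id"], t) for r in rules for t in r["techniques"] if t not in catalog)


def heat_map(rules, catalog):
    """Text heat map: one row per tactic, '#' covered, '.' uncovered."""
    rows = []
    for tactic, (cov, tot) in coverage_by_tactic(rules, catalog).items():
        bar = "#" * cov + "." * (tot - cov)
        rows.append(f"{tactic:<18}{bar:<6}{cov}/{tot}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(heat_map(RULES, CATALOG))
    print("gaps:", uncovered(RULES, CATALOG))
    print("stale:", stale_tags(RULES, CATALOG))
```

Running this in CI against the rule repository turns “do we cover the catalog?” into a failing check when a catalog update adds a technique no rule is tagged to, and the stale-tag list catches rules whose mapping was never updated after an ID changed. Whether a sub-technique tag should count toward its parent is a policy choice; this example uses exact matches.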

This tactic-first approach improves both the coverage and the relevance of our rules. The heat map below shows our current coverage against the Threat Technique Catalog: 100%, as it should be for an AWS-focused MSSP.

[Figure: RedBear AWS MITRE Threat Technique Catalog coverage heat map]

Wrapping up

The Threat Technique Catalog for AWS enables AWS MSSPs to turn raw telemetry and logs from AWS environments into meaningful, adversary-centric detections. By mapping detection rules to this catalog, MSSPs can:

✅ Improve clarity and consistency across detection logic
✅ Align SOC operations with observed real-world behavior
✅ Enable stronger hunting and automated threat detection

As threats evolve and cloud environments become increasingly complex, aligning defenses to a credible, community-driven threat catalog is no longer optional.

If you want to know more about RedBear’s MSSP or the MITRE ATT&CK framework, please contact us today.
