With so many possible threats, it might seem daunting to understand how we can learn from our previous incidents, or incidents experienced by other organisations. Traditionally when threat intelligence has been focused on Indicators of compromise (IOCs) it can seem a daunting task to know how to get all that information and put it to good use. The thing is, IOCs are not everything, IOCs are ephemeral. They have a shelf life, and that shelf life can be very short in some instances. So a defence plan that focuses on ingesting IOCs and blocking them will never increase the maturity of a detect and respond capability. This is why MITRE ATT&CK was developed.