Procurement processes slow down when systems don’t connect. Manual ordering, fragmented status updates, and disconnected asset data can create delays, increase effort, and limit visibility across the organization. For enterprises standardizing on ServiceNow^®, those inefficiencies are especially apparent when procurement happens outside of existing workflows.

How SHI^® NowConnect helps

Twenty-nine minutes.

That’s the average time it takes a cybercriminal to move from an initial compromise to lateral movement across a network, according to CrowdStrike’s 2026 Global Threat Report. The fastest recorded breakout last year took 27 seconds. In one case, data exfiltration began within four minutes of initial access.

The window for detection and response has never been smaller, and it continues to shrink. The same report found that AI-enabled attack operations surged 89% year over year in 2025, while 82% of detections involved no malware at all. Attackers are logging in with stolen credentials, abusing trusted tools, and blending into normal network activity. Traditional signature-based defenses can’t keep pace with adversaries who don’t look like adversaries.

Security teams need a framework built around attacker behavior rather than static indicators. The MITRE ATT&CK framework provides exactly that. Putting it to work starts with understanding what today’s attackers are actually doing once they’re inside your environment.

What is ATT&CK?

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. Created by MITRE in 2013, the framework is a free, globally accessible knowledge base that documents how real-world attackers operate. It catalogs specific tactics (the why behind an action), techniques (the how), and procedures (the step-by-step execution) that threat actors use across every stage of an intrusion.

The Enterprise matrix alone, as of the October 2025 v18 release, contains 14 tactics, 216 techniques, and 475 sub-techniques. MITRE also maintains separate matrices for Mobile and Industrial Control Systems (ICS), reflecting how attack surfaces have expanded into mobile devices, IoT, and embedded systems.

Think of ATT&CK as the attacker’s playbook, but in the defender’s hands. Adversaries chain together multiple behaviors across different phases of an intrusion. Each phase consists of a tactic supported by a set of techniques, carried out through specific procedures. That layering is where the acronym TTP comes from: tactics, techniques, and procedures.

The v18 release also overhauled the framework’s defensive side, replacing traditional detection entries with Detection Strategies and Analytics. This version provides more actionable, structured guidance on how to catch attacker behaviors in real environments, not just catalog them.

What is the pyramid of pain?

Not all threat indicators carry equal weight. David Bianco’s Pyramid of Pain captures this well.

At its base sit hash values and IP addresses. Easy to detect, but just as easy for attackers to rotate. Move higher through domain names, network artifacts, and tools, and you start making the attacker’s job harder. They have to retool, rebuild infrastructure, and invest more time.

At the apex are TTPs. When your defenses detect and respond to behavior rather than static indicators, the attacker’s entire playbook breaks down. They can’t just swap a file hash or rotate a domain. They must rethink their entire approach, and most threat actors, outside of well-funded nation-state groups, either can’t or won’t do that.

ATT&CK gives security teams a structured way to build detections at the top of that pyramid, where they do the most damage to an adversary’s operations.

Four ways security teams put ATT&CK to work

ATT&CK provides a common vocabulary for sharing threat information and building detection and response procedures. Security teams typically apply it in four ways:

1. Threat intelligence: Map the tactics and techniques adversaries actively use against your industry to anticipate threats before they arrive.
2. Detection and analytics: Build detection rules around specific ATT&CK techniques. The v18 framework now includes structured Detection Strategies and Analytics to support this directly.
3. Adversary emulation and purple teaming: Replicate real attacker TTPs and test whether your defenses catch them. Red teams chain techniques across tactics to probe for weaknesses; blue teams use the same framework to validate their response.
4. Assessment and engineering: Evaluate how current defenses stack up against ATT&CK techniques, identify coverage gaps, and prioritize investments.

Where to start when the framework feels overwhelming

Hundreds of techniques, thousands of analytics, dozens of threat groups. The instinct is to try to cover everything. Resist it. The organizations that get the most from ATT&CK start with their own environment and work outward.

1. Know yourself. Identify your most valuable assets, where sensitive data resides, how it flows, and where attackers would focus. That turns hundreds of techniques into a manageable set of priorities.
2. Avoid analysis paralysis. Focus on the techniques most relevant to your industry, infrastructure, and likely threat actors. A financial services firm and a healthcare system face overlapping but distinct profiles, and their ATT&CK priorities should reflect that.
3. Consider levels of difficulty. Some techniques require more sophisticated tooling or expertise to detect. Align your list with your team’s current capabilities. Build wins early, then expand.
4. Confirm your data sources. A detection is only as good as the telemetry behind it. Start with the data sources you already have, maximize the detections you can build from those, and use the gaps to guide future investments.
5. Evaluate solutions that help you automate. Many leading security vendors integrate with ATT&CK, enabling SOC teams to incorporate threat intelligence directly into their workflows. Define your use cases and preferred capabilities before choosing tools.

This is not a one-time fix

One of the most common mistakes with ATT&CK is treating it as a project rather than a process. You map your environment, build some detections, and check the box. But the threat landscape doesn’t sit still, and neither does the framework.

Patching alone remains one of the most persistent challenges across organizations of every size. Modern environments span on-premises infrastructure, cloud workloads, SaaS applications, and third-party integrations, and no team can address every vulnerability simultaneously. ATT&CK helps focus that effort, identifying where controls will have the greatest impact based on the behaviors attackers are most likely to use.

Security is always a balancing act between protection, cost, and business continuity. ATT&CK provides a structured way to make smarter decisions within that tension, but only if you treat it as a living practice rather than a one-and-done exercise.

Turning framework guidance into real-world defenses

ATT&CK tells you what good security practices look like. It doesn’t tell you which solutions to deploy, how to configure them, or whether your current setup aligns with the controls it recommends. That’s where SHI comes in.

Our cybersecurity practice helps organizations connect ATT&CK’s guidance to the technology, people, and processes required to act on it.

Whether you need identity and access management, application security, data-centric protection, cloud and network security, threat and vulnerability management, or program strategy and operations, our experts can assess the current state, recommend solutions, and validate that implementations work as intended.

Some come with a specific gap to close; others want a comprehensive assessment against ATT&CK, NIST 800-53, or industry-specific requirements like HIPAA, PCI, or SEC guidelines. Either way, we work across the full lifecycle, including advisory, solution design, implementation, and testing.

Cybersecurity is a three-legged stool: technology, people, and process. ATT&CK gives you the blueprint. SHI helps you build the stool.

The attackers are faster. Your response must be as well

The average breakout time has collapsed from hours to minutes. Most intrusions occur without a single identifiable piece of malware. ATT&CK won’t solve all of that on its own, but it gives security teams a structured, behavior-based approach to building defenses that match today’s threat actors’ speed and sophistication.

The attackers aren’t going to slow down. Your defenses shouldn’t either.

NEXT STEPS

Want to know where your security gaps are? Connect with our cybersecurity team to assess your environment against the ATT&CK framework and build a plan to close them.

Federal agencies are modernizing faster than they have in years. Legacy systems are being replaced, more services are moving online, and technology is reshaping how everyday work gets done across core mission areas.

But modernization alone is not success. Agencies increasingly need to show whether digital transformation investments are improving mission outcomes, customer experience (CX), service delivery, and operational resilience.

Recent oversight reviews, including the Government Accountability Office (GAO) 2025 High-Risk Series, highlight a familiar issue: Agencies are modernizing but often struggle to clearly explain how they measure results. In many cases, agencies don’t define success upfront. Instead, leaders are left pulling together metrics later, often during audits, budget reviews, or oversight discussions, when the stakes are already high.

At the same time, expectations have changed. Government-wide CX reporting, updated performance guidance, and increased scrutiny from the Office of Management and Budget (OMB) and GAO mean agencies need clearer, more consistent ways to show progress.

Meeting those expectations requires moving beyond activity-based reporting and focusing on outcomes agencies can explain with confidence.

So, what should agencies be measuring?

Most agencies already collect a wide range of performance data. The harder question is which measures actually help leaders understand whether modernization is working and which ones help them explain progress clearly to stakeholders.

The five areas below reflect SHI’s perspective on the measurement areas that matter most when evaluating digital transformation.

1. Mission-essential functions (MEFs)

Effective digital transformation starts with the mission. In the federal government, mission-essential functions (MEFs) are the activities an agency must perform to carry out its responsibilities.

Key performance indicators (KPIs) should show how technology supports those functions. That means understanding which mission-critical activities rely on digital systems, where technology failures create risk, and whether modernization efforts are reducing that risk over time.

When KPIs are tied to mission outcomes, leaders can track progress year over year and clearly explain why specific investments matter. This also helps with prioritization. When agencies know which systems are critical to mission continuity, and which aging platforms create the most exposure, it becomes easier to decide what to modernize first.

Over time, mission-based measurement helps agencies show that digital transformation is strengthening mission delivery.

2. Customer experience (CX)

Customer experience offers a practical view into how digital services perform in the real world. Simply put, CX reflects how easy it is for people to complete a task, get an answer, or receive a service.

Federal CX frameworks break experience into measurable areas such as trust, ease, effectiveness, and employee helpfulness. These measures help agencies identify where services fall short and where digital friction affects outcomes.

In its 2025 review of federal CX oversight, GAO found that agencies with clearer, more accessible digital services were better positioned to demonstrate progress, while fragmented or unreliable service experiences remained a challenge. Aligning CX measures with Government Performance and Results Act (GPRA) reporting helps agencies connect service quality directly to performance goals.

CX metrics help agencies surface problems early. Drops in trust or usability tend to appear before backlogs, complaints, or compliance issues show up elsewhere. Agencies that treat CX data as an operational input, not just a reporting requirement, are better positioned to intervene before problems escalate.

When collected securely and consistently at key moments, such as account creation or form submission, CX data becomes a reliable indicator of overall service health.

3. Operational risk and reliability

Agencies often track operational modernization by activity, systems deployed, platforms migrated, and tools purchased. While those milestones matter, they do not show whether day-to-day operations are actually improving.

Across federal agencies, the same operational issues surface repeatedly in oversight findings: legacy system sprawl, growing technical debt, reliability challenges, and slow recovery from outages.

Measures such as the number of legacy systems still in use, technical debt reduced, system availability, and mean time to restore (MTTR) help shift the conversation from delivery milestones to operational reality. These metrics show whether modernization is simplifying environments or quietly adding complexity.

Agencies do not need to invent new measures. Reviewing GAO-documented challenges allows leaders to prioritize the right operational KPIs earlier and avoid known risks.

4. Cybersecurity

Cybersecurity is inseparable from digital transformation success. As agencies modernize, they need visibility into whether security and resilience are improving alongside new capabilities.

Metrics such as incident rates, dwell time, and response speed provide early insight into cyber risk. Tracking progress across zero trust areas, including identity, device visibility, and network segmentation, helps agencies assess whether security architectures are evolving in step with modernization efforts.

Cybersecurity weaknesses remain a persistent challenge across federal modernization efforts, particularly when transformation initiatives move faster than security integration. Agencies that include cybersecurity as a core measurement area are better positioned to address these gaps before they become mission‑impacting issues.

5. Budget and investment performance

Clear performance measures give agencies a credible way to explain what is working, what is improving, and why it matters.

In the federal government, performance data often becomes critical during budget and oversight reviews. OMB Circular A-11 sets expectations for how agencies reference performance in budget materials, while Performance.gov is where the American taxpayer can review agencies’ publicly reported high-level goals and progress. When KPIs are clearly defined and consistent with those expectations, agencies are better prepared for discussions with OMB, GAO, and internal leadership during budget formulation and execution reviews.

Programs supported by clear performance trends are easier to defend and easier to sustain. Instead of reacting to questions late in the process, leaders can point to consistent measures that show how modernization investments are improving outcomes.

Strong measurement also improves internal decision-making. When leaders trust the data, discussions shift toward action rather than debate. Transparency strengthens accountability while helping agencies tell a clearer story about how modernization supports long-term mission outcomes.

Why now is the moment to get KPIs right

Digital transformation is no longer optional across the federal government. Long-term success depends on how clearly agencies define outcomes and measure progress.

Well-designed, outcome-driven KPIs help agencies show that modernization investments are improving service delivery, strengthening resilience, and supporting mission outcomes. This approach aligns with guidance from the GSA Office of Shared Solutions and Performance Improvement, which emphasizes using performance data to improve transparency, inform decision-making, and demonstrate results across federal programs and services.

Agencies that invest early in measurement are better positioned to sustain funding, adapt to workforce changes, and maintain public trust.

How SHI can help

Turning digital transformation into measurable progress takes more than new technology. SHI helps federal agencies define what success looks like early — then puts the right technology, data, and processes in place to track progress over time.

We support federal agencies across the full modernization lifecycle, including:

• Defining and operationalizing KPIs that align mission, operational, CX, and cybersecurity measures.
• Modernizing and managing complex IT environments to reduce legacy system sprawl and improve reliability.
• Improving CX and service delivery through secure, accessible digital services.
• Strengthening cybersecurity and zero-trust efforts with measurable security outcomes.
• Optimizing IT asset management (ITAM) to reduce risk tied to aging applications and misaligned investments.

NEXT STEPS

If you are working to define meaningful KPIs or improve how your agency measures digital transformation progress, SHI’s federal government team can help. Connect with a specialist to discuss your mission, oversight requirements, and modernization goals.

Software management doesn’t sound like a high-stakes task, but with SAP licensing, it often is. Your SAP landscape continues to grow and evolve. All the while, you prepare for audits, renewals, or S/4HANA migration. Limited visibility into license usage and entitlements can lead to unnecessary costs and increased risk.

NEXT STEPS

The time is now to streamline and optimize your software licensing. Contact our SAP experts to get started or download our solution brief below to learn more.

Managing IBM software licenses is a complex task, and the risks of getting it wrong can be significant. Inaccurate inventory data, incomplete reporting, or misaligned processes can quickly lead to compliance gaps, audit exposure, and unnecessary costs. Running IBM software across VMware, Hyper‑V, or other virtual platforms makes maintaining confidence in IBM License Metric Tool (ILMT) data essential.

How SHI’s assessment can help

Managing Oracle Java across a modern enterprise can be challenging. Organizations often struggle to understand where Java is deployed, which versions are in use, and how changes to licensing models may affect internal planning and governance. Without accurate data, internal reviews, technology decisions, and lifecycle strategies become increasingly difficult to manage.

How SHI can help

Oracle Database and Middleware environments are critical to business operations, but are also among the most complex to manage. Licensing rules, contract structures, and compliance considerations become even more challenging in virtualized and hybrid infrastructures, where limited visibility can lead to uncertainty during audits, renewals, or Unlimited License Agreement (ULA) certifications.

How SHI can help

Broadcom’s acquisition of VMware has introduced significant changes to licensing constructs, subscription models, and product packaging. For many organizations, these shifts have added uncertainty to an already complex VMware environment — especially when it comes to renewals, budgeting, and long‑term infrastructure planning.

How SHI can help