At DEF CON 32, Zara made an offhand comment that we should have a meme for every technique in the ATT&CK Enterprise matrix. Someone said "that's probably like two hundred." Someone else said "do it." This is the post-mortem.
Why ATT&CK Complete Coverage?
Security teams don't learn from compliance docs. They learn from war stories, from post-mortems, from the moment someone pastes a Slack message that makes the whole channel go quiet in recognition. We've always believed that a well-constructed meme communicates the essential truth of a technique faster than three paragraphs of documentation.
T1059 — Command and Scripting Interpreter — is funnier than T1078 — Valid Accounts — not because PowerShell abuse is inherently more absurd than credential stuffing, but because everyone in security has a PowerShell story. Coverage means meeting defenders where their scars are.
The Numbers
- 198 techniques covered across 14 tactics
- ~6,000 AI generation calls to reach the final 198 (we rejected a lot)
- ~40% of first-pass generations were flagged by our quality filter
- 3 techniques that took 20+ attempts to get right (T1562.001, T1036.005, T1071.004)
- 1 meme that our CISO banned and then un-banned after a security review (T1003 — we won't say which variant)
What Makes a Good ATT&CK Meme
This is harder to answer than you'd think. Our quality filter (a combination of human review and an LLM scoring pass) looks for four properties:
Technical accuracy. The top text and bottom text have to represent something that actually happens. We threw out dozens of generations that were funny but wrong — the equivalent of a SQL injection meme that had the wrong payload format.
Recognition without explanation. The best memes don't need a footnote. If you need to understand the technique before the punchline lands, we regenerate. The goal is instant recognition — the kind that makes a senior analyst say "oh god yes" unprompted.
Appropriate absurdity. Some techniques are inherently dark — ransomware, data destruction, denial of service. We lean into the absurdity rather than the horror. The defender-as-protagonist framing helps: the meme acknowledges pain without wallowing in it.
Reusability. The best ATT&CK memes get posted in Slack, dropped into incident reports, and used in security awareness presentations. Generic enough to be universal, specific enough to mean something.
The Three Techniques That Broke Us
T1562.001 — Disable or Modify Tools. The problem: everyone has experienced this, but the experience is usually "the EDR just stopped logging." Hard to meme nothing happening. We eventually landed on a "surprised Pikachu face" framing: attacker disables your AV, SIEM notices five days later.
T1036.005 — Match Legitimate Name or Location. Masquerading is technically precise but visually boring. The breakthrough was framing it from the EDR's perspective: "svchost.exe in a temp folder" vs. "I'll allow it." Twenty-second generation on attempt 23.
T1071.004 — Application Layer Protocol: DNS. DNS exfiltration is security community folklore at this point, but the LLM kept generating technically correct but spiritually empty memes. The fix was adding explicit context in our prompt about the "DNS as a covert channel" trope and why it's funny. It worked on the next attempt.
Prompt Engineering for Meme Quality
The core of our generation pipeline is a structured prompt that includes:
System: You are a security expert writing meme captions for information security professionals.
Your audience: SOC analysts, penetration testers, red teamers, and cloud security engineers.
They have 5-10 years of experience and will notice technical errors.
Context for this technique:
- Technique: {technique_name} ({technique_id})
- Tactic: {tactic}
- Description: {technique_description}
- Common real-world occurrence: {example_scenario}
Format: Two short lines in ALL CAPS — a setup and a punchline.
The setup should establish a recognizable security scenario.
The punchline should be the relatable, slightly painful truth.
Maximum 12 words per line. Impact font will be applied.
The key insight was adding example_scenario — a 1-2 sentence description of a real-world occurrence of the technique, pulled from our threat intelligence data. Generations with concrete scenarios scored 47% higher on our quality filter than generations with only the MITRE description.
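To make the pipeline shape concrete, here is an added example (not the project's own code) of the two mechanical pieces around the prompt above: filling the template from a technique record, and checking a returned caption against the stated format rules (exactly two lines, ALL CAPS, at most 12 words per line) before it reaches human or LLM scoring. The Technique dataclass, the function names, and the T1562.001 sample scenario and caption are all constructed for this illustration; the ATT&CK ID pattern check is an addition, there to catch a malformed or missing ID before a prompt is spent on it.

```python
"""Prompt construction and caption format checks for an ATT&CK meme pipeline.

Added example; the pipeline described in the post is not published, so the
names here (Technique, build_prompt, validate_caption) are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_WORDS_PER_LINE = 12

# ATT&CK Enterprise technique IDs: T + four digits, optional .NNN sub-technique.
ATTACK_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# The structured prompt from the post, with the max-words value parameterised.
PROMPT_TEMPLATE = """System: You are a security expert writing meme captions for information security professionals.
Your audience: SOC analysts, penetration testers, red teamers, and cloud security engineers.
They have 5-10 years of experience and will notice technical errors.

Context for this technique:
- Technique: {technique_name} ({technique_id})
- Tactic: {tactic}
- Description: {technique_description}
- Common real-world occurrence: {example_scenario}

Format: Two short lines in ALL CAPS - a setup and a punchline.
The setup should establish a recognizable security scenario.
The punchline should be the relatable, slightly painful truth.
Maximum {max_words} words per line. Impact font will be applied."""


@dataclass(frozen=True)
class Technique:
    """One ATT&CK technique record; example_scenario is the field the post found decisive."""
    technique_id: str
    technique_name: str
    tactic: str
    technique_description: str
    example_scenario: Optional[str] = None


def build_prompt(t: Technique) -> str:
    """Fill the template; refuse records that would produce a weak or broken prompt."""
    if not ATTACK_ID_RE.match(t.technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {t.technique_id!r}")
    if not t.example_scenario:
        # The post reports 47% better scores with a concrete scenario, so treat
        # its absence as a data problem rather than silently generating without it.
        raise ValueError(f"{t.technique_id}: example_scenario is required")
    return PROMPT_TEMPLATE.format(
        technique_name=t.technique_name,
        technique_id=t.technique_id,
        tactic=t.tactic,
        technique_description=t.technique_description,
        example_scenario=t.example_scenario,
        max_words=MAX_WORDS_PER_LINE,
    )


def validate_caption(text: str) -> List[str]:
    """Return the list of format violations; an empty list means the caption passes.

    This is only the cheap, deterministic part of a quality filter: it cannot judge
    technical accuracy or humour, but it rejects output that cannot be rendered.
    """
    problems: List[str] = []
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 2:
        problems.append(f"expected 2 lines, got {len(lines)}")
    for i, ln in enumerate(lines, 1):
        words = ln.split()
        if len(words) > MAX_WORDS_PER_LINE:
            problems.append(f"line {i}: {len(words)} words (max {MAX_WORDS_PER_LINE})")
        # Digits and punctuation are fine; any lowercase letter is not.
        if ln != ln.upper():
            problems.append(f"line {i}: not ALL CAPS")
    return problems


# Constructed sample record for T1562.001 (scenario text is made up for this example).
SAMPLE = Technique(
    technique_id="T1562.001",
    technique_name="Disable or Modify Tools",
    tactic="Defense Evasion",
    technique_description="Adversaries may modify or disable security tools to avoid detection.",
    example_scenario="An intruder stops the endpoint agent service; the gap is only noticed "
                     "when the SIEM's host-inventory report shows the machine went silent.",
)

# Constructed caption, in the shape the post describes for its T1562.001 meme.
SAMPLE_CAPTION = "ATTACKER DISABLES YOUR AV\nSIEM NOTICES FIVE DAYS LATER"

if __name__ == "__main__":
    print(build_prompt(SAMPLE))
    print("violations:", validate_caption(SAMPLE_CAPTION))
```

Running the module prints the filled prompt and an empty violation list for the sample caption; a caption with a lowercase line, a third line, or a 13-word line comes back with one entry per rule broken, which is what you want to log per attempt when a technique takes 20+ generations.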
What's Next
We're working on sub-technique coverage for the most common variants, starting with T1059 (nine sub-techniques, nine memes, all of them about PowerShell or the attempt to not use PowerShell). We're also building a "request a technique" feature so the community can surface the specific coverage they want.
If you want to browse the complete ATT&CK coverage, it's all filterable by tactic in the gallery. If you want to generate your own, the API is open — T1566 meme generation is particularly popular on Mondays for reasons we don't need to investigate.