MITRE Shield will be retired on October 18th in favor of MITRE Engage.

User Training

Train users how to detect malicious intent or activity, how to report it, etc.

User training involves teaching end users to be human sensors who know how to recognize cyber threats and the procedures for reporting them. Users can be effective sensors for social engineering attempts, phishing emails, and other cyber threats.

ID: DTE0035
Tactics: Detect, Disrupt


Opportunities

DOS0018 Users trained and encouraged to report phishing can detect attacks that other defenses do not.
DOS0091 Users trained and encouraged to report unsolicited application authorization requests can detect attacks that other defenses do not.
DOS0131 There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.

Use Cases

DUC0018 A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.
DUC0091 A program to train users on how to recognize and report third-party applications requesting authorization can create "Human Sensors" that help detect application token theft.
DUC0236 A program to train users to report emails that they did not send but that appear in their sent folder.


Procedures

DPR0061 Train users to immediately report suspicious emails. Those emails could then be used for malware detonation or adversary engagement purposes.
DPR0062 Train users to report potentially compromised devices so they can be isolated or migrated into deception networks.

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1528 | Steal Application Access Token | Credential Access
T1534 | Internal Spearphishing | Lateral Movement
T1566 | Phishing | Initial Access
T1585 | Establish Accounts | Resource Development
T1586 | Compromise Accounts | Resource Development
T1598 | Phishing for Information | Reconnaissance