The MITRE ATT&CK Evaluations have entered unexpected choppy waters. Several of the cybersecurity industry’s largest platform vendors have opted out this year, each using the same language about “resource prioritization” and “customer focus”. When multiple leaders step back at once, it raises some hard questions. Is this really about resourcing, or about avoiding scrutiny? Or is it the slow unraveling of a bellwether and much-loved institution?

Speculation is rife; some suggest these giants are wary of being outshone by newer challengers; other believe it reflects uncertainty inside MITRE itself. Whatever the case, the exits have forced a reckoning: does ATT&CK still matter? At Databahn, we believe it does – but only if it evolves into something greater than it is today.

What is MITRE ATT&CK and why it matters

MITRE ATT&CK was born from a simple idea: if we could catalog the real tactics and techniques adversaries use in the wild, defenders everywhere could share a common language and learn from each other. Over time, ATT&CK became more than a knowledge base – it became the Rosetta Stone of modern cybersecurity.

The Evaluations program extended that vision. Instead of relying on vendor claims or glossy datasheets, enterprises could see how different tools performed against emulated threat actors, step by step. MITRE never crowned winners or losers; it simply published raw results, offering a level playing field for interpretation.

That transparency mattered. In an industry awash with noise and marketing spin, ATT&CK Evaluations became one of the few neutral signals that CISOs, SOC leaders, and practitioners could trust. For many, it was less about perfect scores and more about seeing how a tool behaved under pressure – and whether it aligned with their own threat model.

The Misuse and the Criticisms

For years, ATT&CK Evaluations were one of the few bright spots in an industry crowded with vendor claims. CISOs could point to them as neutral, transparent – and at least in theory – immune from spin. In a market that rarely offers apples-to-apples comparisons, ATT&CK stood out as a genuine attempt at objectivity. In defiance of the tragedy of the commons, it remained neutral, with all revenues routed towards doing more research to improve public safety.

The absences of some of the industry’s largest vendors have sparked a firestorm of commentary. While their detractors are skeptical about their near-identical statements and suggest that this was strategic, it raises questions at a time when criticisms of MITRE ATT&CK Evaluations were also growing more strident, pointing to how results were interpreted – or rather, misinterpreted. While MITRE doesn’t crown champions, hand out trophies, or assign grades, vendors have been quick to award themselves with imagined laurels. Raw detection logs are taken and twisted into “best-in-class" coverage, missing the nuance that matters most: whether detections were actionable, whether alerts drowned analysts in noise, and whether the configuration mirrored a real production environment.

The gap became even more stark when evaluation results didn’t line up with enterprise reality. CISOs would see a tool perform flawlessly on paper, only to watch it miss basic detections or drown SOCs with false positives. The disconnect wasn’t the fault of the ATT&CK framework itself, which didn’t intend to simulate the full messiness of a live environment. But this gave critics the ammunition to question whether the program had lost its value.

And of course, there is the Damocles’ sword of AI. In a time of dynamic threats being spun up and vulnerabilities exploited in days, do one-time evaluations of solutions really have the same effectiveness? In short, what was designed to be a transparent reference point too often CISOs and SOC teams were left to sift through competing storylines–especially in an ecosystem where AI-powered speed rendered static frameworks less effective.

Making the gold standard shine again

For all its flaws and frustrations, ATT&CK remains the closest thing cybersecurity has to a gold standard. No other program managed to establish such a widely accepted, openly accessible benchmark for adversary behavior. For CISOs and SOC leaders, it has become the shared map that allows them to compare tools, align on tactics, and measure their own defenses against a common framework.

Critics are right to point out the imperfections in MITRE Evaluations. But in a non-deterministic security landscape – where two identical attacks can play out in wildly different ways – imperfection is inevitable. What makes ATT&CK different is that it provides something few others do: neutrality. Unlike vendor-run bakeoffs, pay-to-play analyst reports, or carefully curated customer case studies, ATT&CK offers a transparent record of what happened, when, and how. No trophies, no hidden methodology, no commercial bias. Just data.

That’s why, even as some major players step away, ATT&CK still matters. It is not a scoreboard and never should have been treated as one. It is a mirror that shows us where we stand, warts and all. And when that mirror is held up regularly, it keeps vendors honest, challengers motivated, and buyers better informed. And most importantly, it keeps us all safer and better prepared for the threats we face today.

Yet, holding up a mirror once a year is no longer enough. The pace of attacks has accelerated, AI is transforming both offense and defense, and enterprises can’t afford to wait for annual snapshots. If ATT&CK is to remain the industry’s north star, it must evolve into something more dynamic – capable of keeping pace with today’s threats and tomorrow’s innovations.

From annual tests to constant vigilance

If ATT&CK is to remain the north star of cybersecurity, it cannot stay frozen in its current form. Annual, one-off evaluations feel outdated in today’s fast-paced threat landscape. The need is to test enterprise deployments, not security tools in sterilized conditions.  

In one large-scale study, researchers mapped enterprise deployments against the same MITRE ATT&CK techniques used in evaluations. The results were stark: despite high vendor scores in controlled settings, only 2% of adversary behaviors were consistently detected in product. That kind of drop-off exposes a fundamental gap – not in MITRE’s framework itself, but in how it is being used.

The future of ATT&CK must be continuous. Enterprises should be leveraging the framework to test their systems, because that is what is being attacked and under threat. These tests should be a consistent process of stress-testing, learning, and improving. Organizations should be able to validate their security posture against MITRE techniques regularly – with results that reflect live data, not just laboratory conditions.

This vision is no longer theoretical. Advances in data pipeline management and automation now make it possible to run constant, low friction checks on how telemetry maps to ATT&CK. At Databahn, we’ve designed our platform to enable exactly this: continuous visibility into coverage, blind spots, and gaps in real-world environments. By aligning security data flows directly with ATT&CK, we help enterprises move from static validation to dynamic, always-on confidence.

Vendors shouldn’t abandon MITRE ATT&CK Evaluations; they should make it a module in their products, to enable enterprises to consistently evaluate their security posture. This will ensure that enterprises can keep better pace with an era of relentless attack and rapid innovation. The value of ATT&CK was never in a single set of results – but in the discipline of testing, interpreting, and improving, again and again.

In cybersecurity today, the most precious resource is not the latest tool or threat feed – it is intelligence. And this intelligence is only as strong as the data foundation that creates it from the petabytes of security telemetry drowning enterprises today. Security operation centers (SOCs) worldwide are being asked to defend at AI speed, while still struggling to navigate a tidal wave of logs, redundant alerts, and fragmented systems.

This is less about a product release and more about a movement​​—a movement that​​​​​​ places data at the foundation for agentic, AI-powered cybersecurity. It signals a shift in how the industry must think about security data: not as exhaust to be stored or queried, but as a living fabric that can be structured, enriched, and made ready for AI-native defense.

At DataBahn, we are proud to ​​partner with Databricks and fully integrate with their technology. Together, we are helping enterprises transition from reactive log management to proactive security intelligence,​​​​​​ transforming fragmented telemetry into trusted, actionable insights at scale.

From Data Overload to Data Intelligence

For decades, the industry’s instinct has been to capture more data. Every sensor, every cloud workload, and every application heartbeat is shipped to a SIEM or stored in a data lake for later investigation. The assumption was simple: more data equals better defense. But in practice, this approach has created more problems for enterprises.

Enterprises now face terabytes of daily data ingestion, much of which is repetitive, irrelevant, or misaligned with actual detection needs. This data also comes in different formats from hundreds and thousands of devices, and security tools and systems are overwhelmed by noise. Analysts are left searching for needles in haystacks, while adversaries increasingly leverage AI to strike more quickly and precisely.

What’s needed is not just scale, but intelligence: the ability to collect vast volumes of security data and to understand, prioritize, analyze, and act on it while it is in motion. Databricks provides the scale and flexibility to unify massive volumes of telemetry. DataBahn brings the data collection, in-motion enrichment, and AI-powered tiering and segmenting that transform raw telemetry into actionable insights.

Next-Gen Security Data Infrastructure Platform

Databricks is the foundation for operationalizing AI at scale in modern cyber defense, enabling faster threat detection, investigation, and response. It enables the consolidation of all security, IT, and business data into a single, governed ​Data Intelligence Platform​​​ – which becomes a ready ​​dataset​​​​​​ for AI to operate on. When you combine this with DataBahn, you create an AI-ready data ecosystem that spans from source to destination and across the data lifecycle.

DataBahn sits on the left of Databricks, ensuring decoupled and flexible log and data ingestion into downstream SIEM solutions and ​​Databricks. It leverages Agentic AI for data flows, automating the ingestion, parsing, normalization, enrichment, and schema drift handling of security telemetry across hundreds of formats. No more brittle connectors, no more manual rework when schemas drift. With AI-powered tagging, tracking, and tiering, you ensure that the ​​correct​​​​​​ data goes to the right place and optimize your SIEM license costs.

​​​Agentic AI​ is leveraged​ to deliver insights and intelligence not just to data at rest, stored in Databricks​,​​​ but also in flight via a persistent knowledge layer. Analysts can ask real questions in natural language and get contextual answers instantly, without writing queries or waiting on downstream indexes. Security tools and AI applications can access this layer to reduce time-to-insight and MTTR even more.

The solution brings the data intelligence vision tangible for security​​ and is in sync with DataBahn’s vision for Headless Cyber Architecture. This is an ecosystem where enterprises control their own data in Databricks, and security tools (such as the SIEM) do less ingestion and more detection. Your Databricks security data storage becomes the source of truth.

Making the Vision Real for Enterprises

Security leaders don’t need another dashboard or more security tools. They need their teams to move faster​​ and with confidence. For that, they need their data to be reliable, contextual, and usable – whether the task is threat hunting, compliance, or powering a new generation of AI-powered workflows.

By combining Databricks’ unified platform with DataBahn’s agentic AI pipeline, enterprises can:

• Cut through noise at the source: Filter out low-value telemetry before it ever clogs storage or analytics pipelines, preserving only what matters for detection and investigation.

• Enrich with context automatically: Map events against frameworks such as MITRE ATT&CK, tag sensitive data for governance, and unify signals across IT, cloud, and OT environments.

• Accelerate time to insight: Move away from waiting hours for query results to getting contextual answers in seconds, through natural language interaction with the data itself. Get insights from data in motion or stored/retained data, kept in AI-friendly structures for investigation.

• Power AI-native security apps: Feed consistent, high-fidelity telemetry into Databricks models and downstream security tools, enabling generative AI to act with confidence and explainability. Leverage Reef for insight-rich data to reduce compute costs and improve response times.

For SOC teams, this means less time spent triaging irrelevant alerts and more time preventing breaches. For CISOs, this means greater visibility and control across the entire enterprise, while empowering their teams to achieve more at lower costs. For the business, it means security and data ownership that scale with innovation.

A Partnership Built for the Future

Databricks’ Data Intelligence for ​Cybersecurity ​​​brings the scale and governance enterprises need to unify their data at rest as a central destination. With DataBahn, data arrives in Databricks already optimized – AI-powered pipelines make it usable, insightful, and actionable in real time.

This partnership goes beyond integration – it lays the foundation for a new era of cybersecurity, where data shifts from liability to advantage in unlocking generative AI for defense. Together, Databricks’ platform and DataBahn’s intelligence layer give security teams the clarity, speed, and agility they need against today’s evolving threats.

What Comes Next

The launch of Data Intelligence for ​Cybersecurity ​​​is only the beginning. Together, Databricks and DataBahn are helping enterprises reimagine how they collect, manage, secure, and leverage data.

The vision is clear – a platform that is:

• Lightweight and modular – collect data from any source effortlessly, including AI-powered integration for custom applications and microservices.

• Broadly integrated – DataBahn comes with a library of collectors for aggregating and transforming telemetry, while Databricks creates a unified data storage for the telemetry.

• Intelligently optimized – remove 60-80% of non-security-relevant data and keep it out of your SIEM to save on costs; eventually, make your SIEM work as a detection engine on top of Databricks as a storage layer for all security telemetry.
  ‍
• Enrichment-first – apply threat intel, identify, geospatial data, and other contextual information before forwarding data into Databricks and your SIEM to make analysis and investigations faster and smarter.

• AI-ready – feeding clean, contextualized, and enriched data into Databricks to be fed into your models and your AI applications – for metrics and richer insights, they can also leverage Reef to save on compute.

This is the next era of security – and it starts with ​​​data​​​. ​Together, Databricks and DataBahn provide a​​​n AI-native foundation in which telemetry is self-optimized and stored in a way to make insights instantly accessible. Data is turned into intelligence, and intelligence is turned into action.

Every enterprise handles sensitive data: customer personally identifiable information (PII), employee credentials, financial records, and health information. This is the information SOCs are created to protect, and what hackers are looking to acquire when they attack enterprise systems. Yet, much of it still flows through enterprise networks and telemetry systems in cleartext – unhashed, unmasked, and unencrypted. For attackers, that’s gold. Sensitive data in cleartext complicates detection, increases the attack surface, and exposes organizations to devastating breaches and compliance failures.

When Uber left plaintext secrets and access keys in logs, attackers walked straight in. Equifax’s breach exposed personal records of 147 million people, fueled by poor handling of sensitive data. These aren’t isolated mistakes – they’re symptoms of a systemic failure: enterprises don’t know when and where sensitive data is moving through their systems. Security leaders who rely on firewalls and SIEMs to cover them, but if PII is leaking undetected in logs, you’ve already lost half the battle.

That’s where sensitive data discovery comes in. By detecting and controlling sensitive data in motion – before it spreads – you can dramatically reduce risk, stop attackers from weaponizing leaks, and restrict lateral movement attacks. It also protects enterprises from compliance liability by establishing a more stable, leak-proof foundation for storing sensitive and private customer data. Customers are also more likely to trust businesses that don’t lose their private data to harmful or malicious actors.

The Basics of Sensitive Data Discovery

Sensitive data discovery is the process of identifying, classifying, and protecting sensitive information – such as PII, protected health information (PHI), payment data, and credentials – as it flows across enterprise data systems.  

Traditionally, enterprises focus discovery efforts on data at rest (databases, cloud storage, file servers). While critical, this misses the reality of today’s SOC: sensitive data often appears in transit, embedded in logs, telemetry, and application traces. And when attackers access data pipelines, they can find credentials to access more sensitive systems as well.

Examples include:

• Cleartext credentials logged by applications
• Social security information or credit card data surfacing in customer service logs
• API keys and tokens hardcoded or printed into developer logs

These fragments may seem small, but to attackers, they are the keys to the kingdom. Once inside, they can pivot through systems, exfiltrate data, or escalate privileges.

Discovery ensures that these signals are flagged, masked, or quarantined before they reach SIEMs, data lakes, or external tools. It provides SOC teams with visibility into where sensitive data lives in-flight, helping them enforce compliance (GDPR, PCI DSS, HIPAA), while improving detection quality. Sensitive data discovery is about finding your secrets where they might be exposed before adversaries do.

Why is sensitive data discovery so critical today?

Preventing catastrophic breaches

Uber’s 2022 breach had its root cause traced back to credentials sitting in logs without encryption. Equifax’s 2017 breach, one of the largest in history, exposed PII that was transmitted and secured insecurely. In both cases, attackers didn’t need zero-days – they just needed access to mishandled sensitive data.

Discovery reduces this risk by flagging and quarantining sensitive data before it becomes an attacker’s entry point.

Reducing SOC complexity

Sensitive data in logs slows and encumbers detection workflows. A single leaked API key can generate thousands of false positive alerts if not filtered. By detecting and masking PII upstream, SOCs reduce noise and focus on real threats.

Enabling compliance at scale

Regulations like PCI DSS and GDPR require organizations to prevent sensitive data leakage. Discovery ensures that data pipelines enforce compliance automatically – masking credit card numbers, hashing identifiers, and tagging logs for audit purposes.

Accelerating investigations

When breaches happen, forensic teams need to know: did sensitive data move? Where? How much? Discovery provides metadata and lineage to answer these questions instantly, cutting investigation times from weeks to hours.

Sensitive data discovery isn’t just compliance hygiene. It directly impacts threat detection, SOC efficiency, and breach prevention. Without it, you’re blind to one of the most common (and damaging attack vectors in the enterprise.

Challenges & Common Pitfalls

Despite its importance, most enterprises struggle with identifying sensitive data.

Blind spots in telemetry

Many organizations lack the resources to monitor their telemetry streams closely. Yet, sensitive data leaks happen in-flight, where logs cross applications, endpoints, and cloud services.

Reliance on brittle rules

Regex filters and static rules can catch simple patterns but miss variations. Attackers exploit this, encoding or fragmenting sensitive data to bypass detection.

False positives and alert fatigue

Overly broad rules flag benign data as sensitive, overwhelming analysts and hindering their ability to analyze data effectively. SOCs end up tuning out alerts – the very ones that could signal a real leak.

Lack of source-specific controls

Different log sources behave differently. A developer log might accidentally capture secrets, while an authentication system might emit password hashes. Treating all sources the same creates blind spots.

Manual effort and scale

Traditional discovery depends on engineers writing regex and manually classifying data. With terabytes of telemetry per day, this is unsustainable. Sensitive data moves faster than human teams can keep up.

This results in enterprises either over collecting telemetry, flooding SIEMs with sensitive data they can’t detect or protect with static rules, or under collect, missing critical signals. Either way, adversaries exploit the cracks.

Solutions and Best Practices

The way forward is not more manual regex or brittle SIEM rules. These are reactive, error-prone, and impossible to scale.

A data pipeline-first approach

Sensitive data discovery works best when built directly into the security data pipeline – the layer that collects, parses, and routes telemetry across the enterprise.

Best practices include:

1. In-flight detection
   Identify sensitive data as it moves through the pipeline. Flag credit card numbers, SSNs, API keys, and other identifiers in real time, before they land in SIEMs or storage.
2. Automated masking and quarantine
   Apply configurable rules to mask, hash, or quarantine sensitive data at the source. This ensures SOCs don’t accidentally store cleartext secrets while preserving the ability to investigate.
3. Source-specific rules
   Build edge intelligence. Lightweight agents at the point of collection should apply rules tuned for each source type to avoid PII moving without protection anywhere in the system.
4. AI-powered detection
   Static rules can’t keep pace. AI models can learn what PII looks like – even in novel formats – and flag it automatically. This drastically reduces false positives while improving coverage.
5. Pattern-friendly configurability
   Security teams should be able to define their own detection logic for sensitive data types. The pipeline should combine human-configured patterns with AI-powered discovery.
6. Telemetry observability
   Treat insensitive data detection as part of pipeline health. SOCs require dashboards to view what sensitive data was flagged, masked, or quarantined, along with its lineage for audit purposes.

When discovery is embedded in the pipeline, sensitive data doesn’t slip downstream. It’s caught, contained, and controlled at the source.

How DataBahn can help

DataBahn is redefining how enterprises manage security data, making sensitive data discovery a core function of the pipeline.

At the platform level, DataBahn enables enterprises to:

1. Identify sensitive information in-flight and in-transit across pipelines – before it reaches SIEMs, lakes, or external systems.
2. Apply source-specific rules at edge collection, using lightweight agents to protect, mask, and quarantine sensitive data from end to end.
3. Leverage AI-powered, pattern-friendly detection to automatically recognize and learn what PII looks like, improving accuracy over time.

This approach turns sensitive data protection from an afterthought into a built-in control. Instead of relying on SIEM rules or downstream DLP tools, DataBahn ensures sensitive data is identified, governed, and secured at the earliest possible stage – when it enters the pipeline.

Conclusion

Sensitive data leaks aren’t hypothetical; they’re happening today. Uber’s plaintext secrets and Equifax’s exposed PII – these were avoidable, and they demonstrate the dangers of storing cleartext sensitive data in logs.

For attackers, one leaked credential is enough to breach an enterprise. For regulators, one exposed SSN is enough to trigger fines and lawsuits. For customers, even one mishandled record can be enough to erode trust permanently.  

Relying on manual rules and hope is no longer acceptable. Enterprises need sensitive data discovery embedded in their pipelines – automated, AI-powered, and source-aware. That’s the only way to reduce risk, meet compliance, and give SOCs the control they desperately need.

Sensitive data discovery is not a nice-to-have. It’s the difference between resilience and breach.