Welcome to the 2020 Threat Detection Report

This in-depth look at the most prevalent ATT&CK® techniques is designed to help you and your team focus on what matters most.


investigative leads


confirmed threats



Welcome to Red Canary’s 2020 Threat Detection Report. Based on in-depth analysis of tens of thousands of threats detected across our customers’ environments, this research arms security leaders and their teams with a unique understanding of the threats they’re facing.

We’ve leveraged the common language of MITRE ATT&CK to categorize confirmed threats, but our analysis focuses on providing a comprehensive view of adversary techniques that are most likely to occur in your environment. You’ll find unique intelligence to inform your thinking, help you prioritize investments, and educate your team on how to detect and shut down adversaries.

How to use the report:

Watch this on-demand webinar for a behind the scenes look at our 2020 Threat Detection Report. Learn how we uncovered the most prevalent ATT&CK techniques and how you can use the findings to your advantage.

Since 2013, Red Canary has delivered high-quality threat detection to organizations of all sizes. Our platform collects hundreds of terabytes of endpoint telemetry every day, surfacing evidence of threats that are analyzed by our Cyber Incident Response Team (CIRT). Confirmed threats are tied to corresponding ATT&CK techniques so that our customers clearly understand what is happening in their environments. This report is a summary of confirmed threats derived from this data.

The report excludes low-severity detection of unwanted software, such as adware. We’ve tagged each confirmed threat with corresponding ATT&CK technique(s) based on the logic used to identify the threat.

Year-over-year trending

Last year’s inaugural report summarized all such data available across Red Canary’s entire history. This year’s report focuses on the more than 15,000 threats we detected between January and December 2019, comparing them to threats detected over the same period in the prior year.

Common co-occurrences

ATT&CK techniques do not occur in isolation, so it is important to understand how adversaries leverage multiple techniques to accomplish their goals. This year’s report identifies ATT&CK techniques that are used in concert by adversaries and their tools.

Additional research

Our threat rankings are determined entirely by detection volume. As a result, a sizable outbreak in one environment can have a disproportionate impact on our entire dataset. To combat that, we’ve included analysis on supplemental techniques that are outside the top 10 but affected many customers.

Actionable insights

Each technique section includes detailed guidance on data sources security teams can use to observe related threats. We also provide specific telemetry patterns that are useful for detecting threats, as well as those that are prone to false positives.

Keith McCammon
Brian Donohue
Jeff Felling
Tony Lambert

It takes an army to produce a research piece of this magnitude. Thanks to the detection engineers, data analysts, editors, designers, developers, and project managers who invested countless hours in this report. And a huge thanks to the MITRE ATT&CK team, whose framework has helped the community take a giant leap forward in understanding and tracking adversary behaviors.