"What are the threats relevant for us?" is likely one of the most common question the threat intelligence team is asked for by the management as well as technical stakeholders. Answering the question is challenging. Just picking some random insights from recently read threat reports certainly doesn't gives a holistic view. Not all threats that were reported publicly are relevant for the own organization and the other way around, the own sector is possibly underrepresented in public reporting and some threats like ransomware are opportunistic and simply don't care about the sector they attack. There are lots of further questions, e.g. if the usage of a technique that is mentioned in a threat report from ten years ago is still relevant? And what's about the observations of the own operational security teams?

In this talk I will show a pragmatic approach with reasonable-effort for building a technical threat landscape that results in a MITRE ATT&CK map of techniques by utilizing different (open and private) sources and own observations. All techniques are mapped to a relevance that allows to focus further efforts to the most relevant techniques. Furthermore, I will show how this threat landscape can be used to support governance and purple teaming efforts.

The talk will be concluded with some experiences and statistics to answer questions like:

• How much of the techniques documented in ATT&CK are really relevant?
• Are there really irrelevant techniques?
• How often should so a thread landscape be updated?
• How much value do the used sources provide? Are they possibly biased?