The correct answer is D because MITRE ATT&CK maps adversary tactics, techniques, and procedures (TTPs) to the tactical goals, or stages, of an attack. When the incident response team can align observed activity to a specific ATT&CK tactic, it can better understand the attacker's intent, determine what has likely already happened (for example, observed credential dumping implies that initial access and execution already succeeded), and anticipate what the attacker may try next. ATT&CK tactics are goals rather than a strict sequence, and adversaries do not always move through them in matrix order, so the alignment is a reasoning aid for the investigation, not a guaranteed timeline.
The CySA+ All-in-One guide explains that attack frameworks break a cyberattack “from initial reconnaissance to final exfiltration of data” into steps or phases. It also states that studying attacker TTPs helps analysts “better anticipate and prepare for potential attacks” and develop stronger incident response plans.
The guide further explains that MITRE ATT&CK provides a structured methodology for modeling and understanding attacker TTPs, with tactics representing high-level goals and techniques representing the methods attackers use to achieve those goals.
It also states that in incident response, analysts can map observed attacker behavior to the appropriate ATT&CK technique to better understand the attacker's goals and motivations, identify other potentially compromised areas, and prioritize remediation.
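The following is an added example, not code from the CySA+ guide or from MITRE, showing what the mapping described above looks like in practice: each finding from an investigation is tagged with a real ATT&CK Enterprise technique ID, the techniques are resolved to tactics, and the tactics are placed in matrix order to answer three questions, which tactics were observed, which earlier tactics were never observed (activity there has likely already happened and should be hunted for), and which tactics typically follow. The technique table is a hand-picked single-tactic subset; production tooling would load MITRE's full STIX bundle, where many techniques map to several tactics. The hostnames and findings are constructed sample data.

```python
"""Align IR findings to MITRE ATT&CK tactics and reason about the attack's stage.

Added example for this explanation; not code from the CySA+ guide or from MITRE.
TECHNIQUES is a hand-picked subset of real ATT&CK Enterprise technique IDs (one
tactic each). The findings below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass

# ATT&CK Enterprise tactics in matrix order. Adversaries do not have to follow
# this order, but it is the conventional way to reason about attack progression.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# These two tactics happen outside the victim environment (scanning, buying
# infrastructure) and rarely produce internal telemetry, so their absence from
# the findings is not a hunting lead.
OFF_NETWORK = {"Reconnaissance", "Resource Development"}

# Real ATT&CK technique IDs -> (name, tactic). Subset chosen so each maps to a
# single tactic; the full framework has techniques that belong to several.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1547": ("Boot or Logon Autostart Execution", "Persistence"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1087": ("Account Discovery", "Discovery"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1005": ("Data from Local System", "Collection"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    technique_id: str
    evidence: str


def tactic_of(technique_id: str) -> str:
    """Return the tactic for a technique ID, rejecting IDs outside the table."""
    try:
        return TECHNIQUES[technique_id][1]
    except KeyError:
        raise ValueError(f"unknown ATT&CK technique {technique_id!r}") from None


def analyze(findings):
    """Summarize where the intrusion stands based on the observed techniques.

    Returns the observed tactics in matrix order, the furthest tactic reached,
    earlier tactics never observed (likely already happened; hunt for them), and
    the tactics that typically follow (what to anticipate and watch for).
    """
    if not findings:
        raise ValueError("no findings to analyze")
    observed = sorted({tactic_of(f.technique_id) for f in findings},
                      key=TACTICS.index)
    furthest_idx = TACTICS.index(observed[-1])
    likely_missed = [t for t in TACTICS[:furthest_idx]
                     if t not in observed and t not in OFF_NETWORK]
    next_likely = TACTICS[furthest_idx + 1:]
    return {
        "observed": observed,
        "furthest_tactic": observed[-1],
        "likely_missed": likely_missed,
        "next_likely": next_likely,
    }


# Constructed findings from a hypothetical investigation (not real telemetry).
SAMPLE_FINDINGS = [
    Finding("WS-17", "T1566", "user opened invoice.docm from an external sender"),
    Finding("WS-17", "T1059", "winword.exe spawned powershell.exe with an encoded command"),
    Finding("WS-17", "T1003", "procdump.exe wrote lsass.dmp to a temp directory"),
    Finding("FS-01", "T1021", "RDP logon to file server using dumped admin credentials"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_FINDINGS)
    print("Observed tactics :", ", ".join(result["observed"]))
    print("Furthest stage   :", result["furthest_tactic"])
    print("Hunt for (missed):", ", ".join(result["likely_missed"]))
    print("Anticipate next  :", ", ".join(result["next_likely"]))
```

Run against the sample findings, the furthest stage is Lateral Movement, the gaps are Persistence, Privilege Escalation, Defense Evasion and Discovery, and the anticipated tactics are Collection, Command and Control, Exfiltration and Impact. The gap list is the practical payoff: dumping LSASS requires elevated privileges, so Privilege Escalation almost certainly occurred even though nothing alerted on it, and the team should hunt for it rather than assume the attacker skipped it. Because tactics are not a fixed sequence, treat the "next likely" list as hypotheses that prioritize monitoring and containment, not as a prediction.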
Why the other options are incorrect:
A is partially true, but it focuses more on communicating indicators to monitoring teams, not on why stage alignment helps incident responders.
B is too narrow because it focuses on SIEM alert creation rather than incident response decision-making.
C is partially true because visualization can improve speed, but the best reason is not simply that a visual map is faster than a white paper.
D is correct because stage alignment helps the IR team understand attacker intent and anticipate the next likely action.