MITRE ATT&CK® Detection Strategy

DET0849: Detection of Identify Business Tempo

Enterprise | DET0849 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0849 is a detection strategy entry for recognizing adversary reconnaissance around an organization’s business tempo, such as operational hours, business cycles, or timing around purchases and shipments. The business value is not in treating this as a standalone alert, but in understanding whether reconnaissance signals are visible early enough to inform risk decisions before targeting becomes more direct.

Executive priority

This matters because business-tempo intelligence can help an adversary choose when to contact staff, time activity around low-coverage periods, or tailor targeting to operational events. Leaders should ask whether security monitoring, incident response staffing, vendor communications, and executive awareness cover predictable business rhythms such as after-hours operations, procurement windows, and shipment cycles. Because the ATT&CK detection strategy has no official detection text or platforms specified, priority should be on validating visibility and governance assumptions rather than claiming coverage from a named rule.

Technical view

The supplied relationship maps this detection strategy to T1591.003, Identify Business Tempo, under reconnaissance with a PRE platform context. SOC and detection teams should treat it as a pre-compromise intelligence and monitoring problem: identify where the organization could observe attempts to learn business schedules, procurement timing, shipment timing, or operational patterns, then correlate those signals with later suspicious outreach or access attempts. Since MITRE provides no official detection logic for this object, teams should document local hypotheses, data sources, thresholds, and escalation criteria.

Likely telemetry

  • External-facing web and content access logs for unusual interest in business hours, locations, schedules, procurement pages, or shipment-related information
  • Security mailbox, phishing-reporting, or communications records where staff receive questions about operations, schedules, purchases, or deliveries
  • Public-facing inquiry channels, helpdesk, sales, procurement, and vendor-contact records that may show elicitation attempts
  • Threat intelligence or brand monitoring observations about collection of company operational details
  • Case-management notes linking reconnaissance indicators to subsequent phishing, social engineering, or access attempts

Detection direction

  • Validate whether the organization has any monitored data sources that could show attempts to collect business-tempo information before compromise.
  • Use relationship context with T1591.003 to connect weak reconnaissance signals to later events rather than over-alerting on benign interest in business information.
  • Tune for context: normal customer, vendor, recruiting, investor, and logistics inquiries can resemble reconnaissance and require business-aware triage.
  • Look for repeated, targeted, or cross-channel questions about operating hours, delivery schedules, procurement timing, or staffing coverage rather than a single generic inquiry.
  • Record blind spots explicitly, especially where public information, third-party logistics, vendors, or informal staff communications are outside SOC visibility.
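
One way to implement the "repeated, targeted, or cross-channel" check from the list above, as an added example (not MITRE or Glexia detection content). The record layout, keyword map, 14-day window and thresholds are assumptions to be replaced with locally tested values, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed keyword map for the four topics named in the list above; tune locally.
TOPICS = {
    "operating_hours": ("opening hours", "operating hours", "after hours"),
    "delivery_schedule": ("delivery schedule", "shipment", "deliveries arrive"),
    "procurement_timing": ("purchase order", "procurement", "invoice run"),
    "staffing_coverage": ("on call", "who covers", "night shift", "staffed"),
}

def tempo_topics(text):
    """Return the business-tempo topics a message touches."""
    low = text.lower()
    return {t for t, kws in TOPICS.items() if any(k in low for k in kws)}

def flag_senders(records, window=timedelta(days=14), min_hits=3, min_channels=2):
    """Flag senders with repeated, cross-channel tempo questions in one window."""
    by_sender = defaultdict(list)
    for ts, channel, sender, text in records:
        topics = tempo_topics(text)
        if topics:  # messages with no tempo topic are ignored entirely
            by_sender[sender].append((datetime.fromisoformat(ts), channel, topics))
    flagged = {}
    for sender, hits in by_sender.items():
        hits.sort(key=lambda h: h[0])
        for i, first in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - first[0] <= window]
            channels = {h[1] for h in span}
            if len(span) >= min_hits and len(channels) >= min_channels:
                flagged[sender] = {"hits": len(span), "channels": sorted(channels),
                                   "topics": sorted(set().union(*(h[2] for h in span)))}
                break
    return flagged

# Constructed sample records: (timestamp, channel, sender, text). Not real data.
SAMPLE = [
    ("2025-03-03T09:10:00", "helpdesk", "a@example.net", "What are your operating hours at the depot?"),
    ("2025-03-05T14:02:00", "procurement", "a@example.net", "When does your next purchase order cycle close?"),
    ("2025-03-10T16:45:00", "sales", "a@example.net", "Is the warehouse staffed on weekends?"),
    ("2025-03-04T11:00:00", "web_form", "b@example.org", "What are your opening hours?"),
    ("2025-03-04T08:30:00", "logistics", "c@example.com", "Has our shipment left yet?"),
    ("2025-03-06T08:31:00", "logistics", "c@example.com", "Can you confirm the delivery schedule for next week?"),
    ("2025-03-11T08:29:00", "logistics", "c@example.com", "Shipment tracking number please"),
]
```

On the sample, only the sender asking about hours, purchasing and staffing across three channels is flagged; the single generic inquiry and the logistics contact who stays on one channel are not.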

Mitigation priorities

  • Reduce unnecessary public exposure of sensitive operational timing while preserving legitimate business needs.
  • Prepare staff in procurement, logistics, reception, helpdesk, and executive support roles to recognize and report elicitation about business tempo.
  • Ensure incident response playbooks include early reconnaissance and social-engineering precursors, not only post-compromise alerts.
  • Coordinate with vendors and partners on how shipment, purchase, and operational schedule information is shared and verified.
  • Use findings from reconnaissance monitoring to inform awareness training, control prioritization, and evidence for compliance or audit discussions where relevant.

Analyst notes and limits

This object is a detection strategy with no official description, official detection text, platforms, or tactics specified. Its practical meaning comes from the supplied relationship showing it detects T1591.003, Identify Business Tempo, a reconnaissance technique in the PRE context. Treat any implementation as locally defined and evidence-driven.

The source fields do not provide concrete analytics, log sources, platforms, alert thresholds, or validated coverage. Any detection content, severity model, or operational workflow must be derived from the organization’s environment and tested against local business processes.

Official MITRE ATT&CK definition

Detection of Identify Business Tempo

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1591.003 | Identify Business Tempo (Sub-technique) | This object detects Identify Business Tempo.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 93458be8e6fe220c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 93458be8e6fe…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.