Assessing the likelihood of threats is notoriously difficult for assessors. This session will demonstrate a new, evidence-based approach to leverage existing security control assessments in determining likelihood of specific MITRE ATT&CK TTPs. Through automation, we can not only develop organization-specific threat profiles for known adversaries, but also assist in strategic security program management.