How would you map attacker behavior to MITRE ATT&CK and identify gaps in current detections at T-Mobile?