What Is MITRE ATT&CK?

Updated on September 29, 2025

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible, curated knowledge base of adversary behaviors based on real-world cyber attack observations. It is a framework that provides a structured, comprehensive model for understanding and categorizing the actions an attacker might take during a cyber intrusion. Unlike a simple list of threats, ATT&CK details the specific methods—from initial access to impact—that adversaries use, making it an invaluable resource for security professionals to improve their defenses.

The framework was developed by the MITRE Corporation to address the need for a common language and a standardized taxonomy to describe adversary behavior. It shifts the focus from simple indicators of compromise (like IP addresses or file hashes) to the tactics, techniques, and procedures (TTPs) adversaries employ. This behavioral approach is more resilient to an attacker’s changing tools and infrastructure.

Definition and Core Concepts

MITRE ATT&CK is not a checklist or a security product; it is a reference model and a knowledge base. It is organized into matrices that visually represent the stages of a cyber attack from the adversary’s perspective.

  • Tactics: The “why” behind an attack. These are the high-level adversarial goals, representing the various phases of an intrusion. Examples include “Initial Access,” “Execution,” “Persistence,” and “Lateral Movement.” In the ATT&CK matrix, these are the columns.
  • Techniques: The “how” of an attack. These are the specific methods an adversary uses to achieve their tactical goals. For example, under the “Credential Access” tactic, a technique might be “OS Credential Dumping.” In the matrix, techniques are the cells under each tactic.
  • Sub-techniques: A more granular description of a technique. For instance, “OS Credential Dumping” can be further broken down into sub-techniques like “LSASS Memory” or “Security Account Manager (SAM) Database.”
  • Procedures: The real-world implementation of a technique or sub-technique. This refers to a specific adversary group (e.g., APT29) using a specific tool (e.g., PowerShell) to execute a technique (e.g., “PowerShell Execution”). The framework documents these as examples linked to techniques.

How It Works

The MITRE ATT&CK framework provides a structured methodology for cybersecurity teams. It is a living, continuously updated resource with multiple matrices tailored to different environments.

  1. Matrices: The framework is presented as a matrix that maps techniques to tactics. The most widely used is the Enterprise ATT&CK Matrix, which covers Windows, macOS, Linux, and cloud environments. Other matrices exist for mobile platforms (Android, iOS) and Industrial Control Systems (ICS).
  2. Mapping and Analysis: Security teams use the framework to map their defense capabilities, threat intelligence, and incident response data. By taking an alert or an incident and mapping the adversary’s actions to specific techniques in the matrix, analysts can gain a deeper understanding of the attack. For example, if a log shows an adversary using Invoke-Mimikatz, an analyst can map this to the “OS Credential Dumping” technique under the “Credential Access” tactic.
  3. Threat Intelligence: The ATT&CK knowledge base includes threat intelligence on specific adversary groups and their common TTPs. This allows organizations to build “threat-informed defense” strategies, focusing their efforts on the behaviors most relevant to their industry and threat landscape.
  4. Adversary Emulation: Red teams (offensive security teams) use the framework to plan and execute realistic attack simulations. By emulating the TTPs of a known threat actor, they can test the effectiveness of an organization’s security controls and incident response capabilities in a controlled environment.
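
The mapping step above (an event such as Invoke-Mimikatz in a log becoming "OS Credential Dumping" under "Credential Access") can be scripted. The following is an added example, not code from the original article or from MITRE: a small rule table maps constructed sample events to real ATT&CK technique and tactic IDs, showing that one procedure can evidence several techniques and that several procedures can land on the same technique. The detection patterns and log lines are constructed for this example; a real deployment would take its rules from the SIEM or a Sigma ruleset.

```python
import re
from collections import defaultdict

# Slice of the ATT&CK Enterprise matrix used here (real technique and tactic IDs, trimmed).
TECHNIQUES = {
    "T1003.001": ("OS Credential Dumping: LSASS Memory", "TA0006 Credential Access"),
    "T1003.002": ("OS Credential Dumping: Security Account Manager", "TA0006 Credential Access"),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "TA0002 Execution"),
}

# Procedure-level detection rules (constructed for this example). Each rule names the
# technique(s) the matched procedure evidences; one procedure may evidence several.
RULES = [
    (re.compile(r"Invoke-Mimikatz", re.I), ("T1059.001", "T1003.001")),
    (re.compile(r"TargetImage=\S*\\lsass\.exe", re.I), ("T1003.001",)),
    (re.compile(r"TargetObject=HKLM\\SAM(?:\\|\s|$)", re.I), ("T1003.002",)),
]

# Constructed sample events in a flattened key=value form.
SAMPLE_LOG = [
    "host=ws01 EventID=4104 ScriptBlockText='Invoke-Mimikatz'",
    "host=ws01 EventID=10 SourceImage=C:\\Users\\bob\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe",
    "host=ws02 source=edr event=registry_read TargetObject=HKLM\\SAM\\SAM\\Domains\\Account",
    "host=ws03 EventID=7036 Message='The Print Spooler service entered the running state.'",
]

def map_event(line):
    """Return the sorted technique IDs that a single event evidences (empty if none)."""
    hits = set()
    for pattern, technique_ids in RULES:
        if pattern.search(line):
            hits.update(technique_ids)
    return sorted(hits)

def summarize(lines):
    """Group evidence as tactic -> technique -> events, the view an analyst lays over the matrix."""
    summary = defaultdict(lambda: defaultdict(list))
    for line in lines:
        for tid in map_event(line):
            name, tactic = TECHNIQUES[tid]
            summary[tactic][f"{tid} {name}"].append(line)
    return summary

if __name__ == "__main__":
    for tactic, techniques in summarize(SAMPLE_LOG).items():
        print(tactic)
        for technique, events in techniques.items():
            print(f"  {technique}: {len(events)} event(s)")
```

Note that the two LSASS-related events are collected under the same sub-technique, so the analyst sees one technique backed by two distinct procedures rather than two unrelated alerts.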

Key Features and Components

  • Common Language: ATT&CK provides a standardized taxonomy, allowing security teams, vendors, and researchers to communicate about threats using a consistent, unambiguous language.
  • Real-World Focus: The framework is built on actual observations from cyber incidents and threat intelligence, not hypothetical attack scenarios.
  • Threat-Informed Defense: It enables organizations to shift from a reactive, signature-based security model to a proactive, behavior-based defense.
  • Open and Free: The entire knowledge base is open-source and freely available to the public.

Use Cases and Applications

  • Threat Hunting: Analysts use the ATT&CK matrix as a roadmap to proactively search for signs of malicious behavior that might have bypassed existing security tools.
  • Defensive Gap Analysis: Security teams can map their security tools and detection capabilities against the techniques in the matrix to identify weaknesses and prioritize improvements. The ATT&CK Navigator tool is often used for this purpose.
  • Security Posture Assessment: The framework provides a baseline for evaluating an organization’s security maturity by measuring its ability to detect and respond to specific adversarial techniques.
  • Red Teaming and Adversary Emulation: Offensive security teams use the TTPs documented in the framework to create realistic attack simulations that test a company’s defenses.

Troubleshooting and Considerations

  • Prioritization is Key: An organization cannot defend against every single technique. It is crucial to use threat intelligence to prioritize and focus on the TTPs most likely to be used by adversaries targeting a specific industry or environment.
  • Don’t “Bingo” Techniques: A single security alert usually covers only one procedure, not the whole technique. Ticking a technique off as “covered” because one detection exists gives a false sense of security; develop layered detections that can spot multiple procedures associated with the same technique.
  • Keep It Updated: The ATT&CK framework is continuously updated. Cybersecurity teams should regularly review and integrate new techniques and sub-techniques into their threat modeling and detection strategies.
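
The gap-analysis use case and the two considerations above (prioritize by the groups relevant to you; count detection depth per technique, not just presence) can be combined into one small scorer. This is an added example, not code from the original article, MITRE, or the ATT&CK Navigator project: it reports which techniques of the relevant groups have no detection or only a single one, most widely used first, and emits an ATT&CK Navigator layer for visualization. The group names and the detection inventory are constructed placeholders, the technique IDs are real, and the ATT&CK/Navigator version fields are placeholders to fill in for your own instance.

```python
import json

# Constructed threat-intel slice: placeholder groups -> real ATT&CK Enterprise technique IDs.
GROUP_TTPS = {
    "GROUP-A (placeholder)": ["T1059.001", "T1003.001", "T1021.002", "T1566.001"],
    "GROUP-B (placeholder)": ["T1059.001", "T1003.002", "T1021.002"],
}

# Constructed detection inventory: rule name -> technique it evidences.
DETECTIONS = {
    "sigma:powershell_suspicious_cmdline": "T1059.001",
    "edr:powershell_scriptblock_alert": "T1059.001",
    "edr:lsass_handle_from_unsigned_process": "T1003.001",
    "sigma:admin_share_network_logon": "T1021.002",
}

def coverage(group_ttps, detections):
    """Per technique: which relevant groups use it and which detections evidence it."""
    report = {}
    for group, tids in group_ttps.items():
        for tid in tids:
            report.setdefault(tid, {"groups": [], "detections": []})["groups"].append(group)
    for rule, tid in detections.items():
        if tid in report:  # detections for techniques no relevant group uses are not scored here
            report[tid]["detections"].append(rule)
    return report

def gaps(report, min_depth=2):
    """Techniques with no detection or only one ('thin' coverage), most widely used groups first."""
    ranked = sorted(report.items(),
                    key=lambda kv: (-len(kv[1]["groups"]), len(kv[1]["detections"]), kv[0]))
    return [tid for tid, entry in ranked if len(entry["detections"]) < min_depth]

def navigator_layer(report, name="Detection depth vs. relevant groups"):
    """ATT&CK Navigator layer: score = detection count; red none, amber thin, green layered."""
    colour = {0: "#ff6666", 1: "#ffcc66"}
    return {
        "name": name,
        # Placeholders: set these to the ATT&CK and Navigator versions of your own instance.
        "versions": {"attack": "ATTACK_VERSION", "navigator": "NAVIGATOR_VERSION", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": len(entry["detections"]),
             "color": colour.get(len(entry["detections"]), "#66cc66"),
             "comment": "used by " + ", ".join(entry["groups"])}
            for tid, entry in sorted(report.items())
        ],
    }
```

Running `json.dumps(navigator_layer(coverage(GROUP_TTPS, DETECTIONS)), indent=2)` produces a layer file that can be opened in Navigator, while `gaps(...)` gives the ordered work list for the detection engineering backlog.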

Key Terms Appendix

  • Adversarial Tactics, Techniques, and Procedures (TTPs): A model for describing the behavior of a threat actor. Tactics are the “why,” Techniques are the “how,” and Procedures are the specific implementations.
  • Matrix: The visual representation of the ATT&CK framework, where tactics are columns and techniques are rows.
  • Threat-Informed Defense: A security strategy that uses a deep understanding of adversary behaviors to build more effective and targeted defenses.
  • Adversary Emulation: The practice of simulating the TTPs of a known threat actor to test an organization’s security posture.
  • Indicator of Compromise (IOC): Forensic data from a security incident, such as IP addresses, file hashes, or domain names. ATT&CK focuses on the behaviors (TTPs) that generate these indicators.
  • Kerberos: An authentication protocol commonly used in Windows networks.
  • PowerShell: A command-line shell and scripting language often used by adversaries for execution, discovery, and lateral movement.