# MITRE ATT&CK Framework
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It documents how threat actors operate across the attack lifecycle: from reconnaissance and resource development, through initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, and exfiltration, to impact.
ATT&CK is not a defensive framework. It is an adversary behavior catalog. It answers the question: "What do attackers actually do, before and after they get into a network?" The answer is documented across 14 tactics (the adversary's goals) containing roughly 200 techniques and more than 400 sub-techniques (the specific methods adversaries use to achieve those goals); the exact counts change with each release.
The framework was created by MITRE Corporation in 2013, initially as an internal project to document adversary behavior observed during the Fort Meade Experiment (FMX), a research exercise on MITRE's own network. It was publicly released in 2015 and has since become the de facto standard for threat intelligence analysis, detection engineering, red teaming, and security assessment across the global cybersecurity industry. ATT&CK is free, open, and continuously updated based on published threat intelligence from security vendors, government agencies, and the research community.
ATT&CK organizes adversary behavior in a three-level hierarchy:
Tactics represent the adversary's goal at a given phase of the attack, answering "why" the adversary performs an action. The Enterprise ATT&CK matrix has 14: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
Techniques represent "how" the adversary achieves a tactical goal. Under the Initial Access tactic, techniques include Phishing (T1566), Exploit Public-Facing Application (T1190), Valid Accounts (T1078), and others. Each technique is documented with a description, detection guidance, mitigation recommendations, and real-world examples.
Sub-techniques provide additional specificity. Phishing (T1566) has sub-techniques: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003), and Spearphishing Voice (T1566.004). Sub-techniques capture the variations that matter for detection: the detection logic for a spearphishing attachment (look for macro execution or a child process spawned from a recently downloaded Office document) differs from the logic for a spearphishing link (look for credential entry on a newly registered domain).
The matrix is the visual representation of ATT&CK: a grid with tactics as columns and techniques as rows. Each cell represents a specific adversary behavior. The matrix provides a single view of the complete adversary playbook and enables defenders to assess their coverage: which cells can we detect, and which are blind spots?
ATT&CK publishes separate matrices for different platforms:
Enterprise. Covers Windows, macOS, Linux, cloud (Azure AD, Office 365, Google Workspace, SaaS, IaaS), network infrastructure, and containers. This is the most widely used matrix and the one most referenced in SOC operations, detection engineering, and security assessments.
Mobile. Covers iOS and Android adversary techniques.
ICS (Industrial Control Systems). Covers techniques targeting operational technology environments: programmable logic controllers, human-machine interfaces, and SCADA systems.
ATT&CK provides a common vocabulary for threat intelligence. When a security vendor publishes a report attributing an attack to APT29 (Russia's SVR), the report maps the observed behavior to ATT&CK techniques: "APT29 used T1566.001 (Spearphishing Attachment) for initial access, T1059.001 (PowerShell) for execution, T1003.001 (LSASS Memory) for credential access, and T1041 (Exfiltration Over C2 Channel) for data theft."
This standardized mapping enables defenders to take immediate action: check whether their detection stack covers T1566.001, T1059.001, T1003.001, and T1041. If gaps exist, the defender knows exactly which detection rules to develop. One caveat: a rule tagged with a technique ID is evidence of coverage only if it has been tested against the procedures the report describes. A technique such as T1003.001 spans many distinct procedures (Mimikatz, a comsvcs.dll MiniDump, direct syscalls from injected code), and a rule that catches one of them may miss the others.
Without ATT&CK, threat intelligence would describe attacks in vendor-specific language that requires translation before it becomes actionable. ATT&CK eliminates the translation step.
Detection engineering is the practice of writing, testing, and maintaining detection rules that identify adversary techniques in security telemetry. ATT&CK is the foundation for this practice.
The workflow: select a technique (T1003.001: OS Credential Dumping, LSASS Memory). Review the ATT&CK documentation for that technique: what data sources are required (Process: Process Access and Process: OS API Execution; on Windows the usual source is Sysmon Event ID 10, ProcessAccess), what detection logic applies (a process other than the expected system and security processes opening a handle to lsass.exe with memory-read rights), and what real-world examples exist. Write a detection rule in the SIEM that implements this logic. Test the rule against simulated adversary behavior (using tools like Atomic Red Team or Caldera). Tune the rule to reduce false positives. Deploy to production. Repeat for the next technique.
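The T1003.001 rule logic from the workflow above, written out as an added example (this is not CDA's rule and not MITRE's detection content). It evaluates Sysmon Event ID 10 (ProcessAccess) records, which is where "a non-LSASS process accessing LSASS memory" actually shows up on Windows, and applies two checks a practitioner would want: a handle without memory-read rights is ignored because it cannot dump anything, and call stacks with frames Sysmon labels UNKNOWN (not backed by a module on disk) are flagged because that is what injected or reflectively loaded dumpers look like. The JSON field shape, the allowlist of legitimate LSASS readers and the five sample events are constructed assumptions; the access-right values are the Windows constants.

```python
"""Detection logic for T1003.001 (OS Credential Dumping: LSASS Memory) applied to
Sysmon Event ID 10 (ProcessAccess) records. Added example for this article; the
events below are constructed, not captured from a real host."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows process access rights that allow reading or writing another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed allowlist of processes that legitimately open lsass.exe with read rights.
# Illustrative only: derive the real list from baseline telemetry in your environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Finding:
    source_image: str
    granted_access: int
    reason: str
    technique: str = "T1003.001"


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if this event looks like an LSASS memory read, else None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    access = int(event.get("GrantedAccess", "0x0"), 16)
    # A handle without VM_READ/VM_WRITE cannot dump memory; query-only handles
    # (0x1000, 0x1400) are common on a healthy host and would otherwise be noise.
    if not access & (PROCESS_VM_READ | PROCESS_VM_WRITE):
        return None
    reasons = []
    if source not in ALLOWED_SOURCES:
        reasons.append("unexpected source process")
    # Sysmon writes UNKNOWN for stack frames not backed by a module on disk,
    # which is what injected shellcode or a reflectively loaded dumper looks like.
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("call stack contains unbacked (UNKNOWN) frames")
    if not reasons:
        return None
    return Finding(source, access, "; ".join(reasons))


def run(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-per-line Sysmon events (the shape a log shipper typically emits)."""
    findings = []
    for line in lines:
        finding = evaluate(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: a benign AV read, a dumper run from a temp directory,
# a query-only handle, a dump from injected code, and one unrelated event.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2c4ce"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(00000201A2B3C000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]]

if __name__ == "__main__":
    for f in run(SAMPLE_LINES):
        print(f"{f.technique}: {f.source_image} access=0x{f.granted_access:x} ({f.reason})")
```

On the sample input the rule fires twice (the temp-directory binary and the rundll32 process with unbacked frames) and stays quiet for Defender and for the query-only svchost handle. The allowlist is the part that needs tuning per environment; the access-mask check and the UNKNOWN-frame check transfer as they are.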
The detection coverage assessment (CDA's TID-R02 mission, 16 hours) maps the organization's current detection rules against the ATT&CK matrix, producing a heat map that shows which techniques are detected (green), partially detected (amber), and not detected (red). This heat map is the most actionable output of any TID assessment because it quantifies the detection gap and prioritizes the detection engineering backlog.
Red teams use ATT&CK to structure their operations. An adversary emulation plan maps a specific threat actor's known TTPs (from published threat intelligence) onto the ATT&CK matrix, then executes those techniques against the target environment. The goal is to test whether the organization's defenses can detect and respond to the specific adversary that is most likely to target them.
MITRE and its Center for Threat-Informed Defense publish adversary emulation plans for specific threat groups (APT3 and APT29 from MITRE's own ATT&CK Evaluations work; FIN6 and others through the Center's Adversary Emulation Library). These plans provide step-by-step operational procedures that a red team can execute to simulate the threat actor's behavior with high fidelity.
CDA's TID-D02 (Purple Team Exercise, 40 hours) uses ATT&CK-mapped adversary emulation. The red team executes techniques. The blue team detects and responds. Both teams debrief together, mapping the exercise results onto the ATT&CK matrix: which techniques were detected, which were missed, and what detection improvements are needed.
Before ATT&CK, the cybersecurity industry lacked a standardized vocabulary for adversary behavior. Vendors described attacks in proprietary terminology. Threat intelligence reports used inconsistent naming conventions. Detection rules were written against local observations rather than industry-standard technique definitions. ATT&CK provided the common language that connected threat intelligence producers, detection engineers, red teams, and security leadership around a single behavior taxonomy.
ATT&CK enables organizations to quantify their detection capability. "We detect 47 of 201 Enterprise ATT&CK techniques" is a measurable statement that drives investment decisions. "We have good detection capabilities" is not. The ability to measure detection coverage, track improvement over time, and benchmark against peer organizations transformed detection from an art into an engineering discipline.
ATT&CK enables threat-informed defense: prioritizing security investments based on which adversary techniques are most likely to target the organization. An organization in the financial services sector facing APT38 (a financially motivated North Korean state group associated with Lazarus Group) should prioritize detection for the techniques APT38 actually uses, not generic techniques that APT38 does not. ATT&CK provides the data to make this prioritization: each technique is linked to the threat groups known to use it, and those links are machine-readable in the STIX bundle MITRE distributes.
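The coverage heat map (the TID-R02 output described earlier, and the "47 of 201" style measurement) and the group-based prioritization in the paragraph above, as one added example that is not CDA's tooling and not a MITRE script. It reads techniques and intrusion-set "uses" relationships from a bundle in the shape of MITRE's enterprise-attack STIX export, scores each active technique from a rule inventory, lists the uncovered techniques for a named group, and emits an ATT&CK Navigator layer for the heat map. It also surfaces rules mapped to revoked technique IDs, which otherwise silently drop out of the coverage count. The bundle subset, the rule inventory and the detected/partial/none status vocabulary are constructed; the Navigator version strings are an assumption to adjust to the Navigator build you upload to.

```python
"""Detection coverage heat map and threat-informed gap list computed from an
ATT&CK STIX bundle and a rule inventory. Added example for this article; the
bundle is a constructed subset in the shape of MITRE's enterprise-attack.json
and the rule inventory is constructed too."""
from collections import Counter
from typing import Dict, List, Set


def _ap(n: int, tid: str, name: str, phase: str, revoked: bool = False) -> dict:
    """Build a STIX attack-pattern object with the fields MITRE's bundle carries."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{n}", "name": name,
            "revoked": revoked, "x_mitre_is_subtechnique": "." in tid,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": phase}]}


# Constructed subset of the bundle: nine active techniques, one revoked ID (T1086 was
# replaced by T1059.001), one group, and its "uses" relationships.
BUNDLE = {"type": "bundle", "objects": [
    _ap(1, "T1566", "Phishing", "initial-access"),
    _ap(2, "T1566.001", "Spearphishing Attachment", "initial-access"),
    _ap(3, "T1566.002", "Spearphishing Link", "initial-access"),
    _ap(4, "T1190", "Exploit Public-Facing Application", "initial-access"),
    _ap(5, "T1078", "Valid Accounts", "initial-access"),
    _ap(6, "T1059.001", "PowerShell", "execution"),
    _ap(7, "T1003.001", "LSASS Memory", "credential-access"),
    _ap(8, "T1550.001", "Application Access Token", "lateral-movement"),
    _ap(9, "T1041", "Exfiltration Over C2 Channel", "exfiltration"),
    _ap(10, "T1086", "PowerShell", "execution", revoked=True),
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "APT29"},
] + [{"type": "relationship", "relationship_type": "uses",
      "source_ref": "intrusion-set--1", "target_ref": f"attack-pattern--{n}"}
     for n in (2, 6, 7, 8, 9, 10)]}

# Constructed rule inventory: each SIEM rule carries the technique ID it is tested against.
RULES = [
    {"name": "lsass_access_from_unexpected_process", "technique": "T1003.001", "status": "detected"},
    {"name": "powershell_encoded_command", "technique": "T1059.001", "status": "detected"},
    {"name": "office_spawns_shell", "technique": "T1566.001", "status": "partial"},
    {"name": "waf_exploit_signature", "technique": "T1190", "status": "detected"},
    {"name": "legacy_powershell_rule", "technique": "T1086", "status": "detected"},
]
LEVEL = {"none": 0, "partial": 1, "detected": 2}
COLOR = {0: "#ff6666", 1: "#ffd966", 2: "#8fd18f"}  # red / amber / green


def active_techniques(bundle: dict) -> Dict[str, dict]:
    """Map technique ID -> details, skipping revoked and deprecated entries."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r["source_name"] == "mitre-attack")
        out[tid] = {"stix_id": obj["id"], "name": obj["name"],
                    "tactics": [p["phase_name"] for p in obj["kill_chain_phases"]]}
    return out


def group_techniques(bundle: dict, group_name: str) -> Set[str]:
    """Technique IDs the named intrusion set is documented as using."""
    by_stix = {v["stix_id"]: tid for tid, v in active_techniques(bundle).items()}
    groups = {o["id"] for o in bundle["objects"]
              if o.get("type") == "intrusion-set" and o["name"] == group_name}
    return {by_stix[o["target_ref"]] for o in bundle["objects"]
            if o.get("type") == "relationship" and o.get("relationship_type") == "uses"
            and o["source_ref"] in groups and o["target_ref"] in by_stix}


def coverage(bundle: dict, rules: List[dict]) -> Dict[str, int]:
    """Technique ID -> 0 (none), 1 (partial), 2 (detected); best rule status wins."""
    cov = {tid: 0 for tid in active_techniques(bundle)}
    for r in rules:
        if r["technique"] in cov:
            cov[r["technique"]] = max(cov[r["technique"]], LEVEL[r["status"]])
    return cov


def stale_rules(bundle: dict, rules: List[dict]) -> List[str]:
    """Rules whose technique ID is no longer an active entry (revoked or mistyped)."""
    techs = active_techniques(bundle)
    return [r["name"] for r in rules if r["technique"] not in techs]


def summary(cov: Dict[str, int]) -> Dict[str, int]:
    c = Counter(cov.values())
    return {"detected": c[2], "partial": c[1], "none": c[0], "total": len(cov)}


def group_gaps(bundle: dict, rules: List[dict], group_name: str) -> List[str]:
    """Techniques the group uses that are not fully detected: the prioritized backlog."""
    cov = coverage(bundle, rules)
    return sorted(t for t in group_techniques(bundle, group_name) if cov[t] < 2)


def navigator_layer(bundle: dict, rules: List[dict], name: str) -> dict:
    """ATT&CK Navigator layer JSON; version strings are an assumption for your build."""
    techs, cov = active_techniques(bundle), coverage(bundle, rules)
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
            "techniques": [{"techniqueID": tid, "tactic": techs[tid]["tactics"][0],
                            "score": lvl, "color": COLOR[lvl]}
                           for tid, lvl in sorted(cov.items())]}


if __name__ == "__main__":
    print("coverage:", summary(coverage(BUNDLE, RULES)))
    print("APT29 gaps:", group_gaps(BUNDLE, RULES, "APT29"))
    print("stale rule mappings:", stale_rules(BUNDLE, RULES))
```

Against the constructed data the heat map reads 3 detected, 1 partial, 5 undetected out of 9, and the APT29-prioritized backlog is T1041, T1550.001 and T1566.001 (the last because its only rule is partial). The legacy rule mapped to T1086 is reported as stale rather than counted, which is the failure mode to watch for after every ATT&CK release. Against the real bundle the same functions work unchanged; only the constructed BUNDLE and RULES are replaced by the downloaded JSON and the SIEM's rule export.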
ATT&CK documents observed behavior, not all possible behavior. Techniques that have not been publicly documented are not in ATT&CK. Novel attack methods, zero-day exploitation chains, and classified intelligence are not represented. ATT&CK is the best available catalog of known adversary behavior. It is not a complete catalog of all adversary behavior.
ATT&CK also does not rank techniques by likelihood or impact. All techniques are listed equally. Prioritization has to come from outside the catalog: threat intelligence on which groups target the organization and which techniques they use, and prevalence data such as the Center for Threat-Informed Defense's Top ATT&CK Techniques project. Note that the Exploit Prediction Scoring System (EPSS) scores vulnerabilities (CVEs), not ATT&CK techniques; it helps prioritize patching, not the order in which techniques get detection rules.
MITRE ATT&CK is the operational taxonomy that CDA's TID (Threat Intelligence and Defense) domain uses for detection engineering, threat hunting, and adversary emulation. The PDM organizes defense by what you protect (six domains). ATT&CK organizes offense by what the adversary does (14 tactics, 200+ techniques). Together, they provide a complete picture: the PDM maps where you defend, ATT&CK maps how you are attacked.
CDA's Predictive Defense Intelligence (PDI) methodology integrates ATT&CK at every operational level:
Detection engineering (TID-H01, 32 hours) uses ATT&CK as the technique catalog. Every detection rule maps to an ATT&CK technique ID. Detection coverage is measured as a percentage of the ATT&CK matrix. Detection engineering backlogs are prioritized by the techniques most likely to target the client's industry and geography, informed by threat intelligence.
Detection coverage assessment (TID-R02, 16 hours) produces the ATT&CK heat map that quantifies where the organization can detect and where it cannot. This is the assessment that transforms "is our detection working?" from a subjective question into a measured answer.
Threat hunting (TID-H03, 24 hours) uses ATT&CK technique hypotheses. "APT29 uses T1550.001 (Application Access Token) for cloud lateral movement. Do we see evidence of this technique in our Azure AD logs?" The hypothesis drives the hunt. The hunt either confirms the threat or improves the detection rules.
Purple team exercises (TID-D02, 40 hours) use ATT&CK-mapped adversary emulation to test detection coverage under realistic conditions. The red team executes mapped techniques. The blue team detects (or misses). The debrief maps results to the ATT&CK matrix, producing an empirically validated detection coverage assessment.
Adversary emulation program (TID-C03, 20 hours) sustains ongoing ATT&CK-based testing in steady state. This is not annual pen testing. It is recurring adversary simulation that continuously validates and improves detection coverage.
The cross-domain utility of ATT&CK is significant. ATT&CK techniques map to PDM domains: Initial Access techniques (T1566 Phishing, T1190 Exploit Public-Facing Application) map to VSD. Credential Access techniques (T1003 OS Credential Dumping, T1110 Brute Force) map to IAT. Defense Evasion techniques (T1562 Impair Defenses, T1070 Indicator Removal) map to SPH. Exfiltration techniques map to DPS. ATT&CK provides the adversary perspective that each PDM domain defends against.
Written by Evan Morgan