The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Maintained by the MITRE Corporation, ATT&CK catalogs the behavior of cyber adversaries across the attack lifecycle, providing a common language for describing threats. The framework organizes adversary behavior into 14 tactics representing the 'why' of an attack (the adversary's tactical objective) and hundreds of techniques and sub-techniques representing the 'how.' ATT&CK covers Enterprise (Windows, macOS, Linux, cloud, network, containers), Mobile, and ICS (Industrial Control Systems) environments.
The 14 Enterprise ATT&CK tactics in kill-chain order are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Each tactic contains multiple techniques. For example, Initial Access includes techniques like Phishing, Exploit Public-Facing Application, and Supply Chain Compromise. Each technique is documented with a description, procedure examples from real threat groups, detection guidance, and mitigation recommendations. MITRE maps techniques to specific threat groups (over 140 documented) and software (over 680 documented), enabling organizations to model threats relevant to their sector. Organizations use ATT&CK for threat intelligence analysis, detection engineering (mapping detection rules to techniques), red team planning, security gap assessment, and security operations center maturity evaluation.
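The detection-engineering and gap-assessment uses described above come down to two mappings: technique to tactic (from the ATT&CK catalog) and detection rule to technique (from the rule's metadata). The script below is an added example, not MITRE's code or tooling. It builds a small catalog in the shape of the public ATT&CK STIX bundle (`attack-pattern` objects with a `mitre-attack` `external_id` and `kill_chain_phases` naming the tactic), using a hand-picked subset of real technique IDs and names, then reads Sigma-style `attack.t1566.001` tags from a few constructed detection rules and reports, per tactic, which techniques have at least one rule and which are gaps. Two practitioner details are handled: a rule tagged with a sub-technique counts toward its parent technique, and a tag naming a technique that is not in the catalog (a typo or a retired ID) is reported rather than silently dropped. The catalog subset, the rules and their titles are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed mini catalog in the shape of the public ATT&CK STIX bundle
# (attack-pattern objects, "mitre-attack" external_id, kill_chain_phases
# naming the tactic). Technique IDs and names are real ATT&CK entries, but
# this is a hand-picked subset built for the example, not the full catalog.
def _ap(tid, name, *phases):
    return {
        "type": "attack-pattern",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
        "x_mitre_is_subtechnique": "." in tid,
    }

CATALOG = {"type": "bundle", "objects": [
    _ap("T1566", "Phishing", "initial-access"),
    _ap("T1566.001", "Spearphishing Attachment", "initial-access"),
    _ap("T1190", "Exploit Public-Facing Application", "initial-access"),
    _ap("T1195", "Supply Chain Compromise", "initial-access"),
    _ap("T1059", "Command and Scripting Interpreter", "execution"),
    _ap("T1053", "Scheduled Task/Job", "execution", "persistence", "privilege-escalation"),
    _ap("T1003", "OS Credential Dumping", "credential-access"),
    _ap("T1110", "Brute Force", "credential-access"),
    # Real bundles also carry groups, software, relationships; they must be skipped.
    {"type": "intrusion-set", "name": "constructed-example-group"},
]}

# Constructed detection rules carrying Sigma-style ATT&CK tags.
RULES = [
    {"title": "Office app spawns a shell",
     "tags": ["attack.initial_access", "attack.t1566.001", "attack.execution", "attack.t1059"]},
    {"title": "Handle opened to LSASS", "tags": ["attack.credential_access", "attack.t1003"]},
    {"title": "New scheduled task", "tags": ["attack.persistence", "attack.t1053"]},
    {"title": "Stale rule with typo", "tags": ["attack.t9999"]},  # no such technique in catalog
]

# Matches technique tags (attack.t1566, attack.t1566.001); tactic tags such as
# attack.initial_access do not match and are ignored here.
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def index_catalog(bundle):
    """Map technique ID -> {'name', 'tactics'}; non-technique objects are skipped."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r["source_name"] == "mitre-attack")
        tactics = {p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p["kill_chain_name"] == "mitre-attack"}
        index[tid] = {"name": obj["name"], "tactics": tactics}
    return index


def technique_ids(rule):
    """Technique IDs referenced by a rule's tags, normalised to upper case."""
    ids = set()
    for tag in rule["tags"]:
        m = TECH_TAG.match(tag)
        if m:
            ids.add(m.group(1).upper())
    return ids


def parent_of(tid):
    """T1566.001 -> T1566; a parent technique maps to itself."""
    return tid.split(".")[0]


def coverage_by_tactic(index, rules):
    """Per tactic: parent techniques with at least one rule, and those with none.
    A rule tagged with a sub-technique counts toward its parent technique."""
    parents = {t for t in index if "." not in t}
    hit = set()
    for rule in rules:
        for tid in technique_ids(rule):
            if tid in index:          # unknown IDs are handled by unmapped_technique_tags
                hit.add(parent_of(tid))
    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for tid in sorted(parents):
        for tactic in index[tid]["tactics"]:
            report[tactic]["covered" if tid in hit else "gaps"].append(tid)
    return dict(report)


def unmapped_technique_tags(index, rules):
    """(rule title, technique ID) pairs where the tag names an ID absent from the catalog."""
    return {(r["title"], tid) for r in rules for tid in technique_ids(r) if tid not in index}


if __name__ == "__main__":
    idx = index_catalog(CATALOG)
    for tactic, cov in sorted(coverage_by_tactic(idx, RULES).items()):
        total = len(cov["covered"]) + len(cov["gaps"])
        print(f"{tactic:22} {len(cov['covered'])}/{total} covered; gaps: {', '.join(cov['gaps']) or '-'}")
    for title, tid in sorted(unmapped_technique_tags(idx, RULES)):
        print(f"WARNING: rule '{title}' references unknown technique {tid}")
```

Against the constructed inputs the report shows Initial Access at 1/3 (Exploit Public-Facing Application and Supply Chain Compromise uncovered), Credential Access at 1/2 (Brute Force uncovered), and the remaining tactics fully covered, with one warning for the rule tagged `attack.t9999`. Pointing `index_catalog` at the real Enterprise STIX bundle and `RULES` at a real rule set works the same way; the only caveat is that "covered" here means one rule exists, which says nothing about that rule's quality or the telemetry it depends on.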
ATT&CK has become the de facto standard for describing adversary behavior in the cybersecurity industry. Security vendors map their products to ATT&CK coverage, SOC teams use it to identify detection gaps, and threat intelligence teams use it to track adversary evolution. Regulatory frameworks including CMMC and NIST CSF reference ATT&CK for threat-informed defense. For CDA, ATT&CK tactics and techniques map directly to theater missions, enabling threat-informed security operations that address real adversary behaviors rather than abstract compliance requirements.