MITRE ATT&CK

A knowledge base of real-world adversary tactics and techniques.

MITRE ATT&CK is a globally accessible, continuously updated knowledge base of adversary tactics and techniques based on real-world observations. It is not a compliance standard — it is a common language for describing attacker behaviour, used to improve detection, threat hunting and security testing.

How ATT&CK is structured

  • Tactics — the adversary’s tactical goal (the "why").
  • Techniques & sub-techniques — how the goal is achieved (the "how").
  • Procedures — specific real-world implementations by threat actors.
  • Matrices — Enterprise, Mobile and ICS.
  • Groups & Software — known threat actors and malware mapped to techniques.
  • Data Sources & Detections — what telemetry reveals each technique.
  • Mitigations — defensive measures that reduce technique effectiveness.

The 14 Enterprise tactics

Tactic | Adversary goal
Reconnaissance | Gather information to plan the operation
Resource Development | Establish resources (infrastructure, accounts, tools)
Initial Access | Get into the network
Execution | Run malicious code
Persistence | Maintain a foothold
Privilege Escalation | Gain higher-level permissions
Defense Evasion | Avoid detection
Credential Access | Steal account names and passwords
Discovery | Understand the environment
Lateral Movement | Move through the environment
Collection | Gather data of interest
Command and Control | Communicate with compromised systems
Exfiltration | Steal data
Impact | Manipulate, interrupt or destroy systems and data

The matrices

  • Enterprise — Windows, macOS, Linux, cloud (IaaS/SaaS/identity), network and containers.
  • Mobile — Android and iOS techniques.
  • ICS — techniques targeting industrial control systems / OT.

Defensive use cases

Use case | How ATT&CK helps
Detection engineering | Build and measure detections against specific techniques and data sources
Threat hunting | Form hypotheses based on techniques used by relevant threat groups
SOC coverage mapping | Assess which techniques you can detect/prevent — and the gaps
Red / purple teaming | Emulate real adversary techniques and validate detections
Threat intelligence | Describe adversaries in a consistent, shareable language
Risk & control gap analysis | Prioritise controls against the techniques that threaten you most

How to use ATT&CK (coverage mapping)

  1. Identify the threat groups and techniques most relevant to your sector.
  2. Map current detections and controls to ATT&CK techniques (use the ATT&CK Navigator to visualise).
  3. Identify coverage gaps — techniques you can neither detect nor prevent.
  4. Prioritise gaps by threat relevance and business impact.
  5. Run adversary-emulation / purple-team exercises against real techniques.
  6. Feed results into detection engineering and control improvements; re-measure coverage.

Related MITRE resources

  • ATT&CK Navigator — a web tool to annotate and visualise technique coverage.
  • MITRE D3FEND — a complementary knowledge base of defensive countermeasures mapped to ATT&CK techniques.
  • MITRE Engage — adversary engagement (deception) planning.
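Steps 1 to 6 of the coverage-mapping procedure above, carried through as an added Python example (not the page's or MITRE's own code): it counts how many relevant groups use each technique, checks which techniques have a detection that was actually validated by testing rather than mapped on paper, ranks the gaps by relevance times business impact, and emits a dict in the shape of an ATT&CK Navigator layer. The group-to-technique mapping, detection rules, impact weights and the Navigator layer keys (techniqueID, score, comment, gradient) are constructed assumptions for the example.

```python
# Constructed sample (step 1): relevant threat groups and the technique IDs they use.
GROUP_TECHNIQUES = {"group-A": {"T1566", "T1059", "T1003", "T1021"},
                    "group-B": {"T1566", "T1078", "T1486"}}
# Constructed sample (step 2): detections mapped to techniques, flagging whether each
# was validated by a purple-team test or only mapped on paper.
DETECTIONS = [{"rule": "phish-attachment-macro", "technique": "T1566", "validated": True},
              {"rule": "lsass-handle-access", "technique": "T1003", "validated": False},
              {"rule": "powershell-encoded", "technique": "T1059", "validated": True}]
# Constructed business-impact weights (step 4); unlisted techniques weigh 1.
IMPACT = {"T1486": 3, "T1003": 2}


def relevance(groups):
    """Technique ID -> number of relevant groups observed using it."""
    counts = {}
    for techs in groups.values():
        for t in techs:
            counts[t] = counts.get(t, 0) + 1
    return counts


def coverage_status(detections):
    """Technique ID -> 'validated' or 'unvalidated' (best status across its rules)."""
    status = {}
    for d in detections:
        if d["validated"] or d["technique"] not in status:
            status[d["technique"]] = "validated" if d["validated"] else "unvalidated"
    return status


def prioritised_gaps(groups, detections, impact):
    """Steps 3-4: techniques lacking a validated detection, ranked by relevance * impact."""
    rel, cov = relevance(groups), coverage_status(detections)
    gaps = [(t, rel[t] * impact.get(t, 1), cov.get(t, "none"))
            for t in rel if cov.get(t) != "validated"]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def navigator_layer(groups, detections, name="coverage"):
    """Navigator layer dict (v4.x layer keys assumed): score 0 none, 1 unvalidated, 2 validated."""
    rel, cov = relevance(groups), coverage_status(detections)
    score = {"none": 0, "unvalidated": 1, "validated": 2}
    techs = [{"techniqueID": t, "score": score[cov.get(t, "none")],
              "comment": f"{rel[t]} relevant group(s); coverage={cov.get(t, 'none')}"}
             for t in sorted(rel)]
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"},
            "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                         "minValue": 0, "maxValue": 2}, "techniques": techs}
```

Serialise the returned layer with json.dumps to a .json file and open it in the Navigator to visualise the gaps; after each purple-team round (step 5), flip the validated flags and re-run to re-measure coverage (step 6).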

Common pitfalls

  • Chasing 100% technique coverage instead of prioritising by real threat relevance.
  • Mapping detections on paper without validating them through testing.
  • Treating ATT&CK as a compliance checklist rather than a behavioural model.
  • Ignoring data-source quality — you cannot detect what you do not log.

How CyberSigma helps

Our red and purple teams emulate real adversary techniques mapped to MITRE ATT&CK, measure your detection coverage, and turn the gaps into a prioritised detection-engineering and control roadmap.

Frequently asked questions

Is MITRE ATT&CK a compliance framework?

No. It is a behavioural knowledge base for defenders and testers, not a certifiable standard. It complements frameworks like NIST CSF by making detection and testing concrete.

What is the difference between ATT&CK and the Cyber Kill Chain?

The Kill Chain is a high-level linear model of an attack; ATT&CK is a far more granular, non-linear catalog of specific techniques observed in the wild.

What is MITRE D3FEND?

D3FEND is a complementary knowledge base of defensive countermeasures, mapping defensive techniques to the offensive techniques in ATT&CK.

Need help with MITRE ATT&CK?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.