MITRE ATT&CK is a globally accessible, continuously updated knowledge base of adversary tactics and techniques based on real-world observations. It is not a compliance standard — it is a common language for describing attacker behaviour, used to improve detection, threat hunting and security testing.
How ATT&CK is structured
- Tactics — the adversary’s tactical goal (the "why").
- Techniques & sub-techniques — how the goal is achieved (the "how").
- Procedures — specific real-world implementations by threat actors.
- Matrices — Enterprise, Mobile and ICS.
- Groups & Software — known threat actors and malware mapped to techniques.
- Data Sources & Detections — which telemetry (data source and data component, e.g. "Process: Process Creation") can reveal each technique, plus detection guidance.
- Mitigations — defensive measures that reduce technique effectiveness.
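The objects above are linked by relationships, so ATT&CK is best read as a graph: a group "uses" techniques, a data component "detects" a technique, a mitigation "mitigates" it, and a sub-technique is "subtechnique-of" its parent. The following is an added example (not MITRE's or CyberSigma's code) that walks such a graph to answer the question "what do I need to log, and what controls apply, for the techniques this group uses?". The bundle is a constructed, trimmed-down stand-in shaped like the public ATT&CK STIX 2.1 release; the STIX IDs are placeholders, the technique and mitigation names are real ATT&CK entries, and the data-component objects are simplified (the real ones also reference a parent data source object).

```python
"""Added example: ATT&CK object model as a graph (constructed mini STIX bundle)."""

# Constructed mini-bundle. IDs after '--' are placeholders, not real STIX UUIDs.
BUNDLE = [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group", "aliases": ["EG"]},
    {"type": "attack-pattern", "id": "attack-pattern--t1059", "name": "Command and Scripting Interpreter",
     "x_mitre_is_subtechnique": False, "x_mitre_platforms": ["Windows", "Linux", "macOS"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1059-001", "name": "PowerShell",
     "x_mitre_is_subtechnique": True, "x_mitre_platforms": ["Windows"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1003-001", "name": "LSASS Memory",
     "x_mitre_is_subtechnique": True, "x_mitre_platforms": ["Windows"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001"}]},
    # Data components (simplified: the real objects also point at a parent data source, e.g. "Process").
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc1", "name": "Process Creation"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc2", "name": "OS API Execution"},
    {"type": "course-of-action", "id": "course-of-action--m1", "name": "Credential Access Protection"},
    # Edges: who uses what, what detects what, what mitigates what, sub-technique parentage.
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1059-001"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1003-001"},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--t1059-001", "target_ref": "attack-pattern--t1059"},
    {"type": "relationship", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc1", "target_ref": "attack-pattern--t1059-001"},
    {"type": "relationship", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc2", "target_ref": "attack-pattern--t1003-001"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--t1003-001"},
]


def attack_id(obj):
    """Return the ATT&CK external ID (e.g. 'T1059.001') of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def tactics(technique):
    """Tactic (kill-chain phase) names for a technique, e.g. ['execution']."""
    return [p["phase_name"] for p in technique.get("kill_chain_phases", [])
            if p["kill_chain_name"] == "mitre-attack"]


def related(bundle, rel_type, *, source_ref=None, target_ref=None):
    """Objects at the other end of `rel_type` relationships from `source_ref` or to `target_ref`."""
    by_id = {o["id"]: o for o in bundle if "id" in o}
    out = []
    for r in bundle:
        if r.get("type") != "relationship" or r["relationship_type"] != rel_type:
            continue
        if source_ref and r["source_ref"] == source_ref:
            out.append(by_id[r["target_ref"]])
        elif target_ref and r["target_ref"] == target_ref:
            out.append(by_id[r["source_ref"]])
    return out


def group_profile(bundle, group_name):
    """For one group: each technique it uses, with tactic, parent, detecting telemetry and mitigations."""
    group = next(o for o in bundle if o.get("type") == "intrusion-set" and o["name"] == group_name)
    profile = {}
    for tech in related(bundle, "uses", source_ref=group["id"]):
        profile[attack_id(tech)] = {
            "name": tech["name"],
            "tactics": tactics(tech),
            "parent": [attack_id(p) for p in related(bundle, "subtechnique-of", source_ref=tech["id"])],
            "detected_by": sorted(dc["name"] for dc in related(bundle, "detects", target_ref=tech["id"])),
            "mitigated_by": sorted(m["name"] for m in related(bundle, "mitigates", target_ref=tech["id"])),
        }
    return profile


if __name__ == "__main__":
    for tid, info in sorted(group_profile(BUNDLE, "Example Group").items()):
        print(tid, info)
```

Against the real bundle (enterprise-attack.json from MITRE's attack-stix-data repository) the same walk works unchanged apart from the data-component simplification; the point is that "which telemetry do I need for this adversary" is a two-hop query over `uses` and `detects` edges, not a manual read of technique pages.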
The 14 Enterprise tactics
| Tactic | Adversary goal |
|---|---|
| Reconnaissance | Gather information to plan the operation |
| Resource Development | Establish resources (infrastructure, accounts, tools) |
| Initial Access | Get into the network |
| Execution | Run malicious code |
| Persistence | Maintain a foothold |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid detection |
| Credential Access | Steal credentials: account names, passwords, hashes, tokens and keys |
| Discovery | Understand the environment |
| Lateral Movement | Move through the environment |
| Collection | Gather data of interest |
| Command and Control | Communicate with compromised systems |
| Exfiltration | Steal data |
| Impact | Manipulate, interrupt or destroy systems and data |
The matrices
- Enterprise — Windows, macOS, Linux, cloud (IaaS/SaaS/identity), network and containers.
- Mobile — Android and iOS techniques.
- ICS — techniques targeting industrial control systems / OT.
Defensive use cases
| Use case | How ATT&CK helps |
|---|---|
| Detection engineering | Build and measure detections against specific techniques and data sources |
| Threat hunting | Form hypotheses based on techniques used by relevant threat groups |
| SOC coverage mapping | Assess which techniques you can detect/prevent — and the gaps |
| Red / purple teaming | Emulate real adversary techniques and validate detections |
| Threat intelligence | Describe adversaries in a consistent, shareable language |
| Risk & control gap analysis | Prioritise controls against the techniques that threaten you most |
How to use ATT&CK (coverage mapping)
- Identify the threat groups and techniques most relevant to your sector.
- Map current detections and controls to ATT&CK techniques (use the ATT&CK Navigator to visualise).
- Identify coverage gaps — techniques you can neither detect nor prevent.
- Prioritise gaps by threat relevance and business impact.
- Run adversary-emulation / purple-team exercises against real techniques.
- Feed results into detection engineering and control improvements; re-measure coverage.
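The steps above amount to a join between three inventories: the techniques your threat profile says matter, the detections you have mapped to them, and the telemetry you actually collect. The following is an added example (not CyberSigma's tooling, not MITRE's) that performs that join, scores each technique as validated, paper-only or gap, lists gaps by threat weight, and emits an ATT&CK Navigator layer for visualisation. The technique IDs are real ATT&CK Enterprise IDs; the threat profile, detection inventory, data-source inventory and weights are constructed sample data, and the layer fields follow the public Navigator layer format as I understand it (assumed layer version 4.5; check against your Navigator build).

```python
"""Added example: ATT&CK coverage mapping with validation and data-source checks."""
import json

# Constructed threat profile: weight = how many of the relevant groups use the technique.
THREAT_PROFILE = {
    "T1566.001": 3,  # Phishing: Spearphishing Attachment
    "T1059.001": 3,  # Command and Scripting Interpreter: PowerShell
    "T1078": 2,      # Valid Accounts
    "T1003.001": 2,  # OS Credential Dumping: LSASS Memory
    "T1021.001": 2,  # Remote Services: Remote Desktop Protocol
    "T1486": 2,      # Data Encrypted for Impact
    "T1053.005": 1,  # Scheduled Task/Job: Scheduled Task
    "T1562.001": 1,  # Impair Defenses: Disable or Modify Tools
}

# Constructed data-source inventory: the ATT&CK data components we actually collect.
COLLECTED = {
    "Process: Process Creation",   # e.g. Sysmon EID 1 / Security 4688 with command line
    "Logon Session: Logon Session Creation",
    "Network Traffic: Network Connection Creation",
    # "Process: OS API Execution" is NOT collected, so LSASS-access rules are blind.
}

# Constructed detection inventory. `validated` = proven to fire in a purple-team test.
DETECTIONS = [
    {"name": "Encoded PowerShell command line", "technique": "T1059.001",
     "data_component": "Process: Process Creation", "validated": True},
    {"name": "LSASS handle from non-system process", "technique": "T1003.001",
     "data_component": "Process: OS API Execution", "validated": False},
    {"name": "RDP logon from new source", "technique": "T1021.001",
     "data_component": "Logon Session: Logon Session Creation", "validated": False},
    {"name": "Office app spawning script host", "technique": "T1566.001",
     "data_component": "Process: Process Creation", "validated": True},
]


def coverage_status(technique, detections, collected):
    """Return 'validated', 'paper' or 'gap' for one technique.

    'paper'  = a rule is mapped but has never been exercised.
    'gap'    = no rule, or the rule's telemetry is not collected (it cannot fire).
    """
    rules = [d for d in detections
             if d["technique"] == technique and d["data_component"] in collected]
    if not rules:
        return "gap"
    return "validated" if any(d["validated"] for d in rules) else "paper"


def prioritised_gaps(profile, detections, collected):
    """(technique, status, weight) for everything short of validated, heaviest threat first."""
    rows = []
    for tid, weight in profile.items():
        status = coverage_status(tid, detections, collected)
        if status != "validated":
            rows.append((tid, status, weight))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def navigator_layer(profile, detections, collected, name="Coverage vs threat profile"):
    """Build an ATT&CK Navigator layer dict (assumed layer format 4.5) for import."""
    colours = {"validated": "#2e8b57", "paper": "#ffcc00", "gap": "#d9534f"}
    techniques = []
    for tid, weight in profile.items():
        status = coverage_status(tid, detections, collected)
        techniques.append({
            "techniqueID": tid,
            "score": weight,
            "color": colours[status],
            "comment": f"{status}; threat weight {weight}",
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "navigator": "4.9", "attack": "14"},
        "techniques": techniques,
    }


if __name__ == "__main__":
    for tid, status, weight in prioritised_gaps(THREAT_PROFILE, DETECTIONS, COLLECTED):
        print(f"{tid:10} {status:10} weight={weight}")
    print(json.dumps(navigator_layer(THREAT_PROFILE, DETECTIONS, COLLECTED), indent=2))
```

Two design choices matter here. A detection whose data component is not in `COLLECTED` is scored as a gap, not as coverage, which is the code form of "you cannot detect what you do not log". And a mapped-but-untested rule is scored as paper-only, so the gap list stays honest until a purple-team exercise has actually fired it; re-running the script after each exercise is the "re-measure coverage" step.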
Related resources
- ATT&CK Navigator — a web tool to annotate and visualise technique coverage.
- MITRE D3FEND — a complementary knowledge base of defensive countermeasures mapped to ATT&CK techniques.
- MITRE Engage — adversary engagement (deception) planning.
Common pitfalls
- Chasing 100% technique coverage instead of prioritising by real threat relevance.
- Mapping detections on paper without validating them through testing.
- Treating ATT&CK as a compliance checklist rather than a behavioural model.
- Ignoring data-source quality — you cannot detect what you do not log.
How CyberSigma helps
Our red and purple teams emulate real adversary techniques mapped to MITRE ATT&CK, measure your detection coverage, and turn the gaps into a prioritised detection-engineering and control roadmap.
Frequently asked questions
Is MITRE ATT&CK a compliance framework?
No. It is a behavioural knowledge base for defenders and testers, not a certifiable standard. It complements frameworks like NIST CSF by making detection and testing concrete.
What is the difference between ATT&CK and the Cyber Kill Chain?
The Kill Chain is a high-level linear model of an attack; ATT&CK is a far more granular, non-linear catalog of specific techniques observed in the wild.
What is MITRE D3FEND?
D3FEND is a complementary knowledge base of defensive countermeasures, mapping defensive techniques to the offensive techniques in ATT&CK.
Need help with MITRE ATT&CK?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about ATT&CK to measured, validated detection coverage, with a scoped, guided programme.
