MITRE ATT&CK is a globally recognized, freely available knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks. Since its public release in 2015, ATT&CK has become the de facto standard language for describing adversary behavior across the cybersecurity industry. For CTI analysts, understanding ATT&CK is not optional — it is foundational to how threats are described, tracked, detected, and communicated across organizations and the broader community.
Learning Objectives
- Explain what MITRE ATT&CK is and how it was developed
- Distinguish between tactics, techniques, sub-techniques, and procedures
- Navigate the Enterprise, Mobile, and ICS matrices
- Use the ATT&CK Navigator for visualization and analysis
- Describe common use cases for ATT&CK in CTI and security operations
- Understand how ATT&CK relates to the Cyber Kill Chain and Diamond Model
History and Origins
MITRE ATT&CK originated in 2013 from a MITRE research project conducted at Fort Meade, Maryland, known as the Fort Meade Experiment (FMX). The project sought to answer a practical question: how can defenders systematically document and categorize the post-compromise behavior of adversaries operating within enterprise networks?
The researchers recognized that while the security industry had robust frameworks for vulnerability classification (CVE/CVSS) and malware naming, there was no common taxonomy for describing what adversaries actually do after gaining initial access to a network. The behaviors observed during the FMX research were cataloged, categorized, and eventually organized into what became ATT&CK — Adversarial Tactics, Techniques, and Common Knowledge.
ATT&CK was first made publicly available in May 2015 with a focus on the Windows enterprise environment. It has since expanded significantly to cover macOS, Linux, cloud environments, mobile platforms (Android and iOS), and industrial control systems (ICS). The knowledge base is maintained by MITRE with contributions from the global cybersecurity community and is updated regularly with new techniques and threat actor profiles.
Structure of ATT&CK
ATT&CK is organized in a hierarchical structure that moves from the abstract (why an adversary does something) to the specific (exactly how a particular group did it in a specific intrusion).
Tactics — The "Why"
Tactic: The adversary's tactical objective — the reason for performing an action. Tactics represent the "why" of an ATT&CK technique.
Tactics are organized as columns in the ATT&CK matrix. The Enterprise matrix contains 14 tactics, representing the phases of an adversary's operation from reconnaissance through impact:
| Tactic | Description |
|---|---|
| Reconnaissance | Gathering information to plan future operations |
| Resource Development | Establishing resources to support operations (infrastructure, accounts, tools) |
| Initial Access | Gaining a foothold in the target environment |
| Execution | Running malicious code |
| Persistence | Maintaining access across restarts or credential changes |
| Privilege Escalation | Gaining higher-level permissions |
| Defense Evasion | Avoiding detection |
| Credential Access | Stealing credentials (usernames, passwords, tokens) |
| Discovery | Learning about the environment |
| Lateral Movement | Moving through the environment to reach objectives |
| Collection | Gathering data of interest to the adversary's goal |
| Command and Control | Communicating with compromised systems |
| Exfiltration | Stealing data from the target environment |
| Impact | Disrupting, destroying, or manipulating systems and data |
Techniques — The "How"
Technique: The means by which an adversary achieves a tactical objective. Techniques describe "how" an adversary performs an action.
Techniques are listed under each tactic and describe specific methods adversaries use. For example, under the Initial Access tactic, techniques include Phishing (T1566), Exploit Public-Facing Application (T1190), and Valid Accounts (T1078), among others.
Each technique in ATT&CK has a unique identifier (e.g., T1059 for Command and Scripting Interpreter) and a detailed page that includes a description, procedure examples from real-world intrusions, detection guidance, and mitigations.
Sub-Techniques — The Specific Variation
Sub-techniques provide a more granular breakdown of techniques. For example, Phishing (T1566) has three sub-techniques:
- T1566.001 — Spearphishing Attachment
- T1566.002 — Spearphishing Link
- T1566.003 — Spearphishing via Service
Sub-techniques were introduced in July 2020 to reduce the growing number of top-level techniques while preserving specificity. They use the format T[technique number].[sub-technique number].
Procedures — The Specific Implementation
Procedure: A specific implementation of a technique or sub-technique by a particular adversary. Procedures describe exactly how a threat group or malware executes a given technique.
Procedures are documented in the "Procedure Examples" section of each technique page. For instance, APT29 has been documented using spearphishing links (T1566.002) containing URLs to malicious ZIP files in operations targeting government organizations. This level of specificity helps analysts connect abstract framework concepts to real-world threat activity.
The Three Matrices
Enterprise Matrix
The Enterprise matrix is the most widely used and covers adversary behavior against enterprise IT environments including Windows, macOS, Linux, cloud platforms (Azure AD, Office 365, Google Workspace, SaaS, IaaS), network infrastructure, and containers. It contains 14 tactics and over 200 techniques as of early 2025.
Mobile Matrix
The Mobile matrix covers adversary behavior targeting Android and iOS mobile devices. It includes tactics and techniques specific to the mobile threat landscape, such as exploiting device admin access, abusing accessibility features, and intercepting communications.
ICS Matrix
The ICS (Industrial Control Systems) matrix covers adversary behavior in operational technology (OT) environments. Developed in collaboration with ICS security experts, it includes tactics and techniques relevant to attacks on SCADA systems, PLCs, and other industrial infrastructure. Notably, the ICS matrix includes the Impact tactic with techniques like Manipulation of Control (T0831) and Loss of Safety (T0880) that are unique to industrial environments.
Navigating ATT&CK
The ATT&CK website (attack.mitre.org) provides several ways to explore the framework:
- Matrix view: The classic spreadsheet-style view with tactics as columns and techniques listed beneath them
- Technique pages: Detailed pages for each technique with descriptions, detection guidance, mitigations, and documented procedure examples
- Group pages: Profiles of threat actor groups with their documented TTPs mapped to ATT&CK techniques
- Software pages: Profiles of malware and tools with their capabilities mapped to techniques
- Data Sources: Documentation of the data sources and data components needed to detect each technique
- Mitigations: Security controls mapped to the techniques they address
ATT&CK Navigator
The ATT&CK Navigator is a web-based tool (available at mitre-attack.github.io/attack-navigator/) that provides an interactive, layerable visualization of the ATT&CK matrix. Key capabilities include:
- Color-coding techniques to represent detection coverage, threat actor TTPs, or assessment results
- Creating layers that can be saved, shared, and overlaid to compare threat actors or identify detection gaps
- Scoring techniques numerically to represent confidence, priority, or coverage levels
- Exporting layers as JSON for programmatic use or as images for reports and briefings
The Navigator is particularly valuable for gap analysis — overlaying your detection coverage against the TTPs of threat actors relevant to your organization to identify where you are and are not prepared.
Common Use Cases
Threat Intelligence
CTI analysts use ATT&CK to standardize how adversary behavior is described and shared. Instead of narrative descriptions like "the threat actor used PowerShell to download a second-stage payload," analysts can reference T1059.001 (Command and Scripting Interpreter: PowerShell) and T1105 (Ingress Tool Transfer), creating precise, machine-readable, and universally understood descriptions.
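The following script is an added example (not code from MITRE or from the original page) that ties the hierarchy described under "Structure of ATT&CK" to the use case just described: it pulls technique and sub-technique IDs out of a narrative report and resolves each to its tactic > technique > sub-technique chain. The catalog is a constructed subset containing only the IDs cited on this page, with the tactic membership MITRE publishes for them; the report text and the ID T9999 are constructed, and the function names are this example's own. Note the one-to-many case: a technique such as Valid Accounts sits under several tactics, so the technique-to-tactic relationship is a tuple, not a single value.

```python
import re
from dataclasses import dataclass

# Matches a technique ID (T1566) or sub-technique ID (T1566.002). Case-insensitive so a
# hand-written "t1566.002" in a report still resolves.
ATTACK_ID = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Technique:
    attack_id: str
    name: str
    tactics: tuple  # one technique can sit under several tactics, hence a tuple


# Constructed subset of the Enterprise knowledge base: the IDs cited on this page plus the
# tactic membership MITRE publishes for them. A real tool would load MITRE's STIX bundle.
CATALOG = {t.attack_id: t for t in (
    Technique("T1566", "Phishing", ("Initial Access",)),
    Technique("T1566.001", "Spearphishing Attachment", ("Initial Access",)),
    Technique("T1566.002", "Spearphishing Link", ("Initial Access",)),
    Technique("T1566.003", "Spearphishing via Service", ("Initial Access",)),
    Technique("T1190", "Exploit Public-Facing Application", ("Initial Access",)),
    Technique("T1078", "Valid Accounts",
              ("Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion")),
    Technique("T1059", "Command and Scripting Interpreter", ("Execution",)),
    Technique("T1059.001", "PowerShell", ("Execution",)),
    Technique("T1105", "Ingress Tool Transfer", ("Command and Control",)),
)}


def parse_attack_id(token):
    """Split an ID into (parent technique ID, sub-technique ID or None); reject anything else."""
    m = ATTACK_ID.fullmatch(token.strip())
    if m is None:
        raise ValueError(f"not an ATT&CK technique ID: {token!r}")
    parent = f"T{m.group(1)}"
    sub = f"{parent}.{m.group(2)}" if m.group(2) else None
    return parent, sub


def resolve(token):
    """Return the tactic > technique > sub-technique chain for an ID, or None if not in CATALOG."""
    parent, sub = parse_attack_id(token)
    technique = CATALOG.get(parent)
    if technique is None:
        return None
    chain = {"tactics": technique.tactics,
             "technique": (parent, technique.name),
             "sub_technique": None}
    if sub is not None:
        sub_technique = CATALOG.get(sub)
        if sub_technique is None:
            return None
        chain["sub_technique"] = (sub, sub_technique.name)
    return chain


def extract_ids(text):
    """All technique IDs in free text, upper-cased, deduplicated, in order of first appearance."""
    found = []
    for m in ATTACK_ID.finditer(text):
        attack_id = m.group(0).upper()
        if attack_id not in found:
            found.append(attack_id)
    return found


def report_to_chains(text):
    """Map a narrative report to resolved chains; unknown IDs are kept aside rather than dropped."""
    resolved, unknown = {}, []
    for attack_id in extract_ids(text):
        chain = resolve(attack_id)
        if chain is None:
            unknown.append(attack_id)
        else:
            resolved[attack_id] = chain
    return {"resolved": resolved, "unknown": unknown}


# Constructed report text for demonstration; T9999 is a deliberate non-existent ID.
SAMPLE_REPORT = (
    "The actor delivered a spearphishing link (t1566.002) to a ZIP file, ran PowerShell "
    "(T1059.001) to fetch a second stage (T1105), and later logged in with stolen credentials "
    "(T1078). A sandbox note also mentioned T9999, which is not a published technique."
)

if __name__ == "__main__":
    for attack_id, chain in report_to_chains(SAMPLE_REPORT)["resolved"].items():
        print(attack_id, "->", chain)
```

Running the script prints one chain per ID; T1078 resolves to all four of its tactics and T9999 lands in the `unknown` list, which is the behaviour you want when a report cites an ID that has been deprecated or mistyped.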
Detection Engineering
Security operations teams map their detection rules to ATT&CK techniques to measure and visualize detection coverage. This reveals which techniques are well-covered by existing detections and which represent blind spots.
Threat-Informed Defense
Organizations identify the threat groups most likely to target their sector, map those groups' documented TTPs, and prioritize defensive investments based on the techniques that pose the greatest risk. This approach moves security strategy from compliance-driven to threat-driven.
Red Team and Purple Team Operations
Red teams use ATT&CK to plan operations that emulate specific adversary TTPs. Purple team exercises use the framework to structure collaboration between red and blue teams, ensuring that testing covers techniques relevant to real threats.
Assessment and Gap Analysis
Programs such as MITRE Engenuity's ATT&CK Evaluations use the matrix to systematically test security product capabilities against documented adversary behaviors, providing standardized comparisons.
Relationship to Other Frameworks
Lockheed Martin Cyber Kill Chain
The Cyber Kill Chain (2011) describes seven sequential phases of a cyber intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. ATT&CK provides significantly more granularity — while the Kill Chain describes the overall flow of an attack, ATT&CK enumerates hundreds of specific techniques within each phase. The two frameworks are complementary: the Kill Chain provides the high-level narrative, and ATT&CK provides the detailed behavioral taxonomy.
Diamond Model of Intrusion Analysis
The Diamond Model (Caltagirone, Pendergast, and Betz, 2013) focuses on the relationships between four core features of an intrusion: adversary, capability, infrastructure, and victim. ATT&CK's techniques map primarily to the "capability" vertex of the Diamond Model. Used together, the Diamond Model provides the relational structure for analyzing intrusions, while ATT&CK provides the vocabulary for describing what capabilities were employed.
Key Takeaways
- MITRE ATT&CK is a knowledge base of adversary behaviors based on real-world observations, not a theoretical framework
- The hierarchy is: Tactics (why) > Techniques (how) > Sub-techniques (specific variation) > Procedures (specific implementation by a group)
- The Enterprise matrix (14 tactics, 200+ techniques) is the most widely used; Mobile and ICS matrices cover additional domains
- ATT&CK Navigator enables visual analysis, coverage mapping, and gap identification
- Common use cases span threat intelligence, detection engineering, threat-informed defense, and red/purple teaming
- ATT&CK complements the Cyber Kill Chain (high-level attack flow) and Diamond Model (relational analysis) rather than replacing them
Practical Exercise
ATT&CK Mapping Exercise:
- Visit attack.mitre.org and select a threat group relevant to your sector (e.g., APT28, APT41, FIN7, Lazarus Group)
- Review the group's page and note the documented techniques (aim for at least 10)
- Open ATT&CK Navigator (mitre-attack.github.io/attack-navigator/) and create a new Enterprise layer
- Color-code the techniques used by your selected group (use one color for all their techniques)
- Now think about your organization's detection capabilities — using a different color, highlight techniques where you believe you have detection coverage
- Identify three techniques used by the threat group where you have no detection coverage — these represent your priority gaps
- For each gap, read the Detection section on the technique's page and note what data sources would be needed to build a detection
This exercise demonstrates how ATT&CK translates threat intelligence directly into defensive priorities.
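The script below is an added example (not code from MITRE, the Navigator project, or the original page) that automates the gap analysis in this exercise and the layer-overlay workflow described under "ATT&CK Navigator" and "Detection Engineering". Both input sets are constructed: the group profile reuses technique IDs cited on this page but is not any real group's documented TTPs, and the detection rules are illustrative names. The layer fields (`name`, `versions`, `domain`, `techniques`, `legendItems`, and per-technique `techniqueID`/`color`/`score`/`comment`/`enabled`) follow the Navigator layer JSON format as I understand it; the version strings are placeholders you should set to match the Navigator instance you load the file into. One caveat the exercise glosses over is handled explicitly: a rule mapped only to a parent technique is reported as partial coverage of its sub-techniques, not as full coverage.

```python
import json

# Constructed group profile (technique IDs from this page; not a real group's MITRE entry).
GROUP_TECHNIQUES = {
    "T1566.002": "Spearphishing Link",
    "T1190": "Exploit Public-Facing Application",
    "T1078": "Valid Accounts",
    "T1059.001": "PowerShell",
    "T1105": "Ingress Tool Transfer",
}

# Constructed detection inventory: rule name -> technique IDs the rule is mapped to.
DETECTION_RULES = {
    "ps-scriptblock-suspicious": ["T1059.001"],
    "ps-download-cradle": ["T1059.001", "T1105"],
    "waf-exploit-attempt": ["T1190"],
    "mail-gateway-phish-block": ["T1566"],   # parent technique only
}

STATUS_COLOR = {"gap": "#e74c3c", "partial": "#f39c12", "covered": "#2ecc71"}


def coverage_from_rules(rules):
    """Invert the rule inventory into technique ID -> list of rules that detect it."""
    coverage = {}
    for rule, attack_ids in rules.items():
        for attack_id in attack_ids:
            coverage.setdefault(attack_id, []).append(rule)
    return coverage


def classify(attack_id, coverage):
    """covered = a rule maps to this exact ID; partial = only to the parent; gap = nothing."""
    if attack_id in coverage:
        return "covered", coverage[attack_id]
    parent = attack_id.split(".")[0]
    if "." in attack_id and parent in coverage:
        return "partial", coverage[parent]
    return "gap", []


def gap_analysis(group, coverage):
    """Sort the group's techniques into covered / partial / gaps, with the rules responsible."""
    result = {"covered": {}, "partial": {}, "gaps": []}
    for attack_id in sorted(group):
        status, rules = classify(attack_id, coverage)
        if status == "gap":
            result["gaps"].append(attack_id)
        else:
            result[status][attack_id] = rules
    return result


def build_navigator_layer(name, group, coverage,
                          attack_version="14", navigator_version="4.9.1", layer_version="4.5"):
    """Build a Navigator layer: colour = status, score = number of rules, comment = rule names."""
    techniques = []
    for attack_id, technique_name in sorted(group.items()):
        status, rules = classify(attack_id, coverage)
        comment = f"{technique_name}: {status}"
        if rules:
            comment += " via " + ", ".join(rules)
        techniques.append({
            "techniqueID": attack_id,
            "color": STATUS_COLOR[status],
            "score": len(rules),
            "comment": comment,
            "enabled": True,
        })
    return {
        "name": name,
        # Placeholder versions: set these to the values your Navigator instance reports.
        "versions": {"attack": attack_version, "navigator": navigator_version, "layer": layer_version},
        "domain": "enterprise-attack",
        "description": "Group TTPs overlaid on detection coverage "
                       "(red = gap, amber = parent-level rule only, green = covered)",
        "techniques": techniques,
        "legendItems": [{"label": status, "color": colour} for status, colour in STATUS_COLOR.items()],
    }


def layer_json(layer):
    """Serialise a layer for upload to the Navigator's 'Open Existing Layer' dialog."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    cov = coverage_from_rules(DETECTION_RULES)
    print(json.dumps(gap_analysis(GROUP_TECHNIQUES, cov), indent=2))
    print(layer_json(build_navigator_layer("Example group vs detections", GROUP_TECHNIQUES, cov)))
```

With the constructed inputs, T1078 is the only outright gap, T1566.002 is partial (the mail-gateway rule is mapped to T1566 rather than to the link sub-technique), and the remaining three are covered. Save the second block of output to a `.json` file and open it in the Navigator to see the same result as the manual colour-coding in the exercise.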
Further Reading
- MITRE ATT&CK website — the primary resource for the framework, including all matrices, technique pages, group profiles, and software entries (https://attack.mitre.org)
- MITRE ATT&CK Design and Philosophy — the official paper explaining ATT&CK's design decisions, scope, and intended use (available at https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf)
- Threat-Informed Defense — MITRE Engenuity's Center for Threat-Informed Defense, which publishes research and tools built on ATT&CK (https://ctid.mitre-engenuity.org)
- ATT&CK Navigator — the interactive visualization tool for working with ATT&CK layers (https://mitre-attack.github.io/attack-navigator/)