MITRE ATT&CK
MITRE ATT&CK is a globally referenced, structured knowledge base of adversary tactics, techniques, and procedures (TTPs), built from publicly reported real-world intrusions and spanning the attack lifecycle from reconnaissance to impact. It is used in cyber defense, threat modeling, and Security Operations (SecOps) as a common vocabulary for describing adversary behavior.
- Curated matrix of adversary tactics and techniques (cyber threat intelligence)
- Coverage for enterprise, mobile, and industrial control systems domains (cybersecurity domains)
- Technique descriptions with procedure examples, mitigations, and detections (security operations)
- STIX 2.1 data model, JSON content, and TAXII and Python APIs for integrating ATT&CK into tools and workflows (security tooling integration)
- Publicly available community-supported knowledge base maintained by MITRE (security knowledge management)
More About MITRE ATT&CK
MITRE ATT&CK is a curated knowledge base and framework that describes how adversaries behave at each stage of a cyber attack, based on publicly reported real-world observations rather than theoretical attack trees. It is maintained by MITRE and organized as matrices of tactics and techniques that document how adversaries prepare for and gain access to an environment, how they execute, persist, escalate, and move once inside, and how they attempt to achieve their objectives. ATT&CK supports security teams in modeling threats, assessing defenses, and aligning detection and response activities with known adversary behavior.
The core structure of MITRE ATT&CK is a set of tactics (the adversary's short-term objectives, identified as TA####, for example TA0002 Execution) and techniques (how adversaries achieve those objectives, identified as T####, for example T1059 Command and Scripting Interpreter), with many techniques further divided into sub-techniques (T####.###, for example T1059.001 PowerShell). A technique can sit under more than one tactic: T1053 Scheduled Task/Job appears under Execution, Persistence, and Privilege Escalation. Techniques are organized into matrices for different environments (cyber threat intelligence). The Enterprise matrix covers Windows, macOS, Linux, cloud services, network devices, and containers. There are separate matrices for Mobile platforms (Android and iOS; mobile security) and Industrial Control Systems (ICS security). Each technique entry includes a description, procedure examples showing how named threat groups or malware have used it, possible mitigations, and detection guidance expressed in terms of data sources and data components (for example Process: Process Creation, Command: Command Execution), giving SecOps and threat-hunting teams a structured reference that also states which telemetry a detection needs.
ATT&CK content is distributed in machine-readable form: the full knowledge base is published as STIX 2.1 JSON bundles (one per domain) in the mitre-attack/attack-stix-data GitHub repository and over a TAXII 2.1 server, and MITRE maintains the mitreattack-python library and the ATT&CK Navigator for working with it (security tooling integration). Techniques are STIX attack-pattern objects that carry the ATT&CK ID in external_references, the tactic in kill_chain_phases, and custom x_mitre_* fields such as x_mitre_platforms and x_mitre_is_subtechnique; groups, software, and mitigations are linked to techniques through relationship objects. This enables security product vendors, internal engineering teams, and researchers to integrate ATT&CK into Security Information and Event Management (SIEM) rules, Endpoint Detection and Response (EDR) products, analytics platforms, and assessment tools. Mapping alerts, logs, and analytics to ATT&CK technique IDs supports more consistent detection coverage analysis and gives security, engineering, and leadership teams a shared vocabulary. One caveat applies in practice: the catalog changes with each ATT&CK release (objects are revoked or deprecated, techniques are split into sub-techniques), so mappings should record the ATT&CK version they were made against and tooling should skip revoked and deprecated objects rather than count them as coverage.
In enterprise environments, ATT&CK is used for adversary emulation, detection engineering, threat-informed defense, and security assessment (security program management). Red teams design test scenarios by chaining techniques that mimic the documented behavior of a known threat group, so that the exercise measures defenses against a realistic sequence rather than isolated tests. Blue teams map existing detections to ATT&CK, identify coverage gaps, and prioritize new detections, commonly visualized as a Navigator layer; the map is only as honest as its inputs, because a rule tagged with a technique detects the specific procedure it was written for, and only where the required data source is actually collected. Incident responders and threat intelligence analysts classify observed activity using ATT&CK techniques, enabling structured reporting and comparison across incidents and organizations.
ATT&CK also defines related constructs such as Groups (G####), Software (S####), Campaigns (C####), Mitigations (M####), and Data Sources (DS####) (cyber threat intelligence modeling). Groups capture publicly reported threat actors whose behavior has been documented using ATT&CK techniques; Campaigns record the techniques and software seen in a specific, time-bounded set of intrusions. Software entries describe malware and tools, including how they implement techniques. Mitigation entries summarize defensive measures mapped back to techniques, and data components link techniques to the telemetry that can detect them. In the STIX data these links are relationship objects: a group or software "uses" a technique, a mitigation "mitigates" it, a data component "detects" it, and a sub-technique is "subtechnique-of" its parent. These elements, together with the technique catalog, form a reference model that many organizations incorporate into security architectures, control frameworks, and risk assessments.
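The three paragraphs above describe the STIX data model, the practice of mapping detection rules to technique IDs, and the relationship objects that tie groups to techniques. The following script ties them together: it builds a technique catalog from a bundle, resolves the techniques a group "uses", maps a rule inventory onto the catalog, and reports the group's techniques no rule covers. This is an added example, not MITRE's code or tooling. SAMPLE_OBJECTS is a constructed, heavily trimmed stand-in that follows the object shapes of the real ATT&CK STIX data (the technique and group IDs are real ATT&CK ID formats, but the STIX UUIDs are placeholders and G0000 is a fictitious group); SAMPLE_RULES is a constructed rule inventory; and the convention that a sub-technique tag also counts for its parent is a reporting choice made here, not part of the ATT&CK data model.

```python
"""Load ATT&CK techniques from a STIX 2.1 bundle, map detection rules to them,
and list the techniques a threat group uses that no rule covers.

Added example, not MITRE's code. SAMPLE_OBJECTS is a constructed stand-in in
the layout of the real ATT&CK STIX data (placeholder UUIDs); a real run would
load enterprise-attack.json from mitre-attack/attack-stix-data instead."""
import json
import re
from collections import defaultdict

ATTACK_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # technique / sub-technique ID shape

def sid(kind, n):
    """Placeholder STIX id in the real 'type--uuid' form (constructed)."""
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

def ref(ext_id):
    return [{"source_name": "mitre-attack", "external_id": ext_id}]

def phases(*names):
    return [{"kill_chain_name": "mitre-attack", "phase_name": n} for n in names]

SAMPLE_OBJECTS = [  # constructed sample following the ATT&CK STIX 2.1 object shapes
    {"type": "attack-pattern", "id": sid("attack-pattern", 1), "name": "Command and Scripting Interpreter",
     "x_mitre_is_subtechnique": False, "kill_chain_phases": phases("execution"),
     "external_references": ref("T1059")},
    {"type": "attack-pattern", "id": sid("attack-pattern", 2), "name": "PowerShell",
     "x_mitre_is_subtechnique": True, "kill_chain_phases": phases("execution"),
     "external_references": ref("T1059.001")},
    {"type": "attack-pattern", "id": sid("attack-pattern", 3), "name": "Scheduled Task/Job",
     "x_mitre_is_subtechnique": False, "kill_chain_phases": phases("execution", "persistence"),
     "external_references": ref("T1053")},
    # T1086 was revoked when PowerShell became sub-technique T1059.001; revoked
    # objects still ship in the data and must not be counted as coverage.
    {"type": "attack-pattern", "id": sid("attack-pattern", 4), "name": "PowerShell", "revoked": True,
     "kill_chain_phases": phases("execution"), "external_references": ref("T1086")},
    {"type": "intrusion-set", "id": sid("intrusion-set", 1), "name": "Example Group",  # fictitious
     "external_references": ref("G0000")},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": sid("attack-pattern", 2), "target_ref": sid("attack-pattern", 1)},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": sid("intrusion-set", 1), "target_ref": sid("attack-pattern", 2)},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": sid("intrusion-set", 1), "target_ref": sid("attack-pattern", 3)},
]
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": sid("bundle", 1), "objects": SAMPLE_OBJECTS})

SAMPLE_RULES = [  # constructed rule inventory, tagged the way SIEM rules usually are
    {"name": "powershell_encoded_command", "techniques": ["T1059.001"]},
    {"name": "legacy_rule_bad_tags", "techniques": ["T1059.01", "T9999"]},  # malformed, unknown
]

def attack_id(obj):
    """The ATT&CK ID (T1059, G0016, ...) carried in a STIX object's external_references."""
    for r in obj.get("external_references", []):
        if r.get("source_name") == "mitre-attack":
            return r.get("external_id")
    return None

def build_catalog(bundle_json):
    """ATT&CK ID -> technique record, skipping revoked and deprecated entries."""
    catalog = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj["type"] != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        catalog[attack_id(obj)] = {
            "name": obj["name"], "stix_id": obj["id"],
            "is_subtechnique": obj.get("x_mitre_is_subtechnique", False),
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p["kill_chain_name"] == "mitre-attack"],
        }
    return catalog

def group_techniques(bundle_json, catalog, group_id):
    """ATT&CK IDs of the techniques an intrusion-set 'uses', resolved through relationships."""
    objects = json.loads(bundle_json)["objects"]
    group_refs = {o["id"] for o in objects if o["type"] == "intrusion-set" and attack_id(o) == group_id}
    by_stix = {rec["stix_id"]: tid for tid, rec in catalog.items()}
    return {by_stix[r["target_ref"]] for r in objects
            if r["type"] == "relationship" and r["relationship_type"] == "uses"
            and r["source_ref"] in group_refs and r["target_ref"] in by_stix}

def map_rules(catalog, rules):
    """Map rule tags to techniques. Returns (technique ID -> rule names, bad tags).
    Tags that are malformed or absent from the catalog are reported, not silently dropped.
    A sub-technique tag also counts for its parent: a reporting convention chosen here."""
    covered, bad = defaultdict(set), []
    for rule in rules:
        for tag in rule["techniques"]:
            if not ATTACK_ID_RE.match(tag) or tag not in catalog:
                bad.append((rule["name"], tag))
                continue
            covered[tag].add(rule["name"])
            parent = tag.split(".")[0]
            if parent != tag and parent in catalog:
                covered[parent].add(rule["name"])
    return dict(covered), bad

def gaps_by_tactic(catalog, covered, technique_ids):
    """Techniques in technique_ids with no covering rule, keyed by tactic shortname."""
    gaps = defaultdict(list)
    for tid in sorted(technique_ids - set(covered)):
        for tactic in catalog[tid]["tactics"]:
            gaps[tactic].append(f"{tid} {catalog[tid]['name']}")
    return dict(gaps)

def run_sample():
    catalog = build_catalog(SAMPLE_BUNDLE)
    used = group_techniques(SAMPLE_BUNDLE, catalog, "G0000")
    covered, bad = map_rules(catalog, SAMPLE_RULES)
    return gaps_by_tactic(catalog, covered, used), bad

if __name__ == "__main__":
    gaps, bad = run_sample()
    print("uncovered group techniques:", gaps)
    print("rule tags to fix:", bad)
```

On the sample data the report lists T1053 under both execution and persistence as uncovered for the group, T1086 never enters the catalog because it is revoked, and the two bad tags (a truncated sub-technique ID and an ID that does not exist) are surfaced instead of inflating the coverage count. Against the real enterprise-attack.json the same functions work unchanged; the tactic shortnames in kill_chain_phases can be joined to the x-mitre-tactic objects to get display names and TA#### IDs.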
From a directory and taxonomy perspective, MITRE ATT&CK is categorized as a cybersecurity knowledge framework and threat behavior taxonomy (security framework). It is used as a reference layer for detection analytics, security control design, red teaming, and reporting. Its structured matrices and machine-readable content support interoperability across a wide ecosystem of commercial and open-source tools that reference ATT&CK for rule mapping, dashboards, testing frameworks, and threat intelligence products.