What Is MITRE ATT&CK?
AtomEons Research / Cybersecurity Foundations
The short answer
MITRE ATT&CK is a free, globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) maintained by The MITRE Corporation, built from real-world observations of cyberattacks. It organizes attacker behavior into 14 enterprise tactics (the "why") and over 200 techniques with 400+ sub-techniques (the "how"), giving defenders, threat hunters, and red teams a shared vocabulary for describing how intrusions actually unfold.
The longer answer
MITRE ATT&CK — short for Adversarial Tactics, Techniques, and Common Knowledge — was first published by The MITRE Corporation in 2013 as an internal research project to model post-compromise adversary behavior on Windows enterprise networks. It was publicly released in 2015 and has since become the de facto taxonomy for describing what attackers do once they've gained a foothold.
Unlike older models such as the Lockheed Martin Cyber Kill Chain (which is linear and pre-compromise focused), ATT&CK is a matrix, not a chain. Its core structural unit is the tactic-technique pair. Tactics describe the adversary's tactical goal at a given moment — Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, plus the later additions Reconnaissance and Resource Development. Techniques describe how — for example, T1566 (Phishing) under Initial Access, with sub-techniques T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), and so on.
ATT&CK splits into three platform matrices: Enterprise (Windows, macOS, Linux, cloud platforms like AWS/Azure/GCP/Office 365/Google Workspace, network devices, and containers), Mobile (Android and iOS), and ICS (industrial control systems, released in 2020). Each technique entry contains a description, procedure examples from named threat groups, mitigations mapped to NIST SP 800-53 controls, and detection guidance tied to data sources like process creation logs, network traffic, and authentication events.
The framework is updated roughly twice a year. As of v15 (May 2024), Enterprise ATT&CK contained 14 tactics, 202 techniques, and 435 sub-techniques. MITRE also publishes companion resources: ATT&CK Groups (140+ tracked threat actors like APT28, Lazarus, FIN7), ATT&CK Software (700+ pieces of malware and dual-use tools mapped to techniques), and ATT&CK Navigator (an interactive tool for layering techniques onto the matrix to visualize coverage and detection gaps).
Adoption is unusually broad. NIST cites ATT&CK directly in SP 800-53 Rev. 5 and SP 800-150. CISA maps its Known Exploited Vulnerabilities catalog and threat advisories to ATT&CK technique IDs. Every major EDR vendor (CrowdStrike Falcon, Microsoft Defender, SentinelOne, Palo Alto Cortex XDR) tags detections with technique IDs. Red team tools like Atomic Red Team (Red Canary), Caldera (MITRE's own automated adversary emulation platform), and the commercial breach-and-attack-simulation market (AttackIQ, SafeBreach, Cymulate) are organized around ATT&CK coverage.
MITRE also runs the ATT&CK Evaluations program, where vendors' EDR products are tested against scripted emulations of real threat actors (Carbanak+FIN7, Wizard Spider+Sandworm, Turla, APT29) with public per-technique results. MITRE does not assign winners — it publishes raw telemetry visibility data.
Operationally, ATT&CK serves four overlapping use cases: threat intelligence (describing adversary behavior in a structure that survives the IOC half-life problem), detection engineering (rules tied to techniques, not hashes), red team / purple team exercises (planning emulation scenarios), and gap analysis (Navigator heatmaps to identify which techniques your tooling can see). It is not a maturity model and not a compliance framework — it is a vocabulary.
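The following Python script is an added example, not code from this article or from MITRE, that puts the two structural points above into working form: technique IDs parsed into parent/sub-technique pairs (the T1566 / T1566.001 scheme), detection coverage scored per tactic rather than per technique because one technique can sit under several tactics, and the result emitted as an ATT&CK Navigator layer for the gap-analysis heatmap use case. It also lifts technique IDs out of advisory-style prose and lists the ones no rule covers. The technique-to-tactic table is a hand-picked subset of the public Enterprise matrix (for real use, load the STIX data MITRE publishes instead); the detection rules and advisory excerpt are constructed; the Navigator layer field names and version strings are my assumption and should be checked against the layer format documented in the attack-navigator repository.

```python
"""Score ATT&CK detection coverage per tactic and emit a Navigator layer.
Added example: the technique table is a hand-picked subset of the public
Enterprise matrix, the rules/advisory text are constructed, and the Navigator
field names and version strings are assumptions."""
import json
import re
from collections import Counter

# Constructed subset of Enterprise ATT&CK: parent technique -> tactics it sits under.
# One technique can belong to several tactics (T1078 sits under four), so
# coverage is scored per tactic, not per technique.
TECHNIQUE_TACTICS = {
    "T1566": ["initial-access"],                                    # Phishing
    "T1059": ["execution"],                                         # Command and Scripting Interpreter
    "T1053": ["execution", "persistence", "privilege-escalation"],  # Scheduled Task/Job
    "T1078": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],  # Valid Accounts
    "T1003": ["credential-access"],                                 # OS Credential Dumping
    "T1021": ["lateral-movement"],                                  # Remote Services
    "T1041": ["exfiltration"],                                      # Exfiltration Over C2 Channel
}

# Technique IDs are T plus four digits; sub-techniques append .NNN (T1566.001).
TECHNIQUE_ID_RE = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b")


def parse_technique_id(technique_id):
    """Return (parent_id, sub_id_or_None); reject anything that is not a whole ID."""
    match = TECHNIQUE_ID_RE.fullmatch(technique_id.strip())
    if match is None:
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return "T" + match.group(1), match.group(2)


def extract_technique_ids(text):
    """Pull technique IDs out of free text (an advisory, rule tags), unique and in order."""
    found = []
    for match in TECHNIQUE_ID_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def technique_hits(detection_rules):
    """Count rules per parent technique, rolling sub-techniques up to the parent."""
    hits = Counter()
    for rule in detection_rules:
        for parent in {parse_technique_id(t)[0] for t in rule["techniques"]}:
            hits[parent] += 1  # a rule counts once per parent technique
    return hits


def coverage_by_tactic(hits, matrix=TECHNIQUE_TACTICS):
    """Map tactic -> (techniques with at least one rule, techniques in the matrix)."""
    per_tactic = {}
    for technique, tactics in matrix.items():
        for tactic in tactics:
            covered, total = per_tactic.get(tactic, (0, 0))
            per_tactic[tactic] = (covered + int(hits.get(technique, 0) > 0), total + 1)
    return per_tactic


def undetected_techniques(text, hits):
    """Parent techniques named in the text that no detection rule covers."""
    parents = {parse_technique_id(t)[0] for t in extract_technique_ids(text)}
    return sorted(p for p in parents if hits.get(p, 0) == 0)


def build_navigator_layer(hits, name, matrix=TECHNIQUE_TACTICS):
    """Navigator layer dict: score = rule count per technique, 0 marks a gap."""
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},  # assumed values
        "domain": "enterprise-attack",
        "description": "Detection rules per technique; score 0 = no coverage",
        "techniques": [{"techniqueID": tid, "score": hits.get(tid, 0)} for tid in matrix],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 3},
    }


# Constructed detection rules, tagged the way EDR/SIEM content normally is.
DETECTION_RULES = [
    {"name": "Office macro spawns script host", "techniques": ["T1566.001", "T1059.005"]},
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"name": "Scheduled task created from user shell", "techniques": ["T1053.005"]},
    {"name": "RDP logon with reused credential", "techniques": ["T1021.001", "T1078"]},
]

# Constructed advisory excerpt in the style of a joint cybersecurity advisory.
ADVISORY_TEXT = (
    "The actor delivered a spearphishing link (T1566.002), ran PowerShell "
    "(T1059.001), dumped LSASS memory (T1003.001) and exfiltrated over the "
    "existing C2 channel (T1041)."
)

if __name__ == "__main__":
    hits = technique_hits(DETECTION_RULES)
    for tactic, (covered, total) in sorted(coverage_by_tactic(hits).items()):
        print(f"{tactic:<22} {covered}/{total}")
    print("advisory techniques with no rule:", undetected_techniques(ADVISORY_TEXT, hits))
    print(json.dumps(build_navigator_layer(hits, "Coverage vs constructed rules"), indent=2))
```

Run as a script, it prints a per-tactic coverage table (credential-access and exfiltration show 0/1 against the constructed rule set), names T1003 and T1041 as the advisory techniques nothing detects, and writes a layer JSON that can be loaded into Navigator to colour the matrix. Rolling sub-techniques up to the parent is deliberate: a rule for T1059.001 says nothing about T1059.005, so the layer's score is a rule count, not a claim that the technique is fully covered.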
Key facts
- ATT&CK was first publicly released by The MITRE Corporation in 2015 after starting as an internal Windows-focused research project in 2013 (MITRE Corp., “MITRE ATT&CK: Design and Philosophy,” MP180360R1, March 2020).
- The framework is published under a permissive license allowing commercial reuse with attribution (ATT&CK Terms of Use, attack.mitre.org/resources/terms-of-use/).
- Enterprise ATT&CK v15 contains 14 tactics, 202 techniques, and 435 sub-techniques across Windows, macOS, Linux, Cloud, Network, and Containers (MITRE ATT&CK v15 release notes, May 2024).
- ATT&CK techniques are referenced directly in NIST SP 800-53 Rev. 5 as a complementary control mapping (NIST SP 800-53 Rev. 5, September 2020).
- CISA Joint Cybersecurity Advisories explicitly map observed adversary behavior to ATT&CK technique IDs as standard practice (cisa.gov/news-events/cybersecurity-advisories).
- MITRE Caldera is the open-source adversary emulation platform built directly on ATT&CK (caldera.mitre.org).
- The ATT&CK Evaluations program publicly tests EDR vendors against scripted emulations of named threat actors including APT29, Carbanak+FIN7, and Wizard Spider+Sandworm (MITRE Engenuity, attackevals.mitre-engenuity.org).
- ATT&CK for ICS was released in January 2020 to extend the framework to industrial control system environments.
- Pre-compromise tactics (Reconnaissance and Resource Development) were added to Enterprise ATT&CK in October 2020, replacing the deprecated PRE-ATT&CK matrix (MITRE ATT&CK v8 release notes, October 2020).
- ATT&CK Navigator is the official open-source web tool for visualizing technique coverage as layered matrix heatmaps (github.com/mitre-attack/attack-navigator).