What is MITRE ATT&CK?

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyber intrusions. It is the de facto reference for detection engineering, threat intelligence, red teaming, and incident response.

Who maintains MITRE ATT&CK?

The MITRE Corporation, a U.S. federally funded research and development center, maintains ATT&CK under U.S. government sponsorship. The framework is updated continuously based on community contributions and MITRE research.

What are the three ATT&CK matrices?

Enterprise (Windows, macOS, Linux, cloud, containers, network devices), Mobile (Android, iOS), and ICS (industrial control systems including engineering workstations, PLCs, and HMIs). Each has its own set of tactics and techniques.

What is the difference between ATT&CK techniques and IOCs?

An IOC is a specific observable artifact (file hash, IP, domain) tied to a single campaign. An ATT&CK technique describes adversary behavior at a higher level of abstraction. Techniques are far more durable for detection than IOCs because adversaries change infrastructure faster than they change methods.

How is ATT&CK used in detection engineering?

Detection engineers map their detection content to ATT&CK techniques to measure coverage, identify gaps, and prioritize new detections. ATT&CK Navigator is the standard tool for visualizing coverage. Mature SOC programs target durable behavior detection rather than IOC-based detection alone.

MITRE ATT&CK - Adversary Tactics and Techniques Catalog

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyber intrusions. Developed by The MITRE Corporation and continuously updated, ATT&CK is the de facto reference for detection engineering, threat intelligence, red teaming, and incident response. The framework spans Enterprise, Mobile, and ICS matrices, with hundreds of techniques and thousands of sub-techniques and procedures.

Source: attack.mitre.org, maintained by The MITRE Corporation under U.S. government sponsorship.

ATT&CK Structure

Tactics: the adversary's high-level goals (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)
Techniques: the methods adversaries use to achieve tactics (e.g., T1078 Valid Accounts, T1059 Command and Scripting Interpreter)
Sub-techniques: more specific implementations (e.g., T1059.001 PowerShell)
Procedures: observed implementations by specific threat actors or in specific campaigns

ATT&CK Matrices

Enterprise: Windows, macOS, Linux, cloud (AWS, Azure, GCP, SaaS), containers, network devices
Mobile: Android, iOS
ICS: industrial control systems (engineering workstations, PLCs, HMIs)

How ATT&CK Is Used in Incident Response

DFIR teams map observed adversary behavior to ATT&CK techniques during investigation, which improves communication across teams and tooling. Detection engineers measure coverage against ATT&CK to identify gaps. Threat intelligence reports describe campaigns using ATT&CK references. Red and purple teams plan exercises against ATT&CK techniques relevant to the organization's threat profile.

Map incidents to ATT&CK automatically

IR-OS supports ATT&CK technique tagging on incident events for cross-team communication, coverage measurement, and defensible record-keeping.

Start free

MITRE ATT&CK - Adversary Tactics and Techniques Catalog

ATT&CK Structure

ATT&CK Matrices

How ATT&CK Is Used in Incident Response

Related Terms

Map incidents to ATT&CK automatically