eastbaycyber

What is the MITRE ATT&CK framework?

FAQs 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Short answer

The MITRE ATT&CK framework is a structured reference for adversary behavior. Security teams use it to understand ATT&CK tactics and techniques, map alerts, guide investigations, support purple teaming, and improve detection coverage across endpoint, identity, network, and cloud environments.

The MITRE ATT&CK framework is a public knowledge base of real-world attacker behavior. It organizes common intrusion activity into tactics and techniques so defenders can map detections, improve threat hunting, assess gaps, and communicate adversary behavior using a shared language. If you are asking what is MITRE ATT&CK, the simplest answer is that it helps security teams focus on what attackers do, not just which malware name they use.

What MITRE ATT&CK is

MITRE ATT&CK is best understood as a threat detection framework and behavioral knowledge base. Instead of focusing only on malware families or threat actor names, it documents the methods attackers use during real intrusions.

That matters because attacker tools change often, but many behaviors repeat.

For defenders, this makes ATT&CK useful for questions like:

  • What behaviors do we currently detect?
  • Where are our visibility gaps?
  • Which attacker techniques matter most in our environment?
  • How do we describe adversary activity consistently across teams?

What the ATT&CK framework contains

At a high level, ATT&CK organizes behavior into:

  • tactics
  • techniques
  • sub-techniques

Tactics

Tactics describe the attacker’s goal at a particular stage of activity.

Examples include goals such as:

  • gaining initial access
  • executing code
  • maintaining persistence
  • escalating privileges
  • evading defenses
  • accessing credentials
  • moving laterally
  • collecting data
  • exfiltrating information
  • disrupting operations

A useful shorthand is that tactics describe the why behind attacker behavior.

Techniques

Techniques describe the method used to achieve a tactic.

For example, an attacker trying to access credentials may use credential dumping. An attacker trying to move laterally may use stolen accounts or remote services.

This is where the framework becomes operationally useful. Techniques help teams ask:

  • do we log this activity?
  • can we detect it reliably?
  • can we block or constrain it?
  • have we tested this behavior in our environment?

Sub-techniques

Sub-techniques provide more detail beneath broader techniques. They help defenders be more precise when mapping alerts, writing detections, and running coverage reviews.

That added detail is especially useful in mature security operations programs where broad labels are not enough.

What the ATT&CK matrix is

The ATT&CK matrix is the visual grid many people recognize. It lays out tactics as columns and the related techniques underneath them.

The matrix is useful because it helps teams:

  • visualize attacker behavior
  • map detections against known tradecraft
  • identify gaps more quickly
  • explain findings to technical and non-technical stakeholders

It is important not to treat the matrix like a fixed attack sequence. It is a reference model, not a guaranteed timeline of how every intrusion unfolds.

How defenders use MITRE ATT&CK

Detection engineering

Detection teams often map alerts and analytic rules to ATT&CK techniques. This helps move security programs beyond vague statements like “we monitor PowerShell.”

A stronger approach is to say:

  • which behaviors are covered
  • which techniques have partial coverage
  • which important behaviors have no reliable detection

If you want to connect ATT&CK to portable detections, see what is sigma and how do i write a detection.

Threat hunting

ATT&CK is widely used in threat hunting because it provides realistic behavioral hypotheses.

For example, a hunter might ask:

  • do we see unusual use of remote administration tools?
  • do we have signs of credential access techniques?
  • are suspicious scripting behaviors showing up on endpoints?

This makes hunting more disciplined than searching logs randomly.

For more on the hunting side, read what is threat hunting.

Incident response

During investigations, incident responders often map observed activity to ATT&CK techniques to better understand:

  • how the attacker got in
  • how they maintained access
  • how they moved through the environment
  • what data they targeted
  • where controls failed

This can make post-incident reporting more useful and easier to compare across cases.

Gap analysis and coverage reviews

One of the most practical uses of ATT&CK is adversary behavior mapping across your environment.

Instead of saying “we have EDR and SIEM,” teams can evaluate:

  • which techniques are covered by telemetry
  • which techniques have strong detections
  • which areas rely only on manual analysis
  • which behaviors have no meaningful visibility

That makes ATT&CK valuable for roadmap planning, maturity reviews, and board-level reporting.

Purple teaming and adversary simulation

Red and purple teams use ATT&CK to simulate specific techniques and validate whether defenses work as expected.

This improves repeatability. Teams can test the same behavior over time and track whether detection and response have improved.

Why MITRE ATT&CK matters

The biggest value of ATT&CK is that it gives defenders a common language.

Without that shared model, one team may describe something as “PowerShell abuse,” another as “script-based execution,” and another as “post-exploitation activity.” ATT&CK helps standardize those discussions.

It also encourages a shift from vendor-centric thinking to behavior-centric defense. That is useful because attackers can swap tools quickly, but their objectives and methods often remain familiar.

What ATT&CK does not do

ATT&CK is powerful, but it is not everything.

It is not:

  • a SIEM
  • an EDR tool
  • a prevention control
  • a certification
  • a complete security strategy by itself

It helps teams organize and analyze attacker behavior, but it does not automatically create detections or eliminate gaps. Quality still depends on your telemetry, engineering, tuning, and response capability.

Common misconceptions

“MITRE ATT&CK is a security product”

No. It is a framework and knowledge base, not a platform you deploy.

“ATT&CK is just a checklist”

Not really. It is better used as a model for behavior mapping, gap analysis, and detection improvement than as a box-checking exercise.

“If we map alerts to ATT&CK, we are done”

No. A mapped alert is not automatically a good alert. Detection quality, field coverage, fidelity, and analyst usability still matter.

“The ATT&CK matrix predicts the exact order of every attack”

No. Attackers do not move through the matrix in a fixed left-to-right sequence. The matrix is a structured reference, not a script.

“Only large SOCs benefit from ATT&CK”

False. Smaller teams can use it too, especially to prioritize telemetry, explain risk, and focus on behaviors that matter most.

Final takeaway

The MITRE ATT&CK framework helps defenders understand attacker behavior in a structured way. If you want a practical answer to what is MITRE ATT&CK, it is a model for describing adversary actions so teams can improve detections, guide threat hunting, strengthen investigations, and identify where their monitoring is strong, weak, or missing.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.