MITRE ATT&CK and How Teams Use It
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a structured knowledge base that documents how attackers behave across the lifecycle of an intrusion. Security teams use it as a common language to design detections, run threat hunts, emulate adversaries, and communicate defensive coverage.
MITRE ATT&CK is a widely used ATT&CK framework for describing real-world adversary behavior—so security teams can map detections, plan threat hunts, run purple-team tests, and report coverage using a shared language (instead of vendor-specific jargon).
How it works
ATT&CK is organized like a matrix: columns represent tactics (the attacker’s goal at a stage), and rows represent techniques (how that goal is achieved). Many techniques include sub-techniques for more specific variants, and procedures describe how particular threat actors have implemented the technique in the wild.
Core concepts teams rely on
- Tactics: “Why” the attacker is doing something (e.g., Persistence, Credential Access, Lateral Movement).
- Techniques / sub-techniques: “How” they do it (e.g., Phishing, OS Credential Dumping, Remote Services).
- Procedures: Real observed implementations (often tied to named groups/campaigns).
- Platforms: Where a technique applies (Windows, macOS, Linux, containers, network, cloud, etc.).
- Mitigations & detections guidance: Defensive ideas and data sources, helpful for detection engineering and control planning.
ATT&CK isn’t a checklist you “complete.” Most mature teams treat it as: 1. A taxonomy for organizing telemetry and detections 2. A planning framework for validation (purple teaming / adversary emulation) 3. A communications layer for reporting risk and coverage
How teams operationalize ATT&CK (practitioner workflow)
1) Map your environment and data sources
ATT&CK is only useful if you can observe behaviors. Teams start by inventorying what telemetry they actually have—endpoint logs, identity logs, cloud audit logs, network telemetry—and then identify gaps.
Technical Notes: quick data-source sanity check (example)
Below is a practical starting point for common Windows-centric telemetry. Adjust for your environment and policies.
Endpoint:
- Sysmon (process creation, network connections, image loads)
- Windows Security Logs (logons, object access, special privileges)
- EDR telemetry (script execution, memory events, AMSI)
Identity:
- Entra ID/Azure AD sign-in logs, audit logs (or equivalent IdP)
- AD domain controller security logs
Network:
- DNS logs
- Proxy / web gateway logs
- Firewall / NDR (NetFlow, alerts)
Cloud:
- Cloud audit logs (e.g., AWS CloudTrail / GCP Audit Logs)
- SaaS admin audit logs (M365, Google Workspace, etc.)
2) Build detections aligned to techniques
Instead of “detect malware X,” detection engineers often frame rules as “detect behavior consistent with technique Y.” This has two advantages: - It stays useful when the adversary changes tools. - It supports consistent coverage reporting.
Technical Notes: what ATT&CK-aligned detections look like
A common pattern is to tag rules in your SIEM/EDR with the ATT&CK technique IDs and names (e.g., in rule metadata). Example pseudo-metadata:
rule_name: "Suspicious PowerShell with encoded command"
severity: high
attack:
tactic: Execution
technique: "Command and Scripting Interpreter"
sub_technique: "PowerShell"
data_sources:
- process_creation
- powershell_script_block_logging
Then engineers can answer: “How many detections do we have for Execution? Which techniques have no coverage?”
3) Threat hunt using ATT&CK as a hypothesis generator
Hunters use ATT&CK to generate hypotheses like: - “If an adversary is performing Credential Access, what artifacts would we see?” - “If they’re moving laterally via Remote Services, what logons would stand out?”
They translate techniques into queries over their available telemetry and then iterate based on findings.
Technical Notes: example log patterns to hunt (high-level)
These are not universal signatures—use them as starting points tied to ATT&CK-style reasoning.
Possible Credential Access leads:
- Unusual LSASS access events (EDR-specific telemetry)
- Process tree anomalies: office app -> cmd -> powershell
- Sudden spike in failed logons followed by a success (spray pattern)
Possible Lateral Movement leads:
- New remote service creation
- Remote interactive logons from atypical hosts
- Admin share access (\\HOST\ADMIN$) from non-admin workstations
4) Validate controls with purple teaming / adversary emulation
Purple teams use ATT&CK to select techniques relevant to their threat model and test whether: - The activity is prevented, detected, or logged - Alerts route correctly - Playbooks and response actions work
This is often more actionable than generic “penetration test findings,” because outcomes map to specific behaviors.
Technical Notes: simple validation loop (practical)
Pick technique -> simulate safely -> observe telemetry -> tune detection -> document coverage
Documentation typically includes: - What telemetry appeared (or didn’t) - Which rule fired (or failed) - Expected response steps and time-to-triage
5) Communicate coverage and risk in a shared language
ATT&CK is valuable because it helps different stakeholders align: - SOC: “We detect these techniques reliably.” - Engineering: “We need logs/control X to cover technique Y.” - Leadership: “We have gaps in Credential Access and Exfiltration visibility; here’s the plan.”
A common output is an ATT&CK coverage heatmap (internal), showing which techniques are: - Covered by prevention - Covered by detection - Not covered (visibility gaps) - Not applicable (given environment)
How ATT&CK fits into a modern security stack
ATT&CK becomes most useful when you tie technique coverage to the tools and services that generate (and act on) telemetry.
- Endpoint security & EDR: Many ATT&CK techniques are endpoint-observable (process creation, script execution, credential access attempts). If you’re evaluating options, see our endpoint-focused comparison: best antivirus for windows business endpoints 2026
- Managed detection and response (MDR): If your team is lean, MDR providers often report investigations and detections mapped to ATT&CK techniques so you can understand “what happened” in a consistent model. (If you need a refresher on terminology, see what is mdr.)
When you’ll encounter it
You’ll run into MITRE ATT&CK in day-to-day security work whenever behavior-based language matters more than product-specific terms.
Common places it shows up:
-
SOC alert triage and incident response - Analysts label observed behaviors by tactic/technique to structure an investigation timeline. - IR reports often include technique mappings to explain attacker actions clearly.
-
Detection engineering and SIEM/EDR rule management - Rules are tagged with ATT&CK mappings to organize and measure detection coverage. - Backlog grooming often uses ATT&CK gaps (“No visibility for technique X”).
-
Threat intelligence reporting - Intel teams map adversary reporting to ATT&CK techniques to make it actionable (“This actor favors these techniques; prioritize defenses accordingly.”).
-
Purple team exercises and red team plans - Test plans are expressed as a set of techniques to emulate rather than “run tool Z.” - Results are recorded against techniques for repeatability and benchmarking.
-
Vendor evaluations and security program metrics - Security products frequently claim ATT&CK alignment; teams use ATT&CK to ask better questions:
- “Which techniques do you detect by default?”
- “What telemetry do you require?”
- “What’s the false positive tradeoff for these techniques?”
-
Compliance-adjacent reporting (internal) - While ATT&CK isn’t a compliance framework, teams often use it to complement control frameworks by translating controls into attacker-behavior coverage.
Practical recommendations (what to do next)
- Start with your threat model, not the full matrix. Pick techniques that match your likely adversaries and environment (cloud, Windows endpoints, SaaS identity).
- Tag every detection with technique IDs. Even simple mapping makes coverage reporting and backlog grooming dramatically easier.
- Validate regularly. Run technique-focused tests in a controlled way and record whether you saw logs, got alerts, and executed response steps.
- Reduce common credential risk. Many ATT&CK paths depend on credential access; strong password hygiene and MFA help. For small teams, a dedicated business password manager can reduce reuse and improve auditability—see our guide: password manager for small business 2026 (popular option: 1Password via Try 1Password →).
Related terms
A broad term for adversary behavior; ATT&CK is a structured way to document and reference TTPs.
A staged model of an attack lifecycle; ATT&CK is more granular and behavior-focused, and is commonly used alongside kill-chain thinking.
Building and tuning behavioral detections; ATT&CK provides the taxonomy to label and prioritize detection work.
Proactive searching for adversary activity; ATT&CK helps generate hypotheses and scope hunts by technique.
Collaborative red/blue exercises; ATT&CK is commonly used to define scenarios and measure results.
Reproducing known threat actor behaviors; ATT&CK procedures and technique selections often inform emulation plans.
Small, technique-focused tests that map to ATT&CK; used to validate telemetry and detections quickly.
The practice of tagging detections and controls to techniques to measure where you can/can’t see attacker behavior.
A complementary knowledge base focused on defensive techniques; often used with ATT&CK to map “how to defend” against “how attackers act.”