MITRE ATT&CK: Definition, How It Works, and When You'll Encounter It
MITRE ATT&CK is a publicly available framework that catalogs how attackers behave—grouping observed tactics, techniques, and procedures (TTPs) across platforms like Windows, macOS, Linux, cloud, and mobile. It provides a shared vocabulary for defenders to map threats, detections, and security controls to specific attacker behaviors.
MITRE ATT&CK is a widely used security framework (often searched as “Mitre Attack”) that organizes real-world adversary behavior into tactics and techniques. You’ll encounter the ATT&CK framework in SOC detections, incident response write-ups, threat intelligence reporting, and red/purple team testing—especially when you need to map what you see to what an attacker is trying to do.
How it works
MITRE ATT&CK is organized around tactics (the attacker’s objective) and techniques/sub-techniques (the way they achieve it). In practice, teams use ATT&CK to answer four questions:
-
What might an attacker do next?
During an incident, you can map observed activity to ATT&CK tactics/techniques to anticipate likely follow-on actions (e.g., credential access → lateral movement → exfiltration). -
What do we detect today—and what do we miss?
You map SIEM/EDR detections, alert rules, and logs to specific techniques. The result is a “coverage view” that shows gaps (no visibility), weak coverage (telemetry only), or strong coverage (high-fidelity detection and response). -
How do we test our defenses?
Red and purple teams select techniques to emulate based on your environment and threat model. You validate whether controls and detections actually fire, and whether responders can triage quickly. -
How do we communicate consistently?
ATT&CK becomes the language between SOC, IR, threat intel, engineering, and leadership. Instead of “suspicious PowerShell,” you can say “Execution via command shell / PowerShell-like scripting,” and tie it to specific defensive improvements.
Practitioner workflow: applying ATT&CK without overcomplicating it
A reliable approach for most SOC/IT teams:
- Start with your top 5–10 risks (ransomware, BEC, cloud account takeover, insider threat, etc.).
- Select the ATT&CK techniques commonly used in those scenarios.
- Map your telemetry (which logs can prove or disprove the technique).
- Build detections that are behavior-based, not solely indicator-based. (If you’re tracking indicator-based artifacts, see our definition of an IOC here: what is an ioc.)
- Test and tune using controlled simulations (purple teaming) and tabletop exercises.
Technical Notes: quick mapping ideas (SOC/SIEM)
Use ATT&CK as tags/fields in your detection content so you can report coverage and identify gaps.
Example detection metadata (YAML-like):
name: Suspicious scheduled task creation
attack:
tactic: Persistence
technique: Scheduled Task/Job
technique_id: T1053
data_sources:
- Windows Security Event Log
- Microsoft-Windows-TaskScheduler/Operational
severity: high
Example log sources you’ll commonly map: - Windows: Security log (e.g., 4688 process creation), Sysmon (if deployed), PowerShell logs, Task Scheduler logs - Linux: auditd, syslog/journald, auth logs, process accounting - Cloud: AWS CloudTrail, Azure Activity Logs, Entra ID sign-in logs, Google Cloud Audit Logs - Identity: authentication events, conditional access outcomes, MFA prompts/denies
When you’ll encounter it
You’ll run into MITRE ATT&CK in day-to-day security operations—even if your organization doesn’t explicitly “use ATT&CK.”
1) Security operations (SOC) and detection engineering
- Alert enrichment: Many SIEM/EDR tools tag alerts with ATT&CK technique IDs to describe suspected behavior.
- Rule management: Detection content libraries often ship with ATT&CK mappings; teams use them for reporting and gap analysis.
- Coverage reporting: Leadership asks, “Are we covered for ransomware techniques?” ATT&CK provides a structured answer.
Technical Notes: turning ATT&CK into measurable coverage
A practical coverage model is to separate: - Visibility: can you observe the activity? - Detection: do you alert on it with acceptable false positives? - Response: can you contain/remediate quickly (is there an automated or documented playbook)?
You can track this in a simple table:
Technique Visibility Detection Response Notes
T1059 Yes Partial Yes High FP; needs tuning for admins
T1078 Partial No Partial Need identity logs + risky sign-in detection
T1567 No No No Missing egress/proxy logs; add CASB/proxy telemetry
If you’re evaluating providers who claim “we cover ATT&CK,” treat it as a service validation exercise: ask what is detected by default, what requires tuning, and what response actions are included. (Related: what an MDR is and what it typically covers: what is mdr.)
2) Incident response and reporting
During IR, ATT&CK helps you: - Structure timelines (e.g., Initial Access → Execution → Persistence → Privilege Escalation). - Communicate scope: “We observed credential dumping and lateral movement techniques,” which translates better than a list of tools. - Produce actionable lessons learned: map failed controls to techniques and prioritize fixes.
3) Threat intelligence and adversary tracking
Threat intel teams map reports about threat groups and campaigns to ATT&CK techniques to: - Compare adversaries based on behaviors, not just names. - Build detections and hunts aligned to techniques seen in your sector. - Avoid over-reliance on indicators that expire quickly (IPs, hashes).
4) Red teaming, purple teaming, and security validation
Attack simulation plans often reference ATT&CK as the menu of behaviors to emulate. Purple teams use it to: - Choose test cases aligned to your environment (e.g., Windows + M365 + VPN). - Validate telemetry, detections, and response playbooks in a repeatable way. - Document outcomes in a format other teams recognize.
5) Tool evaluations and control mapping
Vendors frequently claim “ATT&CK coverage.” You’ll encounter ATT&CK in: - EDR/SIEM marketing matrices - MDR detection catalogs - Security control assessments
Use ATT&CK here as a question framework: - Which techniques are detected by default vs. require configuration? - What telemetry is required (and what are the prerequisites)? - What is the false-positive profile in real environments? - Is the mapping to ATT&CK precise and evidence-based?
Practical buying note (keep it evidence-based)
If you’re filling endpoint visibility and response gaps, validate claims against ATT&CK technique coverage using your own telemetry and test cases—not just a vendor matrix. For a deeper walkthrough of what to compare in endpoint tools, see: best antivirus for windows business endpoints 2026.
If you want a simple consumer-grade second-opinion scanner on non-managed endpoints (common in very small teams), Malwarebytes is often used for on-demand checks; you can review it here: Get Malwarebytes →. (It’s not a substitute for properly managed EDR in most business environments—use it intentionally.)
Related terms
A shorthand for adversary behavior. ATT&CK focuses heavily on tactics and techniques; procedures are more adversary-specific implementations.
The attacker’s goal at a stage of the intrusion (e.g., Persistence, Privilege Escalation).
The method used to achieve a tactic (e.g., “Scheduled Task/Job”).
The ATT&CK identifier (commonly formatted like T1059). Use these IDs to tag detections and reports consistently.
A test approach that imitates real attacker behaviors (often using ATT&CK techniques as the blueprint).
Building and tuning alert logic and analytics, often mapped to ATT&CK for coverage tracking.
Proactive searching for suspicious behavior; hunts are frequently structured by ATT&CK techniques.
A visualization method/tooling concept used to “color in” techniques based on coverage, relevance, or test results.
Another model for attack phases; ATT&CK is typically more granular and behavior-focused.
Small, controlled tests that simulate a single technique to validate logging/detections (often used in purple team workflows).