eastbaycyber

MITRE ATT&CK: Definition, How It Works, and When You'll Encounter It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

MITRE ATT&CK is a publicly available framework that catalogs how attackers behave—grouping observed tactics, techniques, and procedures (TTPs) across platforms like Windows, macOS, Linux, cloud, and mobile. It provides a shared vocabulary for defenders to map threats, detections, and security controls to specific attacker behaviors.

MITRE ATT&CK is a widely used security framework (often searched as “Mitre Attack”) that organizes real-world adversary behavior into tactics and techniques. You’ll encounter the ATT&CK framework in SOC detections, incident response write-ups, threat intelligence reporting, and red/purple team testing—especially when you need to map what you see to what an attacker is trying to do.

How it works

MITRE ATT&CK is organized around tactics (the attacker’s objective) and techniques/sub-techniques (the way they achieve it). In practice, teams use ATT&CK to answer four questions:

  1. What might an attacker do next?
    During an incident, you can map observed activity to ATT&CK tactics/techniques to anticipate likely follow-on actions (e.g., credential access → lateral movement → exfiltration).

  2. What do we detect today—and what do we miss?
    You map SIEM/EDR detections, alert rules, and logs to specific techniques. The result is a “coverage view” that shows gaps (no visibility), weak coverage (telemetry only), or strong coverage (high-fidelity detection and response).

  3. How do we test our defenses?
    Red and purple teams select techniques to emulate based on your environment and threat model. You validate whether controls and detections actually fire, and whether responders can triage quickly.

  4. How do we communicate consistently?
    ATT&CK becomes the language between SOC, IR, threat intel, engineering, and leadership. Instead of “suspicious PowerShell,” you can say “Execution via command shell / PowerShell-like scripting,” and tie it to specific defensive improvements.

Practitioner workflow: applying ATT&CK without overcomplicating it

A reliable approach for most SOC/IT teams:

  • Start with your top 5–10 risks (ransomware, BEC, cloud account takeover, insider threat, etc.).
  • Select the ATT&CK techniques commonly used in those scenarios.
  • Map your telemetry (which logs can prove or disprove the technique).
  • Build detections that are behavior-based, not solely indicator-based. (If you’re tracking indicator-based artifacts, see our definition of an IOC here: what is an ioc.)
  • Test and tune using controlled simulations (purple teaming) and tabletop exercises.

Technical Notes: quick mapping ideas (SOC/SIEM)

Use ATT&CK as tags/fields in your detection content so you can report coverage and identify gaps.

Example detection metadata (YAML-like):

name: Suspicious scheduled task creation
attack:
  tactic: Persistence
  technique: Scheduled Task/Job
  technique_id: T1053
data_sources:
  - Windows Security Event Log
  - Microsoft-Windows-TaskScheduler/Operational
severity: high

Example log sources you’ll commonly map: - Windows: Security log (e.g., 4688 process creation), Sysmon (if deployed), PowerShell logs, Task Scheduler logs - Linux: auditd, syslog/journald, auth logs, process accounting - Cloud: AWS CloudTrail, Azure Activity Logs, Entra ID sign-in logs, Google Cloud Audit Logs - Identity: authentication events, conditional access outcomes, MFA prompts/denies

When you’ll encounter it

You’ll run into MITRE ATT&CK in day-to-day security operations—even if your organization doesn’t explicitly “use ATT&CK.”

1) Security operations (SOC) and detection engineering

  • Alert enrichment: Many SIEM/EDR tools tag alerts with ATT&CK technique IDs to describe suspected behavior.
  • Rule management: Detection content libraries often ship with ATT&CK mappings; teams use them for reporting and gap analysis.
  • Coverage reporting: Leadership asks, “Are we covered for ransomware techniques?” ATT&CK provides a structured answer.

Technical Notes: turning ATT&CK into measurable coverage

A practical coverage model is to separate: - Visibility: can you observe the activity? - Detection: do you alert on it with acceptable false positives? - Response: can you contain/remediate quickly (is there an automated or documented playbook)?

You can track this in a simple table:

Technique     Visibility  Detection  Response  Notes
T1059         Yes         Partial    Yes       High FP; needs tuning for admins
T1078         Partial     No         Partial   Need identity logs + risky sign-in detection
T1567         No          No         No        Missing egress/proxy logs; add CASB/proxy telemetry

If you’re evaluating providers who claim “we cover ATT&CK,” treat it as a service validation exercise: ask what is detected by default, what requires tuning, and what response actions are included. (Related: what an MDR is and what it typically covers: what is mdr.)

2) Incident response and reporting

During IR, ATT&CK helps you: - Structure timelines (e.g., Initial Access → Execution → Persistence → Privilege Escalation). - Communicate scope: “We observed credential dumping and lateral movement techniques,” which translates better than a list of tools. - Produce actionable lessons learned: map failed controls to techniques and prioritize fixes.

3) Threat intelligence and adversary tracking

Threat intel teams map reports about threat groups and campaigns to ATT&CK techniques to: - Compare adversaries based on behaviors, not just names. - Build detections and hunts aligned to techniques seen in your sector. - Avoid over-reliance on indicators that expire quickly (IPs, hashes).

4) Red teaming, purple teaming, and security validation

Attack simulation plans often reference ATT&CK as the menu of behaviors to emulate. Purple teams use it to: - Choose test cases aligned to your environment (e.g., Windows + M365 + VPN). - Validate telemetry, detections, and response playbooks in a repeatable way. - Document outcomes in a format other teams recognize.

5) Tool evaluations and control mapping

Vendors frequently claim “ATT&CK coverage.” You’ll encounter ATT&CK in: - EDR/SIEM marketing matrices - MDR detection catalogs - Security control assessments

Use ATT&CK here as a question framework: - Which techniques are detected by default vs. require configuration? - What telemetry is required (and what are the prerequisites)? - What is the false-positive profile in real environments? - Is the mapping to ATT&CK precise and evidence-based?

Practical buying note (keep it evidence-based)

If you’re filling endpoint visibility and response gaps, validate claims against ATT&CK technique coverage using your own telemetry and test cases—not just a vendor matrix. For a deeper walkthrough of what to compare in endpoint tools, see: best antivirus for windows business endpoints 2026.

If you want a simple consumer-grade second-opinion scanner on non-managed endpoints (common in very small teams), Malwarebytes is often used for on-demand checks; you can review it here: Get Malwarebytes →. (It’s not a substitute for properly managed EDR in most business environments—use it intentionally.)

Related terms

TTPs (Tactics, Techniques, and Procedures)

A shorthand for adversary behavior. ATT&CK focuses heavily on tactics and techniques; procedures are more adversary-specific implementations.

Tactic

The attacker’s goal at a stage of the intrusion (e.g., Persistence, Privilege Escalation).

Technique / Sub-technique

The method used to achieve a tactic (e.g., “Scheduled Task/Job”).

Technique ID

The ATT&CK identifier (commonly formatted like T1059). Use these IDs to tag detections and reports consistently.

Adversary emulation

A test approach that imitates real attacker behaviors (often using ATT&CK techniques as the blueprint).

Threat hunting

Proactive searching for suspicious behavior; hunts are frequently structured by ATT&CK techniques.

ATT&CK Navigator

A visualization method/tooling concept used to “color in” techniques based on coverage, relevance, or test results.

Cyber Kill Chain

Another model for attack phases; ATT&CK is typically more granular and behavior-focused.

Atomic testing / technique tests

Small, controlled tests that simulate a single technique to validate logging/detections (often used in purple team workflows).

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.