eastbaycyber

MITRE ATT&CK (MITRE Attack): Definition, How It Works, and When You’ll Encounter It

Glossary 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-07-12
Definition

MITRE ATT&CK is a globally used framework that catalogs how attackers behave—organized into tactics (the “why”) and techniques (the “how”). Security teams use it as a shared language to design detections, perform threat hunting, and document intrusions consistently.


title: “MITRE ATT&CK (MITRE Attack): Definition, How It Works, and When You’ll Encounter It” meta_title: “MITRE ATT&CK (MITRE Attack): Definition and How It Works” meta_description: MITRE ATT&CK is a knowledge base of adversary tactics and techniques. Learn how it works and how SOCs use it for detection and hunting. date: 2026-05-16 updated: 2026-05-16 keywords: - MITRE ATT&CK - MITRE Attack framework - tactics techniques and procedures - threat detection engineering - SOC operations - threat hunting - adversary emulation - detection mapping tweet_draft: “MITRE ATT&CK (often searched as “Mitre Attack”) is a shared language for attacker behaviors—tactics, techniques, and sub-techniques. Use it to map detections, guide hunts, and communicate risk with precision. #infosec #SOC #threathunting” linkedin_draft: “MITRE ATT&CK (commonly referred to as “Mitre Attack”) is more than a list of attacker techniques—it’s a practical operating model for SOCs and detection engineering. This page explains what ATT&CK is, how it works, where you’ll encounter it, and related terms teams often confuse with it.”—

MITRE ATT&CK (often searched as “MITRE Attack”) is a practical framework for describing real-world attacker behavior using tactics, techniques, and sub-techniques—and it’s widely used for detection mapping, threat hunting, SOC operations, and adversary emulation. If you build detections, run investigations, or communicate incident scope, MITRE ATT&CK gives you a consistent vocabulary and structure.

How MITRE ATT&CK works

MITRE ATT&CK works by providing a structured model of adversary behavior that you can map to your environment, telemetry, detections, and investigations.

Tactics → Techniques → Sub-techniques (the core structure)

ATT&CK is organized into:

  • Tactics: attacker objectives during an operation (e.g., persistence, privilege escalation).
  • Techniques: methods used to achieve those objectives (e.g., “Scheduled Task/Job” for persistence).
  • Sub-techniques: more specific variants (e.g., different implementations of scheduled execution).

In practice, this gives you a consistent way to say, “We observed X technique,” rather than a vague statement like, “They did something suspicious in PowerShell.”

Matrices for different environments

ATT&CK is published in matrices that reflect where activity occurs, most commonly:

  • Enterprise (Windows, macOS, Linux, cloud/SaaS, identity)
  • Mobile
  • ICS (industrial control systems)

This matters because detection opportunities and attacker tradecraft differ between endpoints, cloud control planes, and OT networks.

A knowledge base grounded in observed behavior

ATT&CK content is informed by public reporting and research on adversary activity. Many techniques include:

  • What the technique is and why it’s used
  • Known examples of use “in the wild”
  • Detection ideas (high-level)
  • Mitigation guidance (high-level)
  • Data sources and artifacts that may help identify it

ATT&CK is not a product and not a sensor. It doesn’t “detect” anything by itself—it tells you what to look for and how to structure that work.

How practitioners actually use it (the “so what”)

Most teams use ATT&CK in four concrete ways:

A. Detection mapping (coverage):
You map SIEM/EDR detections, analytics, and alerts to ATT&CK technique IDs so you can answer: - Which techniques do we detect well? - Where are we blind? - Are we over-invested in one phase (e.g., malware execution) and under-invested elsewhere (e.g., credential access)?

B. Threat hunting:
ATT&CK provides a menu of hypotheses. Example: “If an attacker is in our environment, how might they dump credentials or move laterally?” You then turn that into queries against endpoint, identity, and network telemetry.

C. Incident reporting and communication:
It gives incident responders a consistent vocabulary to explain what happened to stakeholders. “We saw credential dumping (technique) leading to remote service lateral movement” is more actionable than “they got admin and moved around.”

D. Adversary emulation / purple teaming:
Red and blue teams coordinate using ATT&CK techniques as test cases. The goal is to validate controls and detections against specific behaviors rather than generic “pen test findings.”

Practical ways to apply ATT&CK (coverage, hunting, reporting)

Below are lightweight, repeatable patterns used by SOCs and detection engineers.

Tag detections with technique IDs (example schema)

Whether you use SIEM rules, EDR detections, or SOAR playbooks, add technique metadata. Example (generic YAML-style rule metadata):

name: Suspicious PowerShell EncodedCommand
severity: high
tags:
  - attack.execution
  - attack.t1059
  - attack.t1059.001
data_sources:
  - endpoint_process_creation
log_sources:
  - windows_security
  - sysmon

The point: make ATT&CK mapping part of the detection lifecycle. This enables reporting like “Top techniques detected this month” and “High-risk techniques with no detection.”

Hunt using common telemetry pivots (Windows examples)

Common starting points for technique-driven hunting include process creation and authentication logs.

Process creation (Windows Security Event ID 4688) keyword pivot:

index=wineventlog EventCode=4688
(NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe")
(CommandLine="*-enc*" OR CommandLine="*EncodedCommand*")
| stats count by host, user, NewProcessName, CommandLine
| sort -count

Sysmon Process Create (Event ID 1) for suspicious parent-child chains:

index=sysmon EventCode=1
ParentImage="*\\winword.exe"
(Image="*\\powershell.exe" OR Image="*\\cmd.exe" OR Image="*\\wscript.exe")
| stats values(CommandLine) as cmdlines count by Computer, User, ParentImage, Image
| sort -count

These queries aren’t “ATT&CK queries” by themselves—they become ATT&CK-aligned when you tie them to an analytic hypothesis like command execution via scripting.

Log patterns commonly mapped to ATT&CK

Examples of useful artifacts you can map to techniques:

  • Unusual authentication patterns: multiple failures followed by success, logins from atypical geos, token reuse anomalies
  • New persistence mechanisms: new services, scheduled tasks, registry run keys, launch agents
  • Lateral movement indicators: remote service creation, remote WMI, RDP from non-admin workstations
  • Defense evasion: security tooling tampering, log clearing, disabling of audit policies

Use ATT&CK to structure “what to log” conversations: if you can’t observe the artifact, you can’t reliably detect the technique.

When you’ll encounter MITRE ATT&CK

You’ll run into MITRE ATT&CK across day-to-day security operations, vendor tooling, audits, and incident response.

In SOC operations and alert triage

Many SIEM/EDR tools label detections with ATT&CK technique names/IDs. When an alert says it aligns to a technique, it’s telling you the vendor believes the behavior matches that attacker method. Your job is to validate: - Does the evidence support the technique mapping? - What’s the likely goal (tactic) and next steps? - What adjacent techniques should you check for follow-on activity?

In security assessments and executive reporting

ATT&CK is widely used for coverage reporting: heatmaps, gap analyses, and “defendable surface” conversations. You may be asked: - “How do we stack up against ransomware tradecraft?” - “Which stages of an intrusion can we detect quickly?” - “What’s our detection maturity by tactic?”

ATT&CK provides an industry-standard frame for those answers—especially useful for SMBs that need clarity without building a bespoke model.

During threat hunting and purple team exercises

Teams often select a set of ATT&CK techniques relevant to their business (e.g., cloud identity abuse, endpoint credential access), then: - simulate the behavior (red team) - validate logging and detection (blue team) - tune controls and analytics (purple team)

This makes exercises measurable: you can say “we detected technique X within Y minutes” instead of “the exercise went okay.” If you’re formalizing exercises, it can help to define scope, roles, and success criteria using a tabletop format—see our guide on tabletop exercises: /content/glossary-what-is-a-tabletop-exercise/.

In incident response write-ups and threat intel

Post-incident reports frequently map observed activity to techniques. Threat intel reports also use ATT&CK to describe actor behavior patterns. This helps you translate “actor A uses technique set B” into detection and hardening tasks.

Quick next steps to operationalize ATT&CK

If you want to operationalize MITRE ATT&CK quickly:

  1. Tag your top ~20 detections with ATT&CK technique IDs (start with the alerts you triage most).
  2. Build a gap list for high-risk techniques you can’t observe because you’re missing endpoint, identity, or cloud audit logs.
  3. Pick 5 priority techniques to validate via purple team tests, then measure: detectability, time-to-triage, and response actions.
  4. Reduce real-world credential risk for staff (a common precursor to ATT&CK techniques like credential access and initial access) by standardizing password managers and MFA. For personal and small-team use, a password manager like 1Password can help centralize strong passwords and passkeys: Try 1Password →. For safer remote network access on untrusted Wi‑Fi, consider a reputable VPN such as NordVPN or Surfshark: Check NordVPN pricing → or Try Proton VPN →.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

TTPs (Tactics, Techniques, and Procedures)

A broader term for adversary behavior. ATT&CK is a standardized catalog that helps teams describe and organize TTPs consistently.

MITRE D3FEND

A complementary knowledge base focused on defensive countermeasures. If ATT&CK is “what attackers do,” D3FEND is closer to “what defenders can do about it” in a structured way.

Cyber Kill Chain

A staged model of an intrusion lifecycle. ATT&CK overlaps in purpose but is more granular and technique-focused. If you want the lifecycle view, see: /content/faq-what-is-the-cyber-kill-chain/.

Detection engineering

The discipline of building and maintaining detections (SIEM rules, EDR analytics). ATT&CK is a common organizing backbone for this work.

Threat hunting

Proactive searching for attacker activity. ATT&CK is often used to define hunt hypotheses and prioritize which behaviors to look for.

Adversary emulation

Testing defenses by simulating specific attacker behaviors. ATT&CK provides a library of behaviors to emulate and measure.

Atomic testing / technique tests

Small, repeatable tests that mimic ATT&CK techniques to validate logging and detection in a controlled way (often used in purple teaming).

Last verified: 2026-07-12

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.