What Is MITRE ATT&CK?
MITRE ATT&CK is a structured framework for organizing attacker behavior across the lifecycle of an intrusion. Rather than focusing on malware families alone, it focuses on what adversaries do: how they gain access, execute code, persist, evade defenses, move laterally, and reach objectives.
MITRE ATT&CK is a public knowledge base of adversary tactics, techniques, and procedures based on observed real-world behavior. Security teams use MITRE ATT&CK to describe how attackers operate, map detections and controls, and identify where they have visibility gaps. Instead of focusing only on malware names or threat actor branding, it gives defenders a shared way to talk about attacker behavior across the lifecycle of an intrusion.
How MITRE ATT&CK works
ATT&CK breaks attacker activity into a set of tactics and techniques.
Tactics
Tactics describe the attacker’s high-level objective at a given stage of the operation. Examples include:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Impact
A tactic answers the question: What is the attacker trying to accomplish right now?
Techniques and sub-techniques
Techniques describe how the attacker achieves that objective. Sub-techniques provide a more specific breakdown of the behavior.
For example, under a tactic like Credential Access, ATT&CK may list techniques that explain different ways an attacker steals or obtains credentials. Under Execution, it may describe methods such as command shells, scripting, or scheduled task abuse.
This gives defenders a standardized way to say:
- We detected this behavior
- We do not detect this behavior
- We tested this technique successfully
- We need stronger controls for this part of the attack chain
Mapping detections and controls
One of the most common uses of ATT&CK is mapping internal security data against known attacker behaviors. A SOC might review:
- Which techniques its EDR can detect
- Which techniques its SIEM correlation rules cover
- Which techniques have no alerts at all
- Which techniques have alerts but poor response playbooks
This turns ATT&CK into a gap-analysis tool, not just a reference library.
If you want to understand one of the main platforms used for this kind of detection mapping, see what is a siem.
Supporting purple teaming and threat hunting
ATT&CK is also heavily used in validation exercises. Purple teams often simulate specific techniques to see whether security controls, detections, and analyst workflows actually work in practice.
Threat hunters use it to generate hypotheses. For example, instead of vaguely hunting for “suspicious behavior,” they may hunt for activity associated with a specific ATT&CK technique and look for traces in endpoint, identity, or network telemetry.
For related context on operational security workflows, read what is threat hunting.
Why MITRE ATT&CK matters
The value of ATT&CK is consistency. Security teams often struggle with fragmented language: one tool uses one label, an analyst uses another, and a vendor report uses something else entirely. ATT&CK provides a common model for talking about adversary behavior across tools, teams, and reports.
That matters in several ways:
- Better communication: analysts, engineers, leaders, and vendors can speak the same language
- Coverage measurement: teams can see where they are strong and where they are blind
- More realistic testing: controls can be evaluated against real attacker techniques
- Improved reporting: incident summaries and posture reviews become more precise
It does not tell you whether your environment is secure by itself. It helps you organize and assess defensive coverage more effectively.
Common ways teams use ATT&CK
In practice, ATT&CK is often used for several security functions at the same time.
Detection engineering
Teams map alerts and analytics to ATT&CK techniques so they can track what attacker behavior their controls are supposed to catch.
Threat hunting
Hunters use ATT&CK techniques to build more focused hypotheses instead of searching broadly for undefined suspicious activity.
Purple teaming
Red and blue teams use ATT&CK as a shared reference when selecting behaviors to emulate and validate.
Security reporting
Leaders and practitioners use ATT&CK-based reporting to explain coverage gaps in a clearer way than a simple list of tools or alert counts.
Product evaluation
Security vendors often claim ATT&CK coverage, and defenders use the framework to compare those claims against their own requirements.
When you’ll encounter it
You will usually encounter MITRE ATT&CK in organizations that have a maturing security operations function or are trying to make security testing more structured.
In SOC and detection engineering work
Detection teams often tag rules and alerts to ATT&CK techniques so they can track what behaviors they cover. This is common in SIEM, EDR, and XDR programs.
In threat intelligence reporting
Threat intelligence teams use ATT&CK to describe observed adversary behavior in a standardized way. Instead of only naming a threat group, they can map the techniques that group is known to use.
In purple team and adversary emulation exercises
Red and purple teams frequently use ATT&CK to choose behaviors to emulate and to measure whether the blue team can detect or respond to them.
In control validation and gap assessments
Security leaders may use ATT&CK matrices to understand whether monitoring and response capabilities are concentrated in a few areas while missing others, such as credential access, persistence, or lateral movement.
In product evaluations
Vendors often reference ATT&CK coverage when describing detections or use cases. That can be useful, but security teams still need to validate how well those detections work in their own environment.
What MITRE ATT&CK is not
It helps to be precise about what ATT&CK does not do.
ATT&CK is not:
- A security product
- A compliance framework
- A risk scoring model
- A step-by-step incident response plan
- A guarantee of real detection quality
It is a knowledge framework. Its usefulness depends on how well your team maps, tests, and operationalizes it.
Tools that support ATT&CK-based work
Teams using ATT&CK often also review adjacent tools that strengthen broader operational security. For example, analysts and administrators handling many privileged logins may benefit from a password manager like 1Password to reduce credential reuse and improve account hygiene. On endpoints used for testing, hunting, or admin access, a security tool such as Malwarebytes may add useful protection against commodity malware that can interfere with investigations.
These are not ATT&CK tools themselves, but they can support the environments where ATT&CK-based security work happens.
Bottom line
MITRE ATT&CK is a practical framework for understanding how attackers behave and for measuring how well your security program can detect and respond to that behavior. If you need a shared language for threat hunting, detection engineering, control validation, or incident reporting, ATT&CK is one of the most useful references in modern defensive operations.