ATT&CK is structured by tactics (attacker objectives: Initial Access, Execution, Persistence, etc.), techniques (how each objective is achieved) and sub-techniques (specific variants). The Enterprise matrix covers Windows, Linux, macOS, cloud, containers and identity. There are separate matrices for mobile and ICS.
What MITRE ATT&CK is
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base maintained by the MITRE Corporation that catalogues the real-world tactics, techniques and procedures (TTPs) used by threat actors observed in the wild. Each technique is documented with a description, examples of use by known groups and software, detection guidance, mitigations and references to public reporting. It is the de facto global reference framework for describing, comparing and communicating offensive behavior among defenders.
Why it matters
Before MITRE ATT&CK, every security team described threats with its own vocabulary, making it hard to compare defensive capabilities, exchange intelligence with other organizations or measure real coverage against active offensive campaigns. ATT&CK unifies the language: when a report mentions technique T1078 (Valid Accounts) or T1566 (Phishing), any analyst in any organization in the world understands exactly what's being referred to. For a SOC, the framework allows mapping detection rules against specific techniques and seeing where blind spots are. For red team and threat hunting teams, it serves to plan exercises with measurable coverage. For executives, it's a way to demonstrate defensive maturity to the board or regulator with comparable data.
Key points
Each technique lists the data sources and data components to monitor and includes 'Detection' guidance on what telemetry to look for. Combining ATT&CK with SIEM/EDR/XDR enables coverage mapping: which techniques you detect today, which you don't, and which telemetry is missing.
Initiatives like ATT&CK Navigator, MITRE D3FEND (defense) and MITRE Engage (engagement/deception) complement ATT&CK with visual views and countermeasures. All are free and public.
ATT&CK is the basis for independent evaluations like MITRE Engenuity ATT&CK Evaluations, which test the detection capability of EDR/XDR/MDR products against TTPs emulated from real groups (APT29, Carbanak, Wizard Spider, etc.). They are a common reference when comparing vendors, with one caveat: the Evaluations publish per-step detection results rather than a score or ranking, so read the raw results instead of the vendors' summaries of them.
Example: mapping SOC coverage against ATT&CK
A SOC team wants to know how well it detects common ransomware techniques. Using the Navigator and the ATT&CK group pages, they select the techniques shared by groups like Conti, LockBit and Black Basta: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1083 (File and Directory Discovery), T1059.001 (PowerShell). For each, they record whether their SIEM has active rules, how many alerts those rules generated last quarter, and how many were false positives. The resulting map shows green zones (good coverage) and red zones (blind spots). In Persistence and Defense Evasion they find clear gaps. That visualization goes into the security committee report with a measurable improvement plan, something hard to communicate without a common framework.
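The coverage mapping described above and in the key points, as an added example that is not part of the original page or of any MITRE tooling. All data is constructed: a handful of Enterprise techniques with their tactic, an illustrative (not authoritative) list of which of those techniques each group uses, and a made-up rule inventory with last-quarter alert counts. The script prioritises techniques shared by several groups, grades each one by what the rules actually deliver rather than by rule existence alone (a rule that never fired or fires mostly false positives is not real coverage), summarises per tactic, and emits an ATT&CK Navigator layer. The version strings in the layer are assumptions to adjust for your Navigator.

```python
"""Map a SOC rule inventory against prioritised ATT&CK techniques and emit a Navigator layer."""
import json
from collections import Counter, defaultdict

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactic).
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1078": ("Valid Accounts", "persistence"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "persistence"),
    "T1059.001": ("PowerShell", "execution"),
    "T1083": ("File and Directory Discovery", "discovery"),
    "T1562.001": ("Disable or Modify Tools", "defense-evasion"),
    "T1070.001": ("Clear Windows Event Logs", "defense-evasion"),
    "T1490": ("Inhibit System Recovery", "impact"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed, illustrative group-to-technique lists; take the real ones from the ATT&CK group pages.
GROUP_TECHNIQUES = {
    "Conti": ["T1566", "T1078", "T1059.001", "T1083", "T1490", "T1486", "T1562.001"],
    "LockBit": ["T1078", "T1059.001", "T1083", "T1490", "T1486", "T1547.001", "T1070.001"],
    "Black Basta": ["T1566", "T1059.001", "T1083", "T1490", "T1486", "T1562.001", "T1070.001"],
}

# Constructed SOC rule inventory with last-quarter alert statistics.
RULES = [
    {"name": "PS-EncodedCommand", "techniques": ["T1059.001"], "alerts": 40, "false_positives": 5},
    {"name": "vssadmin-delete-shadows", "techniques": ["T1490"], "alerts": 2, "false_positives": 0},
    {"name": "Mass-file-rename", "techniques": ["T1486"], "alerts": 0, "false_positives": 0},
    {"name": "Phishing-attachment", "techniques": ["T1566"], "alerts": 120, "false_positives": 110},
]

SCORE = {"gap": 0, "silent": 1, "noisy": 2, "covered": 3}


def prioritise(group_techniques, min_groups=2):
    """Techniques used by at least `min_groups` of the selected groups, most shared first."""
    counts = Counter(t for techs in group_techniques.values() for t in techs)
    return [t for t, n in counts.most_common() if n >= min_groups]


def assess(technique_ids, rules, noise_threshold=0.8):
    """Grade each technique by what the rules actually delivered last quarter.

    gap     - no rule maps to the technique
    silent  - a rule exists but never fired (untested, or the telemetry is missing)
    noisy   - the rule fires, but more than `noise_threshold` of its alerts were false positives
    covered - the rule exists, fires, and its alerts are mostly true positives
    """
    by_technique = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            by_technique[tid].append(rule)
    result = {}
    for tid in technique_ids:
        matching = by_technique.get(tid, [])
        if not matching:
            result[tid] = "gap"
            continue
        alerts = sum(r["alerts"] for r in matching)
        false_positives = sum(r["false_positives"] for r in matching)
        if alerts == 0:
            result[tid] = "silent"
        elif false_positives / alerts > noise_threshold:
            result[tid] = "noisy"
        else:
            result[tid] = "covered"
    return result


def tactic_summary(assessment, techniques=TECHNIQUES):
    """Per tactic: how many prioritised techniques are genuinely covered out of the total."""
    summary = defaultdict(lambda: {"covered": 0, "total": 0})
    for tid, status in assessment.items():
        tactic = techniques[tid][1]
        summary[tactic]["total"] += 1
        if status == "covered":
            summary[tactic]["covered"] += 1
    return dict(summary)


def navigator_layer(assessment, name="Ransomware coverage"):
    """Build a Navigator layer as a JSON-serialisable dict (version strings are assumptions)."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage for techniques shared by the selected ransomware groups",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 3},
        "techniques": [
            {"techniqueID": tid, "score": SCORE[status], "comment": status}
            for tid, status in assessment.items()
        ],
    }


if __name__ == "__main__":
    assessment = assess(prioritise(GROUP_TECHNIQUES), RULES)
    for tactic, s in sorted(tactic_summary(assessment).items()):
        print(f"{tactic:16} {s['covered']}/{s['total']} covered")
    print(json.dumps(navigator_layer(assessment), indent=2))  # load this file in the Navigator
```

On this constructed data the Impact tactic has rules for both techniques, yet only one counts as covered: the mass-rename rule never fired, which is exactly the "rule per technique" trap listed under common mistakes. The phishing rule is graded noisy because 110 of its 120 alerts were false positives, so on paper T1566 is detected while in practice analysts have learned to ignore it.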
Common mistakes
- Using ATT&CK as a checklist without context. Having one rule per technique doesn't guarantee real detection: rule quality, available telemetry and SOC attention are what really count.
- Mapping against all techniques equally. Prioritize by relevance: which TTPs are used by groups targeting your sector, rather than covering the roughly 600 techniques and sub-techniques of the Enterprise matrix in the abstract.
- Confusing ATT&CK with the Cyber Kill Chain. The Kill Chain (Lockheed Martin) describes macro attack phases. ATT&CK describes specific techniques, grouped by the objective they serve. They are complementary; ATT&CK is more granular and is updated far more often.
- Ignoring updates. ATT&CK is updated twice a year with new techniques observed in the wild, and existing techniques get revised, merged or deprecated. Coverage measured in 2023 may have significant blind spots in 2026, and rule-to-technique mappings stored by ID need to be re-checked against each release.
Frequently asked questions
What's the difference between MITRE ATT&CK and the Cyber Kill Chain?
Lockheed Martin's Cyber Kill Chain is a high-level model with seven phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives). MITRE ATT&CK is much more granular: it describes hundreds of specific techniques, with real-world examples and defensive telemetry for each, and its tactics are objectives rather than a fixed sequence. They are often used together.
Is MITRE ATT&CK free and publicly accessible?
Yes, ATT&CK is publicly available and free to use, including the Navigator, matrices, techniques with detection guidance and group documentation. MITRE Engenuity ATT&CK Evaluations are a separate program: vendors pay to participate, and the results are published publicly.
Who benefits from ATT&CK in an organization?
SOC (mapping coverage), threat hunting (prioritizing hypotheses), red team (planning realistic exercises), CISO (communicating maturity with data), technology buyer (comparing vendors with common criteria), and consultancies (standardizing reports).