What Is the MITRE ATT&CK Framework? A Guide for Defenders
A defender's guide to the MITRE ATT&CK framework — what it is, how tactics, techniques, and matrices are structured, and how to use it for detection and threat intel.
Defenders have always needed a shared way to talk about how attackers behave. Before MITRE ATT&CK, that vocabulary was fragmented across vendors, agencies, and research teams — making it hard to compare detections, exchange intelligence, or evaluate coverage. ATT&CK gave the security community a common language built on direct observation of real attacks.
The framework is now embedded in nearly every serious defensive tool, intelligence report, and red-team exercise. Understanding it has become a baseline skill for anyone working in cybersecurity — not because every defender needs to memorize every technique, but because the framework shapes how the field thinks about attacker behavior.
This guide explains what MITRE ATT&CK is, how it is structured, the matrices it covers, how defenders actually use it, and where its limits lie. Use the links throughout for deeper context on related topics.
What Is MITRE ATT&CK?
MITRE ATT&CK — short for Adversarial Tactics, Techniques, and Common Knowledge — is a freely available knowledge base of adversary behavior, curated by the not-for-profit MITRE Corporation. Each entry in the knowledge base describes a specific technique an attacker has been observed using, with citations to real incidents, the platforms it applies to, detection guidance, and mitigations.
The framework is descriptive, not prescriptive. It catalogs what attackers do, observed in the wild, rather than dictating what defenders should do. That grounding in real intrusions is what makes it so widely trusted.
The Structure: Tactics, Techniques, Sub-Techniques, Procedures
ATT&CK organizes adversary behavior into a hierarchy. Understanding the four layers is the key to using the framework.
Tactics describe the why — the adversary's goal at a particular point in an operation. Examples include Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, and Exfiltration. The Enterprise matrix has fourteen tactics that span the full lifecycle of an intrusion.
Techniques describe the how — the general method an adversary uses to achieve a tactic. "Phishing," for example, is a technique within the Initial Access tactic. Each technique is identified by a unique ID such as T1566.
Sub-techniques are more specific variants of a technique. "Spearphishing Attachment" is a sub-technique of "Phishing." Sub-techniques use a decimal ID, such as T1566.001.
Procedures are concrete examples of how a specific adversary or piece of malware has actually implemented a technique. Procedures live in the group and software pages of the knowledge base.

The ATT&CK Matrices
ATT&CK is organized into several matrices, each covering a different technology domain.
Enterprise ATT&CK is the largest and most widely used. It covers Windows, macOS, Linux, cloud environments (AWS, Azure, GCP, SaaS), network infrastructure, and containers. The Enterprise matrix is the one most people mean when they say "ATT&CK."
Mobile ATT&CK covers techniques used against Android and iOS devices, including tactics specific to mobile such as network effects and SMS-based access.
ICS ATT&CK covers techniques used against industrial control systems — the operational technology that runs power grids, water treatment plants, manufacturing lines, and similar infrastructure.
How Defenders Use ATT&CK
ATT&CK is most useful when it is operationalized. The common defensive use cases include:
Detection coverage mapping. Map each existing detection rule to the technique it identifies, then visualize coverage across the matrix to see which tactics and techniques are well covered and which are blind spots.
Threat-informed defense. Identify the techniques most commonly used by the threat actors that target your industry, and prioritize building detections for those techniques first. Not all techniques are equally likely or equally damaging.
Red team and purple team exercises. Use the framework to plan and document offensive operations, then map findings back into defensive improvements with a common vocabulary.
Threat intelligence reporting. Describe adversary behavior in intelligence reports using ATT&CK technique IDs, so consumers can immediately compare it against other reporting and against their own detections.
Incident response. Tag observed adversary behavior during an incident with ATT&CK techniques, which makes post-incident analysis cleaner and lets the organization compare across incidents.

ATT&CK vs the Cyber Kill Chain
ATT&CK is frequently compared to the older Cyber Kill Chain model. Both describe attacker behavior, but they do so at different levels of resolution.
The Cyber Kill Chain divides an intrusion into seven sequential stages — Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives. It is a clean, high-level mental model of attack flow.
ATT&CK is far more granular. Instead of seven stages, it catalogs hundreds of specific techniques, with citations to real attacks. The two are complementary rather than competing — the Kill Chain is useful for high-level conversation, ATT&CK for detailed analysis.
Practical Examples
Consider a typical intrusion. An attacker sends a phishing email with a malicious attachment — that maps to Initial Access via Spearphishing Attachment (T1566.001). The user opens the attachment, which triggers a macro — that is Execution via User Execution (T1204). The macro drops a payload that writes itself to a registry run key — Persistence via Registry Run Keys (T1547.001). The payload then begins beaconing out to a command-and-control server — Command and Control via Application Layer Protocol (T1071).
Each step has a technique ID. Each technique has detection guidance and mitigations. A defender can take that mapping, compare it to their detection coverage, and identify exactly where this attack would have been caught — or missed.
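As an added example (not code from the article), this Python snippet puts the detection coverage mapping use case and the walkthrough above together: constructed detection rules are tagged with the technique IDs used on this page, rolled up into a per-tactic coverage view, and the four-step chain is checked against them. The technique table is a small constructed subset of the Enterprise matrix and the rule names are made up for illustration.

```python
from collections import defaultdict

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactic).
# The IDs are the ones this article uses; the real matrix has hundreds more.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1566.001": ("Spearphishing Attachment", "Initial Access"),
    "T1566.002": ("Spearphishing Link", "Initial Access"),
    "T1204": ("User Execution", "Execution"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "Persistence"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
}

# Constructed detection rules, each tagged with the one (sub-)technique it identifies.
RULES = [
    {"name": "attachment-macro-spawn", "technique": "T1566.001"},
    {"name": "office-spawns-shell", "technique": "T1204"},
    {"name": "run-key-write", "technique": "T1547.001"},
]

def parent(tid):
    """'T1566.001' -> 'T1566'; a top-level technique is its own parent."""
    return tid.split(".")[0]

def coverage_by_tactic(rules):
    """Coverage-map view: per tactic, the parent techniques with at least one rule.
    Rolling sub-techniques up to the parent is what makes a matrix look greener
    than the detections underneath it really are."""
    cov = defaultdict(set)
    for r in rules:
        cov[TECHNIQUES[r["technique"]][1]].add(parent(r["technique"]))
    return {tactic: sorted(ids) for tactic, ids in cov.items()}

def uncovered_subtechniques(rules, parent_id):
    """Sub-techniques of a 'covered' parent that no rule is tagged with."""
    tagged = {r["technique"] for r in rules}
    return [t for t in TECHNIQUES
            if parent(t) == parent_id and "." in t and t not in tagged]

def assess_chain(chain, rules):
    """For each observed step: (technique, tactic, caught?).
    A rule counts only for the exact ID it is tagged with."""
    tagged = {r["technique"] for r in rules}
    return [(t, TECHNIQUES[t][1], t in tagged) for t in chain]

# The intrusion walked through above: phish -> macro -> run key -> C2 beacon.
ARTICLE_CHAIN = ["T1566.001", "T1204", "T1547.001", "T1071"]
```

Running `assess_chain(ARTICLE_CHAIN, RULES)` shows the C2 beacon step as the gap, while `uncovered_subtechniques(RULES, "T1566")` shows that "Phishing" looks covered on the map even though a link-based phish would go undetected.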
Limitations
ATT&CK is powerful but not complete. Two limitations are worth keeping in mind.
The first is that ATT&CK only catalogs observed behavior. Novel techniques that have not yet been seen and reported are not in the matrix. Defenders who treat ATT&CK as the complete universe of attacker behavior will miss what is genuinely new.
The second is that covering a technique is not the same as detecting every implementation of it. A detection for one variant of credential dumping does not stop every variant. Coverage maps based on ATT&CK can give a false sense of security if the underlying detections are shallow.
Conclusion
MITRE ATT&CK has become the de facto common language for describing attacker behavior. Used well, it sharpens detection engineering, threat intelligence, red-team exercises, and incident response. Used poorly, it produces colorful matrix screenshots that exaggerate how well an organization is actually defended.
The framework is most valuable when it is treated as a working tool rather than a dashboard — when detection coverage maps drive engineering work, when threat intelligence reports translate into specific detections, and when incidents feed back into the next round of coverage planning.
Frequently Asked Questions (FAQ)
What does MITRE ATT&CK stand for?
Adversarial Tactics, Techniques, and Common Knowledge. It is a freely available knowledge base of adversary behavior maintained by the MITRE Corporation.
What is the difference between a tactic and a technique in ATT&CK?
A tactic describes an adversary's goal at a point in an operation (the why) — for example, Initial Access or Persistence. A technique describes the general method the adversary uses to achieve that goal (the how) — for example, Phishing or Valid Accounts.
How is ATT&CK different from the Cyber Kill Chain?
The Cyber Kill Chain divides an intrusion into seven high-level stages. ATT&CK is far more granular, cataloging hundreds of specific techniques observed in real attacks. The two are complementary.
Is MITRE ATT&CK free to use?
Yes. ATT&CK is published and maintained as a freely available public resource by MITRE.
How do defenders use ATT&CK in practice?
Common uses include mapping detection coverage across techniques, prioritizing detections based on the TTPs of likely adversaries, planning red-team exercises, documenting incidents, and structuring threat intelligence reporting.
What are the limits of ATT&CK?
It only catalogs observed behavior, so novel techniques are not in the matrix until they have been seen and reported. And technique coverage is not the same as deep detection — one detection rule does not necessarily catch every implementation of a technique.