What is MITRE ATT&CK Framework? | Definition & Guide
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base that catalogs real-world adversary behaviors into a structured taxonomy of tactics (the adversary's objective at each stage of an attack) and techniques (the specific methods used to achieve each objective). Maintained by MITRE Corporation and continuously updated based on observed threat intelligence, ATT&CK covers enterprise, mobile, and ICS (industrial control systems) environments. The framework organizes adversary behavior into 14 tactical stages — from reconnaissance and initial access through execution, persistence, lateral movement, and exfiltration — with hundreds of individual techniques and sub-techniques documented with real-world examples, detection guidance, and mitigation recommendations. For security teams, ATT&CK serves as the common language for describing adversary behavior, evaluating detection coverage, and benchmarking security tools through structured evaluations like the MITRE Engenuity ATT&CK Evaluations.
Definition
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) derived from real-world observations of cyberattacks. The framework organizes adversary behavior into a matrix structure: 14 tactics represent the sequential objectives an attacker pursues during an intrusion (reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact), and each tactic contains multiple techniques describing the specific methods adversaries use. Technique T1059.001 (PowerShell), for example, documents how attackers use PowerShell for execution, with sub-techniques covering obfuscation methods, encoded commands, and script block logging bypass. Each technique entry includes real-world procedure examples, detection data sources, and mitigation recommendations. MITRE Corporation maintains the framework through ongoing contributions from threat intelligence providers including CrowdStrike, Palo Alto Unit 42, Mandiant, and Microsoft.
Why It Matters
Before ATT&CK, the security industry lacked a standardized vocabulary for describing adversary behavior. Vendors used proprietary terminology, threat intelligence reports described the same techniques using different names, and detection coverage was difficult to evaluate objectively. ATT&CK created a common language that enables security teams to map their detection rules to specific adversary techniques, identify coverage gaps, and compare tool effectiveness using a shared framework.
The practical impact is measurable across three use cases. First, detection engineering: security teams map their SIEM and EDR detection rules to ATT&CK techniques, producing a coverage heat map that shows which adversary behaviors they can detect and which represent blind spots. If an organization has strong detection coverage for initial access techniques (T1566 phishing, T1190 exploit public-facing application) but no coverage for credential access techniques (T1003 OS credential dumping, T1558 Kerberoasting), the gap is visible and actionable.
Second, vendor evaluation: the MITRE Engenuity ATT&CK Evaluations test security vendors against emulated adversary campaigns and publish the results publicly. CrowdStrike, SentinelOne, Palo Alto, and Microsoft all participate. The evaluations show how each platform detects (or misses) specific techniques, providing security buyers with standardized comparison data rather than relying on vendor marketing claims.
Third, threat intelligence: ATT&CK provides the taxonomy for threat actor profiling. When CrowdStrike describes LABYRINTH CHOLLIMA's tradecraft, they map specific behaviors to ATT&CK technique IDs, enabling defenders to search for those same technique patterns in their own telemetry. This creates an operational link between threat intelligence consumption and detection rule creation.
How It Works
ATT&CK is operationalized through four primary workflows:
- Detection mapping — Security teams catalog their existing detection rules and map each rule to the ATT&CK technique(s) it covers. A SIEM rule detecting unusual PowerShell execution maps to T1059.001. An EDR rule detecting LSASS memory access maps to T1003.001. The resulting coverage matrix reveals which techniques have detection coverage, which have partial coverage, and which are unmonitored. Detection engineering priorities then focus on closing the highest-risk gaps — typically techniques used by adversaries known to target the organization's industry.
- Threat intelligence integration — Threat reports from CrowdStrike, Unit 42, SentinelOne, and Mandiant reference ATT&CK technique IDs when describing adversary campaigns. A report documenting a ransomware group's TTPs might reference T1078 (valid accounts) for initial access, T1021.001 (RDP) for lateral movement, and T1486 (data encrypted for impact) for the ransomware deployment. Security teams consume these reports and verify whether their detection coverage includes the techniques used by adversaries actively targeting their sector.
- ATT&CK Evaluations — MITRE Engenuity conducts annual evaluations where participating vendors' platforms are tested against emulated adversary campaigns. The evaluations use specific threat actor TTPs — recent rounds have emulated DPRK-nexus and ransomware operator tradecraft. Results show whether each platform detected, alerted, or missed each technique step. Security teams use these results as one input (among many) when evaluating detection platforms, with the caveat that evaluation conditions differ from production environments.
- Purple teaming and adversary emulation — Red teams and purple teams use ATT&CK as the playbook for adversary emulation exercises. Rather than running ad hoc penetration tests, the red team systematically executes techniques from the ATT&CK matrix and documents whether the blue team's detection and response capabilities identified each one. Tools like MITRE Caldera and Atomic Red Team automate the execution of ATT&CK techniques for repeatable testing.
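As an added example that is not part of the original article, the following Python script carries out the detection-mapping and threat-report checks described above: it takes a rule inventory, groups technique IDs by tactic into a coverage matrix, and lists which techniques from a report's TTP list have no mapped rule. The technique subset, tactic assignments, rule names and report TTP list are constructed sample data; real mappings come from the ATT&CK knowledge base itself.

```python
# Added example: minimal ATT&CK detection-coverage check (not the article's code).
# TECHNIQUES, RULES and the report TTP list are constructed sample data; a real
# workflow would load the technique/tactic mapping from the ATT&CK knowledge base.
from collections import defaultdict

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactic).
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1190": ("Exploit Public-Facing Application", "initial-access"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1558.003": ("Kerberoasting", "credential-access"),
    "T1021.001": ("Remote Desktop Protocol", "lateral-movement"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed detection rule inventory: rule name -> technique IDs it covers.
RULES = {
    "siem-suspicious-powershell": ["T1059.001"],
    "edr-lsass-memory-access": ["T1003.001"],
    "email-gateway-phish-detonation": ["T1566"],
    "waf-exploit-attempt": ["T1190"],
}

def covered_ids(rules):
    """Set of every technique ID that at least one rule claims to cover."""
    return {tid for tids in rules.values() for tid in tids}

def coverage_by_tactic(rules, techniques):
    """Return {tactic: (covered_ids, uncovered_ids)}, i.e. one row of the heat map per tactic."""
    covered = covered_ids(rules)
    by_tactic = defaultdict(lambda: (set(), set()))
    for tid, (_name, tactic) in techniques.items():
        by_tactic[tactic][0 if tid in covered else 1].add(tid)
    return dict(by_tactic)

def report_gaps(report_ttps, rules):
    """Technique IDs from a threat report that no rule maps to, in report order."""
    covered = covered_ids(rules)
    return [tid for tid in report_ttps if tid not in covered]

if __name__ == "__main__":
    for tactic, (hit, miss) in sorted(coverage_by_tactic(RULES, TECHNIQUES).items()):
        print(f"{tactic:18} covered={sorted(hit)} gaps={sorted(miss)}")
    # Constructed ransomware TTP list in the shape the text describes.
    print("report gaps:", report_gaps(["T1078", "T1021.001", "T1486"], RULES))
```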
MITRE ATT&CK and SEO/AEO
MITRE ATT&CK is one of the highest-authority search terms in the cybersecurity domain, searched by practitioners evaluating detection coverage, security leaders benchmarking vendor capabilities, and researchers analyzing adversary tradecraft. We target ATT&CK-related terminology as part of our cybersecurity SEO practice because content demonstrating fluency in ATT&CK — referencing specific technique IDs, explaining detection mapping workflows, and contextualizing vendor evaluation results — signals the domain depth that cybersecurity buyers expect from their content partners.