What is the MITRE ATT&CK Framework?
The MITRE ATT&CK Framework is a globally used knowledge base of adversary behaviors. In simple terms, ATT&CK catalogs who attackers are and what they do at each stage of an attack.
MITRE describes ATT&CK as "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations." It's essentially the encyclopedia of TTPs drawn from public cyber attacks.
The ATT&CK Matrix
ATT&CK organizes tactics and techniques into matrices. The Enterprise Matrix (for corporate IT) includes columns for tactics like Reconnaissance, Initial Access, Execution, Persistence, etc. Under each tactic are specific techniques (with sub-techniques) that attackers use.
| Tactic | Description | Example Technique |
|---|---|---|
| Reconnaissance | Gathering info to plan an attack | Active Scanning |
| Initial Access | Gaining initial foothold | Spearphishing Attachment |
| Execution | Running malicious code | PowerShell Execution |
| Persistence | Maintaining access | Registry Run Keys |
| Privilege Escalation | Gaining higher permissions | Credential Dumping |
| Defense Evasion | Hiding activities | Obfuscated Files |
| Credential Access | Stealing credentials | Brute Force |
| Discovery | Exploring the environment | Network Discovery |
| Lateral Movement | Moving through network | Windows Admin Shares |
| Collection | Gathering sensitive data | Screen Capture |
| Command & Control | Communicating with C2 | DNS Tunneling |
| Exfiltration | Removing data | Encrypted Transfer |
| Impact | Disrupting operations | Data Destruction |
Why It Matters Today
ATT&CK is the common language for threat intelligence. It helps you measure coverage: you can check which ATT&CK techniques your security controls can detect, and where you have gaps. In 2026, ATT&CK's community contributions (over 200 contributors) mean it stays current with cloud-native attacks and IoT exploits.
Practical Uses
Detection Engineering
Use ATT&CK to design SIEM/SOAR rules that cover critical techniques. For example, log patterns for "Privilege Escalation: SeDebugPrivilege" can map to ATT&CK.
Reporting
Classify incidents by ATT&CK tactics when briefing management. Saying "we detected an Execution and Persistence technique" is clearer than raw technical details.
Threat Modeling
When evaluating new software or architecture, ask "which ATT&CK techniques apply here, and do we have defenses?"
Pitfalls to Avoid
- Treating ATT&CK as a rigid checklist. It's a living document – not all tactics apply to every organization
- Incomplete mappings: if you only search for exact technique names, you might miss variations
- Always combine ATT&CK usage with actual context
Next Steps
In our TTPs article we discuss how tactics, techniques, and procedures relate to ATT&CK. Also see Indicators of Compromise – knowing ATT&CK helps you tag indicators correctly.