What is MITRE ATT&CK?
MITRE ATT&CK is an open knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world intrusions. In the Enterprise matrix, techniques are organised under 14 tactics, the adversary's goals in rough attack order: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. Security teams use it to measure detection coverage, structure red-team objectives, and standardise threat intelligence reporting. It is the de facto common language for describing adversary behaviour, shared by offensive and defensive teams worldwide.
ATT&CK's value is its specificity. Rather than say 'an attacker phished a user,' ATT&CK lets you say 'the attacker used T1566.002 (Spearphishing Link), then T1059.001 (PowerShell), then T1003.001 (LSASS Memory dump) for credential access, then T1021.001 (Remote Services: Remote Desktop Protocol) for lateral movement.' The suffix marks a sub-technique: T1566.002 is one specific form of T1566 (Phishing). Every technique has an ID, a description, references to the adversary groups and software observed using it, mitigation references, and detection guidance. Note that an ID names a behaviour, not an indicator: T1059.001 says PowerShell was used, not which script, hash, or domain was involved.
Three matrices cover different domains: Enterprise (Windows, Linux, macOS, cloud, network, containers), Mobile (Android, iOS), and ICS (industrial control systems). Most defensive work happens in the Enterprise matrix, which currently lists 14 tactics, ~200 techniques, and ~400 sub-techniques.
Practical applications: SOCs use ATT&CK Navigator to visualise detection coverage as a layer over the matrix, for example colouring techniques green where a detection rule exists and red where none does (the colours are a convention chosen per layer, not fixed by the tool). A green cell means a rule exists for that technique, not that it fires against every procedure beneath it, so coverage maps should be validated with adversary emulation rather than read as guarantees. Red teams plan engagements by selecting specific techniques to exercise. Threat intel teams tag intrusion reports with the techniques the actor used, so behaviour can be compared across incidents even when the indicators change. Procurement teams ask vendors to map their detections to ATT&CK techniques to compare products like-for-like.
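The coverage workflow described above, as an added example that is not part of the original page or of MITRE's own tooling. It reads Sigma-style ATT&CK tags (`attack.t1059.001`; that tag grammar is real) from a set of constructed detection rules, computes which techniques have at least one rule, and writes an ATT&CK Navigator layer that colours covered techniques green and uncovered ones red. The technique list is a constructed subset of Enterprise ATT&CK (a real run would load the full list from the `enterprise-attack` STIX bundle in the mitre-attack/attack-stix-data GitHub repository); the rule titles are made up; the layer field names follow the published Navigator layer format, while the version strings under `versions` are assumptions to be set to match your Navigator install.

```python
import json
import re

# Constructed subset of Enterprise ATT&CK: the four techniques from the kill chain
# in the text plus their parents. Tactic shortnames are the ones Navigator uses.
TECHNIQUES = {
    "T1566":     {"name": "Phishing",                          "tactic": "initial-access"},
    "T1566.002": {"name": "Spearphishing Link",                "tactic": "initial-access"},
    "T1059":     {"name": "Command and Scripting Interpreter", "tactic": "execution"},
    "T1059.001": {"name": "PowerShell",                        "tactic": "execution"},
    "T1003":     {"name": "OS Credential Dumping",             "tactic": "credential-access"},
    "T1003.001": {"name": "LSASS Memory",                      "tactic": "credential-access"},
    "T1021":     {"name": "Remote Services",                   "tactic": "lateral-movement"},
    "T1021.001": {"name": "Remote Desktop Protocol",           "tactic": "lateral-movement"},
}

# Constructed detection rules (titles are made up) carrying Sigma-style ATT&CK tags.
RULES = [
    {"title": "PowerShell with EncodedCommand",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "LSASS handle opened by unsigned process",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Mailbox forwarding rule created",
     "tags": ["attack.collection", "attack.t1114"]},   # not in the subset above
]

# Matches attack.t1059 or attack.t1059.001; tactic tags such as attack.execution do not match.
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

COVERED_COLOR = "#66ff66"    # at least one rule maps to the technique
UNCOVERED_COLOR = "#ff6666"  # no rule maps to the technique


def technique_ids(rule):
    """Technique IDs referenced by a rule's tags, normalised to upper case."""
    ids = set()
    for tag in rule.get("tags", []):
        match = TECH_TAG.match(tag)
        if match:
            ids.add(match.group(1).upper())
    return ids


def coverage(rules, techniques):
    """Map every technique ID in `techniques` to the titles of the rules covering it.

    A rule tagged with a sub-technique also counts for its parent, because the
    parent is only ever exercised through one of its sub-techniques. A rule
    tagged only with the parent does not count for any sub-technique.
    """
    covered = {tid: [] for tid in techniques}
    for rule in rules:
        for tid in technique_ids(rule):
            for target in {tid, tid.split(".")[0]}:
                if target in covered:
                    covered[target].append(rule["title"])
    return covered


def coverage_summary(covered):
    """(number of techniques with at least one rule, total techniques)."""
    hits = sum(1 for titles in covered.values() if titles)
    return hits, len(covered)


def navigator_layer(covered, techniques, name="Detection coverage"):
    """Build a Navigator layer dict: green where a rule exists, red where none does."""
    entries = []
    for tid in sorted(covered):
        titles = covered[tid]
        entries.append({
            "techniqueID": tid,
            "tactic": techniques[tid]["tactic"],
            "color": COVERED_COLOR if titles else UNCOVERED_COLOR,
            "comment": "; ".join(titles),   # which rules back the colour
            "enabled": True,
            "score": len(titles),
            "showSubtechniques": True,
        })
    return {
        "name": name,
        # Assumed version strings: set to the ATT&CK release and Navigator build you run.
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from detection-rule ATT&CK tags",
        "techniques": entries,
        "legendItems": [
            {"label": "detection exists", "color": COVERED_COLOR},
            {"label": "no detection", "color": UNCOVERED_COLOR},
        ],
    }


if __name__ == "__main__":
    cov = coverage(RULES, TECHNIQUES)
    hits, total = coverage_summary(cov)
    for tid in sorted(cov):
        state = "COVERED" if cov[tid] else "gap"
        print(f"{tid:<10} {TECHNIQUES[tid]['name']:<35} {state}")
    print(f"{hits}/{total} techniques have at least one rule")
    with open("coverage-layer.json", "w") as fh:
        json.dump(navigator_layer(cov, TECHNIQUES), fh, indent=2)
```

Upload `coverage-layer.json` through Navigator's "Open Existing Layer" to see the colouring over the matrix. On the constructed input only the execution and credential-access techniques light up (4 of 8), and the phishing and RDP cells stay red; the score field carries the rule count so a gradient layer can be derived from the same data later.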
Key points
- Open framework maintained by MITRE Corporation (free; published in numbered releases, with the underlying STIX data on GitHub).
- Three matrices: Enterprise, Mobile, ICS.
- 14 tactic categories, ~200 techniques, ~400 sub-techniques (Enterprise).
- Each technique has detection guidance, mitigation references, and real-world adversary citations.
- ATT&CK Navigator: free visualisation tool for coverage analysis.
