What Is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible, free, open-source knowledge base of adversary tactics and techniques based on real-world cyber attack observations. The framework provides a structured, community-driven approach to documenting and understanding how cyber adversaries operate across the full attack lifecycle. MITRE ATT&CK serves as a foundation for threat modeling, detection engineering, threat hunting, and security assessment across the cybersecurity industry. As of October 2025, the framework contains 14 tactics, 216 techniques, 475 sub-techniques, 172 documented threat actor groups, and 784 cataloged pieces of malware and tools.
How is MITRE ATT&CK structured?
The framework organizes attack knowledge into hierarchical components spanning tactics, techniques, actors, and tools.
Tactics represent the overarching goals attackers pursue at specific phases of an attack. The 14 tactics in the Enterprise matrix are: Reconnaissance to gather information before an attack, Resource Development to establish infrastructure and resources, Initial Access to gain a foothold in the target environment, Execution to run malicious code, Persistence to maintain presence in the environment, Privilege Escalation to obtain higher system privileges, Defense Evasion to avoid or bypass security controls, Credential Access to steal or compromise credentials, Discovery to gather information about the target environment, Lateral Movement to move deeper into the network, Collection to gather data before exfiltration, Command and Control to maintain C2 infrastructure, Exfiltration to extract stolen data, and Impact to disrupt or destroy target systems.
Techniques provide the specific methods attackers use to accomplish tactical objectives. As of October 2025, 216 techniques are documented. Each technique includes a description of the technique, the platforms affected (including Windows, macOS, Linux, Cloud, and ICS), procedures used by known threat actors demonstrating real-world usage, detection methods for identifying technique execution, mitigation strategies for preventing or limiting the technique, and data sources for detection specifying what logs or telemetry to collect.
Sub-techniques represent variations and specific implementations of techniques. The framework includes 475 sub-techniques as of October 2025 with different characteristics, tools, or impacts. Examples include Phishing technique subdivided into Malicious Link, Malicious Attachment, and other variations, and Command and Scripting Interpreter technique broken into PowerShell, Bash, Python, and other platform-specific implementations.
The framework documents 172 threat actor groups, each with the techniques and tactics they employ, the infrastructure and tools they use, documented campaigns and activities, and attribution details when available.
The 784 cataloged malware and tools include malware families and legitimate tools used maliciously, with the techniques each employs and attribution to the threat actors who use them.
The 52 documented campaigns cover notable attacks, each with associated threat actors, techniques employed during the campaign, timeline and targets, and an assessment of impact and scale.
Frameworks and domains address different environments. Enterprise Matrix focuses on traditional enterprise IT and cloud environments including Windows, macOS, Linux, cloud platforms like AWS, Azure, and Google Cloud, identity providers and SaaS applications, network devices, and containers. ICS/OT Matrix specializes in industrial control systems and operational technology with device control techniques, physical system impacts, and critical infrastructure-specific tactics. Mobile Matrix covers mobile device attacks on iOS and Android with mobile-specific tactics and techniques. Cloud Matrix addresses cloud-specific tactics and techniques across Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service.
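The hierarchy described above (tactics, techniques, sub-techniques, platforms) is what a team actually consumes when it loads the ATT&CK STIX data into its own tooling. The following added example, which is not code from MITRE or from this page, indexes a constructed, abbreviated bundle laid out the way the published STIX data is (attack-pattern objects carrying an ATT&CK ID in external_references, a tactic per kill_chain_phases entry, and subtechnique-of relationship objects). The technique IDs and names are real ATT&CK identifiers; the STIX UUIDs, the trimmed platform lists and the helper function names are constructed for the example.

```python
from collections import defaultdict


def _ap(uuid, attack_id, name, tactics, platforms, sub=False, revoked=False):
    """Build one STIX attack-pattern object in the layout MITRE publishes (constructed UUIDs)."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--{uuid}",
        "name": name,
        "x_mitre_is_subtechnique": sub,
        "x_mitre_platforms": platforms,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "external_references": [{
            "source_name": "mitre-attack",
            "external_id": attack_id,
            "url": f"https://attack.mitre.org/techniques/{attack_id.replace('.', '/')}/",
        }],
    }
    if revoked:
        obj["revoked"] = True
    return obj


def _sub_of(child_uuid, parent_uuid):
    """Constructed subtechnique-of relationship, as found in the real bundle."""
    return {"type": "relationship", "id": f"relationship--{child_uuid}-{parent_uuid}",
            "relationship_type": "subtechnique-of",
            "source_ref": f"attack-pattern--{child_uuid}", "target_ref": f"attack-pattern--{parent_uuid}"}


# Constructed, abbreviated bundle; platform lists are trimmed for brevity.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        _ap("a1", "T1566", "Phishing", ["initial-access"], ["Linux", "macOS", "Windows", "SaaS"]),
        _ap("a2", "T1566.001", "Spearphishing Attachment", ["initial-access"], ["Linux", "macOS", "Windows"], sub=True),
        _ap("a3", "T1566.002", "Spearphishing Link", ["initial-access"], ["Linux", "macOS", "Windows", "SaaS"], sub=True),
        _ap("b1", "T1059", "Command and Scripting Interpreter", ["execution"], ["Linux", "macOS", "Windows"]),
        _ap("b2", "T1059.001", "PowerShell", ["execution"], ["Windows"], sub=True),
        _ap("b3", "T1059.004", "Unix Shell", ["execution"], ["Linux", "macOS"], sub=True),
        # One technique can sit under several tactics; this is why the matrix is non-linear.
        _ap("c1", "T1053", "Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"],
            ["Linux", "macOS", "Windows", "Containers"]),
        # T1086 was the pre-sub-technique PowerShell entry, revoked in favour of T1059.001.
        _ap("d1", "T1086", "PowerShell", ["execution"], ["Windows"], revoked=True),
        _sub_of("a2", "a1"), _sub_of("a3", "a1"), _sub_of("b2", "b1"), _sub_of("b3", "b1"),
    ],
}


def index_attack(bundle):
    """Build tactic -> techniques and technique -> sub-technique lookups.

    Revoked and deprecated objects are skipped: MITRE keeps them in the bundle
    for backward compatibility, and counting them inflates any coverage figure.
    """
    techniques = {}       # ATT&CK ID -> record
    stix_to_attack = {}   # STIX id -> ATT&CK ID, needed to resolve relationships
    by_tactic = defaultdict(list)
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        attack_id = next(r["external_id"] for r in obj["external_references"] if r.get("source_name") == "mitre-attack")
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", []) if p["kill_chain_name"] == "mitre-attack"]
        techniques[attack_id] = {"name": obj["name"], "tactics": tactics,
                                 "platforms": obj.get("x_mitre_platforms", []),
                                 "is_subtechnique": obj.get("x_mitre_is_subtechnique", False),
                                 "parent": None, "subtechniques": []}
        stix_to_attack[obj["id"]] = attack_id
        for t in tactics:
            by_tactic[t].append(attack_id)
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "subtechnique-of":
            child, parent = stix_to_attack.get(obj["source_ref"]), stix_to_attack.get(obj["target_ref"])
            if child and parent:
                techniques[child]["parent"] = parent
                techniques[parent]["subtechniques"].append(child)
    return {"techniques": techniques, "by_tactic": dict(by_tactic)}


def techniques_for(index, tactic, platform=None):
    """IDs under one tactic, optionally restricted to a platform, sorted for stable output."""
    ids = index["by_tactic"].get(tactic, [])
    if platform is not None:
        ids = [i for i in ids if platform in index["techniques"][i]["platforms"]]
    return sorted(ids)


if __name__ == "__main__":
    idx = index_attack(SAMPLE_BUNDLE)
    for tactic, ids in sorted(idx["by_tactic"].items()):
        print(f"{tactic}: {', '.join(sorted(ids))}")
    print("Linux execution techniques:", techniques_for(idx, "execution", platform="Linux"))
```

Against the real enterprise-attack bundle the same two passes work unchanged; the filtering of revoked and deprecated objects is the step most often forgotten when teams count "how many techniques do we cover".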
How does MITRE ATT&CK differ from other security frameworks?
| Feature | MITRE ATT&CK | Cyber Kill Chain | CIS Controls |
|---|---|---|---|
| Focus | Adversary behaviors and tactics | Linear attack progression | Prescriptive security practices |
| Structure | 14 tactics, non-linear | 7 phases, sequential | 18 controls, implementation-focused |
| Granularity | 216 techniques, 475 sub-techniques | High-level phase description | Specific action items |
| Update frequency | Regular updates throughout year | Static since 2011 | Periodic version updates |
| Application | Descriptive framework of attacker behaviors | Interrupt-centric defense strategy | Implementation guidance |
| Complexity | High—requires training | Low—seven phases easy to understand | Medium—detailed but structured |
| Ideal for | Comprehensive threat understanding and detection | Understanding attack flow and interruption points | Implementation of security controls |
The relationship between frameworks: MITRE ATT&CK is more comprehensive than Cyber Kill Chain, accounting for modern attack complexity including lateral movement, persistence, and recovery phases that Kill Chain doesn't emphasize. The frameworks can be mapped to each other—Kill Chain phases correspond to specific ATT&CK tactics.
MITRE ATT&CK versus CVSS (Common Vulnerability Scoring System) addresses different security aspects. CVSS focuses on individual vulnerability severity, providing scores for exploitability and impact. MITRE ATT&CK focuses on adversary behaviors and attack methods across entire attack lifecycle. They're complementary: CVSS identifies what needs patching based on vulnerability severity; ATT&CK provides context for how vulnerabilities fit into attack chains.
MITRE ATT&CK versus CIS Controls represents descriptive versus prescriptive approaches. CIS Controls prescribe specific security practices for implementation such as inventory management and access control. MITRE ATT&CK describes attacker behaviors without prescribing specific controls. Integration approach: organizations map CIS Controls to MITRE ATT&CK to show what controls prevent or detect specific techniques.
Why does MITRE ATT&CK matter?
MITRE ATT&CK transformed cybersecurity by providing common language and comprehensive threat knowledge.
Framework scale and adoption demonstrate industry acceptance. As of October 2025, content includes 14 tactics covering all attack phases, 216 techniques with comprehensive documentation, 475 sub-techniques providing specific implementation details, 172 threat actor groups documented with their TTPs, 784 malware and tools cataloged, 52 notable campaigns documented, 691 detection strategies provided, 1,739 detection analytics available, and 106 data components for detection. This comprehensive coverage makes ATT&CK applicable across all industries and environments.
Universal standard adoption spans government and commercial sectors. The framework has been adopted by the US government, including CISA, the NSA, and the military; integrated into critical infrastructure protection programs; and serves as the de facto standard for threat intelligence across all sectors. SOCs, red teams, and incident responders globally use ATT&CK for consistent threat analysis and communication.
Tool integration embeds ATT&CK throughout security operations. SIEM platforms integrate ATT&CK data for correlation rules aligned to techniques. EDR platforms use ATT&CK for detection and threat hunting capabilities. UEBA systems leverage ATT&CK for behavioral analysis baselines. XDR platforms incorporate ATT&CK for cross-domain detection coordination. Threat intelligence platforms normalize data to ATT&CK for consistent analysis.
Security program integration enables multiple use cases. Gap analysis identifies which techniques organizations can currently detect or prevent versus gaps in coverage. Threat modeling simulates attacks based on relevant threat actors and their documented techniques. Red team exercises leverage ATT&CK for adversary emulation ensuring exercises reflect real attacker behavior. Security metrics track coverage against techniques used by relevant threats, measuring improvement over time.
Framework maturation continues through regular updates. Continuous updates reflect emerging techniques observed in real attacks, enhanced visualization tools and interactive features improve usability, cross-domain consistency across the Enterprise, ICS, and Mobile matrices keeps improving, and integration with external security tools and platforms gets better through APIs and data formats.
Emerging techniques documented in 2025 include Paste and Run attacks using ClickFix and FakeCAPTCHA (T1204.004), data exfiltration via trusted cloud services, AI-assisted attacks, and cloud-native attack techniques. This reflects ATT&CK's commitment to documenting current threat landscape.
What are the limitations of MITRE ATT&CK?
Despite comprehensive coverage and industry adoption, ATT&CK faces practical constraints.
Framework limitations affect usability. Breadth creates complexity—216 techniques and 475 sub-techniques can overwhelm security teams unfamiliar with the framework. Classification challenges mean determining which technique applies to specific attack activity requires expertise and judgment. Update lag occurs because new attack methods may emerge faster than MITRE can document and publish them. Incomplete documentation exists for some threat actor procedures and techniques lacking detailed public information.
Application challenges complicate implementation. Interpretation variation means different teams may map the same activity to different techniques based on their understanding. Context requirements create dependency—technique application depends heavily on the organizational environment and available visibility. False positives occur because many legitimate activities match technique descriptions, requiring careful tuning. Resource-intensive implementation demands skilled analysts who understand both the framework and the organizational environment.
Coverage gaps reflect inherent limitations. Unknown unknowns cannot be documented—attack methods not yet observed aren't in framework. Emerging threats including zero-day exploits and novel attack methods take time to be added after discovery. Attacker innovation means sophisticated attackers develop techniques specifically to evade known patterns in ATT&CK. Nation-state capabilities may not be fully documented publicly due to classification or limited visibility.
Organizational challenges slow adoption. Training is required, so security teams need investment in education to use the framework effectively. Tool integration gaps exist because not all security tools deeply integrate with ATT&CK despite industry movement. Measurement difficulty makes determining technique coverage complex—knowing what percentage of relevant techniques you detect isn't straightforward. Threat applicability varies—not all 216 techniques apply to every organization, depending on industry, technology stack, and threat landscape.
How should organizations implement MITRE ATT&CK?
Effective ATT&CK implementation requires training, threat modeling, detection engineering, and continuous improvement.
Framework adoption and training
Train the security team on the framework structure, including tactics, techniques, and sub-techniques. Develop organizational documentation mapping internal processes and terminology to ATT&CK. Create a shared vocabulary using MITRE ATT&CK terminology across the security team, IT, and business units. Establish ATT&CK as the standard for threat intelligence and incident response communication.
Threat modeling and risk assessment
Identify relevant threat actors targeting your industry, geography, and organizational profile. Map organizational risks to MITRE ATT&CK tactics and techniques used by those threat actors. Prioritize techniques based on threat relevance—likelihood that threat actors would use them against you—and exploitability in your environment. Assess current detection and prevention capabilities against priority techniques to identify gaps.
Detection engineering
Map existing detection capabilities to MITRE ATT&CK techniques to understand current coverage. Create detection rules aligned to high-priority techniques using MITRE ATT&CK detection recommendations as foundation. Document which techniques are detected, prevented, or uncovered in your environment. Prioritize closing gaps in detection of techniques commonly used by threat actors targeting you.
Threat hunting program
Develop threat hunting hypotheses based on relevant threat actors and their documented techniques. Search for indicators of specific techniques in organizational data using SIEM, EDR, and other telemetry. Use the detection recommendations in MITRE ATT&CK as hunt guidance for what data sources and patterns to examine. Create permanent detections from successful hunts to avoid needing to re-hunt the same patterns.
Gap analysis and prioritization
Evaluate which techniques the organization can currently detect or prevent through controls and monitoring. Identify gaps where techniques could succeed without detection based on current capabilities. Prioritize gaps by threat relevance—techniques used by threat actors targeting you—and business impact—techniques affecting critical assets and data. Track remediation progress over time to measure security program improvement.
Map existing security controls to the techniques they prevent or detect. Identify control redundancy where multiple controls address the same technique, and gaps where no controls address a technique. Develop new controls for uncovered high-priority techniques. Document control effectiveness against techniques to understand defense confidence.
Regularly reassess gap status as threat landscape and organizational environment change. Adjust priorities as new threat actors emerge or existing actors change tactics. Update threat modeling based on current threat intelligence about actors targeting your sector. Track progress on remediation activities and communicate to leadership.
Tools and resources
Use ATT&CK Navigator, the web-based tool for visualizing and annotating ATT&CK matrices. Create custom layers for specific threat actors showing their technique usage. Visualize detection and prevention coverage across all techniques. Share assessments with stakeholders using exportable visualizations.
Leverage MITRE resources including ATT&CK data available in JSON, CSV, and STIX formats. Use detection analytics and data components for building detection rules. Reference threat actor group profiles for threat modeling. Review evaluation results showing security tool effectiveness against specific techniques.
Integrate through multiple options including importing ATT&CK data into SIEM and SOAR platforms, using threat intelligence platforms with ATT&CK integration, leveraging security vendor tools with built-in ATT&CK support, and building custom integrations via APIs and data formats.
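The threat modeling, detection engineering and gap analysis steps above, through to the Navigator layer mentioned under tools and resources, reduce to one small computation once detections carry technique tags. The following added example (not code from MITRE, the Navigator project or this page) scores a constructed detection inventory against a constructed threat profile, lists the gaps by threat relevance, and emits a layer for ATT&CK Navigator. The technique IDs are real ATT&CK identifiers; the rule names, the per-technique actor counts, the status values and the `versions` strings in the layer are assumptions made for the example.

```python
import json

# Constructed detection inventory: each rule tagged with the ATT&CK IDs it
# covers, as SIEM rules or Sigma "tags" usually are. Rule names are made up.
DETECTIONS = [
    {"name": "PowerShell encoded command line", "techniques": ["T1059.001"], "status": "production"},
    {"name": "Office app spawning script interpreter", "techniques": ["T1566.001", "T1059"], "status": "production"},
    {"name": "Scheduled task created from user session", "techniques": ["T1053.005"], "status": "tuning"},
    {"name": "Bulk upload to consumer cloud storage", "techniques": ["T1567.002"], "status": "draft"},
]

# Constructed threat profile from the threat-modeling step: technique ID ->
# number of relevant groups observed using it. The counts are invented.
THREAT_PROFILE = {
    "T1566.001": 3,  # Phishing: Spearphishing Attachment
    "T1059.001": 3,  # Command and Scripting Interpreter: PowerShell
    "T1053.005": 2,  # Scheduled Task/Job: Scheduled Task
    "T1567.002": 2,  # Exfiltration Over Web Service: Exfiltration to Cloud Storage
    "T1003.001": 2,  # OS Credential Dumping: LSASS Memory
    "T1021.001": 1,  # Remote Services: Remote Desktop Protocol
}


def assess_coverage(detections, profile, counted_statuses=("production",)):
    """Per technique in the threat profile: weight, rules covering it, covered flag.

    Only rules in counted_statuses earn credit; a draft or still-tuning rule is
    not coverage. A rule tagged with a parent technique (e.g. T1059) is credited
    to the parent only, not to its sub-techniques, so coverage is not overstated.
    """
    rules_by_technique = {}
    for rule in detections:
        if rule["status"] not in counted_statuses:
            continue
        for tid in rule["techniques"]:
            rules_by_technique.setdefault(tid, []).append(rule["name"])
    return {tid: {"weight": weight,
                  "rules": rules_by_technique.get(tid, []),
                  "covered": tid in rules_by_technique}
            for tid, weight in profile.items()}


def prioritized_gaps(coverage):
    """Uncovered techniques, highest threat weight first, technique ID as tiebreak."""
    return sorted((tid for tid, c in coverage.items() if not c["covered"]),
                  key=lambda tid: (-coverage[tid]["weight"], tid))


def coverage_ratio(coverage, weighted=False):
    """Share of profile techniques covered, optionally weighted by threat relevance."""
    if weighted:
        total = sum(c["weight"] for c in coverage.values())
        hit = sum(c["weight"] for c in coverage.values() if c["covered"])
    else:
        total = len(coverage)
        hit = sum(1 for c in coverage.values() if c["covered"])
    return hit / total if total else 0.0


def to_navigator_layer(coverage, name, domain="enterprise-attack"):
    """ATT&CK Navigator layer dict: covered techniques score 1, gaps score 0.

    The version strings are assumptions; check them against the Navigator
    release you import into.
    """
    return {
        "name": name,
        "versions": {"attack": "18", "navigator": "5.1.0", "layer": "4.5"},
        "domain": domain,
        "description": "Detection coverage against the constructed threat profile",
        "techniques": [
            {"techniqueID": tid,
             "score": 1 if c["covered"] else 0,
             "comment": "; ".join(c["rules"]) or f"GAP (threat weight {c['weight']})"}
            for tid, c in sorted(coverage.items())
        ],
        "gradient": {"colors": ["#ff6666", "#66cc66"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    cov = assess_coverage(DETECTIONS, THREAT_PROFILE)
    print("gaps, most relevant first:", prioritized_gaps(cov))
    print(f"coverage: {coverage_ratio(cov):.0%} of techniques, "
          f"{coverage_ratio(cov, weighted=True):.0%} threat-weighted")
    print(json.dumps(to_navigator_layer(cov, "Coverage vs. relevant actors"), indent=2))
```

Writing the layer to a file and opening it in Navigator gives the shareable visualization the tools section describes; the weighted ratio is the number worth reporting to leadership, because it rewards closing the gaps the relevant actors actually use rather than any gap.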
FAQs
What makes MITRE ATT&CK different from a simple attack checklist?
MITRE ATT&CK is community-driven with contributions from the global security community, is constantly updated based on attacks observed in the wild, provides detailed procedures and detection methods for each technique, and serves as an industry standard integrated into security tools. It's comprehensive, with 216 techniques covering all attack phases. It's linked to specific threat actors, malware, and real-world campaigns. Static checklists lack this depth, currency, and integration.
Do I need to understand all 216 techniques?
No. Focus on techniques relevant to your organization: those used by threat actors targeting your industry or geography, techniques affecting your critical systems and data, and techniques you're not currently detecting. Use ATT&CK Navigator to visualize which techniques apply to your threat model and where you have coverage gaps. Start with high-priority techniques and expand coverage over time rather than attempting comprehensive coverage immediately.
How do I use MITRE ATT&CK for incident response?
Map detected attack activity to specific techniques in ATT&CK. This helps you understand what the attacker was trying to accomplish tactically, identify other techniques they might use based on their tactics, search for related compromise indicators associated with those techniques, and develop appropriate containment and remediation strategies. ATT&CK provides context transforming isolated indicators into understood attack progression.
What's the difference between ATT&CK and a cyber threat intelligence report?
Threat intelligence reports describe specific campaigns, tools, and threat actors with tactical details about individual incidents. MITRE ATT&CK provides standardized language for describing behaviors applicable across all reports. Threat reports are mapped to ATT&CK to provide standardized, searchable context. ATT&CK gives structure to threat intelligence, enabling comparison across reports and cumulative understanding.
How often is MITRE ATT&CK updated?
Regularly throughout the year with new techniques, threat actors, and campaigns added as they're observed and documented. Major version updates typically occur in October. Security teams should review updates quarterly at minimum and adjust detection and prevention strategies based on newly added techniques or updated threat actor profiles. Subscribe to MITRE ATT&CK announcements to stay informed of significant updates.