
What Is the MITRE ATT&CK Framework? Tactics & Techniques


An alert fires: a process just read the memory of lsass.exe. On its own, that is a line in a log. Look it up in MITRE ATT&CK and it has a name, an ID, and a paper trail: T1003.001, OS Credential Dumping: LSASS Memory, sitting under the Credential Access tactic. The entry lists the threat groups known to use it, the tools that perform it, how to detect it, and how to mitigate it. One cryptic alert becomes a known adversary behavior with a shared name every defender recognizes. That shared language is what MITRE ATT&CK provides.

MITRE ATT&CK is a free, openly available knowledge base of real-world adversary tactics and techniques, maintained by the MITRE Corporation. It catalogs how attackers actually operate, observed in real incidents, and organizes that behavior into a structured matrix that defenders use to map detections, hunt threats, run red team exercises, and find the gaps in their coverage.

This guide explains what ATT&CK is, how it is structured (tactics, techniques, sub-techniques, procedures), the matrices and the 15 Enterprise tactics, the objects beyond techniques, how it compares to the Cyber Kill Chain, how blue teams actually use it, and where it falls down if you treat it wrong. It is written for blue teamers: SOC analysts, threat hunters, and detection engineers who use the framework as a daily reference.


What is MITRE ATT&CK?

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE, a US non-profit that runs federally funded research centers, began the project as internal research in 2013 and released it publicly in 2015. It is free, open, and used worldwide.

The core idea is simple and was new at the time: instead of cataloging malware or vulnerabilities, catalog behavior. ATT&CK documents what adversaries do, the actions they take to break in, stay in, and reach their goal, based on activity observed in real attacks. Each behavior gets a name, an ID, a description, real-world examples, and guidance on detection and mitigation.

One distinction matters more than any other: ATT&CK is descriptive, not prescriptive. It tells you what attackers do and what defenders have observed, not what product to buy or what your strategy should be. It is a reference, a common vocabulary that lets a threat intel report, a detection rule, and a red team finding all point to the same technique by the same name. That shared vocabulary is most of its value. Today it underpins much of how the security industry discusses attacks: vendors map their products to it, threat intelligence reports cite its technique IDs, analysts describe intrusions in its terms, and broader standards reference it directly. Learning ATT&CK is close to learning the field's shared dialect.


How ATT&CK is structured

ATT&CK is a hierarchy. Four levels run from the attacker's goal down to the specific way they pulled it off.

  • Tactic, the why. The adversary's goal: the reason for an action. "Credential Access" is a tactic: the attacker wants valid credentials. Tactics carry IDs like TA0006.
  • Technique, the how. The general method used to achieve the goal. "OS Credential Dumping" (T1003) is a technique under Credential Access.
  • Sub-technique, the finer how. A more specific version of a technique. "LSASS Memory" (T1003.001) is a sub-technique: dumping credentials specifically from the LSASS process.
  • Procedure, the exact implementation. How a specific adversary or tool actually did it in the wild, for example, using Mimikatz to read LSASS. Procedures are the real-world examples attached to each technique.

The opening alert maps cleanly onto this: the goal was Credential Access (tactic), the method was OS Credential Dumping (technique), the specific action was reading LSASS memory (sub-technique T1003.001), and Mimikatz would be the procedure. The same structure works for any behavior. Phishing is T1566 under Initial Access. PowerShell abuse is T1059.001 under Execution. Kerberoasting is T1558.003 under Credential Access.


The ATT&CK matrices and domains

ATT&CK is split into three matrices, one per technology domain, because attacks against a Windows server and attacks against a programmable logic controller do not share the same techniques.

  • Enterprise. Traditional IT: Windows, macOS, Linux, cloud (IaaS, SaaS, identity), network devices, and containers. The most used matrix by far.
  • Mobile. Threats against iOS and Android.
  • ICS. Industrial control systems and operational technology in critical infrastructure.

Within a matrix, the layout is a grid. Tactics are the column headers, arranged roughly in attack order from left to right. Each column holds the techniques that achieve that tactic. A defender reads it left to right as the rough flow of an intrusion, and top to bottom within a column as the menu of ways to accomplish a given goal.


The 15 Enterprise tactics

The Enterprise matrix is built on 15 tactics, the columns of the grid. As of the v19 release in April 2026, those tactics span 222 techniques and 475 sub-techniques beneath them. The tactics, in rough attack order:

  1. Reconnaissance. Gathering information to plan the attack.
  2. Resource Development. Setting up infrastructure and tooling.
  3. Initial Access. Getting the first foothold (phishing, exploiting a public app).
  4. Execution. Running malicious code on a system.
  5. Persistence. Keeping access across reboots and credential changes.
  6. Privilege Escalation. Gaining higher permissions.
  7. Stealth. Hiding actions so they look like normal behavior (obfuscation, masquerading, removing indicators).
  8. Defense Impairment. Breaking security mechanisms and tooling so defenders cannot see or trust what is happening.
  9. Credential Access. Stealing account names and passwords.
  10. Discovery. Learning the environment from inside.
  11. Lateral Movement. Moving from one system to others.
  12. Collection. Gathering the data of interest.
  13. Command and Control. Communicating with compromised systems.
  14. Exfiltration. Stealing the data out.
  15. Impact. Manipulating, disrupting, or destroying (for example, ransomware encryption).

No single intrusion uses every tactic, and they do not run in a strict sequence. An attacker loops, skips, and repeats. The order is a reading aid, not a script.


Beyond techniques: groups, software, and mitigations

What makes ATT&CK a knowledge base and not just a list of techniques is everything cross-referenced against those techniques.

  • Groups. Tracked threat actors, each with an ID, for example APT29 (G0016). Each group's page lists the techniques and software it has been observed using.
  • Software. Malware and tools, like Mimikatz (S0002), mapped to the techniques they perform.
  • Mitigations. Defensive measures that counter a technique, so you can move from "this technique exists" to "here is how to blunt it."
  • Data sources and detections. What telemetry reveals a technique, for example process creation logs for command-line abuse, so detection engineers know what to collect.
  • Campaigns. Sets of intrusion activity grouped over time.

This cross-referencing is the power. From one technique you can pivot to which groups use it, what malware implements it, how to detect it, and how to mitigate it. From one group you can pull every technique it favors and pre-build detections before it ever targets you.

MITRE also runs ATT&CK Evaluations through its Engenuity arm. These are independent tests that emulate a specific named threat group, executing its real techniques against commercial security products, and then publish how each product detected or missed the activity, mapped to the same technique IDs. For a buyer, they are a rare vendor-neutral data point on what a tool actually catches. The caveat is that an evaluation measures detection in a controlled lab against one adversary, not performance in your environment against the threats you actually face.


MITRE ATT&CK vs. the Cyber Kill Chain

ATT&CK is often compared to Lockheed Martin's Cyber Kill Chain, the older model of an intrusion. They are not rivals; they operate at different levels.

                 MITRE ATT&CK                         Cyber Kill Chain
  Shape          Matrix of tactics and techniques     Linear, 7 sequential stages
  Granularity    Hundreds of specific techniques      Seven high-level phases
  Question       How, at a tactical level             Why and when, at a strategic level
  Best for       Detection, hunting, emulation        Explaining the attack lifecycle

The Cyber Kill Chain describes an attack as seven ordered stages, from reconnaissance to actions on objectives. It is a clean way to explain the lifecycle, but it is linear, and real intrusions are not: attackers loop back, move laterally, and run multiple stages at once. ATT&CK is a matrix precisely because it does not force that linearity, and it goes far deeper, naming the specific techniques inside each phase. The Kill Chain gives you the strategic shape of an attack; ATT&CK gives you the tactical detail to detect it. Many teams use the Kill Chain to brief leadership and ATT&CK to do the work.


How to use MITRE ATT&CK

The framework earns its keep across several blue team jobs. These are the ones that matter day to day.

Detection coverage mapping. Map your existing detection rules and analytics to MITRE ATT&CK techniques, then color the matrix by what you cover. The blank cells are your blind spots, the techniques an attacker could use without tripping anything. In practice: export your SIEM rules, tag each with the technique it detects, and load the result into the Navigator. A team often finds it has a dozen rules for Execution and nothing for Exfiltration, which reorders the detection backlog on the spot.
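The export-tag-load workflow above, as an added example that is not part of the original article or MITRE's tooling: a handful of constructed SIEM rules tagged with technique IDs are rolled up from sub-technique to parent, counted per tactic column, and emitted as a Navigator layer so the blank columns can be read off as blind spots. The rule names, the tactic shortnames for the two newer tactics, and the version strings in the layer are assumptions; adjust them to your own export and Navigator build.

```python
import json
import re
from collections import Counter
# Constructed sample: rules exported from a SIEM and hand-tagged with the ATT&CK
# technique they detect and the tactic column they sit under (hypothetical rule names).
RULES = [
    {"rule": "LSASS handle from non-system process", "technique": "T1003.001", "tactic": "credential-access"},
    {"rule": "Burst of RC4 TGS requests", "technique": "T1558.003", "tactic": "credential-access"},
    {"rule": "Encoded PowerShell command line", "technique": "T1059.001", "tactic": "execution"},
    {"rule": "Office app spawns interpreter", "technique": "T1059", "tactic": "execution"},
    {"rule": "Phishing attachment detonated", "technique": "T1566.001", "tactic": "initial-access"},
]
# The article's 15 Enterprise tactics as Navigator-style shortnames (assumed lowercase-hyphen form).
TACTICS = ["reconnaissance", "resource-development", "initial-access", "execution", "persistence",
           "privilege-escalation", "stealth", "defense-impairment", "credential-access", "discovery",
           "lateral-movement", "collection", "command-and-control", "exfiltration", "impact"]
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

def parent_technique(tid):
    """T1003.001 -> T1003; a parent technique maps to itself; anything else is rejected."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid}")
    return tid.split(".")[0]

def coverage(rules):
    """Rules per (technique, tactic) cell; sub-technique rules also count toward the parent cell."""
    counts = Counter()
    for r in rules:
        counts[(r["technique"], r["tactic"])] += 1
        parent = parent_technique(r["technique"])
        if parent != r["technique"]:
            counts[(parent, r["tactic"])] += 1
    return counts

def blind_spots(rules):
    """Tactic columns with no rule at all: the blank columns on the heatmap."""
    covered = {r["tactic"] for r in rules}
    return [t for t in TACTICS if t not in covered]

def navigator_layer(rules, name="SIEM coverage"):
    """Navigator layer dict; score = rule count so the colour gradient shows depth, not just presence."""
    cells = coverage(rules)
    return {"name": name, "domain": "enterprise-attack",
            # version strings are placeholders; match them to your Navigator build
            "versions": {"attack": "19", "navigator": "5.0.0", "layer": "4.5"},
            "techniques": [{"techniqueID": tid, "tactic": tac, "score": n, "comment": f"{n} rule(s)"}
                           for (tid, tac), n in sorted(cells.items())]}

if __name__ == "__main__":
    print(json.dumps(navigator_layer(RULES), indent=2))
    print("blind spots:", ", ".join(blind_spots(RULES)))
```

With the sample rules the layer colours three columns and leaves twelve blank, which is the backlog-reordering picture the paragraph describes.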

Threat intelligence. Describe adversaries by the techniques they use in a shared vocabulary. When a report says T1558.003, every defender immediately knows what behavior that is.

Threat hunting. Pick a technique, form a hypothesis, and search for it in telemetry.

Red and purple teaming. Emulate real adversaries using known techniques and validate detection.

Gap assessment. Identify what you cannot currently see and prioritize detection engineering.


The ATT&CK Navigator and getting started

The ATT&CK Navigator is MITRE's visualization tool for turning the matrix into a heatmap. You mark techniques as covered, partially covered, or missing, and immediately see where detection strength and blind spots sit.

The key mistake is trying to memorize ATT&CK. It only becomes useful when anchored to real activity. Take an alert, map it to a technique, follow its references (groups, mitigations, detections), and repeat. Over time the structure becomes intuitive because it is tied to actual investigations, not theory.


Limitations and common mistakes

Chasing full coverage. Not every technique matters in every environment. Coverage should reflect your threat model, not completeness.

Equating coverage with effectiveness. A detection mapped to a technique does not mean it works well.

Treating ATT&CK as prescriptive. It describes behavior; it does not define your security strategy.

Building maps without action. A colored matrix that does not change detections or hunting priorities has no operational value.