MITRE ATT&CK Framework Reference

The MITRE ATT&CK framework is a globally referenced knowledge base of adversary tactics, techniques, and procedures (TTPs) derived from real-world threat intelligence and maintained by MITRE Corporation as a public resource. This reference describes the framework's structural components, classification logic, operational applications, known limitations, and relationship to regulatory expectations within US cybersecurity practice. Professionals in threat detection, red team operations, security operations centers (SOCs), and compliance functions use ATT&CK as a shared vocabulary for describing and measuring adversary behavior.



Definition and scope

MITRE ATT&CK — Adversarial Tactics, Techniques, and Common Knowledge — is a structured knowledge base cataloging the behaviors that adversaries exhibit across the phases of a cyberattack lifecycle. Published and maintained by MITRE Corporation, a not-for-profit organization that operates federally funded research and development centers (FFRDCs), the framework is freely available under an open license and does not require institutional subscription.

ATT&CK distinguishes itself from vulnerability databases such as the NIST National Vulnerability Database (NVD) by focusing on adversary behavior rather than software weaknesses. Where CVE records document exploitable flaws in code, ATT&CK documents what attackers do: how they gather information and stage infrastructure before an intrusion (the Reconnaissance and Resource Development tactics, folded into the Enterprise matrix in v8), and, once they have a foothold, how they move laterally, escalate privileges, exfiltrate data, and maintain persistence.

The framework spans three primary matrices as of the most recent published version on the ATT&CK website: Enterprise, Mobile, and ICS (industrial control systems).

The framework's scope is bounded by documented, real-world adversary behavior. Theoretical attack paths with no observed precedent are excluded from the knowledge base. MITRE updates ATT&CK on a periodic release cycle, with each version assigned a version number (e.g., ATT&CK v14 published in October 2023) and a changelog describing additions, deprecations, and modifications.

Regulatory bodies including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) reference ATT&CK in published advisories, joint cybersecurity advisories (JCAs), and threat actor profiles, giving the framework implicit standing in federal security guidance even without a formal statutory mandate.


Core mechanics or structure

ATT&CK is organized as a hierarchical taxonomy with four primary levels of abstraction: Tactics, Techniques, Sub-techniques, and Procedures.

Tactics represent the adversary's immediate objective — the "why" of an action. The Enterprise matrix contains 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Each tactic carries its own identifier (TA0001 is Initial Access) and represents a phase in the adversary's operational goal structure, not a step in a linear sequence; a single technique such as Valid Accounts (T1078) is listed under Initial Access, Persistence, Privilege Escalation, and Defense Evasion at once.

Techniques describe the general method used to achieve a tactic. The Enterprise matrix contains more than 190 techniques. Each technique is assigned a unique identifier in the format T[four-digit number] (e.g., T1059 — Command and Scripting Interpreter).

Sub-techniques provide greater granularity beneath techniques, addressing platform-specific or method-specific variants. T1059 contains sub-techniques for PowerShell (T1059.001), Windows Command Shell (T1059.003), Python (T1059.006), and others. Sub-techniques are identified by a decimal extension on the parent technique's ID.

Procedures are the lowest level — concrete, documented instances of a named threat actor or malware family using a specific technique. Procedures link technique entries to threat intelligence reports, enabling analysts to map observed indicators to specific adversary groups tracked in the ATT&CK Groups catalog.

The framework also maintains a Software catalog of malware and tools associated with documented threat actors, each cross-referenced to the techniques it implements. The Groups catalog tracks approximately 140 named threat actor clusters (as documented on attack.mitre.org/groups), each with associated techniques, software, and source intelligence.

ATT&CK Navigator, a companion visualization tool maintained by MITRE, allows practitioners to layer technique coverage, threat actor profiles, and detection gaps onto the matrix grid for gap analysis and red team planning.
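ATT&CK publishes the whole knowledge base as STIX 2.1 bundles, and the hierarchy described above is encoded there as objects and relationships rather than as nested fields. The following Python is an added example (not MITRE's code and not part of the original page) that indexes a constructed, abbreviated bundle and answers the structural questions a practitioner asks: which tactics a technique serves, which sub-techniques roll up to a parent, which techniques a group reaches through its own procedures and through its software, and which groups touch a technique. The object ids are placeholders (real ATT&CK ids are UUID-based) and only the fields the queries need are present; the field names, the `mitre-attack` kill chain and external-reference source, and the `uses` and `subtechnique-of` relationship types follow the published ATT&CK STIX layout.

```python
"""Query a small ATT&CK-shaped STIX 2.1 bundle: tactics, sub-techniques, groups, software.

Constructed example: object ids are placeholders and only the fields needed here exist.
"""
from collections import defaultdict


def _phases(*names):
    return [{"kill_chain_name": "mitre-attack", "phase_name": n} for n in names]


def _ref(external_id):
    return [{"source_name": "mitre-attack", "external_id": external_id}]


BUNDLE = {
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--t1059", "name": "Command and Scripting Interpreter",
         "x_mitre_is_subtechnique": False, "kill_chain_phases": _phases("execution"),
         "external_references": _ref("T1059")},
        {"type": "attack-pattern", "id": "attack-pattern--t1059-001", "name": "PowerShell",
         "x_mitre_is_subtechnique": True, "kill_chain_phases": _phases("execution"),
         "external_references": _ref("T1059.001")},
        # Valid Accounts serves four tactics at once: tactics are labels, not a sequence.
        {"type": "attack-pattern", "id": "attack-pattern--t1078", "name": "Valid Accounts",
         "x_mitre_is_subtechnique": False,
         "kill_chain_phases": _phases("initial-access", "persistence", "privilege-escalation", "defense-evasion"),
         "external_references": _ref("T1078")},
        {"type": "intrusion-set", "id": "intrusion-set--g0016", "name": "APT29",
         "external_references": _ref("G0016")},
        {"type": "tool", "id": "tool--s0154", "name": "Cobalt Strike",
         "external_references": _ref("S0154")},
        # Procedures and the sub-technique tree are relationships, not fields on the technique.
        {"type": "relationship", "id": "relationship--1", "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--t1059-001", "target_ref": "attack-pattern--t1059"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0016", "target_ref": "attack-pattern--t1078"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0016", "target_ref": "tool--s0154"},
        {"type": "relationship", "id": "relationship--4", "relationship_type": "uses",
         "source_ref": "tool--s0154", "target_ref": "attack-pattern--t1059-001"},
    ],
}


def attack_id(obj):
    """ATT&CK external id (T1059, G0016, S0154, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


class AttackIndex:
    """Indexes a bundle so that structural questions become dictionary lookups."""

    def __init__(self, bundle):
        self.by_stix = {o["id"]: o for o in bundle["objects"]}
        self.by_attack = {attack_id(o): o for o in bundle["objects"] if attack_id(o)}
        self.uses = defaultdict(set)   # source stix id -> target stix ids
        self.parent = {}               # sub-technique stix id -> parent technique stix id
        for o in bundle["objects"]:
            if o["type"] != "relationship":
                continue
            if o["relationship_type"] == "uses":
                self.uses[o["source_ref"]].add(o["target_ref"])
            elif o["relationship_type"] == "subtechnique-of":
                self.parent[o["source_ref"]] = o["target_ref"]

    def tactics(self, technique_id):
        obj = self.by_attack[technique_id]
        return sorted(p["phase_name"] for p in obj["kill_chain_phases"]
                      if p["kill_chain_name"] == "mitre-attack")

    def subtechniques(self, technique_id):
        target = self.by_attack[technique_id]["id"]
        return sorted(attack_id(self.by_stix[s]) for s, p in self.parent.items() if p == target)

    def _technique_targets(self, stix_id):
        return {attack_id(self.by_stix[t]) for t in self.uses.get(stix_id, ())
                if self.by_stix[t]["type"] == "attack-pattern"}

    def techniques_used_by(self, group_id, include_software=True):
        """Techniques from the group's own procedures plus, optionally, those of its software."""
        start = self.by_attack[group_id]["id"]
        found = self._technique_targets(start)
        if include_software:
            for t in self.uses.get(start, ()):
                if self.by_stix[t]["type"] in ("malware", "tool"):
                    found |= self._technique_targets(t)
        return sorted(found)

    def groups_using(self, technique_id):
        """Groups whose procedures (direct or via software) touch the technique or a sub-technique."""
        target = self.by_attack[technique_id]["id"]
        matching = {target} | {s for s, p in self.parent.items() if p == target}
        groups = []
        for stix_id, obj in self.by_stix.items():
            if obj["type"] != "intrusion-set":
                continue
            reach = set(self.uses.get(stix_id, ()))
            for t in list(reach):
                if self.by_stix[t]["type"] in ("malware", "tool"):
                    reach |= self.uses.get(t, set())
            if reach & matching:
                groups.append(attack_id(obj))
        return sorted(groups)


if __name__ == "__main__":
    idx = AttackIndex(BUNDLE)
    print("T1078 tactics:", idx.tactics("T1078"))
    print("G0016 techniques incl. software:", idx.techniques_used_by("G0016"))
    print("Groups touching T1059 via sub-techniques:", idx.groups_using("T1059"))
```

The roll-up in groups_using is the point worth noticing: APT29 has no direct procedure for T1059 in this bundle, but it reaches T1059.001 through Cobalt Strike, so a query for the parent technique must follow both the software edge and the sub-technique edge or it will undercount the actors relevant to a detection.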


Causal relationships or drivers

ATT&CK's growth as an industry reference reflects structural pressures within the cybersecurity profession rather than regulatory mandate.

The primary driver is the inadequacy of indicator-based detection at scale. Signature-based defenses — hash values, IP blocklists, domain blacklists — degrade rapidly as adversaries rotate infrastructure. Behavioral detection, organized around tactics and techniques, is more durable because changing behavior requires greater operational cost for the adversary than changing infrastructure. This principle, described by David Bianco's "Pyramid of Pain" model (publicly referenced in threat intelligence literature), positions techniques and tactics as the highest-value detection targets.

A secondary driver is the need for a shared vocabulary across organizational boundaries. Before ATT&CK's widespread adoption, threat intelligence reports used inconsistent terminology to describe identical behaviors. The framework's standardized technique identifiers allow red teams, blue teams, threat intelligence vendors, and government agencies to communicate with precision. CISA joint advisories routinely map adversary activity to ATT&CK technique IDs, which gives cross-sector threat information sharing a common reference point regardless of the handling restrictions (such as Traffic Light Protocol markings) attached to a given report.

A third driver is the expansion of regulatory frameworks that expect behavioral threat modeling. The NIST Cybersecurity Framework (CSF), NIST SP 800-53, and sector-specific requirements such as HIPAA Security Rule (45 CFR Part 164) do not mandate ATT&CK by name, but their requirements for continuous monitoring, threat analysis, and risk assessment create operational demand for structured behavioral frameworks that ATT&CK satisfies.


Classification boundaries

ATT&CK is not a control framework, a compliance checklist, or a vulnerability management standard. Understanding what it classifies — and what falls outside its scope — is essential for correct application.

Within scope:
- Adversary behaviors, before and after access, with documented real-world precedent
- Techniques observable in network telemetry, endpoint logs, and cloud audit trails
- Procedures tied to named threat groups or malware families with published intelligence sourcing

Outside scope:
- Vulnerability records themselves (addressed by CVE/NVD); ATT&CK catalogs the act of scanning for them (T1595 — Active Scanning) but not the flaws found
- Security control requirements (addressed by NIST SP 800-53, ISO/IEC 27001)
- Compliance and control mapping (addressed by separately published mappings from control catalogs to techniques, not by the knowledge base itself)
- Real-time threat intelligence feeds (addressed by platforms consuming STIX/TAXII formats)

ATT&CK also does not classify physical security threats, social engineering that never touches a digital channel, or supply chain integrity failures unless those vectors manifest as documented digital techniques within the matrix (Supply Chain Compromise, T1195, is the documented digital form).

The MITRE D3FEND framework, a companion knowledge graph published by MITRE with NSA funding, maps defensive countermeasures to ATT&CK techniques, filling the control-mapping gap that ATT&CK itself does not address. D3FEND assigns technique identifiers in the format D3-[alphanumeric] and is maintained separately from ATT&CK.


Tradeoffs and tensions

Coverage versus precision: The breadth of the Enterprise matrix — spanning cloud, on-premises, containers, and network devices — creates coverage across diverse environments but reduces the specificity of any individual technique entry. A technique applicable to five platforms may have detection guidance that is actionable only in two. Practitioners must evaluate technique applicability against their specific stack rather than treating matrix entries as universally executable.

Completeness versus recency: ATT&CK's commitment to documented, verified behavior means emerging techniques may lag observed adversary activity by one or more release cycles. The framework reflects historical threat intelligence rather than live adversary innovation. CISA's Known Exploited Vulnerabilities (KEV) Catalog addresses exploitation recency but not behavioral TTPs.

Operationalization burden: Mapping ATT&CK to a SIEM or EDR platform requires sustained analyst effort. As of v14, the Enterprise matrix contained more than 400 techniques and sub-techniques combined; operationalizing detection for even a fraction of them requires detection engineering resources that smaller organizations may not maintain.

Measurement ambiguity: Using ATT&CK coverage percentages as a security maturity metric is contested. High technique coverage in a detection catalog does not equate to effective detection if the underlying logic generates excessive false positives, or if a rule mapped to a parent technique is counted as covering every sub-technique it never sees. The framework enables measurement but does not define thresholds for acceptable coverage, leaving that determination to organizational risk tolerance and to whatever security measurement guidance the organization already follows (NIST SP 800-55, for example).


Common misconceptions

Misconception: ATT&CK is a security framework like NIST CSF or ISO 27001.
Correction: ATT&CK is a knowledge base of adversary behavior, not a prescriptive control or governance framework. It does not specify what security controls an organization must implement. NIST SP 800-53 and ISO/IEC 27001 fulfill that function. ATT&CK informs threat modeling within those frameworks but does not replace them.

Misconception: Full ATT&CK matrix coverage is a security goal.
Correction: The matrix documents more than 400 techniques and sub-techniques across the Enterprise matrix. Pursuing exhaustive detection coverage is not a stated objective of the framework. MITRE's own published guidance emphasizes prioritization based on threat actor relevance to an organization's sector and asset profile.

Misconception: ATT&CK replaces threat intelligence.
Correction: ATT&CK is a taxonomy, not an intelligence feed. It organizes threat behavior categories but does not provide real-time indicators of compromise, actor attribution determinations, or campaign tracking. Intelligence platforms using STIX 2.1 format (standardized by OASIS) and TAXII protocols complement ATT&CK by populating its structure with current threat data.

Misconception: The ICS matrix is a subset of the Enterprise matrix.
Correction: The ICS matrix is a distinct knowledge base with its own tactic structure, technique identifiers, and asset categories reflecting operational technology (OT) environments. Techniques present in the ICS matrix are not duplicates of Enterprise entries — they describe behaviors specific to field devices, engineering workstations, and SCADA systems not represented in the Enterprise matrix.


Checklist or steps (non-advisory)

The following sequence describes the standard operational workflow for applying ATT&CK within a threat-informed defense program, as documented by the Center for Threat-Informed Defense (CTID), a MITRE Engenuity research program:

  1. Define the threat profile — Identify threat actor groups relevant to the organization's sector using the ATT&CK Groups catalog and sector-specific CISA advisories. Filter the matrix to techniques associated with those groups.

  2. Inventory existing detections — Map current SIEM rules, EDR alerts, and IDS signatures to ATT&CK technique IDs. Use ATT&CK Navigator to visualize coverage against the filtered threat profile.

  3. Identify detection gaps — Compare the filtered threat actor technique set against the current detection inventory. Gaps represent techniques used by relevant adversaries for which no detection logic exists.

  4. Prioritize gap remediation — Rank gaps by technique prevalence (frequency of use across tracked threat groups) and asset exposure. MITRE CTID's published Top ATT&CK Techniques methodology provides a ranked list based on documented prevalence and detection difficulty.

  5. Develop or tune detections — Write or import detection logic for priority techniques. Reference the ATT&CK data sources listed within each technique entry (e.g., Windows Event Log IDs, network flow telemetry, API call logs) to identify required data inputs.

  6. Validate with adversary emulation — Execute technique-level tests using adversary emulation tools such as MITRE CALDERA or published atomic tests from the Atomic Red Team library (maintained by Red Canary, publicly available). Confirm alert fidelity and tune false-positive thresholds.

  7. Document and track coverage — Maintain versioned Navigator layers reflecting current detection state. Reassess coverage with each ATT&CK version release and after significant changes to the environment or threat landscape.

  8. Integrate into threat intelligence cycle — Feed new threat intelligence (ISAC reports, CISA advisories, vendor threat reports) back into step 1, repeating the cycle on a defined cadence.
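Steps 2 through 4 and step 7 are mechanical once the threat profile and the detection inventory are expressed as technique ids, and they are where most teams make the measurement mistake flagged under "Tradeoffs and tensions". The following Python is an added example (not CTID's or MITRE's code and not part of the original page) that classifies each profiled technique as fully covered, partially covered (a rule exists only for the parent of a sub-technique) or a gap, ranks the gaps by prevalence across the profiled groups, and writes the result as an ATT&CK Navigator layer. The group ids G9001 to G9003 and their technique sets are constructed placeholders, not the procedure lists published for any real group; the layer fields (`versions`, `domain`, `techniques`, `gradient`) and the version strings are assumed from the Navigator layer format documentation.

```python
"""Gap analysis between a threat profile and a detection inventory, emitted as a Navigator layer.

Constructed example: G9001-G9003 are placeholder groups with illustrative technique sets.
"""
import json
from collections import Counter

THREAT_PROFILE = {   # step 1 output: group -> technique ids drawn from its procedures
    "G9001": {"T1078", "T1059.001", "T1566.001", "T1021.002"},
    "G9002": {"T1059.001", "T1566.001", "T1003.001", "T1021.002"},
    "G9003": {"T1566.001", "T1003.001", "T1047"},
}

DETECTIONS = {       # step 2: rule name -> technique ids the rule is mapped to
    "sigma-powershell-encoded-command": {"T1059.001"},
    "edr-lsass-handle-access": {"T1003.001"},
    "siem-first-admin-logon-from-host": {"T1078"},
    "ids-smb-admin-share-lateral": {"T1021"},   # mapped at the parent level only
}

SCORE = {"gap": 0, "partial": 50, "full": 100}


def parent(technique_id):
    """T1021.002 -> T1021; a parent id is returned unchanged."""
    return technique_id.split(".")[0]


def coverage(threat_profile, detections):
    """Classify each profiled technique as full (rule on the exact id), partial (rule only on
    the parent of a sub-technique) or gap. A parent-level rule is not assumed to see every
    variant, which is the over-counting the coverage-percentage metric invites."""
    mapped = set().union(*detections.values())
    status = {}
    for techniques in threat_profile.values():
        for t in techniques:
            if t in mapped:
                status[t] = "full"
            elif "." in t and parent(t) in mapped:
                status[t] = "partial"
            else:
                status[t] = "gap"
    return status


def prevalence(threat_profile):
    """Number of profiled groups using each technique (the step 4 ranking input)."""
    return Counter(t for techniques in threat_profile.values() for t in techniques)


def prioritized_gaps(threat_profile, detections):
    """Uncovered or partially covered techniques, most prevalent first; a true gap outranks
    partial coverage at equal prevalence, ties broken by id for a stable list."""
    status = coverage(threat_profile, detections)
    prev = prevalence(threat_profile)
    todo = [t for t, s in status.items() if s != "full"]
    return sorted(todo, key=lambda t: (-prev[t], status[t] == "partial", t))


def navigator_layer(threat_profile, detections, name, attack_version="14"):
    """Navigator layer scoring each technique 0/50/100 so gaps render red and full coverage
    green. Field names and version strings are assumed from the Navigator layer format docs."""
    status = coverage(threat_profile, detections)
    prev = prevalence(threat_profile)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "description": "Detection coverage against profiled groups: " + ", ".join(sorted(threat_profile)),
        "techniques": [
            {"techniqueID": t, "score": SCORE[s], "enabled": True,
             "comment": f"{s}; used by {prev[t]} profiled group(s)"}
            for t, s in sorted(status.items())
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
    }


if __name__ == "__main__":
    status = coverage(THREAT_PROFILE, DETECTIONS)
    for t in prioritized_gaps(THREAT_PROFILE, DETECTIONS):
        print(f"{t:<10} {status[t]:<8} groups={prevalence(THREAT_PROFILE)[t]}")
    print(json.dumps(navigator_layer(THREAT_PROFILE, DETECTIONS, "coverage-2024Q1"), indent=2))
```

Saved as JSON, the returned layer loads directly into Navigator; keeping one such file per ATT&CK release and per environment change is the versioned record step 7 asks for. Note that with this inventory the SMB lateral movement rule mapped at T1021 leaves T1021.002 only partially covered, which a naive "technique present in a rule" count would report as covered.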


Reference table or matrix

ATT&CK Component | Identifier Format | Example                                   | Primary Use
Tactic           | TA[XXXX]          | TA0001 — Initial Access                   | Describe adversary objective phase
Technique        | T[XXXX]           | T1190 — Exploit Public-Facing Application | Describe general attack method
Sub-technique    | T[XXXX].[XXX]     | T1059.001 — PowerShell                    | Describe platform/method-specific variant
Group            | G[XXXX]           | G0016 — APT29                             | Track named threat actor clusters
Software         | S[XXXX]           | S0154 — Cobalt Strike                     | Track tools and malware associated with actors
Mitigation       | M[XXXX]           | M1038 — Execution Prevention              | Reference recommended countermeasure categories
Data Source      | DS[XXXX]          | DS0017 — Command                          | Identify telemetry required for detection

Matrix     | Primary Environment        | Distinct Tactics | Technique Count (approx.)
Enterprise | IT systems, cloud, network | 14               | 190+ techniques, 400+ with sub-techniques
Mobile     | iOS, Android               | 14               | 70+ techniques
ICS        | OT, SCADA, field devices   | 12               | 80+ techniques

Regulatory/Guidance Reference       | ATT&CK Relevance                                                  | Source
NIST SP 800-53 Rev 5                | ATT&CK informs threat modeling for control selection              | csrc.nist.gov
CISA Joint Cybersecurity Advisories | ATT&CK technique IDs cited in actor profiles                      | cisa.gov
NIST CSF 2.0                        | ATT&CK supports Detect and Respond function operationalization    | nist.gov/cyberframework
HIPAA Security Rule (45 CFR 164)    | ATT&CK informs technical safeguard threat analysis                | ecfr.gov
NSA/CISA Advisory AA22-110A         | Direct ATT&CK technique mapping published                         | cisa.gov
