MITRE ATT&CK Framework Reference
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally referenced knowledge base of adversary behavior, maintained by MITRE Corporation and used by cybersecurity professionals across government, defense, and commercial sectors. This page covers the framework's structure, classification logic, operational mechanics, known limitations, and relationship to regulatory and compliance environments. It serves as a reference for security practitioners, analysts, and researchers working with threat-informed defense programs, detection engineering, and cybersecurity risk management.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
MITRE ATT&CK is a structured, publicly available knowledge base that catalogs the tactics, techniques, and sub-techniques used by real-world threat actors following initial access to a target environment. Published and maintained by MITRE Corporation, a federally funded research and development center (FFRDC), the framework was first released publicly in 2015 and has since expanded into one of the most widely adopted behavioral threat references in the cybersecurity industry.
The framework's scope is primarily post-compromise: it does not model vulnerability exploitation in isolation, but rather the behaviors attackers exhibit once operating within an environment; the Reconnaissance and Resource Development tactics cover pre-compromise preparation rather than exploitation mechanics. As of ATT&CK version 14, the Enterprise matrix contains 14 tactics, over 200 techniques, and more than 400 sub-techniques documented across Windows, macOS, Linux, cloud platforms, containers, and network infrastructure (MITRE ATT&CK Enterprise Matrix, v14).
ATT&CK exists in three primary domain matrices: Enterprise (covering endpoint, network, cloud, and SaaS environments), Mobile (covering Android and iOS adversary behavior), and ICS (covering industrial control systems — relevant to OT/ICS security programs). Each matrix is independently maintained and versioned, with structured mappings to known threat actor groups and software tools.
The Cybersecurity and Infrastructure Security Agency (CISA) formally references ATT&CK in its advisories, threat assessments, and detection guidance. The NIST National Cybersecurity Center of Excellence (NCCoE) has published practice guides that use ATT&CK mappings to validate detection coverage against specific threat scenarios.
Core mechanics or structure
ATT&CK organizes adversary behavior into a hierarchical taxonomy with four primary layers: Tactics, Techniques, Sub-techniques, and Procedures.
Tactics represent the adversary's tactical objective — the "why" of a given action. The 14 Enterprise tactics span the adversary lifecycle from pre-compromise preparation through impact: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
Techniques represent the "how" — a specific method used to accomplish a tactic. For example, within the Credential Access tactic, technique T1003 (OS Credential Dumping) describes the extraction of credentials from operating system memory or files.
Sub-techniques add specificity beneath techniques. T1003 contains sub-techniques including T1003.001 (LSASS Memory), T1003.002 (Security Account Manager), and T1003.003 (NTDS), each describing a distinct mechanism tied to specific tooling and detection logic.
Procedures are the real-world, actor-specific implementations of a technique as observed in documented intrusions. A procedure entry identifies which threat actor group or software tool used a technique and in what documented context.
Each technique entry contains structured metadata: detection recommendations, mitigation references, associated threat actor groups, related software tools, and references to original source reporting. This structure enables security teams to cross-reference ATT&CK entries with threat intelligence feeds and map observed behaviors to known adversary profiles.
The ATT&CK Navigator, an open-source tool provided by MITRE, allows organizations to visualize and annotate the matrix — coloring cells to indicate detection coverage, detection gaps, or prioritization decisions within a security operations center (SOC).
Causal relationships or drivers
ATT&CK emerged from a specific analytical need: the inability of existing security frameworks to describe adversary behavior at a level of fidelity sufficient for detection engineering. The Lockheed Martin Cyber Kill Chain, published in 2011, provided a high-level phase model but lacked the granularity needed to write specific detection rules or identify technique-level coverage gaps.
MITRE developed ATT&CK internally from analysis of the Advanced Persistent Threat (APT) group landscape, initially focused on Windows enterprise environments. The framework's adoption accelerated after its public release in 2015 because it addressed a direct operational gap: security teams needed a shared vocabulary to describe, compare, and detect adversary behaviors across heterogeneous environments.
Four structural drivers sustain ATT&CK's role in the security sector:
- Detection gap analysis — By mapping a defensive tool set against the full technique matrix, teams can identify which techniques lack detection coverage and prioritize engineering effort accordingly.
- Red team and purple team planning — Penetration testing and red team/blue team exercises use ATT&CK to scope adversary simulation and align offensive and defensive teams on a shared behavioral language.
- Regulatory and compliance alignment — Frameworks including NIST SP 800-53, CMMC, and the NIST Cybersecurity Framework reference threat-informed defense practices that ATT&CK operationalizes. CISA's Binding Operational Directives and Known Exploited Vulnerabilities catalog are increasingly cross-referenced with ATT&CK technique IDs.
- Threat intelligence operationalization — ATT&CK provides a normalized taxonomy that allows analysts to compare threat actor TTPs (Tactics, Techniques, and Procedures) across different intelligence reports using consistent identifiers rather than vendor-specific naming conventions.
Classification boundaries
ATT&CK technique classification follows documented, empirically observed adversary behavior — entries are not theoretical. MITRE's inclusion criteria require that a technique be observed in real intrusions and documented in credible threat reporting before it enters the knowledge base. This evidence requirement distinguishes ATT&CK from speculative threat models.
Key classification distinctions:
- Technique vs. Vulnerability: ATT&CK catalogues behaviors, not vulnerabilities. A CVE describes a software flaw; an ATT&CK technique describes what an attacker does after exploiting it. These are distinct classification systems tracked separately by NIST's National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) program.
- Enterprise vs. ICS: The ICS matrix covers operational technology environments with distinct tactics — Inhibit Response Function and Impair Process Control — that have no direct equivalent in Enterprise, plus an ICS-specific Impact tactic. ICS techniques reflect physical process disruption, not just IT-layer compromise.
- Group vs. Software: ATT&CK maintains separate catalogs for threat actor groups (e.g., APT29, Lazarus Group, Sandworm Team) and software (e.g., Cobalt Strike, Mimikatz, Empire). A group entry documents which techniques a threat actor cluster has been observed using; a software entry documents what techniques a specific tool enables. These are linked but not conflated.
- Sub-technique vs. Technique: Not all techniques have sub-techniques. Where sub-techniques exist, defenders are expected to prioritize at the sub-technique level for detection rule specificity.
Tradeoffs and tensions
ATT&CK's breadth is both its primary strength and a source of operational friction.
Coverage completeness vs. prioritization burden: The Enterprise matrix contains more than 400 sub-techniques across 14 tactics. No organization has comprehensive detection coverage across the full matrix. Security teams must make triage decisions — but ATT&CK itself provides no built-in prioritization weighting. External resources such as the MITRE ATT&CK Evaluations program and the Center for Threat-Informed Defense's ATT&CK mappings assist with prioritization, but the framework itself remains intentionally neutral.
Framework currency vs. operational stability: MITRE releases major ATT&CK versions multiple times per year. Technique IDs are deprecated, split, or merged between versions. Detection rules and compliance mappings built against one version may require revision after an update cycle, creating maintenance overhead in SIEM platforms and detection libraries.
Empirical grounding vs. emerging technique lag: Because ATT&CK requires documented real-world observation for inclusion, novel techniques used in unreported intrusions may not appear in the framework for months or years after initial deployment by adversaries. This creates a structural lag between adversary capability and framework coverage.
Vendor normalization vs. analyst interpretation: Different EDR, SIEM, and threat intelligence vendors map their telemetry to ATT&CK at varying levels of granularity and accuracy. A "T1055 – Process Injection" alert from one platform may represent a different detection fidelity than the same label from another, creating comparison challenges in multi-vendor environments.
Common misconceptions
Misconception: ATT&CK is a compliance framework.
ATT&CK is a behavioral knowledge base, not a compliance standard. No regulatory body mandates ATT&CK adoption as a standalone requirement. Frameworks such as NIST SP 800-53 and CMMC reference threat-informed defense practices, and ATT&CK is commonly used to operationalize those practices — but it carries no standalone regulatory authority.
Misconception: Full ATT&CK coverage is achievable or required.
MITRE itself does not recommend attempting full technique coverage. The Center for Threat-Informed Defense, a MITRE-affiliated research organization, has published top-ATT&CK-technique lists to help organizations prioritize the highest-frequency techniques observed across threat actor groups — acknowledging that comprehensive coverage is not operationally realistic.
Misconception: ATT&CK replaces the Cyber Kill Chain.
The Lockheed Martin Cyber Kill Chain and ATT&CK are complementary, not substitutes. The Kill Chain describes attack phases at a campaign level; ATT&CK describes specific behaviors at the technique level within those phases. Organizations using both frameworks map Kill Chain phases to ATT&CK tactic categories to maintain both strategic and tactical visibility.
Misconception: ATT&CK technique IDs are stable across versions.
Technique IDs are persistent in format but their content, scope, and sub-technique structure change across major releases. T1086 (PowerShell) was renumbered to T1059.001 when the sub-technique model was introduced in ATT&CK v7. Detection rules referencing deprecated IDs require validation after each major version release.
Misconception: ATT&CK covers initial exploitation.
The Enterprise matrix's Reconnaissance and Resource Development tactics cover pre-compromise planning activities, but ATT&CK does not catalog vulnerability-specific exploitation mechanics. Those belong to vulnerability management and CVE classification systems.
Checklist or steps (non-advisory)
The following sequence describes the standard operational workflow for implementing ATT&CK-based detection coverage assessment within an enterprise security program. Steps are presented in practitioner sequence, not as a directive.
- Identify applicable ATT&CK domain matrix — Determine whether the environment scope maps to Enterprise, ICS, or Mobile, noting that hybrid OT/IT environments may require both Enterprise and ICS matrices.
- Establish threat profile baseline — Identify the threat actor groups relevant to the organization's sector using ATT&CK's Groups catalog and associated CISA Advisories or sector-specific ISACs.
- Extract priority technique list — From each relevant threat actor group entry, compile the set of techniques and sub-techniques documented as used by that group.
- Map current detection controls — Inventory existing SIEM rules, EDR alert logic, and network monitoring capabilities against the priority technique list using ATT&CK Navigator or equivalent tooling.
- Identify coverage gaps — Document techniques in the priority list with no corresponding detection logic or with low-confidence detections.
- Prioritize gap remediation — Rank gaps by technique frequency, actor association, and available telemetry sources. Reference MITRE ATT&CK Evaluations results for detection benchmark comparisons.
- Develop or tune detection rules — Author detection logic at the sub-technique level where possible, using data source specifications listed in each ATT&CK technique entry.
- Validate detection against adversary emulation — Test detection rules using adversary emulation tools or structured red team/blue team exercises that execute techniques from the priority list.
- Document coverage state and version — Record the ATT&CK version used for the assessment, coverage percentages by tactic, and outstanding gaps for remediation tracking.
- Schedule reassessment cadence — Align coverage review cycles with MITRE's major ATT&CK release schedule to capture technique additions, deprecations, and sub-technique restructuring.
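The steps above (compile a priority list from Group entries, map rules to it, record gaps, export for Navigator), together with the sub-technique roll-up and the T1086 to T1059.001 renumbering discussed earlier, as an added example that is not MITRE's code or tooling: all technique lists and rule names are constructed sample data, and the Navigator layer field names are assumed from the layer 4.5 format.

```python
# Detection coverage assessment over a priority technique list (constructed sample data).
from collections import defaultdict
# Constructed subset of Enterprise technique -> tactic (real IDs, partial list).
TACTIC_OF = {
    "T1059.001": "Execution", "T1003.001": "Credential Access",
    "T1003.002": "Credential Access", "T1055": "Defense Evasion",
    "T1021.002": "Lateral Movement", "T1048": "Exfiltration",
}
# IDs renumbered between versions; T1086 -> T1059.001 is the case cited in the text.
RENAMED = {"T1086": "T1059.001"}

def normalize(tid):
    """Trim and uppercase a vendor label, then map a deprecated ID to its current one."""
    tid = tid.strip().upper()
    return RENAMED.get(tid, tid)

def assess(priority, detections):
    """priority: IDs compiled from the relevant Group entries (checklist step 3).
    detections: rule name -> technique ID the rule claims to cover (step 4).
    Returns tactic -> {covered, partial, gaps} (steps 5-6); a sub-technique with
    only a parent-level rule is 'partial' (low-confidence), not covered."""
    claimed = {normalize(t) for t in detections.values()}
    report = defaultdict(lambda: {"covered": [], "partial": [], "gaps": []})
    for raw in priority:
        tid = normalize(raw)
        if tid in claimed:
            bucket = "covered"
        elif "." in tid and tid.split(".")[0] in claimed:
            bucket = "partial"
        else:
            bucket = "gaps"
        report[TACTIC_OF.get(tid, "Unknown")][bucket].append(tid)
    return dict(report)

def navigator_layer(report, attack_version="14"):
    """Build an ATT&CK Navigator layer dict (layer format 4.5 assumed) for loading
    and coloring in Navigator; score 2/1/0 = covered/partial/gap."""
    score = {"covered": 2, "partial": 1, "gaps": 0}
    techs = [{"techniqueID": tid, "score": score[b], "comment": b}
             for groups in report.values() for b, ids in groups.items() for tid in ids]
    return {"name": "coverage", "domain": "enterprise-attack",
            "versions": {"attack": attack_version, "navigator": "4.9", "layer": "4.5"},
            "techniques": techs}

def run_sample():
    """Constructed inputs: one group's technique list and a small rule inventory."""
    priority = ["T1086", "T1003.001", "T1003.002", "T1055", "T1021.002", "T1048"]
    detections = {"ps_scriptblock": "T1059.001", "lsass_handle": "T1003.001",
                  "inject_generic": " t1055 ", "smb_admin_share": "T1021"}
    return assess(priority, detections)
```

Recording the `attack_version` in the exported layer is what makes step 9 possible: a later run against a newer matrix can be diffed against this one after re-normalizing any renumbered IDs.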
Reference table or matrix
The following table summarizes the 14 Enterprise ATT&CK tactics, their adversary objective, and the number of techniques documented as of ATT&CK version 14 (MITRE ATT&CK Enterprise Matrix, v14).
| Tactic ID | Tactic Name | Adversary Objective | Technique Count (v14) |
|---|---|---|---|
| TA0043 | Reconnaissance | Gather information to plan future operations | 10 |
| TA0042 | Resource Development | Establish resources to support operations | 8 |
| TA0001 | Initial Access | Gain a foothold in the target environment | 10 |
| TA0002 | Execution | Run adversary-controlled code | 14 |
| TA0003 | Persistence | Maintain access across restarts or credential changes | 20 |
| TA0004 | Privilege Escalation | Gain higher-level permissions | 14 |
| TA0005 | Defense Evasion | Avoid detection and security controls | 43 |
| TA0006 | Credential Access | Steal account names and passwords | 17 |
| TA0007 | Discovery | Map the environment and enumerate targets | 32 |
| TA0008 | Lateral Movement | Move through the environment | 9 |
| TA0009 | Collection | Gather data of interest to adversary goals | 17 |
| TA0011 | Command and Control | Communicate with compromised systems | 17 |
| TA0010 | Exfiltration | Steal data from the environment | 9 |
| TA0040 | Impact | Disrupt, destroy, or manipulate data and systems | 14 |
ATT&CK Domain Matrix Comparison
| Matrix | Primary Environment | Unique Tactics Not Shared with Enterprise | Primary Regulatory Context |
|---|---|---|---|
| Enterprise | Windows, macOS, Linux, Cloud, SaaS, Network | None (Enterprise is the reference base) | NIST SP 800-53, CMMC, FedRAMP |
| ICS | Industrial Control Systems, OT | Inhibit Response Function, Impair Process Control | NERC CIP, IEC 62443, CISA ICS-CERT |
| Mobile | Android, iOS | Network Effects, Remote Service Effects | NIST SP 800-124, DoD Mobile Classified Program |
References
- MITRE ATT&CK Knowledge Base — Primary source for all tactic, technique, sub-technique, group, and software entries
- MITRE ATT&CK Enterprise Matrix, Version 14 — Tactic and technique counts cited in the reference table
- MITRE Corporation — ATT&CK Design and Philosophy — Framework design rationale and inclusion criteria
- Center for Threat-Informed Defense — ATT&CK-based research on technique prioritization and adversary emulation
- [CISA — ATT&