Glossary

MITRE ATT&CK Framework

A globally accessible, curated knowledge base of adversary tactics and techniques based on real-world observations, used as a common language for describing and categorizing cyber threats.

What Is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive framework that catalogs the tactics, techniques, and procedures (TTPs) used by real-world adversaries. It provides a common language for describing attacker behavior and is used worldwide by defenders, vendors, and researchers.

ATT&CK Matrix Structure

The framework is organized into:

  • Tactics: The adversary's objective (the "why") — 14 tactics from Initial Access to Impact
  • Techniques: How the objective is achieved (the "what") — ~200 techniques
  • Sub-techniques: Specific variations of techniques — ~400 sub-techniques
  • Procedures: Specific implementations by threat groups

The 14 Tactics

| # | Tactic | Objective |
|---|---|---|
| 1 | Reconnaissance | Gather information about the target |
| 2 | Resource Development | Establish resources for the attack |
| 3 | Initial Access | Get into the network |
| 4 | Execution | Run malicious code |
| 5 | Persistence | Maintain access |
| 6 | Privilege Escalation | Gain higher permissions |
| 7 | Defense Evasion | Avoid detection |
| 8 | Credential Access | Steal credentials |
| 9 | Discovery | Learn about the environment |
| 10 | Lateral Movement | Move through the network |
| 11 | Collection | Gather target data |
| 12 | Command and Control | Communicate with compromised systems |
| 13 | Exfiltration | Steal data |
| 14 | Impact | Disrupt, destroy, or manipulate |

How Organizations Use ATT&CK

  • Detection engineering: Map detection rules to specific techniques to identify coverage gaps
  • Threat intelligence: Describe adversary behavior using a common taxonomy
  • Red teaming: Plan exercises that emulate specific threat group TTPs
  • Vendor evaluation: Compare security products based on ATT&CK technique coverage (e.g., MITRE Engenuity evaluations)
  • SOC maturity: Measure detection coverage across the ATT&CK matrix
  • Incident response: Classify observed attacker behavior during investigations
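As an added illustration of the detection-engineering and SOC-maturity uses listed above (example code written for this entry, not from the page or from MITRE): given detection rules tagged with ATT&CK technique IDs, compute coverage per tactic and list the tactics with no detection at all. The technique-to-tactic subset and the rule names are constructed for the example; the technique IDs are real ATT&CK IDs, but a production tool would load the full mapping from MITRE's published STIX data rather than hard-code it.

```python
from collections import defaultdict
# The 14 Enterprise tactics, in matrix order.
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
           "Discovery", "Lateral Movement", "Collection", "Command and Control",
           "Exfiltration", "Impact"]

# Constructed subset of the technique -> tactic mapping (real IDs; load the full set from MITRE's STIX data).
TECHNIQUE_TACTICS = {
    "T1595": ["Reconnaissance"],           # Active Scanning
    "T1583": ["Resource Development"],     # Acquire Infrastructure
    "T1566": ["Initial Access"],           # Phishing
    "T1059": ["Execution"],                # Command and Scripting Interpreter
    "T1053": ["Execution", "Persistence", "Privilege Escalation"],  # Scheduled Task/Job
    "T1027": ["Defense Evasion"],          # Obfuscated Files or Information
    "T1003": ["Credential Access"],        # OS Credential Dumping
    "T1082": ["Discovery"],                # System Information Discovery
    "T1021": ["Lateral Movement"],         # Remote Services
    "T1005": ["Collection"],               # Data from Local System
    "T1071": ["Command and Control"],      # Application Layer Protocol
    "T1041": ["Exfiltration"],             # Exfiltration Over C2 Channel
    "T1486": ["Impact"],                   # Data Encrypted for Impact
}

# Constructed detection rules, each tagged with the technique IDs it detects.
RULES = {
    "powershell_encoded_command": ["T1059", "T1027"],
    "lsass_memory_access": ["T1003"],
    "scheduled_task_created": ["T1053"],
    "mass_rename_ransom_extension": ["T1486"],
    "rdp_logon_from_workstation": ["T1021"],
}

def coverage_by_tactic(rules, technique_tactics, tactics=TACTICS):
    """Map each tactic to (techniques with a rule, techniques in the mapping)."""
    total, covered = defaultdict(set), defaultdict(set)
    for tech, tacs in technique_tactics.items():
        for t in tacs:
            total[t].add(tech)
    for techs in rules.values():
        for tech in techs:
            if tech not in technique_tactics:   # catch stale or mistyped tags
                raise ValueError(f"rule references unknown technique {tech}")
            for t in technique_tactics[tech]:   # a technique may serve several tactics
                covered[t].add(tech)
    return {t: (sorted(covered[t]), sorted(total[t])) for t in tactics}

def coverage_gaps(rules, technique_tactics, tactics=TACTICS):
    """Tactics for which no rule maps to any technique: the gaps to fill first."""
    cov = coverage_by_tactic(rules, technique_tactics, tactics)
    return [t for t in tactics if not cov[t][0]]
```

With the constructed rule set, seven of the fourteen tactics have no detection at all, which is the kind of result a coverage review turns into a prioritised engineering backlog.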

ATT&CK Matrices

MITRE maintains separate matrices for different environments:

  • Enterprise: Windows, macOS, Linux, Cloud, Network, Containers
  • Mobile: Android, iOS
  • ICS: Industrial Control Systems
