What is MITRE ATT&CK? Definition & Explanation
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Maintained by the non-profit MITRE Corporation, it serves as the de facto common language for describing how attackers operate across all stages of an intrusion.
In-Depth Explanation
ATT&CK organizes adversary behavior into tactics (the "why") and techniques (the "how"). The Enterprise matrix has 14 tactics: Reconnaissance and Resource Development (pre-compromise tactics absorbed from the former PRE-ATT&CK matrix), then Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Hundreds of techniques sit under those tactics (e.g., T1566 Phishing, T1003 OS Credential Dumping), and sub-techniques add granularity (T1059.001 PowerShell is a sub-technique of T1059 Command and Scripting Interpreter). A technique can belong to more than one tactic: T1078 Valid Accounts appears under Initial Access, Persistence, Privilege Escalation, and Defense Evasion. Each technique entry also lists procedure examples (how named groups and malware families have used it), mitigations, detections, and the data sources needed to observe it. There are three matrices: Enterprise (Windows, macOS, Linux, cloud services and identity providers, network devices, containers), Mobile (Android and iOS), and ICS (industrial control systems). ATT&CK is used across the industry for detection engineering (ATT&CK Navigator renders coverage as a color-coded layer over the matrix), threat intelligence reporting (vendor and government reports routinely map observed activity to technique IDs), red-team planning and adversary emulation, purple-team exercises, SOC maturity assessment, and product evaluations (the annual MITRE ATT&CK Evaluations, run by MITRE Engenuity, test EDR vendors against emulated adversary campaigns). Companion frameworks include D3FEND (a knowledge graph of defensive countermeasures mapped to the offensive techniques they counter) and MITRE Engage (adversary engagement and deception).
Why It Matters for Security
ATT&CK gives defenders, vendors, threat intelligence analysts, and red teams one vocabulary for attacker behavior, and that shared vocabulary is what makes the rest possible: data-driven gap analysis (which techniques do my detections cover, and which relevant ones do they miss?), threat-informed defense (prioritize the techniques that the groups targeting your sector actually use, as recorded in their ATT&CK group profiles), and product evaluation (the MITRE ATT&CK Evaluations publish step-by-step detection results for each vendor against the same emulated campaign; they deliberately do not rank vendors or produce a single score, so read the per-step results rather than vendor summaries of them). Two caveats a practitioner should keep in mind: a technique marked "covered" by one rule is rarely fully covered, since most techniques have many procedures and a single rule usually catches a few of them; and a coverage heatmap says nothing about whether the underlying telemetry is actually being collected and retained. Most mature SOCs organize detection coverage, hunting hypotheses, and red-team scenarios around ATT&CK.
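The two paragraphs above describe the tactic/technique/sub-technique hierarchy and the gap analysis built on it. The script below is an added example (not MITRE's tooling, and not code from the original page) of that analysis: it maps Sigma-style technique tags from a set of detection rules onto a hand-typed slice of the Enterprise matrix, reports covered versus total techniques per tactic, and emits an ATT&CK Navigator layer. The technique IDs and names are real ATT&CK entries; the slice itself, the rule names, and the rule tags are constructed for the example. The Navigator layer field names and the version numbers in the `versions` block are assumptions about the Navigator 4.x layer format and should be checked against the Navigator instance you load the layer into.

```python
"""ATT&CK gap analysis: map detection-rule technique tags onto a slice of the
Enterprise matrix, report coverage per tactic, and emit a Navigator layer.

Added example, not MITRE tooling. The technique slice uses real ATT&CK IDs and
names but is hand-typed and tiny; the Sigma-style rules are constructed.
"""
import json
import re
from collections import defaultdict

# Constructed slice of ATT&CK Enterprise: technique id -> (name, tactics).
# A real run loads the enterprise-attack STIX bundle (mitreattack-python or
# attackcti) instead of this dict; the IDs below are genuine, the set is not.
ATTACK = {
    "T1566":     ("Phishing",                          ["initial-access"]),
    "T1566.001": ("Spearphishing Attachment",          ["initial-access"]),
    "T1059":     ("Command and Scripting Interpreter", ["execution"]),
    "T1059.001": ("PowerShell",                        ["execution"]),
    "T1059.003": ("Windows Command Shell",             ["execution"]),
    "T1003":     ("OS Credential Dumping",             ["credential-access"]),
    "T1003.001": ("LSASS Memory",                      ["credential-access"]),
    "T1021":     ("Remote Services",                   ["lateral-movement"]),
    "T1021.001": ("Remote Desktop Protocol",           ["lateral-movement"]),
    "T1078":     ("Valid Accounts", ["initial-access", "persistence",
                                     "privilege-escalation", "defense-evasion"]),
}

# Constructed detection rules, tagged the way Sigma does it: attack.<tactic>
# plus attack.t<id>. Rule names are hypothetical.
RULES = {
    "ps_encoded_command":  ["attack.execution", "attack.t1059.001"],
    "lsass_handle_access": ["attack.credential_access", "attack.t1003.001"],
    "rdp_logon_type_10":   ["attack.lateral_movement", "attack.t1021.001"],
    "office_spawns_shell": ["attack.execution", "attack.t1059.003",
                            "attack.t1566.001"],
}

TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_ids(tags):
    """Technique IDs in a rule's tags, normalised to ATT&CK's upper-case form."""
    return {m.group(1).upper() for t in tags if (m := TECH_TAG.match(t))}


def rules_per_technique(rules, attack=ATTACK):
    """technique id -> set of rule names that claim it.

    Design choice: a sub-technique hit also counts toward its parent, so a
    PowerShell rule shows T1059 as partially covered. Unknown IDs are an
    error; silently skipping a mistyped tag is how gaps hide in coverage maps.
    """
    hits = defaultdict(set)
    for name, tags in rules.items():
        for tid in technique_ids(tags):
            if tid not in attack:
                raise ValueError(f"{name}: unknown technique {tid}")
            hits[tid].add(name)
            parent = tid.split(".")[0]
            if parent != tid:
                hits[parent].add(name)
    return dict(hits)


def coverage_by_tactic(hits, attack=ATTACK):
    """tactic -> (techniques with at least one rule, techniques in tactic).

    A technique is counted once per tactic it belongs to, so multi-tactic
    techniques such as T1078 show up as a gap in every tactic they sit in.
    """
    total, covered = defaultdict(set), defaultdict(set)
    for tid, (_, tactics) in attack.items():
        for tactic in tactics:
            total[tactic].add(tid)
            if tid in hits:
                covered[tactic].add(tid)
    return {t: (len(covered[t]), len(total[t])) for t in total}


def navigator_layer(hits, name="detection-coverage"):
    """ATT&CK Navigator layer: score = rule count, comment = the rule names.

    Assumption: field names of the Navigator 4.x layer format ("techniqueID",
    "score", "comment"); set the versions block to match your Navigator.
    """
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": len(names),
             "comment": ", ".join(sorted(names))}
            for tid, names in sorted(hits.items())
        ],
    }


if __name__ == "__main__":
    hits = rules_per_technique(RULES)
    for tactic, (n_cov, n_tot) in sorted(coverage_by_tactic(hits).items()):
        print(f"{tactic:<22} {n_cov}/{n_tot}")
    print(json.dumps(navigator_layer(hits), indent=2))
```

With the constructed rules, execution reports 3/3 and initial-access 2/3, while defense-evasion, persistence and privilege-escalation report 0/1: nothing detects T1078 Valid Accounts, and because that technique sits in four tactics the gap shows up four times. Writing the layer to a file and opening it in Navigator gives the heatmap the page refers to; the "score" is a rule count, not a measure of how much of the technique's procedures the rules actually catch, which is the caveat noted above.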
Related Tools
- Group-IB Threat Intel
Threat intelligence with dark web monitoring, attack attribution and AI-powered fraud detection.
- CloudSEK
AI-powered digital risk monitoring tracking brand impersonation, data leaks, and attack surface exposure across surface, deep, and dark web.
- CrowdStrike Falcon X
AI-driven threat analysis integrated into Falcon platform with automated IOC scoring and adversary attribution.
Frequently Asked Questions
What does MITRE ATT&CK mean in cybersecurity?
MITRE ATT&CK in cybersecurity is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on observations of real-world attacks — providing the de facto common language used across detection engineering, threat intelligence, red teaming, and security product evaluations.
Why is MITRE ATT&CK important?
MITRE ATT&CK matters because it gives defenders, vendors, threat hunters, and red teams a shared vocabulary for describing attacker behavior. It enables data-driven gap analysis, threat-informed defense, and side-by-side product evaluation through the MITRE ATT&CK Evaluations, which publish each EDR/XDR vendor's detection results against the same emulated adversary campaign without ranking the vendors.