What Is MITRE ATT&CK and How to Use It: Tactics, Techniques and Applying It to Defense

Quick answer: MITRE ATT&CK is a free, open knowledge base that systematically lists the tactics and techniques used by real world cyber adversaries observed in the wild. The name is short for Adversarial Tactics, Techniques and Common Knowledge. The idea is simple but powerful: it collects, in a matrix, the steps attackers follow when breaking into a target (tactics) and exactly how they carry out those steps (techniques), so defenders can see attacks not as an abstract threat but as concrete, recognizable behaviors. ATT&CK is not a security product or a standard, it is a common language. A red team planning an attack, a blue team building a defense, threat intelligence describing an adversary and a SOC analyzing an incident all use the same framework. This common language lets an organization see the gaps in its defense, measure which attack techniques it can detect and which it misses, and prioritize its defense according to real threats. This is called threat informed defense.

MITRE ATT&CK is one of the most frequently cited frameworks in cyber security, for a good reason: it translates the attack into a language the defender can understand. At DSET we use ATT&CK as a core reference in our penetration testing, red teaming and threat intelligence work. We covered AI red teaming in AI red teaming methodology and the difference between red and purple teams in red team, vulnerability assessment and purple team difference. This article addresses the common backbone of that work, MITRE ATT&CK.

What exactly is MITRE ATT&CK

ATT&CK is a continuously updated knowledge base developed by the nonprofit organization MITRE. Its most important feature is that it is observation based, not theoretical: it documents behaviors seen in real attacks. So every technique in ATT&CK is there because it was observed being used by a real adversary at least once.

This knowledge base is visualized as a matrix. The columns of the matrix show tactics (the attacker's goals), and the cells under each column show the techniques used to reach that goal. When an organization looks at this matrix, it sees all the paths an attacker could follow on a single map.

Structure: tactics, techniques, sub-techniques and procedures

ATT&CK's power is in its layered structure. Understanding these layers is the key to using the framework correctly.

  • Tactic. The attacker's goal at a stage, that is why they do something. For example gaining initial access, establishing persistence or exfiltrating data are tactics. A tactic represents a stage of the attack.
  • Technique. How the attacker reaches that goal. For example phishing is a technique for the initial access tactic. There can be many techniques under one tactic.
  • Sub-technique. A more specific form of a technique. For example under the phishing technique, sending a malicious attachment or sending a malicious link are sub-techniques.
  • Procedure. Exactly how a specific adversary or malware implements that technique, that is its concrete real world example.

This structure lets the defender see both the big picture (tactics) and the fine detail (procedures) in the same framework.

The tactics in the enterprise matrix

ATT&CK's Enterprise matrix consists of a set of tactics that cover the typical lifecycle of an attack from start to finish. The order usually works like this.

Tactic The attacker's goal
Reconnaissance Gather information about the target
Resource Development Prepare the attack infrastructure
Initial Access Get into the network for the first time
Execution Run malicious code
Persistence Make access continuous
Privilege Escalation Gain higher privilege
Defense Evasion Avoid being detected
Credential Access Steal passwords and credentials
Discovery Map the internal network
Lateral Movement Spread to other systems
Collection Gather valuable data
Command and Control Remotely manage the compromised system
Exfiltration Take the data out
Impact Cause damage, encrypt, disrupt

When an organization assesses which detection and prevention controls it has against each of these tactics, it sees clearly where its defense is strong and where it is blind.

Why it is so valuable: common language and gap analysis

ATT&CK's real value is that it makes the different parts of security teams speak the same language. A threat intelligence analyst describing an adversary, a SOC analyst classifying an alert and a red team member planning an attack all use the same technique identifiers. This common language removes ambiguity in communication.

The second big value is gap analysis. When an organization maps its own detection and defense capabilities onto the ATT&CK matrix, it visually sees which techniques it is prepared for and which it completely misses. This lets it prioritize security investment not by feeling but according to a real coverage map. Blind spots are closed before an attacker finds them. We covered the general of external attack surface and visibility in external attack surface and OSINT.

How to use it: threat informed defense

There are a few concrete ways to use ATT&CK in practice.

  • Detection coverage mapping. Mark on the matrix which ATT&CK techniques your current security tools (SIEM, EDR) can detect. So you see which techniques are in a blind spot.
  • Red and purple teaming. You plan a red team exercise with specific ATT&CK techniques, the blue team tries to detect them, and the results are measured on the matrix. This is testing the defense against real threats. We covered the red team process in red team and purple team difference.
  • Threat intelligence mapping. You mark on ATT&CK the techniques used by known adversary groups targeting your sector, and prioritize your defense according to these concrete threats.
  • Incident response. When an incident occurs, labeling the techniques the attacker used with ATT&CK standardizes understanding and reporting the scope of the incident. We covered the incident response process in cyber incident response, IR playbook, NIST 800-61.

The common name for these approaches is threat informed defense: building the defense not on assumptions but on real adversary behaviors.

The difference between ATT&CK and the Cyber Kill Chain

ATT&CK is often confused with an older model, the Cyber Kill Chain. Both describe the stages of an attack, but at different levels. The Kill Chain divides an attack into seven high level, linear stages and offers a general overview. ATT&CK is far more detailed: it lists hundreds of concrete techniques the attacker can use at each stage and does not impose a linear order, because real attacks rarely proceed in a straight line. In practice the Kill Chain is used to explain the big picture and ATT&CK for real defense and detection work. The two do not conflict, they describe the same phenomenon at different resolutions.

Related frameworks: D3FEND and ATLAS

MITRE has also developed complementary frameworks around ATT&CK. D3FEND is ATT&CK's counterpart on the defense side: it systematically lists which defensive measures can be taken against attack techniques. ATLAS is the version of ATT&CK adapted for attacks on AI systems, that is it covers tactics and techniques targeting machine learning models. We covered attacks on AI systems and ATLAS in AI data poisoning and model security. Together these frameworks offer a common language for both a traditional and an AI focused security program.

How an organization applies ATT&CK

For an organization that wants to adopt ATT&CK, a practical roadmap is as follows. First, determine which techniques the threats targeting your sector and size use, investing in the whole matrix at once is not realistic. Then, map your current detection and prevention controls against these techniques and see the most critical gaps. Next, prioritize the detection rules and measures that will close the highest risk gaps. Finally, actually test your defense against these techniques with a red team or a penetration test and feed the results back into the matrix. This cycle is not one time but a continuous maturing process.

Adversary groups and software

ATT&CK documents not only techniques but also the real adversary groups and malware that use these techniques. For every known adversary group, which techniques that group has used in the past is recorded in ATT&CK. This gives an organization a very practical power: you can look at the techniques of a group known to target your sector and prioritize your defense precisely against that group.

This mapping turns threat intelligence into concrete defense. When you read in the news that an adversary group has attacked a sector, you open that group's ATT&CK profile, see which techniques it uses, and then check your own detection capabilities against those techniques. So an abstract threat news item turns into a concrete defense roadmap. We covered the general of threat intelligence and external visibility in external attack surface and OSINT.

ATT&CK Navigator and detection engineering

There are open tools that make using ATT&CK easier in practice. The most common of these is the ATT&CK Navigator, a free tool that opens the matrix as a visual layer and lets you mark on it. An organization sees its defensive coverage at a glance by marking the techniques it can detect green and its blind spots red on the Navigator. The same visual is also the clearest way to explain the security posture to management.

This is the foundation of the discipline called detection engineering. A detection engineer takes ATT&CK techniques one by one and assesses whether they can write a detection rule for each on the SIEM or EDR. The goal is to expand the matrix's coverage over time, that is to make more and more techniques detectable. At DSET our KAOS engine also labels the relevant ATT&CK technique for every attack it finds, so findings are reported not as abstract but as recognizable behaviors.

Common mistakes

ATT&CK is a powerful framework but its value drops when used incorrectly. The most common mistakes are these. First, trying to close the whole matrix at once: the matrix contains hundreds of techniques and investing in all of them at once is neither realistic nor efficient, you should first focus on the techniques that target you most. Second, treating ATT&CK like a compliance checkbox: the goal is not how many techniques you mark on the matrix but measuring and improving your defense against real threats. Third, mapping once and leaving it: attacker techniques and your environment constantly change, the ATT&CK mapping should be a living document. When these mistakes are avoided, ATT&CK truly transforms an organization's defense.

Frequently Asked Questions

Is MITRE ATT&CK a standard or a tool? Neither. ATT&CK is an open and free knowledge base that documents real adversary behaviors. It imposes no obligation, it offers a common language and reference framework.

Can a small company use ATT&CK? Yes. You do not need to apply the whole matrix. A small organization can start by focusing on the few techniques that target it most and prioritizing its defense according to those techniques.

Are ATT&CK and OWASP the same thing? No. OWASP focuses more on web and application security vulnerabilities, while ATT&CK covers the tactics and techniques an attacker uses end to end. They are complementary, looking at security from different angles.

How do I connect ATT&CK to defense? You find your blind spots by mapping your current detection capabilities onto the matrix, test those spots with red and purple team exercises, and close them by prioritizing the highest risk gaps.

Sources

To map your organization's defense to the MITRE ATT&CK framework, test the gaps with a red team and prioritize them, contact DSET.