MITRE ATT&CK Framework Reference
The MITRE ATT&CK framework is a globally accessible, curated knowledge base of adversary tactics, techniques, and procedures (TTPs) derived from real-world cyber intrusion observations. Maintained by MITRE Corporation under federally funded research, it serves as a structured reference for threat intelligence analysts, red and blue teams, security operations centers, and tool vendors seeking a common language for describing attacker behavior. This page covers the framework's scope, internal architecture, classification logic, operational tradeoffs, and how it integrates with federal regulatory and standards frameworks including those published by NIST and CISA.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
- References
Definition and Scope
MITRE ATT&CK — Adversarial Tactics, Techniques, and Common Knowledge — is a living, versioned knowledge base that catalogues how threat actors operate after gaining initial access to a target environment. The framework is produced by MITRE Corporation, a federally funded research and development center (FFRDC), and is publicly available at no cost through the ATT&CK website.
The knowledge base is organized into three primary matrices: Enterprise (covering Windows, macOS, Linux, cloud, containers, and network infrastructure), Mobile (Android and iOS), and ICS (Industrial Control Systems). As of ATT&CK v14, the Enterprise matrix contains 14 tactic categories and more than 600 techniques and sub-techniques (MITRE ATT&CK v14 release notes).
The framework's explicit scope is post-compromise adversary behavior — what attackers do once they have established a foothold. It does not model vulnerability exploitation at the code level (that is addressed by CVE and NVD), nor does it specify defensive countermeasures in prescriptive form. Its function is descriptive and taxonomic: a structured vocabulary for characterizing observed attacker actions against a consistent reference model.
CISA formally incorporates ATT&CK terminology in its Joint Cyber Defense Collaborative (JCDC) advisories, and NIST SP 800-53 Rev. 5 references ATT&CK as a supplemental resource for threat modeling exercises. The framework's adoption across federal, critical infrastructure, and commercial security programs makes it a de facto standard for TTP-level threat communication in the United States, even absent a statutory mandate requiring its use.
Core Mechanics or Structure
The ATT&CK framework is structured around a three-level hierarchy: Tactics → Techniques → Sub-Techniques.
Tactics represent the adversary's immediate objective — the "why" behind an action. The 14 Enterprise tactics, in campaign-lifecycle order, are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
Techniques represent the "how" — specific methods used to accomplish a tactic. Each technique is assigned a unique identifier in the format TXXXX (e.g., T1059 for Command and Scripting Interpreter). As of v14, the Enterprise matrix lists more than 200 parent techniques.
Sub-techniques break techniques into more granular variants, identified as TXXXX.YYY (e.g., T1059.001 for PowerShell under the scripting interpreter technique). Sub-techniques were introduced in ATT&CK v7 to resolve over-broad technique definitions that had been conflating meaningfully distinct attacker behaviors.
Each technique entry contains structured metadata fields:
- Tactic mapping (one technique may map to multiple tactics)
- Procedure examples (specific observed uses by named threat actor groups)
- Mitigations (cross-referenced to ATT&CK's mitigation catalog, labeled MXXXX)
- Detections (data sources and analytic approaches)
- Group and software references (linking named APT groups and malware families)
ATT&CK also maintains a Groups catalog (named threat actors, labeled GXXXX) and a Software catalog (malware and tooling, labeled SXXXX), which connect observed TTPs to specific tracked adversaries. For example, the group APT29 (also known as Cozy Bear) is documented with more than 30 technique associations in the Enterprise matrix, enabling defenders to build detection hypotheses based on known behavioral patterns.
The MITRE ATT&CK Navigator, a free browser-based tool, allows analysts to visualize technique coverage across a matrix, annotate heatmaps for detection gaps, and export coverage layers for reporting.
Causal Relationships or Drivers
ATT&CK emerged from MITRE's internal Threat Intelligence Platform work around 2013, initially applied to the MITRE internal network as an emulation target for red team exercises. The central problem it addressed was the absence of a shared, structured vocabulary for describing attacker behavior — analysts at different organizations used inconsistent terminology for identical actions, degrading the quality of threat intelligence sharing.
Three structural forces drove the framework's expansion into its current form:
1. Intelligence sharing fragmentation. Prior to a common TTP taxonomy, threat reports described attacker behavior in narrative prose with no cross-reference capability. ATT&CK introduced stable identifiers that allow an indicator in one ISAC report to be compared directly against a technique observed in a government advisory.
2. Defensive coverage measurement demand. Security operations teams needed a way to quantify what proportion of known adversary techniques their detection stack could identify. ATT&CK's matrix format made coverage visualization tractable — a capability that neither CVSS scoring nor firewall rule counts could provide.
3. Federal alignment with threat-informed defense. CISA's Cybersecurity Performance Goals (CPGs), published in 2022, explicitly reference ATT&CK-mapped behaviors as a basis for prioritizing defensive investments across critical infrastructure sectors. NIST's SP 800-53 Rev. 5 control mappings to ATT&CK techniques, published jointly by MITRE and NIST, further embedded the framework into federal risk management processes.
The ICS matrix, added to address operational technology environments, was driven by incidents including the 2015 and 2016 Ukraine power grid attacks, which exposed a gap in applying enterprise-focused TTP models to SCADA and industrial control system environments.
Classification Boundaries
Understanding what ATT&CK classifies — and what it explicitly excludes — prevents misapplication in both operational and compliance contexts.
Within ATT&CK scope:
- Adversary behaviors occurring post-initial-access through mission completion
- Network-resident activity by external threat actors
- Insider threat behaviors that mirror external attacker TTPs
- Malware behavior mapped to technique execution
Outside ATT&CK scope:
- Vulnerability details and CVSS scoring (covered by NVD and CVE)
- Defensive tool specifications or prescriptive security architecture
- Incident response procedures and playbook structure (addressed by frameworks such as NIST SP 800-61)
- Compliance control requirements (addressed by NIST SP 800-53, ISO/IEC 27001, and sector-specific mandates)
- Criminal or legal classification of attacker activity (that function belongs to statutes such as the Computer Fraud and Abuse Act, 18 U.S.C. § 1030)
ATT&CK is also explicitly not a threat feed. It does not report real-time indicators of compromise (IOCs) such as IP addresses, file hashes, or domain names. That function belongs to platforms like STIX/TAXII-formatted threat intelligence feeds and ISAC data-sharing mechanisms.
The boundary between ATT&CK Enterprise and ATT&CK ICS is operationally significant. ICS-specific tactics — such as Inhibit Response Function and Impair Process Control — have no direct equivalent in the Enterprise matrix, reflecting the distinct safety-critical consequences of attacks on operational technology environments. Organizations operating both IT and OT environments must maintain separate ATT&CK coverage assessments for each domain.
Tradeoffs and Tensions
Coverage completeness versus operational noise. ATT&CK's comprehensiveness — 600-plus techniques — can paralyze detection engineering teams attempting to achieve full matrix coverage. The framework itself does not assign risk-weighted priority scores by default, requiring organizations to layer in threat intelligence (e.g., which techniques are used by adversaries targeting their specific sector) to build rational prioritization. The MITRE ATT&CK for ICS Security Maturity Model and Center for Threat-Informed Defense resources partially address this, but the baseline matrix remains flat.
Descriptive accuracy versus defensive utility. ATT&CK documents what adversaries do, not what defenders should build. Analysts who treat ATT&CK technique coverage as a compliance checklist — "we detect T1059.001, therefore PowerShell abuse is mitigated" — conflate detection existence with detection effectiveness. A detection rule that fires on one sub-technique variant may miss 14 others within the same parent technique.
Attribution tension. The Groups catalog links TTPs to named threat actors. Attribution in threat intelligence is probabilistic and contested; the same technique cluster may be shared by multiple unrelated groups. Overreliance on group-to-technique mappings for defensive prioritization can create false confidence or misallocated detection resources.
Version fragmentation. MITRE releases new ATT&CK versions on an approximately biannual cycle. Technique IDs are occasionally deprecated, renamed, or split into sub-techniques across versions. Security tools, detection rules, and compliance mappings that reference specific technique IDs must be version-pinned or actively maintained — a non-trivial operational burden for large detection libraries.
ICS-IT integration gaps. The Enterprise and ICS matrices remain structurally separate documents with inconsistent tactic naming conventions. Organizations with converged IT/OT environments report friction mapping cross-domain attack chains that traverse both matrices.
Common Misconceptions
Misconception: ATT&CK is a compliance framework.
ATT&CK carries no regulatory mandate. No US statute or federal rule requires organizations to demonstrate ATT&CK coverage. Its use is referenced in CISA CPGs and NIST guidance as a resource, not a requirement. Equating ATT&CK coverage scores with regulatory compliance conflates a descriptive taxonomy with a prescriptive control standard.
Misconception: ATT&CK covers all known attack techniques.
ATT&CK represents observed and documented techniques — those that have been identified in real incidents and published in credible threat intelligence reporting. Novel zero-day techniques, unpublished nation-state capabilities, and emerging attack vectors targeting newly deployed technologies are, by design, absent until documented. The framework is retrospective, not exhaustive.
Misconception: Detecting a technique means it is mitigated.
Detection and prevention are distinct control objectives. ATT&CK's detection guidance describes data sources and analytic approaches to identify technique execution; it does not guarantee prevention. A SOC that detects T1003 (OS Credential Dumping) after the fact has not mitigated the credential theft — it has observed it. Prevention requires separate controls mapped to ATT&CK's mitigation catalog.
Misconception: Full matrix coverage is achievable or desirable.
A 100% ATT&CK coverage target is not operationally realistic for any organization. The framework documents adversary behaviors across all platforms, all sectors, and all threat actor profiles. An industrial manufacturer's relevant threat surface intersects a fraction of the full Enterprise matrix. Threat-informed scoping — selecting techniques relevant to the organization's threat profile — is the operationally sound approach endorsed by CISA's CPG documentation.
Misconception: ATT&CK replaces threat intelligence.
ATT&CK structures and categorizes threat intelligence; it does not generate it. Enriching ATT&CK technique mappings with current threat actor activity, sector-specific campaigns, and IOC feeds requires separate intelligence sources such as ISAC feeds, CISA advisories, and commercial threat intelligence platforms.
Checklist or Steps
The following sequence describes the standard operational phases for implementing an ATT&CK-based detection coverage assessment within a security operations program. This is a process reference, not a prescriptive methodology.
Phase 1: Scope Definition
- Identify the applicable ATT&CK matrix or matrices (Enterprise, Mobile, ICS) based on the organization's technology stack
- Determine the relevant platform sub-matrices within Enterprise (Windows, Linux, macOS, Cloud, Containers, Network)
- Select an ATT&CK version and document it as the baseline for the assessment cycle
Phase 2: Threat Profile Construction
- Identify threat actor groups relevant to the organization's sector using the ATT&CK Groups catalog
- Extract the technique sets associated with those groups
- Cross-reference with CISA Known Exploited Vulnerabilities (KEV catalog) for technique-to-vulnerability linkage
Phase 3: Current-State Detection Inventory
- Enumerate existing detection rules and analytics across SIEM, EDR, NDR, and cloud-native tooling
- Map each existing detection to the corresponding ATT&CK technique or sub-technique ID
- Document platform coverage (which operating systems and environments each detection applies to)
Phase 4: Gap Analysis
- Compare the threat-profile technique set against current detection inventory
- Identify techniques present in the threat profile with no existing detection coverage
- Identify detections mapped to low-priority techniques not present in the relevant threat profile
Phase 5: Prioritized Coverage Development
- Rank uncovered high-priority techniques by estimated detection difficulty and operational impact
- Develop or source detection content (SIGMA rules, vendor-specific analytics) for priority gaps
- Validate new detections through adversary emulation or tabletop exercises using MITRE CALDERA or comparable emulation platforms
Phase 6: Documentation and Iteration
- Export the coverage map using ATT&CK Navigator layers for reporting and stakeholder communication
- Establish a review cadence aligned with ATT&CK version release cycles (approximately biannual)
- Update threat profiles as CISA and ISAC advisories introduce newly observed techniques
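The identifier grammar from the Core Mechanics section and Phases 3 to 6 above, worked through as an added Python example (not MITRE's code or any tool named on this page): it validates TXXXX / TXXXX.YYY identifiers, runs the gap analysis against a constructed threat profile and detection inventory, and emits a minimal Navigator layer. The layer field names (`techniqueID`, `score`, `domain`) follow the ATT&CK Navigator layer JSON format; the version strings, rule names and sample technique sets are assumptions.

```python
import json
import re

# Grammar from this page: TXXXX technique, TXXXX.YYY sub-technique; M/G/S share the 4-digit form.
ATTACK_ID = re.compile(r"^(?P<kind>[TMGS])(?P<num>\d{4})(?:\.(?P<sub>\d{3}))?$")

def parse_attack_id(raw):
    """Return (kind, parent_id, full_id); raise ValueError on a malformed ID."""
    m = ATTACK_ID.match(raw.strip().upper())
    if not m or (m["sub"] and m["kind"] != "T"):
        raise ValueError(f"not an ATT&CK identifier: {raw!r}")
    parent = m["kind"] + m["num"]
    return m["kind"], parent, f"{parent}.{m['sub']}" if m["sub"] else parent

def coverage_status(profile, detections):
    """Phase 4 gap analysis. profile: IDs tied to the relevant groups; detections:
    {rule: ID it fires on}. A rule on one sub-technique makes its parent only
    'partial' (its sibling sub-techniques stay undetected), never 'covered'."""
    wanted = {parse_attack_id(t)[2] for t in profile}
    detected = {parse_attack_id(t)[2] for t in detections.values()}
    status = {}
    for tid in wanted:
        if tid in detected:
            status[tid] = "covered"
        elif any(d.startswith(tid + ".") for d in detected):
            status[tid] = "partial"
        else:
            status[tid] = "uncovered"
    off_profile = sorted(d for d in detected
                         if d not in wanted and d.split(".")[0] not in wanted)
    return status, off_profile

def navigator_layer(name, status, attack_version="14"):
    """Phase 6 export: minimal ATT&CK Navigator layer (version strings are placeholders)."""
    score = {"covered": 100, "partial": 50, "uncovered": 0}
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": tid, "score": score[s], "comment": s}
                       for tid, s in sorted(status.items())],
    }

if __name__ == "__main__":
    # Constructed sample inputs; the rule names are invented, the IDs illustrative.
    profile = ["T1059.001", "T1059.003", "T1003", "T1021", "T1566.001"]
    rules = {"ps_scriptblock": "T1059.001", "lsass_handle": "T1003.001",
             "rdp_lateral": "T1021.001", "kerberoast": "T1558.003"}
    status, extra = coverage_status(profile, rules)
    print(json.dumps(navigator_layer("coverage-v14", status), indent=1), extra)
```

Loading the printed JSON into Navigator colours the profile by score, so the `partial` parents stand out as the exact gap the tradeoffs section warns about.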
Reference Table or Matrix
ATT&CK Matrix Comparison: Enterprise vs. Mobile vs. ICS
| Attribute | Enterprise | Mobile | ICS |
|---|---|---|---|
| Primary environment | IT networks, cloud, endpoints | Android, iOS devices | Industrial control systems, SCADA, OT |
| Tactic count (v14) | 14 | 14 | 12 |
| Technique count (approx.) | 600+ techniques/sub-techniques | 100+ techniques/sub-techniques | 80+ techniques |
| Sub-technique support | Yes | Yes | Limited |
| Key unique tactics | Exfiltration, Lateral Movement | Network-Based Effects, Device Access | Inhibit Response Function, Impair Process Control |
| Relevant sector | All IT-dependent organizations | Enterprise mobility, BYOD environments | Energy, manufacturing, water, transportation |
| CISA CPG alignment | Direct | Partial | Direct (OT-specific CPGs) |
| NIST SP 800-53 mapping available | Yes (CTID mapping) | Partial | In development |
ATT&CK Identifier Types
| Identifier Format | Type | Example | Description |
|---|---|---|---|
| TXXXX | Technique | T1 | Unique identifier for a parent technique |