MITRE ATT&CK: A Complete Guide
Shanika Wickramasinghe
Key Takeaways
- Standardize threat analysis: The MITRE ATT&CK framework is a comprehensive, community-driven knowledge base of real-world adversary tactics, techniques, and procedures (TTPs) that standardizes how organizations describe, detect, and analyze cyberattacks.
- Enhance security operations: Integrating MITRE ATT&CK into security operations improves threat hunting, incident response, and overall cybersecurity posture by helping teams understand attacker behavior, refine detection logic, and proactively address vulnerabilities.
- Validate and strengthen defenses: Mapping security solutions to the MITRE ATT&CK matrix allows organizations to validate detections, assess data-source coverage, simulate adversary behaviors, and continuously identify and address gaps in their defenses.
A few years ago, many security teams focused primarily on alerts, signatures, and known malware. If a tool blocked a file or flagged an IP address, that was often considered sufficient. However, attackers do not operate in isolated indicators; they follow patterns. They move through environments with clear objectives, adapting their methods as they go.
This has pushed organizations to think differently. Instead of asking, “Is this file malicious?”, they are now asking, “What is the attacker trying to achieve?” MITRE ATT&CK grew out of that need. It provides defenders with a robust framework to study intrusion behavior and respond based on how attacks actually develop.
What is MITRE ATT&CK?
Developed by the MITRE Corporation, ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base used across the cybersecurity industry, especially security operations centers (SOCs). It documents how adversaries act during real-world attacks, allowing you to study behavior observed in active production environments.
ATT&CK illustrates how adversaries interact with systems throughout an intrusion lifecycle. Rather than centering on malware names, it explains the tactics, techniques and procedures (TTPs) attackers pursue and the specific methods used to achieve them. The model organizes this information into well-defined concepts:
ATT&CK is divided into technology domains, representing the type of environment an adversary is targeting:
- Enterprise: Covers corporate networks, servers, endpoints, and cloud infrastructure.
- Mobile: Focuses on smartphones and mobile operating systems.
- ICS: Addresses industrial control systems used in manufacturing, energy, and critical infrastructure.
Who developed and maintains MITRE ATT&CK?
MITRE began building ATT&CK in 2013 as part of an internal research project, FMX, to improve post-compromise detection using endpoint telemetry and behavioral analytics. Much of the early research targeted Windows enterprise networks where advanced persistent threats were active.
As research progressed, the team identified significant gaps in existing detection approaches:
- Indicator-based methods (IP addresses, file hashes, registry keys) only captured a single point in time.
- Traditional lifecycle models (e.g., Cyber Kill Chain, Diamond Model of Intrusion Analysis) were often too high-level to map directly to defensive analytics.
- Lack of a shared taxonomy made consistent behavioral tracking difficult.
MITRE released ATT&CK publicly in May 2015 and continues to maintain and expand it across enterprise, mobile, and industrial control system environments.
MITRE ATT&CK framework and use cases
How to use MITRE ATT&CK
Organizations use ATT&CK in several practical ways, depending on their role and maturity.
Detection and analytics
Using ATT&CK for detection means building analytics around documented adversary techniques. You are not looking for random anomalies. You are detecting specific behaviors that attackers use to achieve objectives inside a system.
Telemetry and querying
Detection engineering begins with centralized, searchable telemetry. To identify techniques like process execution, credential access, or lateral movement, you must ensure relevant logs are ingested into your SIEM. Once your data is centralized, translate ATT&CK techniques into actionable queries.
Many teams accelerate this process by leveraging existing, ATT&CK-aligned analytics from repositories like MITRE's Cyber Analytics Repository (CAR), running that logic against their own environment and tuning out false positives.
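The following is an added example, not code from the article or from MITRE, of what "translating ATT&CK techniques into actionable queries" looks like once process-creation telemetry is centralized. Each rule is data mapped to a technique ID (T1059.001, T1135 and T1059.003 are real ATT&CK IDs; the rule logic and field names are my assumptions), and the events are constructed samples in a Sysmon-like shape, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    technique_id: str    # ATT&CK (sub-)technique the analytic is mapped to
    technique_name: str
    description: str     # the behaviour being detected, not an indicator
    match: Callable[[Event], bool]


def image_name(event: Event) -> str:
    """Lower-cased file name of the executed image, tolerating either slash style."""
    return event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Hypothetical rule set: each entry is one ATT&CK-aligned analytic
RULES: List[Rule] = [
    Rule("T1059.001", "Command and Scripting Interpreter: PowerShell",
         "PowerShell started with an encoded command argument",
         lambda e: image_name(e) == "powershell.exe"
         and re.search(r"(?i)(^|\s)-e(nc|ncodedcommand)?(\s|$)", e["cmdline"]) is not None),
    Rule("T1135", "Network Share Discovery",
         "net.exe used to enumerate hosts or shares",
         lambda e: image_name(e) in {"net.exe", "net1.exe"}
         and re.search(r"(?i)\bnet1?\s+(view|share)\b", e["cmdline"]) is not None),
    Rule("T1059.003", "Command and Scripting Interpreter: Windows Command Shell",
         "cmd.exe spawned by an Office application",
         lambda e: image_name(e) == "cmd.exe" and e["parent"].lower() in OFFICE_PARENTS),
]


def detect(events: List[Event]) -> List[dict]:
    """Run every rule over every event; one hit per (event, rule) pair that matches."""
    hits = []
    for event in events:
        for rule in RULES:
            if rule.match(event):
                hits.append({
                    "host": event["host"], "user": event["user"],
                    "technique_id": rule.technique_id, "technique": rule.technique_name,
                    "why": rule.description, "cmdline": event["cmdline"],
                })
    return hits


def techniques_observed(hits: List[dict]) -> List[str]:
    """Distinct technique IDs in first-seen order, ready to place on the matrix."""
    return list(dict.fromkeys(h["technique_id"] for h in hits))


# Constructed sample events (hypothetical hosts, users and command lines)
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand BASE64PLACEHOLDER"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "srv02", "user": "svc_backup", "parent": "services.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net view \\\\fileserver"},
    {"host": "ws03", "user": "bob", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["technique_id"]:<10} {hit["host"]:<6} {hit["why"]}')
    print("techniques observed:", techniques_observed(detect(SAMPLE_EVENTS)))
```

The point of keeping rules as data with a technique ID attached is that the output of `detect` can be counted, mapped onto the matrix, and compared with threat reports without touching the rule logic.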
Custom engineering and testing
For more advanced coverage, move into custom detection engineering. Select a specific technique and execute it in a controlled environment, using tools like Atomic Red Team, to identify the exact artifacts it produces. These artifacts then serve as the foundation for your detection logic.
Finally, validate your work by testing detections against realistic attack scenarios. If a red team bypasses your logic, use those findings to refine your analytics, repeating the cycle until your detections remain effective against variations in attacker behavior.
Threat intelligence
Threat intelligence is the practice of studying adversaries to understand how they operate, what they target, and how they gain access.
ATT&CK gives you a way to organize that knowledge so it can directly support defensive decisions.
Focus on relevant threats
Identify threat groups targeting your industry. Study their attributed techniques and how those behaviors manifest in your environment.
If a group uses a specific registry run key to stay persistent, do not stop at that exact key name. The key itself can change in the next intrusion.
Look at what the attacker is trying to achieve. In this case, they want their code to execute automatically after a reboot. There are several ways to make that happen in Windows: an attacker could create a different run key, add a shortcut to the Startup folder, or register a scheduled task.
When you concentrate on the objective, “automatic execution at startup”, you can design monitoring that detects unexpected startup entries in general, and that approach is far more durable.
Map intelligence to ATT&CK
Mapping intelligence builds discipline and deepens technical understanding. By translating incident reports or research into ATT&CK tactics and techniques, you move beyond isolated indicators to classify activity based on adversary objectives and methods. This practice creates a valuable, long-term dataset of behavior specific to your environment.
Use recurring techniques to set priorities
Mapping multiple reports, cases, and feeds reveals recurring patterns, as many adversaries rely on common techniques like credential dumping, PowerShell abuse, or remote service creation.
These repetitions highlight the techniques most prevalent in actual intrusions. By visualizing these on the ATT&CK Navigator and comparing them against your current coverage, you can identify critical gaps. When a frequently reported technique lacks corresponding detection, it highlights a specific area where your monitoring visibility requires improvement.
Adversary emulation and Red Teaming
ATT&CK provides a common language for red teams to emulate specific threats and plan operations. Rather than running generic penetration tests, you design exercises that mirror actual adversary behavior, allowing you to measure defensive performance against the threats that matter most to your organization.
Start small and test individual techniques
You do not need a large red team to begin. Start by testing a single technique, such as network share discovery, using tools like Atomic Red Team. Execute a controlled test to mimic the behavior and verify whether your monitoring captures it. If no alert triggers, investigate the cause—whether it stems from incomplete logging or overly narrow detection logic—to gain measurable improvements in visibility.
Check red team activity with real threats
For established red teams, ATT&CK helps ground exercises in reality. By mapping your commands, scripts, and tools to specific techniques, you can compare them against those used by adversaries targeting your industry. This process prevents reliance on familiar toolkits and ensures engagements accurately reflect real-world adversary behavior.
Build threat-based emulation plans
At an advanced stage, design full emulation plans based on threat intelligence. Extract techniques from reports on specific threat groups and organize them into an operational flow for step-by-step execution. Post-exercise reviews of detected and missed activity guide defensive improvements, creating a continuous cycle that tests your environment against realistic adversary behavior.
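The "start small" test in the previous section and the post-exercise review of detected and missed activity here both come down to the same reconciliation: for each technique test you executed, did an alert for that technique fire on that host within a reasonable window? The following is an added example, not code from the article or from Atomic Red Team, of that reconciliation over constructed test and alert records; the five-minute window and the reason strings are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class TechniqueTest:
    technique_id: str
    host: str
    started: datetime  # when the controlled test was executed


@dataclass(frozen=True)
class Alert:
    technique_id: str  # technique the alert's analytic is mapped to
    host: str
    fired: datetime


def reconcile(tests: List[TechniqueTest], alerts: List[Alert],
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Mark each executed test detected or missed, with a hint about where to look next."""
    results = []
    for test in tests:
        same_technique = [a for a in alerts if a.technique_id == test.technique_id]
        matched = [a for a in same_technique
                   if a.host == test.host and test.started <= a.fired <= test.started + window]
        if matched:
            delay = min(a.fired for a in matched) - test.started
            status, note = "detected", f"alert after {int(delay.total_seconds())}s"
        elif same_technique:
            # The analytic works somewhere: suspect host attribution or timing, not logic
            status, note = "missed", "alert exists for this technique but on another host or outside the window"
        else:
            # Nothing at all: check that the telemetry is collected before touching the logic
            status, note = "missed", "no alert: verify logging first, then the detection logic"
        results.append({"technique_id": test.technique_id, "host": test.host,
                        "status": status, "note": note})
    return results


def coverage(results: List[dict]) -> float:
    """Fraction of executed tests that were detected, rounded to two places."""
    if not results:
        return 0.0
    return round(sum(r["status"] == "detected" for r in results) / len(results), 2)


# Constructed exercise log: four technique tests on two hosts (hypothetical)
T0 = datetime(2024, 7, 1, 10, 0)
EXECUTED = [
    TechniqueTest("T1135", "ws01", T0),
    TechniqueTest("T1003.001", "ws01", T0 + timedelta(minutes=5)),
    TechniqueTest("T1547.001", "ws02", T0 + timedelta(minutes=10)),
    TechniqueTest("T1021.002", "ws02", T0 + timedelta(minutes=15)),
]

# Constructed alerts pulled from the SIEM for the same period
ALERTS = [
    Alert("T1135", "ws01", T0 + timedelta(seconds=40)),
    Alert("T1547.001", "ws02", T0 + timedelta(minutes=11, seconds=30)),
    Alert("T1021.002", "ws03", T0 + timedelta(minutes=16)),   # wrong host
    Alert("T1003.001", "ws01", T0 + timedelta(hours=1)),      # far outside the window
]

if __name__ == "__main__":
    outcome = reconcile(EXECUTED, ALERTS)
    for r in outcome:
        print(f'{r["status"]:<9} {r["technique_id"]:<10} {r["host"]:<5} {r["note"]}')
    print("coverage:", coverage(outcome))
```

Separating "no alert at all" from "alert on the wrong host or too late" matters because the fixes differ: the first is usually a logging gap, the second is usually a correlation or time-stamping problem.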
Assessment and engineering
Use ATT&CK to assess your organization’s capabilities, evaluate current defensive performance, and determine necessary technical improvements.
Measure one technique
Avoid starting with a full matrix heatmap. Begin with a single technique and determine if your environment can detect it. Review your existing alerts and analytics to see if they map to that technique. If they do not, verify that you are collecting the right data.
Many gaps stem from missing logs rather than flawed detection logic, so enabling the necessary logging can provide an immediate improvement in visibility.
Expand coverage
Once you understand this process, widen your scope to evaluate multiple techniques across different tactics. Move beyond binary yes-or-no assessments to gauge detection confidence, noting that some techniques may only be visible under specific conditions.
Simultaneously, evaluate your security tools to determine where they operate, what data they monitor, and whether they rely on static indicators or behavioral metrics. Mapping these tools to ATT&CK reveals where coverage overlaps and where critical blind spots persist.
Turn findings into engineering decisions
Assessment is the foundation for improvement. After identifying high-priority gaps, take action by enabling logging, building new analytics, updating configurations, or deploying new security controls.
Ultimately, ATT&CK serves as a reference point for your defensive capabilities, helping you track what you can detect, what you can prevent, and where you should prioritize future investment.
How to use the MITRE ATT&CK matrix
The ATT&CK matrix serves as a visual map of adversary behavior, organizing real-world attack patterns into a framework that allows defenders to systematically understand and improve their security posture.
To use the matrix effectively, you must understand its three core components: tactics, techniques, and sub-techniques.
Tactics: what the attacker is trying to achieve
A tactic represents the attacker’s objective during a specific phase of an intrusion. For example, under Defense Evasion, the objective is to avoid detection, while under Credential Access, the goal is to obtain usernames, passwords, or authentication tokens.
Techniques: how the objective is carried out
Techniques describe the methods an attacker uses to achieve a tactic. If the tactic is the goal, the technique is the execution method. For instance, within the Reconnaissance phase, the objective is to gather information, which can be accomplished through techniques such as active scanning or vulnerability scanning.
Sub-techniques: variations of a method
Some techniques are broad and require breakdown into specific variations. Phishing, for example, can manifest as spear phishing via attachments, links, or services. While the objective remains constant, sub-techniques allow defenders to understand and address these delivery variations in greater detail.
Putting the matrix to work
At its core, the matrix shows tactics across the top and techniques beneath each tactic.
For example, in the Enterprise matrix, tactics such as Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Lateral Movement, and Impact are displayed as columns, each listing the methods attackers commonly use to accomplish that goal.
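The tactic/technique/sub-technique structure described above is exactly what MITRE's published STIX bundle encodes, so building the matrix from it is a good way to see the three layers concretely. The following is an added example, not code from the article or MITRE's own tooling, that builds the columns from a constructed miniature bundle. The object types and field names (`x-mitre-tactic`, `x-mitre-matrix` with `tactic_refs`, `attack-pattern` with `kill_chain_phases`, `external_references`, `x_mitre_is_subtechnique`, `revoked`, `x_mitre_deprecated`) are the ones used in the real ATT&CK STIX data as far as I know them; the bundle contents, object IDs and the revoked/deprecated status on T1064 are constructed for the example.

```python
from typing import Dict, List


def technique_id(obj: dict) -> str:
    """The ATT&CK ID lives in the external reference whose source_name is 'mitre-attack'."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError(f"no ATT&CK id on {obj.get('id')}")


def is_active(obj: dict) -> bool:
    """Revoked and deprecated objects stay in the bundle; a matrix must leave them out."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def build_matrix(bundle: dict) -> List[dict]:
    """Return one column per tactic, each holding its techniques and their sub-techniques."""
    objects = bundle["objects"]
    tactics = [o for o in objects if o["type"] == "x-mitre-tactic" and is_active(o)]
    order = next((m["tactic_refs"] for m in objects if m["type"] == "x-mitre-matrix"), None)
    if order:  # the matrix object, not the bundle order, defines the column order
        by_id = {t["id"]: t for t in tactics}
        tactics = [by_id[ref] for ref in order if ref in by_id]

    patterns = [o for o in objects if o["type"] == "attack-pattern" and is_active(o)]
    parents = {technique_id(o): o for o in patterns if not o.get("x_mitre_is_subtechnique", False)}
    subs: Dict[str, List[dict]] = {}
    for o in patterns:
        if o.get("x_mitre_is_subtechnique", False):
            tid = technique_id(o)
            subs.setdefault(tid.split(".")[0], []).append({"id": tid, "name": o["name"]})

    columns = []
    for tactic in tactics:
        shortname = tactic["x_mitre_shortname"]
        techniques = []
        for tid, o in sorted(parents.items()):
            phases = {p["phase_name"] for p in o.get("kill_chain_phases", [])
                      if p["kill_chain_name"] == "mitre-attack"}
            if shortname in phases:  # a technique can sit under several tactics
                techniques.append({"id": tid, "name": o["name"],
                                   "subtechniques": sorted(subs.get(tid, []), key=lambda s: s["id"])})
        columns.append({"tactic": tactic["name"], "shortname": shortname, "techniques": techniques})
    return columns


def _pattern(tid: str, name: str, tactics: List[str], sub: bool = False, **extra) -> dict:
    return {"type": "attack-pattern", "id": f"attack-pattern--{tid}", "name": name,
            "x_mitre_is_subtechnique": sub,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}], **extra}


# Constructed miniature bundle; tactics deliberately listed out of order
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "x-mitre-matrix", "id": "x-mitre-matrix--sample",
     "tactic_refs": ["x-mitre-tactic--recon", "x-mitre-tactic--ia", "x-mitre-tactic--pers"]},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--pers", "name": "Persistence", "x_mitre_shortname": "persistence"},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--recon", "name": "Reconnaissance", "x_mitre_shortname": "reconnaissance"},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ia", "name": "Initial Access", "x_mitre_shortname": "initial-access"},
    _pattern("T1595", "Active Scanning", ["reconnaissance"]),
    _pattern("T1595.002", "Vulnerability Scanning", ["reconnaissance"], sub=True),
    _pattern("T1566", "Phishing", ["initial-access"]),
    _pattern("T1566.002", "Spearphishing Link", ["initial-access"], sub=True),
    _pattern("T1566.001", "Spearphishing Attachment", ["initial-access"], sub=True),
    _pattern("T1547", "Boot or Logon Autostart Execution", ["persistence", "privilege-escalation"]),
    _pattern("T1064", "Scripting", ["execution"], revoked=True),  # status set for the example
]}

if __name__ == "__main__":
    for col in build_matrix(SAMPLE_BUNDLE):
        print(col["tactic"])
        for t in col["techniques"]:
            print(f'  {t["id"]} {t["name"]}')
            for s in t["subtechniques"]:
                print(f'    {s["id"]} {s["name"]}')
```

Two details worth noticing: T1547 appears only under Persistence because the Privilege Escalation tactic is absent from this bundle, and the revoked T1064 is dropped before it can create an empty or misleading cell.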
You can use the ATT&CK matrix to:
- Map real-world incidents to known techniques
- Evaluate whether you can detect specific behaviors
- Identify gaps in logging or monitoring
- Compare threat groups based on shared techniques
- Plan red team exercises to match adversary behavior
The MITRE ATT&CK Enterprise Matrix. This visual framework organizes adversary tactics and techniques into a systematic model, enabling defenders to map, measure, and improve their security coverage.
The ATT&CK matrix is domain-specific, with dedicated matrices for Enterprise, Mobile, and ICS environments. Enterprise users can further filter by platform, such as Windows, macOS, Linux, Cloud, Containers, or Network Devices, to focus on techniques relevant to their specific technology stack.
Ultimately, the matrix serves as a dynamic model that helps organizations analyze adversary behavior, measure defensive coverage, and prioritize security improvements.
How to use MITRE ATT&CK groups, software, and campaigns
Groups, Software, and Campaigns add real-world context to the ATT&CK matrix, revealing which adversaries use specific techniques, the tools they rely on, and how those behaviors manifest in actual intrusions.
Using ATT&CK Groups
Groups represent clusters of activity—often called threat actors or intrusion sets—tracked by the security community. Because vendors use different naming conventions, a single Group may have multiple aliases. Each Group page provides:
- Attributed techniques and software.
- Linked campaigns.
- Public reporting references.
By focusing on adversaries relevant to your industry, you can prioritize your monitoring and make your detection strategy more realistic.
Using ATT&CK Software
Software entries describe the tools used during intrusions, ranging from malware and open-source utilities such as Mimikatz to commercial tools and legitimate administrative utilities such as PsExec. Each page details the techniques a tool performs, the Groups that use it, and relevant reporting. This helps in two ways:
- Predictive hunting: If you detect a specific tool, you can identify the associated techniques to watch for next.
- Targeted monitoring: If a threat group frequently uses specific software, you can build detection logic tailored to that tool’s unique patterns.
Using ATT&CK Campaigns
Campaigns focus on defined operations within a specific time period that share objectives and targets. Unlike groups, which represent ongoing clusters of activity, Campaigns allow you to study incidents end-to-end. Each entry provides:
- Techniques used during the operation.
- Software deployed.
- Attributed groups.
- Public reporting references.
By examining how an intrusion unfolded and which defensive gaps were exploited, you can gain valuable insights for tabletop exercises, red team planning, and incident response training.
Is MITRE ATT&CK free to use?
MITRE ATT&CK is an open-source, cost-free resource available to anyone without licensing or usage restrictions. It has become a foundational reference point for the global security community, widely utilized by SOC analysts, threat hunters, detection engineers, security architects, red teams, product vendors, and researchers to standardize their approach to defensive operations.