What Is MITRE ATT&CK Framework?

Structuring Adversary Behavior by Tactic

Each MITRE ATT&CK matrix organizes adversary behavior into a visual structure based on tactics and techniques. Tactics are the columns, which represent an attacker’s objective at each phase of an intrusion. Techniques are the cells beneath them, specific actions used to achieve the objective. Some techniques also include subtechniques, which offer more granular detail on variations of a given behavior.

The matrices are dynamic, updated regularly by MITRE ATT&CK  to reflect newly observed adversary tradecraft across platforms and industries. Each matrix is tailored to a domain: Enterprise, Mobile, Cloud, Containers, or ICS.

Enterprise Matrix

The Enterprise matrix covers behaviors across Windows, macOS, Linux, Azure AD, SaaS, and other platforms. It spans 14 core tactics, from Initial Access to Impact. Each tactic contains multiple techniques. For example, Execution includes T1059: Command and Scripting Interpreter, a commonly used method for running malicious code on endpoints.

Enterprise is the most widely adopted matrix, forming the foundation for detection engineering, threat modeling, and red/blue team exercises across security programs.

Cloud Matrix

The Cloud matrix extends ATT&CK to cloud-native environments. It includes tactics tailored to identity federation, API abuse, and tenant manipulation. Techniques like T1078.004: Valid Accounts – Cloud Accounts and T1562.008: Impair Defenses – Disable or Modify Cloud Logging reflect how attackers exploit SaaS misconfigurations and cloud control plane weaknesses.

Many organizations integrate the Cloud matrix into detection rules for platforms like AWS CloudTrail, Azure Monitor, and Google Cloud Audit Logs.

Mobile Matrix

The Mobile matrix focuses on iOS and Android-specific attack vectors. Tactics here include Initial Access, Collection, and Exfiltration, adapted to reflect mobile OS design. Techniques include mobile-specific behaviors such as T1406: Credential Access via Keylogging and T1450: Application Layer Protocol.

Mobile threats remain under-monitored in many organizations, making this matrix critical for visibility into employee-owned and BYOD environments.

ICS Matrix

Designed for industrial control systems (ICS), the ICS matrix includes tactics like Inhibit Response Function, Manipulation of Control, and Impair Process Control. These reflect the physical outcomes attackers pursue in environments such as energy, manufacturing, and water treatment.

The ICS matrix draws from unique adversary behavior, including techniques observed in campaigns like Triton and Industroyer, where attackers sought to disrupt or destroy physical processes.

Table 1: MITRE ATT&CK tactic coverage by matrix

How Matrices Drive Threat-Informed Defense

Matrices serve as structured maps of known behavior. They inform detection coverage audits, highlight control gaps, and enable SOCs to prioritize alerts by adversary intent. Security teams use matrices to build detection logic, design simulation exercises, and communicate threats in a standardized language aligned with adversary behavior.

ATT&CK doesn’t replace detection tools. On the contrary, it sharpens them by giving every alert a tactical context. It’s context that turns data into decisions and logs into insight.

MITRE ATT&CK Tactics and Their Role in Security Intelligence

In the MITRE ATT&CK framework, tactics represent the why behind adversary actions — their tactical goals within the kill chain. Each tactic defines a discrete phase of an attack, such as gaining initial access, escalating privileges, or exfiltrating data. There are 14 tactics in the Enterprise matrix, beginning with Reconnaissance and ending with Impact.

Tactics provide structure to raw telemetry. When mapped to adversary behavior, they contextualize what a detected action is trying to achieve. That allows defenders to assess not only what occurred, but where they’re in the adversary lifecycle and what comes next.

From Raw Signals to Tactical Awareness

Security operations teams often drown in alerts that lack hierarchy or intent. By aligning detections to ATT&CK tactics, analysts can group telemetry into functional stages of an intrusion.

For example, failed login attempts from an unusual source may map to Initial Access, while the creation of a new admin account aligns with Privilege Escalation. If followed by a file transfer to an external domain, that may indicate Exfiltration. Each mapping tells a story — and each story points to how close the attacker is to achieving their goal.

Tactic-based detection doesn't just enrich alerts. It strengthens response prioritization. An alert mapped to Command and Control deserves more scrutiny than one stuck in Reconnaissance. Context allows teams to focus where adversary progress is most dangerous.

Operational Benefits Across the Security Stack

• Threat hunting becomes more structured when tactics guide hypotheses. Hunters can focus on verifying if specific objectives have been attempted, like lateral movement across departments.
• Detection engineering becomes more resilient when mapped to tactics instead of signatures. If a new tool is used for data staging, but it behaves similarly to known techniques, the tactic-based detection still applies.
• Red teaming becomes more impactful when emulated activity aligns with known tactics used by real threat actors, allowing defenders to evaluate detection and response per objective, not per tool.
• Threat intelligence becomes more actionable when indicators are enriched with tactic tags. Knowing a hash belongs to a tool used during Persistence changes how it's triaged and blocked.

Tactics turn data into decisions. They give every behavior a role and every signal a purpose.

Building Intelligence Around the Adversary's Objectives

Tactical awareness transforms security from event-driven to adversary-driven. Instead of reacting to symptoms, teams operate with insight into attacker intent. Insider knowledge informs everything from SIEM rule tuning to tabletop exercises and executive reporting.

When organizations track their detection coverage by tactic, they understand their exposure by adversary objective. That’s how ATT&CK becomes a strategic lens for threat-informed defense.

MITRE ATT&CK Techniques

In the MITRE ATT&CK framework, techniques describe how adversaries achieve tactical objectives. Each technique represents a specific method used to carry out a phase of the attack. Techniques are nested under the tactics they serve. For example, under the Execution tactic, Command and Scripting Interpreter (T1059) represents an adversary’s use of scripting environments to run payloads on a system.

Every technique is documented with examples, detection guidance, and potential mitigations. Many techniques also include sub-techniques, which provide more granular insight into variations on the method. Sub-techniques help organizations tune defenses precisely and build detections that account for diverse implementations of the same adversarial intent.

Operationalizing Technique-Level Intelligence

Techniques are the building blocks of behavior-based detection. By mapping alerts or observed activity to techniques, defenders can shift from indicator-driven analysis to adversary-informed investigation.

A single technique may manifest in many ways. Valid Accounts (T1078), used under multiple tactics like Initial Access or Persistence, can appear as a successful login from an unusual geography, a token refresh from a known user agent, or a new session for a service account. Mapping all these back to the same technique enables broader detection coverage without relying on static IOCs.

Technique Prioritization Based on Threat Landscape

Not all techniques carry equal weight. Prioritization depends on factors like industry threat profile, existing visibility gaps, and adversary alignment.

Organizations often use:

• Historical incident data to map which techniques were used in past compromises
• Threat intelligence reports that attribute techniques to known threat actors
• Control coverage assessments that highlight where detection or prevention is weak
• MITRE’s own D3FEND and CAPEC models to connect techniques to countermeasures and exploit patterns

Mapping internal telemetry against high-priority techniques gives teams a focused, threat-informed view of their exposure.

Linking Techniques to Real Threat Actor Behavior

Each technique page in ATT&CK includes references to groups that have used the method, such as APT29’s use of Spearphishing Attachment (T1566.001) or FIN7’s use of Scheduled Task/Job (T1053). This connection between tactics, techniques, and actors allows defenders to build threat models based on real campaigns rather than hypothetical attack chains.

When organizations map incidents to techniques and correlate them with actor profiles, they gain the ability to predict what actions are likely next in an attack and to prioritize defenses accordingly.

ATT&CK techniques turn logs into narratives. They enable defenders to understand not just that something happened, but why it happened, how it was done, and what’s likely to follow. That behavioral clarity is what makes the framework operationally valuable at every layer of the security stack.

MITRE ATT&CK Use Cases

Detection Engineering

ATT&CK enables security teams to design detections around behavior, not tools. By mapping detections to specific techniques — such as PowerShell (T1059.001) or Credential Dumping (T1003) — analysts can write rules that detect adversarial activity regardless of the toolset. This approach future-proofs detection logic, allowing SOCs to catch unknown variants of known behaviors.

Techniques also guide coverage assessments. Teams can identify which techniques are already detected and which lack visibility, helping them prioritize sensor deployment, log enrichment, or new detection rules based on tactical risk.

Threat Hunting

Hunting teams use ATT&CK to focus hypotheses. Instead of relying on broad anomaly detection, hunters align their queries to high-priority techniques observed in relevant campaigns. A team may explore variations of Lateral Tool Transfer (T1570) or Remote System Discovery (T1018) to find activity suggesting an adversary is moving laterally.

Because each technique includes example procedures, data sources, and detection recommendations, ATT&CK provides a starting point for crafting hunts with operational focus.

Threat Intelligence Mapping

ATT&CK creates a shared language for expressing adversary behavior. Cyber threat intelligence teams enrich reports by tagging tactics and techniques used by threat groups. Instead of vague references to “malicious PowerShell,” intelligence products specify T1059.001, tying observed behavior directly to ATT&CK’s standardized taxonomy.

This structure allows faster triage. When a new report mentions a technique your organization already detects, you can validate coverage immediately. When it surfaces a gap, you can respond with targeted action.

Red Teaming and Purple Teaming

ATT&CK helps red teams emulate adversaries more accurately. Rather than relying on generic scripts, they build campaigns aligned to known actors using the same techniques, mapped across tactics. A red team simulating APT29, for example, might execute Spearphishing Attachment (T1566.001) for access and Scheduled Task/Job (T1053) for persistence.

Purple teams use the same mapping to validate controls. They track detection efficacy by technique and identify which alerts were blocked, missed, or misclassified. ATT&CK becomes the blueprint for adversary simulation and response validation.

Security Gap Assessment

Organizations use ATT&CK to conduct defensive coverage audits. By mapping existing detections and telemetry to ATT&CK techniques, they can visualize which behaviors are detected, which are monitored passively, and which are blind spots. These assessments often drive decisions around logging scope, EDR coverage, SIEM correlation, and budget allocation.

Tools like MITRE ATT&CK Navigator allow organizations to visualize these gaps and overlay them with threat actor profiles, helping prioritize based on both capability and likelihood.

Executive Reporting and Risk Communication

Because ATT&CK abstracts behaviors into tactics and techniques, it offers a language that connects technical detail to executive-level risk. Security leaders can report on how their organization detects Credential Access or Exfiltration rather than listing raw event counts.

This alignment helps CISOs communicate detection maturity, justify investment, and benchmark capability over time. ATT&CK provides the structure to translate detection engineering into operational and strategic insight — without losing technical fidelity.

When ATT&CK is embedded across detection, response, intelligence, and reporting, it becomes more than a framework. It becomes the shared operating system for threat-informed defense.

Using the MITRE ATT&CK Framework During a Live Attack

Behavior Over Time: Mapping an Intrusion to ATT&CK

The real value of the MITRE ATT&CK framework emerges during an active intrusion. Security teams don’t just observe events—they interpret adversary behavior in sequence, mapping each move to a tactic and technique. That mapping turns fragmented telemetry into a structured timeline of intent, progress, and exposure.

The example below walks through a simplified but realistic attack scenario, showing how ATT&CK techniques surface across the intrusion lifecycle. Each step illustrates how defenders use the framework to identify, contextualize, and counter specific adversary actions.

ATT&CK in Action: Step-by-Step Intrusion Mapping

Initial Access

A phishing email arrives with a malicious Excel file containing embedded macros.
Mapped to: T1566.001: Spearphishing Attachment

Execution

Once opened, the file executes an obfuscated PowerShell payload.
Mapped to: T1059.001: PowerShell

Persistence

The payload establishes long-term access by registering a scheduled task.
Mapped to: T1053.005: Scheduled Task

Privilege Escalation

The attacker impersonates a local admin token to bypass user restrictions.
Mapped to: T1134.001: Token Impersonation/Theft

Defense Evasion

Windows event logs are cleared, and tamper protection on the EDR agent is disabled.
Mapped to: T1070.001: Clear Windows Event Logs
Mapped to: T1562.001: Disable or Modify Tools

Credential Access

Memory scraping tools target the LSASS process to harvest credentials.
Mapped to: T1003.001: LSASS Memory

Lateral Movement

The attacker uses RDP and stolen credentials to move to a finance department workstation.
Mapped to: T1021.001: Remote Desktop Protocol

Collection

Documents tagged “invoice,” “ACH,” and “wire” are aggregated and zipped.
Mapped to: T1560.001: Archive Collected Data: Local Archiving

Exfiltration

Files are transferred over an HTTPS session to attacker-controlled infrastructure.
Mapped to: T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Impact

Ransomware is deployed as a final-stage distraction and coercion mechanism.
Mapped to: T1486: Data Encrypted for Impact

Team-Specific Engagement Across the Framework

While the attack unfolds, different teams engage with ATT&CK through different lenses:

• SOC analysts triage alerts by tactic, accelerating escalation when alerts transition from Execution to Lateral Movement.
• Detection engineers correlate behaviors across users and hosts, improving coverage of linked techniques like Credential Dumping and Remote System Discovery.
• Threat hunters develop hypotheses based on common technique chains seen in similar actor profiles.
• Incident responders reconstruct the intrusion path by mapping observed telemetry to tactics and sub-techniques.
• Executives receive incident briefings anchored in standardized, adversary-centric language, reducing guesswork and elevating clarity.

ATT&CK is not just a postmortem taxonomy. It’s a live system for understanding where an adversary is in their campaign, how they’re operating, and where your defenses must adapt next. It moves teams from event collection to adversary alignment—and in a live incident, that shift is the difference between chasing alerts and stopping attacks.

Using the MITRE ATT&CK Framework During a Live Attack

Behavior Over Time: Mapping an Intrusion to ATT&CK

The real value of the MITRE ATT&CK framework emerges during an active intrusion. Security teams don’t just observe events—they interpret adversary behavior in sequence, mapping each move to a tactic and technique. That mapping turns fragmented telemetry into a structured timeline of intent, progress, and exposure.

The example below walks through a simplified but realistic attack scenario, showing how ATT&CK techniques surface across the intrusion lifecycle. Each step illustrates how defenders use the framework to identify, contextualize, and counter specific adversary actions.

ATT&CK in Action: Step-by-Step Intrusion Mapping

Initial Access

A phishing email arrives with a malicious Excel file containing embedded macros.
Mapped to: T1566.001: Spearphishing Attachment

Execution

Once opened, the file executes an obfuscated PowerShell payload.
Mapped to: T1059.001: PowerShell

Persistence

The payload establishes long-term access by registering a scheduled task.
Mapped to: T1053.005: Scheduled Task

Privilege Escalation

The attacker impersonates a local admin token to bypass user restrictions.
Mapped to: T1134.001: Token Impersonation/Theft

Defense Evasion

Windows event logs are cleared, and tamper protection on the EDR agent is disabled.
Mapped to: T1070.001: Clear Windows Event Logs
Mapped to: T1562.001: Disable or Modify Tools

Credential Access

Memory scraping tools target the LSASS process to harvest credentials.
Mapped to: T1003.001: LSASS Memory

Lateral Movement

The attacker uses RDP and stolen credentials to move to a finance department workstation.
Mapped to: T1021.001: Remote Desktop Protocol

Collection

Documents tagged “invoice,” “ACH,” and “wire” are aggregated and zipped.
Mapped to: T1560.001: Archive Collected Data: Local Archiving

Exfiltration

Files are transferred over an HTTPS session to attacker-controlled infrastructure.
Mapped to: T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Impact

Ransomware is deployed as a final-stage distraction and coercion mechanism.
Mapped to: T1486: Data Encrypted for Impact

Team-Specific Engagement Across the Framework

While the attack unfolds, different teams engage with ATT&CK through different lenses:

• SOC analysts triage alerts by tactic, accelerating escalation when alerts transition from Execution to Lateral Movement.
• Detection engineers correlate behaviors across users and hosts, improving coverage of linked techniques like Credential Dumping and Remote System Discovery.
• Threat hunters develop hypotheses based on common technique chains seen in similar actor profiles.
• Incident responders reconstruct the intrusion path by mapping observed telemetry to tactics and sub-techniques.
• Executives receive incident briefings anchored in standardized, adversary-centric language, reducing guesswork and elevating clarity.

ATT&CK is not just a postmortem taxonomy. It’s a live system for understanding where an adversary is in their campaign, how they’re operating, and where your defenses must adapt next. It moves teams from event collection to adversary alignment—and in a live incident, that shift is the difference between chasing alerts and stopping attacks.

Comparing MITRE ATT&CK and the Cyber Kill Chain

The Cyber Kill Chain and MITRE ATT&CK both model adversary behavior, but they serve different functions and reflect different levels of operational granularity. The Kill Chain, developed by Lockheed Martin, offers a high-level view of attacker progression from initial reconnaissance to execution of objectives. MITRE ATT&CK operates at a much deeper layer, mapping the specific techniques adversaries use within and across those stages.

The Cyber Kill Chain’s seven stages — Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives — are linear. It’s a useful narrative structure, especially for early-stage incident response and high-level education. ATT&CK, in contrast, is not linear. It’s tactic-driven, mapping techniques across overlapping or repeating objectives like Persistence, Credential Access, or Exfiltration. That flexibility better reflects real-world intrusion complexity.

Granularity and Operational Value

Where the Kill Chain describes what phase an attacker is in, ATT&CK describes how that activity is being executed. For example, Kill Chain might identify the Installation phase. ATT&CK would detail whether the adversary used T1053: Scheduled Task or T1547.001: Registry Run Keys to persist.

ATT&CK also tracks sub-techniques, allowing defenders to tune detections for very specific procedures within a broader tactic. This level of detail enables more precise detection logic, more effective threat hunting, and more accurate simulation during red and purple team operations.

Kill Chain is more static. It doesn’t adapt as easily to multicloud, hybrid, or identity-centric attacks, where lateral movement and privilege escalation don’t follow predictable paths. ATT&CK’s matrix structure, by contrast, accommodates dynamic attacker behavior across systems and platforms.

Use Case Alignment

The Kill Chain is ideal for communicating high-level attack flow in executive briefings or early-stage planning. It helps organizations establish a general understanding of adversary progression and supports the design of layered defenses that block attacks at each stage.

ATT&CK is tactical and technical. It’s used by SOC teams, threat hunters, and detection engineers to build and evaluate defenses around specific behaviors. It supports control validation, logging strategy, threat modeling, and response prioritization.

Many mature organizations use both. They use Kill Chain to explain and frame, and ATT&CK to operationalize and act. Together, they offer strategic alignment and technical precision — but when precision matters, ATT&CK carries the weight.

Advancing Organizational Maturity with ATT&CK

Most security programs encounter the MITRE ATT&CK framework early — often during detection tuning or threat intelligence tagging. But true value emerges when ATT&CK moves from reference to backbone. Mature organizations treat it as more than a matrix of adversary behavior. They use it to align detection strategy, measure defensive performance, and drive coordinated response across teams.

ATT&CK adoption often begins with coverage analysis and detection engineering. From there, it progresses to threat-informed defense, simulation planning, and metrics-driven decision-making. Organizations that mature their use of ATT&CK develop a continuous feedback loop between adversary behavior, control visibility, and operational readiness.

Tailoring ATT&CK to the Environment

No two environments have the same threat surface. ATT&CK offers flexibility across platforms — Windows, Linux, macOS, cloud, SaaS, containers, mobile, and ICS — but operationalizing that coverage requires mapping it to your architecture and telemetry.

Identity infrastructure, for example, is rich with ATT&CK-relevant techniques but often under-monitored. Techniques like T1078.004: Valid Accounts – Cloud Accounts or T1556.006: Modify Authentication Process – Cloud IAM demand cloud-native detection coverage that traditional tools miss.

Organizations using SaaS platforms like Microsoft 365 or Google Workspace often overlook tactics such as Persistence and Collection, assuming those environments are inherently secure. ATT&CK exposes gaps by anchoring detection efforts in adversary behaviors rather than vendor guarantees.

Visibility across the matrix should be platform-aware. A mature program understands which tactics are relevant to each domain and prioritizes accordingly.

Scaling ATT&CK Use Across Teams

Security teams gain the most from ATT&CK when it becomes a shared operating model across functions. That means:

• Detection engineers using technique IDs to standardize and version-control rules
• Threat intel analysts tagging actor behavior to ATT&CK to support prioritization
• Incident responders tracing intrusions across tactics to reconstruct kill chains
• Red teams building scenarios aligned to real adversary tradecraft
• Blue teams measuring response times against high-risk techniques

The convergence builds institutional memory. ATT&CK creates a common vocabulary that connects detection logic with strategic threat models and live operational decisions.

Benchmarking and Metrics for ATT&CK Adoption

Mature organizations don’t just use ATT&CK — they measure with it. Coverage heat maps become part of board reporting. Simulation outcomes are tied to specific techniques. Detection logic is tested not just for alert generation but for adversary interruption at each tactical stage.

Key maturity indicators include:

• Percent of high-priority techniques mapped to active detections
• Detection-to-response time per tactic
• Frequency of ATT&CK-aligned red and purple team exercises
• Breadth of ATT&CK technique references in IR case retrospectives

By tying operational metrics to adversary behavior, organizations can calibrate investment, reduce alert noise, and focus on the techniques that actually matter in their threat landscape.

Toward a Behavioral Framework for Securing AI

As adversaries adopt artificial intelligence and target machine learning systems, the need for a structured, behavioral understanding of AI-specific threats becomes urgent. MITRE’s Sensible Regulatory Framework for AI Security represents a forward-looking counterpart to the ATT&CK Framework, grounded in the same philosophy: that effective defense begins with clearly defined, observable threat behaviors.

While ATT&CK maps how human adversaries act post-compromise, the AI framework anticipates how threat actors may exploit the unique properties of learning systems—through model evasion, data poisoning, prompt manipulation, or misuse of autonomous functions. Both frameworks aim to give defenders a shared vocabulary and a strategic lens. In time, as AI becomes more deeply integrated into enterprise infrastructure and attacker playbooks, the principles underpinning ATT&CK will likely shape how organizations detect, mitigate, and govern AI threats at scale.

MITRE ATT&CK Framework FAQs