The MITRE ATT&CK Framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a globally recognized cybersecurity framework that helps security teams understand, detect, and respond to cyber threats by categorizing how attackers actually behave once they’ve compromised a system.
Mitre Corp., a not-for-profit security research organization, created and continues to curate the ATT&CK Framework and cyber threat intelligence knowledge base. The framework provides security teams with a common language to understand how bad actors operate, making it easier to build defenses that actually work against real threats.
Why the MITRE ATT&CK Framework matters in cybersecurity
The MITRE ATT&CK Framework has become essential because traditional security approaches often focus on known malware signatures or indicators of compromise, but attackers constantly change their tools while using similar behavioral patterns. According to various industry reports, between 60% and 86% of breaches involve stolen or compromised credentials. Here’s why MITRE ATT&CK has become so important:
Behavior-based detection is critical: Behavior-based models like MITRE ATT&CK are critical because they catch threats by understanding how attackers move and act inside networks, regardless of specific malware or tools.
Legacy solutions have gaps: Traditional security solutions often focus on known indicators of compromise rather than understanding attacker behavior patterns.
Real-world foundation: Unlike theoretical frameworks, ATT&CK is built from actual attack observations, making it immediately practical for security teams.
Industry standardization: MITRE ATT&CK provides a common language for security professionals to communicate about threats across organizations and industries.
Looking to enhance your cloud security posture? Check out Expel’s MITRE ATT&CK in AWS Mind Map Kit to quickly identify the paths an attacker might take in your AWS environment—all mapped to ATT&CK tactics.
How the MITRE ATT&CK Framework works
The MITRE ATT&CK Framework is a knowledge base of adversary tactics and techniques, derived from real-world observations, used to map, detect, and mitigate post-compromise behavior across enterprise, cloud, mobile, and industrial control system environments. The framework operates as a matrix that makes it easier for security teams to visualize the attack lifecycle and identify gaps in their defenses.
At its core, the framework works by:
- Categorizing adversary behavior into tactical objectives (the “why” of an attack)
- Documenting specific techniques used to achieve those objectives (the “how”)
- Providing context through real-world examples of threat actors known to use each technique
- Suggesting detection and mitigation strategies for each technique
Organizations typically use the framework as a common language to discuss security incidents, plan defensive strategies, test their security controls, and develop threat intelligence.
Core components of the MITRE ATT&CK Framework
Tactics
In the MITRE ATT&CK Framework, tactics represent the why behind adversary actions — their tactical goals within the kill chain. Each tactic defines a discrete phase of an attack, such as gaining initial access, escalating privileges, or exfiltrating data. Tactics serve as the high-level categories that organize the framework, with techniques nested underneath each tactic. There are 14 tactics in the Enterprise matrix, beginning with Reconnaissance and ending with Impact.
Techniques
In the MITRE ATT&CK Framework, techniques describe how adversaries achieve tactical objectives. Each technique is nested under one or more tactics and represents a specific method used to carry out a phase of the attack. Currently there are 202 techniques and 435 subtechniques in the ATT&CK enterprise framework. Many techniques include sub-techniques that provide more granular detail about specific implementations or variations of the parent technique.
| Technique component | Description |
|---|---|
| Unique identifier | A code (e.g., T1566 for Phishing) that uniquely identifies each technique |
| Detailed description | Explanation of how the technique works and its variants |
| Procedure examples | Real-world examples of the technique in action by threat actors |
| Detection strategies | Methods for identifying when this technique is being used |
| Mitigation recommendations | Actions to prevent or limit the effectiveness of the technique |
| Related techniques | Connections to other techniques that might be used together |
Working with Google Cloud Platform? Explore Expel’s MITRE ATT&CK in GCP Mind Map Kit for a defender’s cheat sheet to better understand the tactics, techniques, and API calls that could be involved in a GCP attack.
Procedures
Procedures are the specific implementations of techniques used by actual threat actors. These represent the observable actions that attackers take when using a particular technique. For example, while “Phishing” is a technique, sending malicious PDF attachments with embedded JavaScript is a specific procedure that might be associated with specific threat groups.
The framework documents procedures used by various advanced persistent threat (APT) groups and other threat actors, providing concrete examples that help security teams understand how techniques manifest in real-world attacks.
MITRE ATT&CK Framework matrices and platforms
The MITRE ATT&CK Framework includes several specialized matrices designed for different environments:
ATT&CK for Enterprise: Focuses on identifying and imitating adversarial behavior in Windows, Mac, Linux, and cloud environments.
ATT&CK for Mobile: Addresses threat behavior for mobile devices using iOS and Android operating systems.
ATT&CK for Industrial Control Systems (ICS): Addresses threat behavior that impacts industrial control systems.
Cloud-specific coverage
The MITRE ATT&CK Cloud Matrix extends the main framework to focus exclusively on cloud services and attack techniques. It maps tactics and techniques used by adversaries to compromise cloud-based platforms such as AWS, Microsoft Azure, and Google Cloud Platform (GCP), recognizing that cloud environments have unique attack vectors and defensive requirements.
Running Microsoft Azure? Explore Expel’s MITRE ATT&CK in Microsoft Azure mind map to help set up your security monitoring amid Azure’s hundreds of services.
Key benefits of implementing the MITRE ATT&CK Framework
Organizations that implement the MITRE ATT&CK Framework in their security operations gain several significant advantages:
| Benefit | Description |
|---|---|
| Common language | Standardized terminology for more effective communication about threats |
| Improved threat modeling | More accurate and effective threat models based on actual adversary techniques |
| Gap analysis | Identification of areas where security controls might be lacking |
| Better prioritization | Focus on mitigating techniques most commonly used by relevant adversaries |
| Enhanced detection | More precise detection rules based on specific adversary techniques |
| Effective red team exercises | Red team operations structured around realistic adversary behaviors |
What is the MITRE ATT&CK Navigator?
The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. The Navigator allows users to create custom layers—visual representations of the ATT&CK matrix—to show defensive coverage, plan security exercises, or track threat intelligence. Security teams can use the Navigator to:
- Create custom layers showing their defensive coverage
- Plan red team exercises based on specific threat actor techniques
- Track detection maturity improvements over time
- Visualize gaps in security controls
- Share threat intelligence with stakeholders
The Navigator supports importing and exporting layers in JSON format, making it easy to share analysis between teams and organizations.
Want to improve your security coverage? See how Expel can help uplevel your MITRE ATT&CK coverage, showing you where you stand, suggesting improvements, and instantly enhancing your overall security posture across the attack lifecycle.
Practical applications of the MITRE ATT&CK Framework
Organizations across various industries apply the MITRE ATT&CK Framework in numerous practical ways:
Threat intelligence enrichment
Security teams use ATT&CK to categorize and contextualize threat intelligence, mapping observed indicators to specific techniques and threat actors. This enrichment helps organizations understand not just what happened, but why attackers took certain actions and what their ultimate objectives might be.
Security control validation
By mapping security controls and detection capabilities to ATT&CK techniques, organizations can systematically evaluate their defensive coverage. This process identifies blind spots where additional controls or detection mechanisms may be needed.
Incident response enhancement
When security incidents occur, responders use ATT&CK to identify the techniques in use and anticipate potential next steps in the attack chain. This foresight allows for more effective containment and eradication strategies.
Security product evaluation
When evaluating security products and services, organizations use ATT&CK as a benchmark to compare capabilities. Vendors increasingly map their products’ capabilities to the techniques they can detect or prevent.
Purple team exercises
Combined red and blue team exercises (purple teams) use ATT&CK as a common framework to structure their activities. Red teams emulate specific adversary techniques while blue teams attempt to detect and respond to them.
Threat hunting operations
The ATT&CK framework allows analysts to better understand the specifics of an attack via official definitions and terminology, which enhances communication between team members. This in turn accelerates and improves threat detection and response time.
Does your team struggle with cloud security complexity? Read Expel’s blog post on MITRE ATT&CK cheat sheets for GCP to see how our experts mapped patterns from real GCP incident investigations to the ATT&CK framework.
Implementation and best practices
Successfully implementing MITRE ATT&CK requires careful planning and adherence to best practices:
Integrate with existing security tools: Ensure ATT&CK mapping can work with your current security infrastructure and processes.
Start with high-priority techniques: According to the MITRE Engenuity Center for Threat-Informed Defense report Sightings Ecosystem: A Data-driven Analysis of ATT&CK in the Wild, 15 techniques made up 90% of the ATT&CK techniques observed from over 6 million real-world sightings between April 2019 and July 2021.
Establish behavioral baselines: Document normal authentication patterns and system behaviors to better detect anomalies.
Deploy comprehensive logging: Enable detailed logging across all systems to support ATT&CK-based detection.
Automate where possible: Develop automated response workflows for common attack scenarios.
Train security teams: Ensure analysts understand attack techniques and response strategies.
Regular assessment: Continuously evaluate and update your ATT&CK implementation based on new threats and organizational changes.
Challenges and solutions
Organizations implementing MITRE ATT&CK often face several challenges:
Challenge: Information overload from the extensive framework
Solution: Start with techniques most relevant to your industry and threat landscape
Challenge: Balancing comprehensive coverage with resource constraints
Solution: Prioritize techniques based on observed threat actor behavior in your sector
Challenge: Integration with existing security tools and processes
Solution: Use APIs and standardized formats to connect ATT&CK data with security platforms
Challenge: Keeping up with framework updates
Solution: The bi-annual content releases listed on the updates pages increment the major version number – establish processes for regular framework updates
Challenge: Measuring implementation effectiveness
Solution: Use metrics like technique coverage percentage and detection accuracy rates
Emerging trends in MITRE ATT&CK
The MITRE ATT&CK landscape continues to evolve with several notable trends:
AI-powered analytics integration: AI is used to automate phishing campaigns, evade security measures, and conduct advanced reconnaissance. Attackers leverage AI to create deepfakes, self-learning malware, and highly targeted social engineering attacks.
Cloud-native technique expansion: Growing focus on cloud-specific attack techniques as organizations continue digital transformation.
Supply chain attack coverage: Cybercriminals are increasingly targeting third-party vendors and software providers to infiltrate enterprise networks. These attacks exploit weaknesses in supply chains, allowing adversaries to compromise multiple organizations at once.
Mobile and IoT integration: Expanding coverage for mobile devices and Internet of Things environments.
Automation and orchestration: Integration with SOAR platforms for automated response to specific ATT&CK techniques.
Need help with your security operations? Discover how Expel’s security operations platform applies expert-written detection logic aligned to the MITRE ATT&CK Framework, continuously tuned based on threats observed across our entire platform.
MITRE ATT&CK Framework FAQ
How often is the MITRE ATT&CK Framework updated?
The framework is updated regularly, typically 2–3 times per year. Updates include new techniques, tactics, or groups based on emerging threat intelligence and community contributions. The most recent update is ATT&CK v17.1, released on April 22, 2025.
| Tactic category | Description |
|---|---|
| Initial access | Techniques used to gain an initial foothold within a network |
| Execution | Techniques that result in adversary-controlled code running on a system |
| Persistence | Techniques that maintain access across system restarts or credential changes |
| Privilege escalation | Techniques that enable attackers to gain higher-level permissions |
| Defense evasion | Techniques used to avoid detection and security defenses |
| Credential access | Techniques for stealing credentials like account names and passwords |
| Discovery | Techniques used to gain knowledge about the system and network |
| Lateral movement | Techniques to enter and control remote systems on a network |
| Collection | Techniques used to gather data relevant to the adversary’s goal |
| Command and control | Techniques for communication with compromised systems |
| Exfiltration | Techniques used to steal data from the target network |
| Impact | Techniques to disrupt, compromise, or destroy systems and data |
| Reconnaissance | Techniques for gathering information before the actual attack |
| Resource development | Techniques for building infrastructure to support operations |
Is the MITRE ATT&CK Framework only useful for large enterprises?
No, organizations of all sizes can benefit from implementing ATT&CK. Smaller organizations might start with a subset of techniques most relevant to their industry or threat landscape.
How does ATT&CK relate to other cybersecurity frameworks like NIST or ISO 27001?
ATT&CK focuses specifically on adversary behaviors, while frameworks like NIST or ISO 27001 focus on overall security program management. These frameworks are complementary and can be used together.
Can ATT&CK be used for compliance purposes?
While not designed primarily as a compliance framework, ATT&CK can support compliance efforts by helping organizations implement and validate security controls required by various regulations in a threat-informed way.
How do I get started with MITRE ATT&CK if I have limited resources?
Begin by exploring the MITRE ATT&CK website, identify techniques most relevant to your organization, and map your existing security controls to those techniques.
Ready to strengthen your security operations? See how Expel can augment your security team with detections aligned to the MITRE ATT&CK framework to improve accuracy and free your team from false positives and low-fidelity alerts.
How granular should our technique mappings be?
Aim for the most specific level possible – sub-techniques rather than parent techniques when applicable. This precision helps identify specific gaps and prioritize improvements. However, start with broader mappings if needed and refine them over time as your program matures.
How do we handle techniques that are only partially covered?
Document partial coverage explicitly, noting which aspects of the technique are addressed and which remain gaps. This transparency helps prioritize improvements and prevents overestimating your security posture. Consider using a coverage scale (e.g., none, partial, substantial, complete) for each mapping.
How frequently should we update our mappings?
Review and update mappings quarterly, or whenever significant changes occur in your environment, security controls, or the ATT&CK framework itself. Additionally, update relevant mappings after security incidents to incorporate lessons learned.
How can we measure the effectiveness of our mapping program?
Measure effectiveness through metrics like: percentage of relevant techniques with documented controls and detections, number of incidents involving unmapped techniques, time to update mappings after framework changes, and stakeholder satisfaction with mapping insights.
Should we prioritize control mapping or detection mapping?
Both are valuable, but if resources are limited, focus first on detection mapping. Understanding what you can detect provides immediate value for security operations, while control mapping is more valuable for longer-term security planning and investment decisions. Ideally, implement both in parallel when possible.
How Expel uses the MITRE ATT&CK Framework
At Expel, we’ve fully integrated the MITRE ATT&CK Framework into our managed detection and response (MDR) services. Our approach includes:
- Comprehensive detection coverage: We align our detection engineering with the MITRE ATT&CK Framework to ensure broad coverage across the attack lifecycle.
- Custom detection logic: Our security experts write custom detection logic mapped to ATT&CK techniques, continuously updating these based on threat intelligence and real-world observations from our customer base.
- MITRE ATT&CK mind maps: We’ve developed detailed mind maps for various cloud platforms that help security teams visualize and understand how attackers might leverage specific cloud services within the ATT&CK framework.
- Gap analysis and improvement: We help organizations assess their current security posture against the ATT&CK framework, identifying gaps and recommending improvements to enhance overall security resilience.
- Threat hunting based on ATT&CK: Our threat hunting capabilities leverage ATT&CK to develop hunting hypotheses based on the tactics and techniques attackers commonly use at each stage of the attack lifecycle.
By leveraging the MITRE ATT&CK Framework, Expel provides organizations with a more comprehensive, threat-informed security approach that helps detect, respond to, and mitigate cyber threats more effectively.
Looking to enhance your cloud security strategy? Explore our comprehensive collection of MITRE ATT&CK Mind Map Kits covering AWS, Azure, GCP, and Kubernetes environments to help safeguard your cloud infrastructure from common attack tactics.