Glossary · Security testing
What is MITRE ATT&CK?
Also known as: ATT&CK, ATT&CK Framework, Adversarial Tactics, Techniques, and Common Knowledge
MITRE ATT&CK is a free, globally used knowledge base of real-world adversary tactics and techniques observed in actual intrusions. It gives offense and defense a common language for describing how attackers operate, and is widely used to plan testing, measure detection coverage, and map findings to known behaviors.
Key takeaways
- MITRE ATT&CK is a free, openly available knowledge base of real adversary tactics and techniques.
- It is structured as tactics (the why) and techniques (the how) drawn from observed intrusions.
- It provides a shared language that aligns red teams, blue teams, and tooling.
- BAS, threat intelligence, and detection engineering commonly map their work to ATT&CK.
What is MITRE ATT&CK?
MITRE ATT&CK is a curated, publicly available knowledge base that catalogs how real adversaries behave during intrusions. Rather than theorizing, it documents techniques actually seen in the wild, organized so defenders can reason about attacker behavior in a structured way.
Its enduring value is as a common language. When a red team, a detection engineer, and a threat-intelligence analyst all describe an activity using the same ATT&CK technique, they can collaborate and measure without ambiguity.
How ATT&CK is structured: tactics and techniques
ATT&CK is organized into tactics and techniques. Tactics represent the adversary's goal at a given stage, the why, such as initial access, persistence, privilege escalation, or exfiltration. Techniques and sub-techniques describe the how: the specific methods used to achieve each tactic.
Several ATT&CK tactics map directly to concepts elsewhere in security testing, including privilege escalation and lateral movement, which are also building blocks of any real attack path.
- Tactics: the adversary's objective at each stage (the why)
- Techniques and sub-techniques: how each objective is achieved
- Procedures: specific real-world implementations observed
- Coverage mapping: which techniques your defenses detect
How ATT&CK is used in testing and compliance
Breach and attack simulation tools commonly emulate specific ATT&CK techniques, then report detection coverage as a heatmap across the matrix. This turns an abstract question, are we defended, into a concrete measurement against known techniques.
For compliance, mapping detections and tests to ATT&CK gives auditors a defensible, standards-based picture of control effectiveness. Combined with continuous control monitoring, ATT&CK coverage becomes ongoing evidence rather than a static claim.
Frequently asked questions
- Is MITRE ATT&CK free to use?
- Yes. MITRE ATT&CK is a free, publicly available knowledge base. Anyone can use it to plan testing, build detections, or map findings to known adversary behavior.
- What is the difference between a tactic and a technique in ATT&CK?
- A tactic is the adversary's goal at a stage of the attack, such as privilege escalation. A technique is the specific method used to achieve that goal. Sub-techniques describe even more granular variations.
- How does ATT&CK relate to breach and attack simulation?
- BAS tools typically emulate specific ATT&CK techniques and report which ones your defenses detect. ATT&CK provides the standardized catalog of techniques that BAS measures coverage against.