Definition and History
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible, curated knowledge base of adversary behaviors based on real-world observations. Created by MITRE Corporation in 2013 as an internal project called FMX (Fort Meade eXperiment) to document the tactics, techniques, and procedures (TTPs) used by advanced persistent threat (APT) groups, it was publicly released in 2015 and has since become the de facto standard for describing adversary behavior in cybersecurity.
Before ATT&CK, the industry lacked a common vocabulary for describing how attackers operate post-compromise. Security vendors used proprietary terminology, threat reports described the same behaviors with different names, and measuring defensive coverage was largely subjective. ATT&CK solved this by providing a taxonomy that is vendor-neutral, evidence-based, and continuously updated with new techniques as the threat landscape evolves.
The framework is maintained by MITRE with contributions from the global cybersecurity community. Each technique entry includes a description of the behavior, real-world examples of threat groups using it, data sources that could detect it, and suggested mitigations. This evidence-based approach — every technique is documented from observed adversary activity, not theoretical attacks — is what gives ATT&CK its credibility and practical utility.
The 14 Tactics
Tactics represent the adversary's objective — the why behind a specific action. The 14 tactics in the Enterprise matrix are arranged roughly in the order an adversary might progress through an attack, though real-world intrusions are rarely linear. An attacker may loop back to earlier tactics, skip stages entirely, or pursue multiple tactical objectives simultaneously.
| # | Tactic | ID | Objective |
|---|---|---|---|
| 1 | Reconnaissance | TA0043 | Gather information to plan the attack |
| 2 | Resource Development | TA0042 | Establish infrastructure and capabilities |
| 3 | Initial Access | TA0001 | Gain a foothold in the target environment |
| 4 | Execution | TA0002 | Run malicious code on a victim system |
| 5 | Persistence | TA0003 | Maintain access across restarts and credential changes |
| 6 | Privilege Escalation | TA0004 | Gain higher-level permissions |
| 7 | Defense Evasion | TA0005 | Avoid detection and bypass security controls |
| 8 | Credential Access | TA0006 | Steal account credentials |
| 9 | Discovery | TA0007 | Map the environment and identify targets |
| 10 | Lateral Movement | TA0008 | Move through the environment to reach objectives |
| 11 | Collection | TA0009 | Gather data of interest to the adversary |
| 12 | Command and Control | TA0011 | Communicate with compromised systems |
| 13 | Exfiltration | TA0010 | Steal data from the target environment |
| 14 | Impact | TA0040 | Disrupt availability or integrity of systems and data |
Each tactic contains multiple techniques — the specific methods adversaries use to achieve that tactical objective. Persistence, for example, includes techniques like Registry Run Keys, Scheduled Tasks, Boot Autostart, and DLL Side-Loading, among many others. Understanding the tactic-technique relationship is foundational: the tactic tells you what the adversary is trying to do; the technique tells you how they do it.
Techniques vs Sub-Techniques
Techniques are specific behaviors adversaries use to accomplish a tactical objective. Each technique has a unique identifier (e.g., T1059 for Command and Scripting Interpreter) and describes a distinct method of achieving the parent tactic's goal.
Sub-techniques provide additional granularity within a technique. T1059 (Command and Scripting Interpreter) has sub-techniques including T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1059.005 (Visual Basic), and T1059.006 (Python). Sub-techniques were introduced in 2020 to reduce the "technique bloat" problem — techniques that were growing too broad to be useful for detection or assessment.
The distinction matters for detection engineering. A detection for T1059 at the technique level would need to cover all scripting interpreters — an extremely broad rule. A detection for T1059.001 can focus specifically on PowerShell execution patterns, producing a more precise and tunable rule. When building detection coverage, map to the sub-technique level whenever possible.
Each technique and sub-technique entry in ATT&CK includes:
- Description — What the technique is and how it works
- Procedure examples — Real-world use by named threat groups (e.g., "APT28 has used PowerShell to execute scripts for credential harvesting")
- Mitigations — Controls that reduce the risk of the technique succeeding
- Detection — Data sources and detection logic suggestions
- References — Links to the threat reports that document the technique's use
ATT&CK Matrices: Enterprise, Mobile, ICS
MITRE maintains three separate ATT&CK matrices, each covering a different technology domain:
Enterprise
The Enterprise matrix is the most comprehensive and widely used. It covers adversary behavior against Windows, macOS, Linux, cloud environments (Azure AD, Office 365, Google Workspace, SaaS, IaaS), network infrastructure, and containers. With 14 tactics and 200+ techniques, it is the standard reference for corporate security teams, detection engineers, and threat intelligence analysts. When people say "ATT&CK" without qualification, they typically mean the Enterprise matrix.
Mobile
The Mobile matrix covers adversary behavior targeting Android and iOS devices. It includes techniques specific to mobile platforms: app store compromise, device administrator abuse, input prompt spoofing, and clipboard data interception. With the increasing use of mobile devices for corporate access, the Mobile matrix is becoming more relevant for enterprise security programs that extend beyond traditional endpoints.
ICS (Industrial Control Systems)
The ICS matrix covers adversary behavior targeting operational technology (OT) and industrial control systems — SCADA, PLCs, HMIs, engineering workstations, and historians. It includes 12 tactics (some unique to ICS, like Inhibit Response Function and Impair Process Control) and techniques specific to the industrial domain. This matrix is essential for organizations operating critical infrastructure — energy, water, manufacturing, and transportation.
Using ATT&CK for Detection
ATT&CK's practical value for detection engineering comes from the data sources and detection suggestions documented for each technique. These tell you what telemetry you need to collect and what patterns to look for.
Consider T1053.005 (Scheduled Task/Job: Scheduled Task). The ATT&CK entry documents that detection requires:
- Command execution — Monitoring for schtasks.exe and at.exe executions with creation parameters
- Scheduled task creation events — Windows Event Log 4698 (A scheduled task was created)
- File creation — New .job files in C:\Windows\System32\Tasks
- Process creation — Child processes spawned by the Task Scheduler service
From these data source requirements, a detection engineer can assess: Do we collect Sysmon logs with process creation events? Do we forward Windows Security Event Log 4698? Do we have file creation monitoring on the Tasks directory? Each gap represents either a data onboarding task or an accepted risk.
The detection approach for any technique typically follows a pattern: identify the data sources, understand the normal behavior baseline, define the malicious variants, write rules targeting the delta, and tune for the environment. ATT&CK's documentation accelerates the first two steps significantly — you do not have to research from scratch what telemetry is needed or how the technique manifests in logs.
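The pattern above (identify data sources, baseline, define the malicious variant, target the delta, tune) applied to T1053.005, as an added example that is not part of the original page or of any vendor's rule set. The events, task namespaces, and baseline prefixes are constructed; field names loosely follow Sysmon Event ID 1 and Security Event ID 4698 but are not copied from any product schema, and the data-source labels use ATT&CK's data-component naming.

```python
"""Toy T1053.005 (Scheduled Task) detection over constructed Windows telemetry.

Every event below is constructed for this example. Field names loosely
follow Sysmon Event ID 1 (process creation) and Security Event ID 4698
(scheduled task created); they are not copied from any product schema.
"""
import re
from dataclasses import dataclass

TECHNIQUE = "T1053.005"

# Environment baseline (assumed): task namespaces legitimately created by the
# OS and by endpoint-management tooling. Task creations here are tuned out.
BASELINE_TASK_PREFIXES = ("\\Microsoft\\", "\\CorpMgmt\\")

# Constructed Sysmon-style process-creation events
PROCESS_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\u.exe" /sc minute /mo 5',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\at.exe",
     "CommandLine": r"at.exe 23:00 cmd /c whoami",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\svc"},
]

# Constructed Security-log style 4698 events
TASK_CREATED_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM"},
    {"EventID": 4698, "TaskName": r"\Updater", "SubjectUserName": "jdoe"},
]


@dataclass
class Alert:
    technique: str
    data_component: str
    reason: str
    event: dict


# schtasks(.exe) followed by a /create switch anywhere on the command line
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(\.exe)?\b.*\s/create\b")
# legacy at(.exe) scheduling a job at an HH:MM time
AT_SCHEDULE = re.compile(r"(?i)\bat(\.exe)?\s+\d{1,2}:\d{2}")


def detect_process_events(events):
    """Process Creation data: flag command lines that create a task (query/delete are benign here)."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if SCHTASKS_CREATE.search(cmd):
            alerts.append(Alert(TECHNIQUE, "Process: Process Creation",
                                "schtasks.exe invoked with /create", ev))
        elif AT_SCHEDULE.search(cmd):
            alerts.append(Alert(TECHNIQUE, "Process: Process Creation",
                                "legacy at.exe used to schedule a job", ev))
    return alerts


def detect_task_created(events):
    """Scheduled Job Creation data: flag 4698 events whose task lives outside the baseline namespaces."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        if ev.get("TaskName", "").startswith(BASELINE_TASK_PREFIXES):
            continue  # tuned out: matches the environment baseline
        alerts.append(Alert(TECHNIQUE, "Scheduled Job: Scheduled Job Creation",
                            "task created outside baseline namespaces", ev))
    return alerts


def run_detections():
    """Run both rules over the constructed sample; a real pipeline would correlate them on task name."""
    return detect_process_events(PROCESS_EVENTS) + detect_task_created(TASK_CREATED_EVENTS)


if __name__ == "__main__":
    for a in run_detections():
        print(f"[{a.technique}] {a.data_component}: {a.reason}")
```

The two rules answer two of the coverage questions in the previous paragraph: the first needs process-creation telemetry with full command lines, the second needs 4698 forwarded from the Security log. The baseline tuple is where environment tuning lives; widening it silently lowers coverage, so changes to it belong under the same review as the rule logic.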
Coverage Mapping and Gap Analysis
One of ATT&CK's most powerful applications is measuring detection coverage — answering the question: "What percentage of adversary behaviors can we actually detect?"
Coverage mapping involves three steps:
Step 1: Map existing detections. For every detection rule in your SIEM, identify which ATT&CK technique(s) it covers. This produces a mapping from your detection library to the ATT&CK matrix. Many organizations are surprised to find that their hundreds of SIEM rules cover only a fraction of the matrix, often concentrated in a few tactics (Initial Access, Execution) while others (Discovery, Lateral Movement) are nearly empty.
Step 2: Identify priority gaps. Not all gaps are equal. Use threat intelligence to determine which techniques are most relevant to your organization. If the threat actors targeting your sector primarily use techniques T1053 (Scheduled Tasks), T1059 (Command Scripting), and T1021 (Remote Services) for lateral movement, those gaps are higher priority than techniques used by actors targeting unrelated sectors.
Step 3: Build a roadmap. Prioritize new detections based on the gap analysis. Sequence them considering data availability (some techniques require data sources you may not collect yet), development effort (some detections are straightforward, others require complex correlation), and risk reduction (some techniques appear in many attack chains, giving them outsized defensive value).
Coverage is a spectrum, not a binary. For any technique, you might have zero coverage, partial coverage (detecting some variants but not all), full coverage (detecting all known variants with tested rules), or validated coverage (proven through attack simulation). Tracking this maturity level per technique gives you a much more accurate picture than a simple "covered/not covered" heatmap.
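The three steps and the maturity spectrum above, worked through in code as an added example (not from the original page and not Threadlinqs' implementation). The rule names, the rule-to-technique mapping, the actor profile, and the available-telemetry set are all constructed; the technique IDs are real ATT&CK IDs, but which actor uses which technique is not taken from any ATT&CK group page.

```python
"""Coverage mapping, gap prioritisation and roadmap ordering over a constructed detection library."""
from collections import defaultdict
from enum import IntEnum


class Maturity(IntEnum):
    NONE = 0        # no rule maps to the technique
    PARTIAL = 1     # some variants detected
    FULL = 2        # all known variants, tested rules
    VALIDATED = 3   # proven through attack simulation


# Step 1 input: each SIEM rule mapped to the technique(s) it covers, with the
# maturity the team assessed for it (constructed).
DETECTION_LIBRARY = {
    "ps_encoded_command": {"techniques": ["T1059.001"], "maturity": Maturity.VALIDATED},
    "schtasks_create":    {"techniques": ["T1053.005"], "maturity": Maturity.PARTIAL},
    "smb_admin_share":    {"techniques": ["T1021.002"], "maturity": Maturity.FULL},
    "macro_doc_spawn":    {"techniques": ["T1566.001", "T1204.002"], "maturity": Maturity.FULL},
}

# Technique -> tactic(s): a small constructed slice of the matrix using real IDs.
TECHNIQUE_TACTICS = {
    "T1566.001": ["initial-access"],
    "T1204.002": ["execution"],
    "T1059.001": ["execution"],
    "T1053.005": ["execution", "persistence", "privilege-escalation"],
    "T1021.002": ["lateral-movement"],
    "T1021.001": ["lateral-movement"],
    "T1087.002": ["discovery"],
    "T1003.001": ["credential-access"],
}

# Step 2 input: techniques used by an actor relevant to our sector (constructed).
ACTOR_PROFILE = {"T1566.001", "T1059.001", "T1053.005", "T1021.001", "T1087.002", "T1003.001"}

# Step 3 inputs (constructed): the data component each gap needs, and what we already collect.
REQUIRED_DATA = {
    "T1021.001": "Logon Session: Logon Session Creation",
    "T1087.002": "Process: Process Creation",
    "T1003.001": "Process: OS API Execution",
    "T1053.005": "Scheduled Job: Scheduled Job Creation",
}
AVAILABLE_DATA = {"Process: Process Creation", "Scheduled Job: Scheduled Job Creation"}


def coverage_by_technique(library):
    """Step 1: best maturity per technique across every rule that maps to it."""
    cov = defaultdict(lambda: Maturity.NONE)
    for rule in library.values():
        for tech in rule["techniques"]:
            cov[tech] = max(cov[tech], rule["maturity"])
    return dict(cov)


def coverage_by_tactic(library, technique_tactics):
    """Fraction of known techniques per tactic with at least PARTIAL coverage (the heatmap summary)."""
    cov = coverage_by_technique(library)
    totals, covered = defaultdict(int), defaultdict(int)
    for tech, tactics in technique_tactics.items():
        for tactic in tactics:
            totals[tactic] += 1
            if cov.get(tech, Maturity.NONE) >= Maturity.PARTIAL:
                covered[tactic] += 1
    return {tactic: covered[tactic] / totals[tactic] for tactic in totals}


def priority_gaps(library, actor_techniques):
    """Step 2: actor techniques below FULL coverage, weakest first."""
    cov = coverage_by_technique(library)
    gaps = [(tech, cov.get(tech, Maturity.NONE)) for tech in actor_techniques
            if cov.get(tech, Maturity.NONE) < Maturity.FULL]
    return sorted(gaps, key=lambda g: (g[1], g[0]))


def roadmap(library, actor_techniques, technique_tactics):
    """Step 3: gaps buildable with current telemetry first, then lowest maturity,
    then techniques serving the most tactics (a proxy for appearing in many chains)."""
    rows = []
    for tech, maturity in priority_gaps(library, actor_techniques):
        have_data = REQUIRED_DATA.get(tech) in AVAILABLE_DATA
        reach = len(technique_tactics.get(tech, []))
        rows.append((tech, maturity, have_data, reach))
    return sorted(rows, key=lambda r: (not r[2], r[1], -r[3], r[0]))


if __name__ == "__main__":
    for tactic, frac in sorted(coverage_by_tactic(DETECTION_LIBRARY, TECHNIQUE_TACTICS).items()):
        print(f"{tactic:22s} {frac:.0%}")
    for tech, maturity, have_data, reach in roadmap(DETECTION_LIBRARY, ACTOR_PROFILE, TECHNIQUE_TACTICS):
        print(f"{tech}  {maturity.name:9s} data={'yes' if have_data else 'NO'} tactics={reach}")
```

Note that the tactic summary can look healthy (four tactics at 100%) while the actor-driven gap list still contains four techniques, which is why step 2 uses threat intelligence rather than the raw heatmap. The roadmap pushes T1003.001 and T1021.001 to the end not because they matter less but because each first needs a data onboarding task.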
ATT&CK Navigator
ATT&CK Navigator is an open-source web application that enables creation, visualization, and annotation of custom ATT&CK matrix views. It is the primary tool for creating coverage heatmaps, comparing threat group profiles, and communicating defensive posture to stakeholders.
Common Navigator use cases include:
- Detection coverage heatmaps — Color-code techniques by detection maturity (red = no detection, yellow = partial, green = validated). This becomes your security team's scorecard and roadmap.
- Threat group overlays — Layer the techniques used by relevant threat groups onto your coverage map to identify the specific gaps that matter most. If APT29 uses 40 techniques and you detect 28, you know exactly which 12 to prioritize.
- Red team scope — Use Navigator to define the techniques a red team engagement should cover, then compare results against blue team detection performance.
- Vendor assessment — Compare the ATT&CK coverage claims of security products during procurement. Multiple layers in Navigator let you visualize what each tool contributes to your overall coverage.
Navigator layers can be exported as JSON, shared between teams, and version-controlled in Git. This enables tracking coverage changes over time — quarter over quarter, you can measure whether your detection program is actually closing gaps or just adding rules without improving coverage.
How Threadlinqs Maps 465 Techniques
Threadlinqs Intelligence maps every tracked threat to its corresponding MITRE ATT&CK techniques, currently covering 465 unique techniques across the Enterprise matrix. Each threat entry shows which techniques the threat actor uses, with detection rules written specifically for those techniques in SPL, KQL, and Sigma.
The platform's MITRE coverage view lets you explore technique coverage across the full matrix, filter by tactic, and drill into individual techniques to see which threats use them and which detections cover them. This enables the coverage mapping workflow described above without building the infrastructure from scratch — the threat-to-technique-to-detection mapping is maintained as part of the platform's intelligence pipeline.
Frequently Asked Questions
What does MITRE ATT&CK stand for?
Adversarial Tactics, Techniques, and Common Knowledge. MITRE is the nonprofit organization that maintains the framework. It was created in 2013 and publicly released in 2015, evolving from an internal project to the industry's standard taxonomy for adversary behavior.
How many tactics and techniques are in MITRE ATT&CK?
The Enterprise matrix contains 14 tactics and over 200 techniques, with hundreds of sub-techniques. The count changes with each update — MITRE releases major updates approximately twice per year, adding newly observed techniques and refining existing entries based on community feedback.
What is the difference between a tactic and a technique?
A tactic is the adversary's goal (the "why") — for example, gaining initial access or escalating privileges. A technique is the specific method used to achieve that goal (the "how") — for example, using a spear-phishing attachment for initial access or exploiting a vulnerability for privilege escalation. Tactics contain techniques, and techniques can serve multiple tactics.
How do I use MITRE ATT&CK for detection coverage mapping?
Map each detection rule to the ATT&CK technique(s) it covers, use ATT&CK Navigator to visualize coverage as a heatmap, identify gaps, then prioritize new detections based on the techniques most relevant to your threat landscape. Track coverage maturity over time to measure your detection program's progress.
What is the difference between MITRE ATT&CK and the Cyber Kill Chain?
The Cyber Kill Chain (Lockheed Martin, 2011) is a linear 7-stage intrusion model. MITRE ATT&CK (2015) is a comprehensive behavioral matrix with 14 tactics, 200+ techniques, and sub-techniques. ATT&CK provides far greater granularity and is the current industry standard. They are complementary: the Kill Chain describes the high-level flow, ATT&CK provides the detailed behavioral taxonomy within each stage.