
What is MITRE ATT&CK?

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It serves as the common language for describing how threat actors operate across every stage of an intrusion.

A Living Knowledge Base of Adversary Behavior

Created and maintained by the MITRE Corporation, ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) documents how real-world threat actors gain access to systems, move laterally, escalate privileges, evade defenses, and achieve their objectives. Begun in 2013 as an internal MITRE research project and released publicly in 2015, it has grown into the de facto industry-standard framework used by SOC analysts, red teams, threat intelligence teams, and security vendors worldwide.

ATT&CK is organized into three primary matrices covering distinct technology domains:

Enterprise covers Windows, macOS, Linux, cloud (AWS, Azure, GCP), network infrastructure, containers, and SaaS platforms. This is the most widely referenced matrix with 14 tactics and hundreds of techniques.

Mobile covers Android and iOS adversary behaviors including app-based attacks, network-based manipulation, and device exploitation.

ICS (Industrial Control Systems) covers adversary behaviors targeting operational technology environments such as SCADA systems, PLCs, and engineering workstations.

The 14 Enterprise Tactics

Tactics represent the adversary's objective, the reason behind each action in an intrusion. They are ordered roughly by the typical progression of an attack, from initial reconnaissance through final impact, although real intrusions loop back and skip stages. A single technique can appear under more than one tactic: scheduled tasks, for example, serve Execution, Persistence, and Privilege Escalation.

01 Reconnaissance: Gathering information to plan future operations. Includes scanning infrastructure, harvesting credentials from breaches, and identifying employees through OSINT.
02 Resource Development: Establishing infrastructure and capabilities for the operation. Registering domains, compromising accounts, developing malware, and acquiring tools.
03 Initial Access: Gaining the first foothold in a target network. Common vectors include phishing, exploiting public-facing applications, and trusted relationship abuse.
04 Execution: Running adversary-controlled code on target systems. PowerShell, command-line interpreters, scheduled tasks, and exploitation for client execution.
05 Persistence: Maintaining access across restarts and credential changes. Registry run keys, scheduled tasks, bootkit installation, and account manipulation.
06 Privilege Escalation: Gaining higher-level permissions. Exploiting misconfigurations, process injection, access token manipulation, and exploiting vulnerabilities for elevated execution.
07 Defense Evasion: Avoiding detection by security tools and analysts. Obfuscation, indicator removal, disabling security software, masquerading, and rootkits.
08 Credential Access: Stealing credentials for lateral movement and privilege escalation. Credential dumping, brute force, keylogging, and adversary-in-the-middle attacks (ATT&CK's name for the T1557 technique).
09 Discovery: Mapping the environment after gaining access. Enumerating accounts, network shares, system information, domain trusts, and security software.
10 Lateral Movement: Moving through the network to reach additional systems. Remote services, pass-the-hash, pass-the-ticket, and exploitation of remote services.
11 Collection: Gathering data of interest before exfiltration. Archiving data, clipboard capture, email collection, and input capture from user activity.
12 Command and Control: Communicating with compromised systems to maintain control. Encrypted channels, protocol tunneling, web services, and domain generation algorithms.
13 Exfiltration: Stealing data from the target environment. Exfiltration over C2 channels, alternative protocols, web services, and physical media.
14 Impact: Disrupting, destroying, or manipulating systems and data. Data encryption for ransom, disk wiping, defacement, and denial of service.

Techniques vs Sub-techniques

Each tactic contains multiple techniques — specific methods adversaries use to achieve that tactical goal. Techniques are assigned T-codes (e.g., T1059). Sub-techniques add a decimal suffix to represent more granular variations of a parent technique.

This hierarchy allows analysts to track adversary behavior at the right level of specificity. A SOC alert might reference T1059.001 (PowerShell) while a strategic report discusses T1059 (Command and Scripting Interpreter) broadly.

    // Example: Technique hierarchy
    T1059      Command and Scripting Interpreter   // parent technique
    T1059.001  PowerShell                          // sub-technique
    T1059.002  AppleScript                         // sub-technique
    T1059.003  Windows Command Shell               // sub-technique
    T1059.004  Unix Shell                          // sub-technique
    T1059.005  Visual Basic                        // sub-technique
    T1059.006  Python                              // sub-technique
    T1059.007  JavaScript                          // sub-technique
    T1059.008  Network Device CLI                  // sub-technique
    T1059.009  Cloud API                           // sub-technique
    // Each sub-technique inherits its parent's tactic: Execution (TA0002)
    // Data sources, mitigations, and detections are documented per sub-technique
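The hierarchy above is something detection pipelines have to handle mechanically: alerts arrive tagged at sub-technique level, reports want parent-level counts, and every tag has to be validated before it is trusted. The following is an added example, not code from the original page or from MITRE's own tooling. It validates technique IDs against the published ID format, derives a sub-technique's parent, looks up the tactics a sub-technique inherits from that parent, and rolls a constructed stream of alert tags up to parent techniques while keeping the per-sub-technique breakdown. The parent-to-tactic lookup and the alert list are constructed for the example; a real deployment would load the lookup from the ATT&CK STIX data rather than hard-code it.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs: "T" + four digits, optionally ".NNN" for a sub-technique.
TECHNIQUE_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")

# Constructed lookup for this example: parent technique -> tactic IDs.
# A technique may sit under several tactics; load this from the ATT&CK STIX
# data in a real deployment instead of hard-coding it.
PARENT_TACTICS = {
    "T1059": frozenset({"TA0002"}),            # Execution
    "T1003": frozenset({"TA0006"}),            # Credential Access
    "T1055": frozenset({"TA0004", "TA0005"}),  # Privilege Escalation, Defense Evasion
}

# Constructed sample of technique tags as a SOC might emit them on alerts:
# mixed case, a bare parent, one invalid string and one malformed sub-ID.
OBSERVED_ALERT_TAGS = [
    "T1059.001", "T1059.001", "T1059.003", "T1003.001",
    "t1055.012", "T1059", "bogus", "T1059.0001",
]


def parse_technique_id(raw):
    """Return (parent_id, sub_id_or_None); raise ValueError for non-ATT&CK strings."""
    match = TECHNIQUE_ID.match(raw.strip().upper())
    if not match:
        raise ValueError(f"not an ATT&CK technique ID: {raw!r}")
    parent, suffix = match.group(1), match.group(2)
    return parent, (f"{parent}.{suffix}" if suffix else None)


def is_valid_technique_id(raw):
    try:
        parse_technique_id(raw)
        return True
    except ValueError:
        return False


def tactics_for(raw):
    """Tactics of a technique; a sub-technique inherits them from its parent."""
    parent, _ = parse_technique_id(raw)
    return PARENT_TACTICS.get(parent, frozenset())


def roll_up(observed):
    """Aggregate alert tags to parent techniques while keeping sub-technique counts.

    Returns ({parent: {"total": n, "by_sub": {id: n}}}, [rejected_inputs]).
    Invalid tags are reported rather than silently dropped.
    """
    summary = defaultdict(lambda: {"total": 0, "by_sub": defaultdict(int)})
    rejected = []
    for raw in observed:
        try:
            parent, sub = parse_technique_id(raw)
        except ValueError:
            rejected.append(raw)
            continue
        entry = summary[parent]
        entry["total"] += 1
        entry["by_sub"][sub or parent] += 1
    return (
        {p: {"total": e["total"], "by_sub": dict(e["by_sub"])} for p, e in summary.items()},
        rejected,
    )


if __name__ == "__main__":
    totals, bad = roll_up(OBSERVED_ALERT_TAGS)
    for parent, entry in totals.items():
        print(parent, sorted(tactics_for(parent)), entry)
    print("rejected:", bad)
```

Rejected inputs are returned instead of discarded because a malformed tag in a detection rule is itself a finding: that rule is invisible to any coverage report keyed on technique IDs.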

How Security Teams Use ATT&CK

ATT&CK is not just a reference document. It is an operational framework that security teams embed into their daily workflows, tooling, and reporting.

Threat Modeling

Map known adversaries to the techniques they use. If APT29 targets your industry, its documented techniques give you an evidence-based list of what to prioritize in your defenses. Group pages reflect publicly reported activity only, so treat them as a minimum to cover rather than a complete profile of the actor.

Detection Gap Analysis

Overlay your existing detection rules against the ATT&CK matrix to identify blind spots. Techniques with no corresponding detection rules are gaps an adversary can exploit undetected. Be precise about what a mapping means: a single rule tagged with a technique usually detects a few of its procedures, not the technique as a whole, so count tested and tuned rules rather than tags alone.

Red Team Planning

Structure adversary simulations around specific ATT&CK techniques. Validate whether your blue team can detect T1055 (Process Injection) or T1003 (OS Credential Dumping) in practice.

Incident Response Classification

Tag observed adversary behaviors during an incident with ATT&CK technique IDs. This creates a structured timeline that can be shared with peers, vendors, and ISACs using a common vocabulary.

How Threadlinqs Maps to ATT&CK

Every threat on the Threadlinqs platform is mapped to specific MITRE ATT&CK techniques. This mapping powers detection engineering, coverage analysis, and actor profiling across the entire intelligence feed.

503 Techniques Tracked

Every technique observed in our threat intelligence feed is catalogued and linked to the threats, detections, and IOCs where it appears.

Coverage Map
Visual Drill-Down

An interactive heatmap organized by tactic, showing which techniques have detections and which remain uncovered. Click any cell to see associated threats.

Detection Debt
Per-Technique Scoring

Each technique receives a debt score based on threat frequency, severity, and whether corresponding SPL, KQL, or Sigma rules exist in the library.

Actor TTP Profiles
Adversary Mapping

Threat actor pages show the full set of ATT&CK techniques each group has been observed using, with links to the underlying threat reports.


Frequently Asked Questions

How many techniques are in MITRE ATT&CK?

As of 2026, the MITRE ATT&CK Enterprise matrix contains over 200 parent techniques and well over 400 sub-techniques, close to 700 entries counting both. The exact count changes with each version release as MITRE adds newly observed adversary behaviors and refines existing entries. The Mobile and ICS matrices add further techniques specific to those domains.

What's the difference between tactics and techniques?

Tactics represent the adversary's goal or objective, the "why" behind an action, and carry TA-codes (e.g., TA0002 Execution). There are 14 enterprise tactics such as Initial Access, Execution, and Persistence. Techniques describe "how" the adversary achieves that goal and carry T-codes. For example, under the Execution tactic, T1059 Command and Scripting Interpreter is a technique. Sub-techniques provide even more specificity, like T1059.001 PowerShell.

How do I measure my ATT&CK coverage?

Start by mapping your existing detection rules to ATT&CK technique IDs. Tools like the ATT&CK Navigator let you visualize which techniques you cover and where gaps exist by importing a layer file that assigns a score to each technique. Threadlinqs provides a detection debt score per technique, showing which techniques in your threat landscape lack corresponding detections. Prioritize coverage based on the techniques most commonly used by threat actors targeting your industry.
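The detection gap analysis described earlier and the coverage measurement in this answer are the same computation: take the techniques that matter for your threat landscape, intersect them with the techniques your rules claim, and render the difference. The following is an added example, not code from the original page, from Threadlinqs, or from the Sigma or Navigator projects. It reads technique IDs out of Sigma-style rule tags, gives a rule on a parent technique optional credit for that technique's sub-techniques, assigns a hypothetical debt number (frequency times severity for uncovered techniques; this is an illustrative formula, not Threadlinqs's scoring), and emits an ATT&CK Navigator layer so the result can be viewed as a heatmap. The rule tags and the threat-landscape counts are constructed for the example, and the Navigator version strings in the layer are assumed.

```python
import json
import re

# Constructed sample of Sigma rule tags (rule name -> tags). Sigma writes
# technique tags as "attack.t<id>" and tactic tags as "attack.<tactic_name>".
SIGMA_RULE_TAGS = {
    "win_susp_powershell_encoded": ["attack.execution", "attack.t1059.001"],
    "win_susp_script_interpreter": ["attack.execution", "attack.t1059"],
    "win_lsass_memory_access": ["attack.credential_access", "attack.t1003.001"],
    "win_process_hollowing": ["attack.defense_evasion", "attack.privilege_escalation", "attack.t1055.012"],
    "net_dns_c2_beacon": ["attack.command_and_control", "attack.t1071.004"],
}

# Constructed threat-landscape sample: technique -> (observations, severity 1-5).
LANDSCAPE = {
    "T1059.001": (40, 4),   # PowerShell
    "T1059.003": (12, 3),   # Windows Command Shell (only the parent rule applies)
    "T1003.001": (25, 5),   # LSASS Memory
    "T1055.012": (10, 4),   # Process Hollowing
    "T1071.004": (5, 3),    # DNS
    "T1566.001": (60, 4),   # Spearphishing Attachment: no rule
    "T1486":     (15, 5),   # Data Encrypted for Impact: no rule
}

TECHNIQUE_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)")


def technique_ids(tags):
    """Technique IDs referenced by a rule's tags; tactic-only tags are ignored."""
    ids = set()
    for tag in tags:
        match = TECHNIQUE_TAG.fullmatch(tag.lower())
        if match:
            ids.add(match.group(1).upper())
    return ids


def coverage_index(rules):
    """technique ID -> names of rules tagged with it."""
    index = {}
    for name, tags in rules.items():
        for tid in technique_ids(tags):
            index.setdefault(tid, []).append(name)
    return index


def gap_report(landscape, rules, parent_credit=True):
    """Per-technique coverage; with parent_credit a rule on the parent counts for its sub-techniques.

    "debt" is a hypothetical frequency * severity for uncovered techniques,
    chosen for illustration; it is not Threadlinqs's scoring formula.
    """
    index = coverage_index(rules)
    report = {}
    for tid, (freq, sev) in landscape.items():
        matching = list(index.get(tid, []))
        parent = tid.split(".")[0]
        if parent_credit and parent != tid:
            matching += index.get(parent, [])
        report[tid] = {
            "frequency": freq,
            "severity": sev,
            "rules": matching,
            "debt": 0 if matching else freq * sev,
        }
    return report


def navigator_layer(report, name="detection-gaps"):
    """ATT&CK Navigator layer dict; the per-technique score drives the heatmap colour.

    The version strings are assumed; set them to match your Navigator instance.
    """
    max_debt = max((r["debt"] for r in report.values()), default=0)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Uncovered techniques weighted by a hypothetical debt score",
        "techniques": [
            {
                "techniqueID": tid,
                "score": r["debt"],
                "comment": ", ".join(r["rules"]) or "no detection rule",
            }
            for tid, r in sorted(report.items())
        ],
        "gradient": {"colors": ["#8ec843ff", "#ff6666ff"], "minValue": 0, "maxValue": max_debt or 1},
    }


if __name__ == "__main__":
    report = gap_report(LANDSCAPE, SIGMA_RULE_TAGS)
    for tid, r in sorted(report.items(), key=lambda kv: -kv[1]["debt"]):
        print(f"{tid:10} debt={r['debt']:4} rules={r['rules'] or '-'}")
    print(json.dumps(navigator_layer(report), indent=2))
```

Whether a parent-level rule should count for its sub-techniques is a judgement call, which is why it is a flag: a generic "script interpreter spawned" rule may or may not fire on the specific shell a given actor uses, so running the report both ways shows how much of your coverage rests on that assumption.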

503 MITRE ATT&CK techniques tracked across 344 threats with detection debt scoring.
