If you work in cybersecurity, you have almost certainly encountered references to MITRE ATT&CK. It appears in vendor dashboards, threat intelligence reports, incident response playbooks, and compliance frameworks. Yet many security practitioners interact with ATT&CK only superficially, treating it as a taxonomy they recognize but rarely use to drive decisions. That is a missed opportunity. The framework is one of the most powerful tools available to security teams for understanding how adversaries actually operate, and more importantly, for identifying where your defenses have gaps.

This guide breaks down what ATT&CK is, how the matrix is structured, and how to apply it practically in detection engineering, threat intelligence, gap analysis, and incident response.

What is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary behavior based on real-world observations. It catalogs the tactics, techniques, and procedures (TTPs) that threat actors use across the attack lifecycle, from initial reconnaissance through data exfiltration and system destruction.

The project originated in 2013 as an internal research effort at the MITRE Corporation, a not-for-profit organization that operates federally funded research and development centers. The original goal was to document adversary behavior observed against enterprise Windows environments as part of a project called FMX (Fort Meade Experiment). MITRE made the framework publicly available in 2015, and it has since grown into the de facto standard for describing and categorizing adversary behavior.

ATT&CK is maintained by MITRE with contributions from the global cybersecurity community, including government agencies, private sector security teams, and academic researchers. It is updated regularly as new techniques are observed in the wild. The framework currently covers Enterprise (Windows, macOS, Linux, cloud, network, containers), Mobile (Android, iOS), and ICS (industrial control systems) environments.

What makes ATT&CK different from earlier frameworks like the Lockheed Martin Cyber Kill Chain is its granularity. The Kill Chain describes attack phases at a high level. ATT&CK goes deeper, documenting the specific methods adversaries use within each phase, along with real-world examples, detection guidance, and references to the threat groups known to use each technique.

Understanding the Matrix

Figure: MITRE ATT&CK Enterprise Matrix showing all 14 tactics as columns with example techniques, grouped into pre-attack, initial compromise, post-compromise, and objectives phases.

The ATT&CK framework is organized as a matrix, and understanding its structure is essential to using it effectively.

Tactics form the columns of the matrix. Each tactic represents the adversary’s objective at a given stage of an operation. Think of tactics as the “why” behind an action. For example, the adversary needs to establish persistence, so the tactic is Persistence. They need to move across systems, so the tactic is Lateral Movement.

Techniques fill the cells within each tactic column. These represent the “how.” Under the Persistence tactic, for instance, you will find techniques like Boot or Logon Autostart Execution, Scheduled Task/Job, and Create Account. Each technique describes a distinct method for achieving the tactical objective.

Sub-techniques provide additional granularity beneath certain techniques. Boot or Logon Autostart Execution, for example, has sub-techniques for Registry Run Keys, Authentication Packages, Kernel Modules, and others. Sub-techniques were introduced in 2020 to manage the growing number of variations without flattening the hierarchy.

Procedures are the specific implementations of techniques by particular threat actors or malware families. This is where ATT&CK connects abstract methods to observed reality. A procedure might document that APT29 uses scheduled tasks with a specific command syntax to maintain persistence on compromised systems. Procedures are found within the individual technique pages and in the threat group profiles.

The Enterprise matrix currently contains 14 tactics and over 200 techniques, with hundreds of sub-techniques beneath them. It is not a linear progression. Adversaries move through tactics in whatever order serves their objectives, often revisiting tactics multiple times during a single operation.

The 14 Tactics

Figure: ATT&CK attack lifecycle showing four phases from reconnaissance through impact, with Cisco detection products mapped to each phase of the kill chain.

The 14 tactics in the Enterprise ATT&CK matrix can be grouped into logical phases to help understand the overall attack progression.

Pre-Attack

Reconnaissance covers how adversaries gather information about target organizations before launching an attack. This includes active scanning, searching open databases, and gathering victim identity and infrastructure information. Much of this activity happens outside your network perimeter and is difficult to detect directly.

Resource Development describes how adversaries build the infrastructure and capabilities they need for operations. This includes acquiring domains, establishing accounts on third-party services, developing custom malware, and obtaining valid credentials through purchase or theft.

Initial Compromise

Initial Access covers the techniques adversaries use to gain their first foothold in a target environment. Phishing, exploiting public-facing applications, and abusing valid accounts are among the most common. This is where firewall rules, email security gateways, and authentication controls serve as primary defenses.

Execution describes how adversaries run malicious code on target systems. This ranges from command-line interpreters and scripting engines to exploitation of client applications. Understanding execution techniques is critical for configuring EDR solutions and application control policies.

Persistence covers methods for maintaining access across system restarts, credential changes, and other interruptions. Adversaries who achieve initial access will almost always attempt to establish persistence early in their operation.

Post-Compromise

Privilege Escalation involves gaining higher-level permissions on a system or within a network. Techniques include exploiting software vulnerabilities, manipulating access tokens, and abusing elevated execution mechanisms. Many privilege escalation techniques overlap with persistence techniques, as both often involve modifying system configurations.

Defense Evasion is the largest tactic category, reflecting how much effort adversaries invest in avoiding detection. Techniques include disabling security tools, obfuscating files, clearing logs, and masquerading as legitimate processes. This is where the arms race between attackers and defenders is most active.

Credential Access describes techniques for stealing credentials, including dumping password hashes, intercepting authentication traffic, and extracting credentials from password stores. Implementing zero trust principles significantly reduces the impact of credential theft by requiring continuous verification rather than trusting a single authentication event.

Discovery covers how adversaries explore the environment after gaining access. They enumerate accounts, identify network topology, find shared drives, and locate sensitive data stores. Discovery activity often generates detectable signals when adversaries query Active Directory, scan internal networks, or enumerate cloud resources.

Lateral Movement describes how adversaries move from one system to another within the environment. Common techniques include using remote services, exploiting internal application vulnerabilities, and abusing administrative tools. Network segmentation and micro-segmentation are key controls for limiting lateral movement.

Collection covers how adversaries identify and gather the data they intend to steal. This includes staging data in central locations, capturing screen content, recording keystrokes, and accessing data from local systems, network shares, and cloud storage.

Action on Objectives

Command and Control (C2) describes how adversaries communicate with compromised systems. Techniques include using encrypted channels, web protocols, DNS tunneling, and legitimate cloud services to blend C2 traffic with normal network activity. Although the matrix places this tactic after Collection, a C2 channel is usually established as soon as the first payload executes and stays in use for the rest of the operation. SIEM platforms and network detection tools play a central role in identifying anomalous C2 patterns at any stage of an intrusion.

Exfiltration covers how adversaries transfer stolen data out of the target environment. This includes exfiltration over C2 channels, alternative protocols, web services, and even physical media. Data loss prevention controls and network monitoring are primary defenses.

Impact describes techniques used to disrupt operations, destroy data, or otherwise compromise the integrity or availability of systems. This includes data encryption for ransomware, data destruction, service disruption, and resource hijacking for cryptomining.

How to Use ATT&CK in Practice

The framework’s real value emerges when security teams move beyond treating it as a reference and start using it operationally. Here are four high-impact use cases.

Threat Intelligence Mapping

ATT&CK provides a common language for describing adversary behavior. When threat intelligence reports describe a campaign, mapping the observed activity to ATT&CK techniques creates a structured, comparable picture of the threat. You can overlay multiple threat actors on the same matrix to see where their TTPs converge and where they diverge. This helps prioritize defenses against the techniques most likely to target your environment based on the threat actors active in your industry.

Detection Engineering

Each ATT&CK technique page includes detection guidance describing what data sources and observable events are relevant. Security engineers can use this guidance to build and validate detection rules mapped to specific techniques. Rather than writing detections based on known indicators of compromise (which adversaries change frequently), ATT&CK encourages detection based on behaviors (which are harder for adversaries to change). This produces more durable, resilient detection coverage.
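The following Python is an added example, not code from the page or from Cisco. It holds four behaviour-keyed rules for Windows process-creation telemetry (Sysmon Event ID 1 style fields), each tagged with the technique it covers, and runs them over a constructed intrusion. All hashes are placeholders. The second run replays the same events with a recompiled payload hash: the hash-based indicator rule goes silent while the behavioural rules fire unchanged, which is the durability argument above in working form.

```python
"""Behaviour-keyed detections mapped to ATT&CK technique IDs.

Added example, not the page's or Cisco's code. Events are constructed Sysmon-style
process-creation records; all SHA-256 values are placeholders, not real sample hashes.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # path of the process that started
    command_line: str
    parent_image: str
    sha256: str         # hash of the image on disk


def _is(event, exe_name):
    return event.image.lower().endswith("\\" + exe_name)


# (technique ID, technique name, predicate). Each predicate keys on the action the technique
# requires (create a task, write a Run key, dump LSASS, clear a log) rather than on file
# names or hashes, which the adversary can change at no cost.
RULES = [
    ("T1053.005", "Scheduled Task",
     lambda e: _is(e, "schtasks.exe") and re.search(r"/create\b", e.command_line, re.I)),
    ("T1547.001", "Registry Run Keys / Startup Folder",
     lambda e: _is(e, "reg.exe") and re.search(r"\badd\b.*\\currentversion\\run", e.command_line, re.I)),
    ("T1003.001", "LSASS Memory",
     lambda e: _is(e, "rundll32.exe") and re.search(r"comsvcs\.dll.*minidump", e.command_line, re.I)),
    ("T1070.001", "Clear Windows Event Logs",
     lambda e: _is(e, "wevtutil.exe") and re.search(r"\bcl\s+\S+", e.command_line, re.I)),
]

# Placeholder entry from an indicator feed: the hash of the payload as first seen.
KNOWN_BAD_SHA256 = {"a1" * 32}


def behaviour_detect(events):
    """Return (technique ID, event index) for every event that satisfies a rule."""
    return [(tid, i) for i, e in enumerate(events) for tid, _, pred in RULES if pred(e)]


def ioc_detect(events):
    """Return indexes of events whose image hash is on the indicator list."""
    return [i for i, e in enumerate(events) if e.sha256 in KNOWN_BAD_SHA256]


def sample_events(payload_hash):
    """Constructed intrusion: payload runs, persists twice, dumps LSASS, clears the Security
    log, followed by two benign events that must not fire."""
    payload = r"C:\Users\bob\AppData\Local\Temp\u.exe"
    return [
        ProcessEvent(payload, "u.exe", r"C:\Windows\System32\cmd.exe", payload_hash),
        ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                     f'schtasks /create /tn Updater /tr "{payload}" /sc onlogon', payload, "b2" * 32),
        ProcessEvent(r"C:\Windows\System32\reg.exe",
                     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater "
                     f'/t REG_SZ /d "{payload}" /f', payload, "c3" * 32),
        ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                     r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Temp\l.dmp full",
                     payload, "d4" * 32),
        ProcessEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security", payload, "e5" * 32),
        ProcessEvent(r"C:\Windows\System32\schtasks.exe", 'schtasks /query /tn "OneDrive Update"',
                     r"C:\Windows\explorer.exe", "b2" * 32),
        ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                     r"C:\Windows\System32\services.exe", "f6" * 32),
    ]


if __name__ == "__main__":
    for label, events in (("first sample", sample_events("a1" * 32)),
                          ("recompiled payload", sample_events("99" * 32))):
        print(label, "IoC hits:", ioc_detect(events), "behaviour hits:", behaviour_detect(events))
```

Each rule is deliberately narrow; a real T1053.005 detection would also inspect the task's target path and the parent process, since administrators create tasks too. The point the example makes is about what the rule keys on, not its false-positive rate.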

Gap Analysis

By mapping your existing detection capabilities to the ATT&CK matrix, you can identify which techniques you can detect, which you detect partially, and which you have no visibility into at all. This gap analysis drives informed investment decisions. Instead of purchasing tools based on marketing claims, you can evaluate solutions based on which ATT&CK techniques they help you detect or prevent. This is one of the most immediately actionable uses of the framework for any security team.

Incident Response

During an active investigation, mapping observed adversary activity to ATT&CK techniques provides structure and completeness. When responders identify that an adversary used a specific lateral movement technique, they can consult ATT&CK to understand what other techniques that threat group commonly employs, predict likely next steps, and ensure they are searching for evidence of the full attack chain rather than just the initially detected activity.

ATT&CK and Cisco XDR

Cisco XDR integrates MITRE ATT&CK directly into its incident investigation workflow. When XDR correlates alerts from across your security stack into a unified incident, it automatically maps the detected activity to the corresponding ATT&CK tactics and techniques. This mapping provides SOC analysts with an immediate understanding of where the adversary is in the attack lifecycle and what they are trying to accomplish.

The XDR incident view uses progressive disclosure to present this information at the right level of detail. At a glance, analysts see which tactics are represented in an incident, giving them an immediate sense of scope and severity. Drilling into a specific tactic reveals the techniques detected, the underlying evidence, and the affected assets. This layered approach prevents information overload while ensuring the full ATT&CK context is available when analysts need it.

The practical benefit is a common language across the SOC. When an analyst escalates an incident, they can describe it in terms of specific ATT&CK techniques rather than raw alert names or vendor-specific terminology. This shared vocabulary accelerates handoffs, reduces miscommunication, and improves the quality of documentation in incident reports. It also makes it straightforward to connect incident findings back to the broader gap analysis and detection engineering processes described above.

ATT&CK Navigator

The ATT&CK Navigator is an open-source web application maintained by MITRE that provides an interactive, visual interface for working with the ATT&CK matrix. It is freely available on GitHub and can be run locally or accessed through MITRE’s hosted instance.

Navigator allows security teams to create layered visualizations of the ATT&CK matrix. Common uses include building heatmaps of your detection coverage (green for techniques you detect well, red for gaps), overlaying threat actor profiles to see which techniques are relevant to your threat landscape, and comparing coverage across different security tools or teams.

The tool supports scoring, color coding, and annotations on any cell in the matrix. Teams can export their layers as JSON for version control or sharing, and they can overlay multiple layers to identify intersections and gaps. For example, you might overlay your detection coverage layer with a layer showing the techniques used by the top three threat groups targeting your industry, instantly revealing your highest-priority gaps.
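The Python below is an added example, not the page's or Cisco's code, and it serves the gap analysis, threat intelligence mapping and Navigator passages together: it scores detection coverage per technique, counts how many relevant groups use each technique, ranks the under-covered techniques that the most groups share, and emits that view as a Navigator layer file. The coverage scores and the three groups are constructed illustrations; GROUP-A, GROUP-B and GROUP-C are hypothetical and not ATT&CK group profiles, and the version numbers in the layer are assumptions to match to your own Navigator instance.

```python
"""Prioritise ATT&CK coverage gaps against the threat landscape and emit a Navigator layer.

Added example, not the page's or Cisco's code. COVERAGE and GROUPS are constructed
illustrations: the scores describe no real organisation and the three hypothetical
groups are not ATT&CK group profiles (real ones come from the intrusion-set objects in
the STIX bundle or from selecting a group in Navigator).
"""
import json

# Detection coverage per technique, as scored in a coverage audit:
# 0 = no visibility, 1 = partial (some procedures), 2 = detected reliably.
COVERAGE = {
    "T1566.001": 2, "T1059.001": 2, "T1053.005": 1, "T1547.001": 1, "T1003.001": 0,
    "T1021.001": 2, "T1021.002": 0, "T1071.001": 1, "T1486": 0, "T1070.001": 2, "T1078": 1,
}

# Techniques attributed to the three hypothetical groups most relevant to this sector.
GROUPS = {
    "GROUP-A": {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1021.002", "T1071.001", "T1486"},
    "GROUP-B": {"T1078", "T1059.001", "T1547.001", "T1003.001", "T1021.001", "T1071.001", "T1567.002"},
    "GROUP-C": {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1021.002", "T1071.001", "T1070.001"},
}


def technique_pressure(groups):
    """Technique ID -> sorted list of groups using it: where the actors' TTPs converge."""
    pressure = {}
    for group, techniques in groups.items():
        for tid in techniques:
            pressure.setdefault(tid, []).append(group)
    return {tid: sorted(gs) for tid, gs in pressure.items()}


def prioritised_gaps(coverage, groups, min_groups=2):
    """(technique, groups using it, coverage score) for under-covered techniques used by at
    least min_groups groups, worst coverage and most groups first. A technique absent from
    the coverage map has never been mapped to any rule and counts as 0, not as unknown."""
    gaps = []
    for tid, users in technique_pressure(groups).items():
        score = coverage.get(tid, 0)
        if len(users) >= min_groups and score < 2:
            gaps.append((tid, users, score))
    return sorted(gaps, key=lambda g: (g[2], -len(g[1]), g[0]))


def navigator_layer(coverage, groups, name):
    """Navigator layer dict: score = coverage, comment = groups, so a red cell with a long
    comment is a priority gap. Version numbers are assumptions; match them to your instance."""
    pressure = technique_pressure(groups)
    techniques = []
    for tid in sorted(set(coverage) | set(pressure)):
        users = pressure.get(tid, [])
        techniques.append({
            "techniqueID": tid,
            "score": coverage.get(tid, 0),
            "comment": "used by: " + ", ".join(users) if users else "no group use in scope",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage (score) overlaid with group usage (comment)",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "legendItems": [{"label": "no visibility", "color": "#ff6666"},
                        {"label": "partial", "color": "#ffe766"},
                        {"label": "detected", "color": "#8ec843"}],
    }


def layer_json(layer):
    """Serialise for upload through Navigator's 'Open Existing Layer' dialog."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    for tid, users, score in prioritised_gaps(COVERAGE, GROUPS):
        print(f"{tid}: coverage {score}, used by {', '.join(users)}")
    print(layer_json(navigator_layer(COVERAGE, GROUPS, "coverage vs landscape")))
```

On this data the ranking puts LSASS dumping (T1003.001, used by all three groups, no visibility) and SMB/admin-share movement (T1021.002) ahead of the partially covered web-protocol C2 and scheduled-task techniques, which is the three-to-five-technique starting scope the Getting Started section recommends. Note that T1567.002 only appears when min_groups is lowered to 1: a technique no rule was ever mapped to shows as a zero, and the default threshold hides single-group techniques, so run both views before deciding what to ignore.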

Common Mistakes

Trying to cover everything at once. The ATT&CK matrix contains hundreds of techniques. Attempting to build detections for all of them simultaneously leads to shallow, low-quality coverage. Prioritization based on threat intelligence is essential.

Treating it as a compliance checklist. ATT&CK is not a set of requirements to check off. Having a detection rule mapped to a technique does not mean you can detect all implementations of that technique. The quality and depth of your detections matter more than the count of techniques covered.

Ignoring the procedures level. Techniques describe methods in the abstract. Procedures describe how specific adversaries actually implement those methods. The procedure level is where the most actionable detection and hunting guidance lives. A team that only reads technique descriptions without studying the associated procedures is missing critical context.

Getting Started

If your team is new to ATT&CK, the following approach provides the fastest path to practical value.

Start with threat intelligence relevant to your industry. Identify which threat groups are most active in your sector. ATT&CK maintains profiles for over 140 named threat groups with their associated techniques. Focus your initial efforts on the techniques used by the groups most likely to target you.

Leverage real-world data. Reports like the Verizon Data Breach Investigations Report (DBIR) and annual threat reports from CrowdStrike, Mandiant, and Cisco Talos identify the techniques most commonly observed in actual breaches. These reports help you focus on high-frequency techniques rather than exotic, rare ones.

Map your existing detections first. Before building new detections, audit what you already have. Many organizations discover they have more ATT&CK coverage than they realized, but it is undocumented and unmapped. This exercise also reveals quick wins where minor tuning of existing rules can close gaps.

Pick a manageable scope. Start with three to five high-priority techniques, build or validate detections for them, test those detections, and iterate. This produces better results than attempting broad coverage immediately.

Make it a continuous process. ATT&CK is updated regularly, threat landscapes shift, and your environment changes. Revisit your coverage map quarterly and adjust priorities based on current threat intelligence.

Key Takeaways

  • MITRE ATT&CK is a knowledge base of real-world adversary behavior, not a theoretical model. Its value comes from being grounded in observed attacks.
  • The matrix is organized by tactics (the adversary’s objectives) and techniques (the specific methods used to achieve those objectives). Understanding this structure is the foundation for using the framework effectively.
  • The four highest-impact uses are threat intelligence mapping, detection engineering, gap analysis, and structured incident response.
  • Cisco XDR maps detected activity to ATT&CK automatically, providing SOC teams with a common language for describing and escalating incidents.
  • Start small and prioritize based on threat intelligence relevant to your industry. Depth of coverage on high-priority techniques beats shallow coverage across the entire matrix.
  • ATT&CK Navigator is a free tool for visualizing your detection coverage and identifying gaps. Every security team should be using it.