MITRE ATT&CK Framework
A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations, used to understand, detect, and respond to cyber threats.
Definition
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated knowledge base maintained by MITRE Corporation that catalogs how threat actors operate across the full attack lifecycle. It organizes adversary behavior into 14 tactics — from Initial Access to Impact — each containing specific techniques and sub-techniques observed in the wild. The framework covers multiple platforms including Windows, macOS, Linux, cloud environments, and mobile.
Why It Matters
ATT&CK provides a common language for describing attacker behavior, enabling security teams to communicate precisely about threats, prioritize defensive gaps, and benchmark detection coverage. For DFIR analysts, it transforms raw IOCs and log anomalies into structured intelligence that can be compared across incidents, threat actors, and industries. Organizations that map their detections to ATT&CK can measure coverage objectively and identify blind spots before attackers exploit them.
How It Works
The framework is organized into a matrix where columns represent tactics (the adversary's goal, e.g., Persistence, Lateral Movement) and rows represent techniques (the method used, e.g., T1053 Scheduled Task/Job). Each technique entry includes a description, real-world procedure examples, detection guidance, and mitigation recommendations. Analysts use ATT&CK during threat hunting by hypothesizing which techniques an adversary likely used and building queries around them. During incident response, findings are mapped to ATT&CK IDs to reconstruct the attack chain and attribute behavior to known threat groups.
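The mapping workflow described above (findings mapped to ATT&CK IDs to reconstruct the attack chain) and under Why It Matters (detections mapped to ATT&CK to measure coverage and find blind spots) can be demonstrated with a small script. This is an added example, not code from this page or from DFIR Lab's platform. It assumes a hand-copied subset of the Enterprise matrix: only T1053 appears on this page, and the other technique IDs, names and the tactic order are taken from the public ATT&CK knowledge base; the detection rules, hostnames, timestamps and findings are constructed for the example.

```python
# Subset of the 14 Enterprise tactics, in kill-chain order (constructed subset
# of the public ATT&CK matrix; not complete).
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Credential Access", "Lateral Movement", "Command and Control", "Impact",
]

# Technique ID -> (name, tactics it appears under). Hand-copied subset of the
# public ATT&CK Enterprise matrix; a technique can sit under several tactics.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed detection rules, each tagged with the technique IDs it covers.
DETECTION_RULES = [
    {"name": "Office app spawns PowerShell", "techniques": ["T1566", "T1059"]},
    {"name": "schtasks.exe /create from user profile", "techniques": ["T1053"]},
    {"name": "Handle to lsass.exe from unsigned process", "techniques": ["T1003"]},
    {"name": "Mass file rename to .locked", "techniques": ["T1486"]},
]

# Constructed incident findings: (timestamp, host, technique ID).
FINDINGS = [
    ("2024-05-01T09:12:00Z", "WS-07", "T1566"),
    ("2024-05-01T09:13:30Z", "WS-07", "T1059"),
    ("2024-05-01T09:20:00Z", "WS-07", "T1053"),
    ("2024-05-01T10:05:00Z", "WS-07", "T1003"),
    ("2024-05-01T10:40:00Z", "SRV-02", "T1021"),
    ("2024-05-02T02:00:00Z", "SRV-02", "T1486"),
]


def _check_ids(ids):
    """Fail loudly on IDs outside the matrix so mapping typos are caught."""
    unknown = sorted(set(ids) - set(TECHNIQUES))
    if unknown:
        raise ValueError(f"unknown ATT&CK technique IDs: {unknown}")


def matrix():
    """Tactic -> list of technique IDs under it (the matrix columns)."""
    by_tactic = {t: [] for t in TACTIC_ORDER}
    for tid, (_, tactics) in TECHNIQUES.items():
        for tactic in tactics:
            by_tactic[tactic].append(tid)
    return by_tactic


def coverage(rules):
    """Per tactic: covered and uncovered technique IDs plus a coverage ratio."""
    detected = set()
    for rule in rules:
        _check_ids(rule["techniques"])
        detected.update(rule["techniques"])
    report = {}
    for tactic, tids in matrix().items():
        covered = [t for t in tids if t in detected]
        report[tactic] = {
            "covered": covered,
            "uncovered": [t for t in tids if t not in detected],
            "ratio": len(covered) / len(tids) if tids else 0.0,
        }
    return report


def blind_spots(rules):
    """Tactics with no detection at all: the first place to add rules."""
    return [t for t, r in coverage(rules).items() if not r["covered"]]


def attack_chain(findings):
    """Order findings in time and label each with its ATT&CK name and tactics."""
    _check_ids(tid for _, _, tid in findings)
    chain = []
    for ts, host, tid in sorted(findings):  # ISO timestamps sort lexically
        name, tactics = TECHNIQUES[tid]
        chain.append({"time": ts, "host": host, "id": tid, "name": name, "tactics": tactics})
    return chain


def tactics_traversed(findings):
    """Tactics touched by the incident, in kill-chain order."""
    seen = {t for step in attack_chain(findings) for t in step["tactics"]}
    return [t for t in TACTIC_ORDER if t in seen]


if __name__ == "__main__":
    for tactic, r in coverage(DETECTION_RULES).items():
        print(f"{tactic:22} {r['ratio']:.0%}  gaps={r['uncovered']}")
    print("blind spots:", blind_spots(DETECTION_RULES))
    for step in attack_chain(FINDINGS):
        print(step["time"], step["host"], step["id"], step["name"])
    print("tactics traversed:", tactics_traversed(FINDINGS))
```

With the constructed rule set, Lateral Movement and Command and Control have no coverage at all, while the constructed incident does traverse Lateral Movement; comparing the two lists is exactly the gap analysis the text describes. In practice the matrix subset would be replaced by the full ATT&CK data, and the rules and findings would come from the SIEM and the case timeline.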
DFIR Platform
AI Triage & Analysis
DFIR Lab's AI Triage feature automatically maps investigation findings to MITRE ATT&CK techniques in real time. It identifies relevant tactics and techniques from alert data, suggests corresponding detection rules, and builds TTP-based threat actor profiles. The dfir-lab.ch research blog also publishes ATT&CK-mapped threat actor profiles refreshed daily — browse them at dfir-lab.ch/actors.