MITRE ATT&CK
A knowledge base of adversary tactics, techniques and procedures. Used to classify threats and assess an organisation's detection capabilities.
What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base documenting the tactics and techniques used by real-world adversaries. It was developed by MITRE from observations of actual security incidents and is updated regularly with contributions from the security research community.
The ATT&CK framework organises threat knowledge as a matrix: the columns represent tactics (adversary objectives, e.g. Initial Access, Persistence, Lateral Movement) and the cells listed under each tactic represent techniques (methods of achieving that objective). Each technique entry includes a description, examples of use by known APT groups, detection methods and defensive recommendations (mitigations).
MITRE ATT&CK comes in three variants: Enterprise (IT systems: Windows, Linux, macOS and cloud), Mobile (iOS and Android) and ICS (industrial control systems). The ICS variant is particularly relevant for organisations with OT infrastructure, as it describes techniques specific to industrial environments.
Why does it matter?
MITRE ATT&CK gives organisations a common language for describing threats. Instead of general statements like “we are exposed to APTs”, a security team can precisely identify which techniques pose the greatest risk and which detection capabilities the organisation does (or does not) have.
The framework is used in red team engagements (as the basis for scenarios), in SOC operations (as a taxonomy for detection rules), in threat intelligence (to describe the TTPs of APT groups) and in board reporting (to visualise detection coverage). It is the de facto industry standard.
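The two practical uses above, tagging detection rules with technique IDs and measuring coverage per tactic, can be shown in a few dozen lines. The example below is added here and is not code from SEQRED or from MITRE. The tactic and technique IDs are a small hand-picked subset of the public ATT&CK Enterprise matrix (real coverage work would load the full dataset from MITRE's STIX export); the detection rules are constructed sample data, and the Navigator-style layer uses field names assumed from the public layer format, so check them against the current Navigator documentation before importing.

```python
"""Detection-coverage mapping against a small ATT&CK Enterprise subset.

Added example, not from the glossary page. Tactic/technique IDs are a
hand-picked subset of the public ATT&CK Enterprise matrix; the detection
rules are constructed sample data, not real SOC content.
"""

# Constructed subset of the matrix: tactic ID -> (tactic name, technique IDs).
# As in the real matrix, one technique can sit under several tactics
# (e.g. T1078 Valid Accounts under Initial Access and Persistence here).
TACTICS = {
    "TA0001": ("Initial Access", ["T1566", "T1078"]),
    "TA0002": ("Execution", ["T1059", "T1053"]),
    "TA0003": ("Persistence", ["T1547", "T1053", "T1078"]),
    "TA0006": ("Credential Access", ["T1003"]),
    "TA0008": ("Lateral Movement", ["T1021"]),
}

TECHNIQUE_NAMES = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1053": "Scheduled Task/Job",
    "T1547": "Boot or Logon Autostart Execution",
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
}

# Constructed sample SOC rules, each tagged with the technique IDs it detects
# (ATT&CK used as the taxonomy for detection rules). A disabled rule still
# exists in the rule base but contributes no live coverage.
DETECTION_RULES = [
    {"name": "PowerShell encoded command", "techniques": ["T1059"], "enabled": True},
    {"name": "New scheduled task created", "techniques": ["T1053"], "enabled": True},
    {"name": "LSASS memory access", "techniques": ["T1003"], "enabled": False},
    {"name": "RDP logon from new host", "techniques": ["T1021", "T1078"], "enabled": True},
]


def covered_techniques(rules, include_disabled=False):
    """Return the set of technique IDs detected by at least one rule."""
    covered = set()
    for rule in rules:
        if rule["enabled"] or include_disabled:
            covered.update(rule["techniques"])
    return covered


def coverage_by_tactic(tactics, covered):
    """Per tactic: covered/total technique counts and the uncovered IDs (gaps)."""
    report = {}
    for tactic_id, (name, techniques) in tactics.items():
        gaps = sorted(t for t in techniques if t not in covered)
        report[tactic_id] = {
            "tactic": name,
            "covered": len(techniques) - len(gaps),
            "total": len(techniques),
            "gaps": gaps,
        }
    return report


def navigator_layer(tactics, covered, name="Detection coverage"):
    """Build a minimal ATT&CK Navigator-style layer dict.

    Field names (name, domain, techniques[].techniqueID/score/comment) are
    assumed from the public layer format; verify against the Navigator docs.
    """
    all_techniques = sorted({t for _, techs in tactics.values() for t in techs})
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": t, "score": 1 if t in covered else 0,
             "comment": TECHNIQUE_NAMES.get(t, "")}
            for t in all_techniques
        ],
    }


def report_lines(report):
    """Render the per-tactic report as text lines for a coverage summary."""
    lines = []
    for tactic_id, row in report.items():
        gap_text = ", ".join(row["gaps"]) or "none"
        lines.append(f"{tactic_id} {row['tactic']}: {row['covered']}/{row['total']} "
                     f"techniques covered; gaps: {gap_text}")
    return lines


if __name__ == "__main__":
    live = covered_techniques(DETECTION_RULES)
    for line in report_lines(coverage_by_tactic(TACTICS, live)):
        print(line)
```

Running it prints one line per tactic; with the sample rules, Credential Access shows 0/1 because the only matching rule is disabled, which is exactly the kind of gap a coverage review is meant to surface. Passing `include_disabled=True` shows what coverage would look like if every rule in the rule base were switched on.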