MITRE ATT&CK
MITRE ATT&CK is the operational catalog of how adversaries actually behave, organized into a structured taxonomy that has become the de facto industry vocabulary for discussing adversary techniques. The framework was first published in 2015, has been maintained continuously since, and is now the central reference in essentially every serious threat intelligence program, detection engineering organization, and security operations center in 2026. Its dominance is well-earned — the catalog is empirically grounded, broadly adopted, and continuously updated — but the dominance has produced its own failure pattern, where organizations treat “we use ATT&CK” as the answer to questions the framework doesn’t actually answer.
This page is the deep-dive companion to the Threat Modeling Frameworks umbrella. The scope here is what ATT&CK actually is, how it’s structured, where it earns operational value, where it doesn’t, and how to use it well in 2026. The defensive counterpart D3FEND has its own subpage.
What ATT&CK actually is
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated catalog of adversary behavior. Each entry in the catalog describes a specific way adversaries attempt to compromise or operate within systems, with the entries organized into a hierarchical structure and connected through cross-references that map the relationships between techniques, the threat groups that use them, the software that implements them, the mitigations that address them, and the data sources that detect them.
The catalog is empirically grounded in the strict sense: every technique in the matrix is documented in actual observed adversary behavior. Speculative or theoretical attack patterns do not enter the catalog. The maintenance process is rigorous — new technique submissions are reviewed by MITRE’s analysts and require documentation of real observed use before inclusion. This grounding is what distinguishes ATT&CK from earlier and competing frameworks; the catalog reflects what adversaries are actually doing, not what they might theoretically do.
The catalog is maintained by MITRE Corporation, a not-for-profit federally funded research and development organization. MITRE accepts contributions from the broader security community — CTI vendors, security companies, government agencies, academic researchers, and individual practitioners — and curates them into the official catalog through a publication cycle that releases multiple updates per year. The current version as of mid-2026 is ATT&CK v15 (the major version increments roughly annually) with continuous minor updates.
The catalog is freely available under a license that permits commercial use, redistribution, and modification. The full catalog is published as both human-readable documentation at attack.mitre.org and as machine-readable STIX 2.1 data, which has enabled extensive third-party tooling integration.
The hierarchical structure
ATT&CK organizes adversary behavior into a four-level hierarchy:
Tactics are the highest-level grouping — the goals adversaries pursue during operations. The enterprise matrix has 14 tactics covering the full attack lifecycle. Each tactic represents a category of activity rather than a specific action.
Techniques are the specific methods adversaries use to accomplish each tactic. The enterprise matrix contains over 200 techniques as of mid-2026, with new ones added each release cycle. A technique describes what an adversary does, with enough detail to be operationally useful but not so much detail that it becomes a specific implementation.
Sub-techniques are finer-grained variants of techniques, introduced in the major restructuring in 2020. Where a technique might describe a broad behavior like “Credential Dumping,” sub-techniques describe specific approaches like “LSASS Memory” or “NTDS.” The enterprise matrix has over 400 sub-techniques in addition to the 200 parent techniques.
Procedures are specific implementations of techniques observed in actual incidents — the way a particular threat group used a particular technique in a particular operation. Procedures are not separately numbered in the catalog; they appear as descriptive text within technique entries and within the threat group and software entries.
The hierarchy is what the technique IDs encode. An ID like T1003.001 has a parseable structure: T1003 is the parent technique (OS Credential Dumping) and .001 is the specific sub-technique (LSASS Memory). When you see ATT&CK technique IDs in detection rules, threat intelligence reports, or red team plans, they always follow this T-number-dot-subnumber format.
The enterprise matrix tactics
The 14 tactics in the enterprise matrix, in roughly the order they appear in a typical attack lifecycle:
- Reconnaissance — gathering information that informs targeting, before any access has been established. Active scanning, target identification, victim host enumeration through public sources.
- Resource Development — establishing the resources needed for operations: infrastructure (domains, accounts, hosting), capabilities (malware, exploits), and identities (compromised credentials, fake personas).
- Initial Access — getting onto the target network. Phishing, exploitation of public-facing applications, supply chain compromise, use of valid accounts.
- Execution — running adversary-controlled code on the compromised system. Command line execution, scripting, container runtime abuse, native API use.
- Persistence — maintaining access across reboots and credential changes. Boot or logon autostart execution, scheduled tasks, account creation, event-triggered execution.
- Privilege Escalation — gaining higher privileges. Process injection, valid account use, exploitation of privilege escalation vulnerabilities.
- Defense Evasion — avoiding detection. Obfuscation, masquerading, disabling security tools, log clearing, trusted developer utility abuse.
- Credential Access — obtaining credentials. OS credential dumping, brute force, credential manipulation, password spraying.
- Discovery — learning about the environment. Account discovery, network service scanning, system information discovery, file and directory discovery.
- Lateral Movement — moving from the initial foothold to other systems. Remote services use, lateral tool transfer, internal spearphishing, exploitation of remote services.
- Collection — gathering data of interest. Data from local system, email collection, screen capture, audio capture, archive collected data.
- Command and Control — communicating with adversary infrastructure. Application layer protocols, encrypted channels, non-standard ports, proxy use.
- Exfiltration — getting data out. Exfiltration over C2 channel, exfiltration over alternative protocol, exfiltration over physical medium.
- Impact — the adversary’s final objective if disruptive. Data destruction, encryption for impact (ransomware), defacement, account access removal, disk wipe.
The tactic ordering is not strictly sequential. Real attacks move between tactics non-linearly: discovery happens throughout, credential access can occur at any stage where credentials are accessible, defense evasion is continuous rather than localized to a single phase. The tactic taxonomy is a structural organization rather than a workflow specification.
The tactic structure is what most detection content and CTI reporting hangs off of. A detection rule typically tags one or more techniques, which roll up to their parent tactics, which provides a coverage map showing which parts of the attack lifecycle the organization’s detection content addresses.
Techniques and sub-techniques in detail
A technique entry in the catalog contains several standard fields:
- Name and ID — the technique identifier (T-number) and human-readable name.
- Description — what the technique does, how adversaries use it, why it’s effective.
- Procedure examples — specific instances of the technique observed in actual incidents, with citations to the threat groups or incidents involved.
- Mitigations — defensive measures that address the technique, with links to the mitigation catalog.
- Detection — guidance on telemetry sources and analytical approaches that detect the technique, with links to the data sources catalog.
- Platforms — the operating systems and environments where the technique applies.
- Permissions required — what level of access an adversary needs to use the technique.
- Effective permissions — what level of access the technique provides.
The procedures sections are operationally the most valuable for analysts. They translate the abstract technique description into concrete examples that detection engineers can use to identify the technique in practice. “Brute Force: Password Spraying” (T1110.003) is a technique description; the procedure examples list specific instances of password spraying observed in incidents involving APT28, APT29, and many others, with detail on the specific tools and patterns.
The 2020 sub-technique restructuring is worth understanding because it changed how ATT&CK is used operationally. Before 2020, techniques were a flat list — “Credential Dumping” was a single technique covering all the specific approaches. The restructuring split many of the original techniques into parent-plus-sub-techniques, creating much finer-grained coverage. The change improved analytical precision but also broke a lot of existing tooling that had been built around the flat structure. Mature ATT&CK deployments in 2026 use sub-techniques where they exist; legacy tooling sometimes still operates only at the parent technique level.
The three matrices
ATT&CK is published as three matrices covering different operational environments:
Enterprise is the largest and most-used matrix, covering Windows, Linux, macOS, network devices, containers, and major cloud platforms (AWS, Azure, GCP, Google Workspace, Office 365, SaaS). The enterprise matrix is what most detection content and CTI work references. The platform tags within enterprise let users filter techniques to a specific environment — a Linux-only deployment can hide the Windows-specific techniques.
Mobile covers iOS and Android techniques. The mobile matrix is smaller than enterprise (roughly 70 techniques) and is used primarily by mobile security teams and CTI analysts tracking mobile-specific threats.
ICS (Industrial Control Systems) covers techniques targeting operational technology environments — SCADA systems, PLCs, industrial protocols, and the broader OT/IT integration surface. The ICS matrix is structurally similar to enterprise but uses tactics and techniques specific to the OT environment (impact tactics include “Damage to Property” and “Loss of Safety”; collection tactics include “I/O Image Manipulation”).
The three matrices share a common structure but maintain separate technique IDs. T1003 in the enterprise matrix is OS Credential Dumping; the ICS matrix uses different identifiers for its techniques. Cross-references between matrices exist where threat groups operate across multiple environments.
The ancillary catalogs
Beyond the technique matrices themselves, ATT&CK maintains several connected catalogs that provide context and operational guidance.
Threat groups
The groups catalog documents specific threat actors with their observed techniques, software, and operational patterns. Each group entry includes:
- A description and alternative names (since different vendors use different naming schemes for the same actors).
- A list of techniques the group has been observed using, with citations to specific incidents.
- A list of software the group has been observed deploying.
- Operational details about the group’s targeting, geography, and motivation.
The groups catalog as of mid-2026 covers approximately 150 named threat groups, from major state-aligned actors (APT28, APT29, APT41, Lazarus Group) through criminal ecosystem actors (FIN groups, ransomware affiliates) to specific named campaigns. The coverage is biased toward groups that have been publicly attributed by major CTI vendors; less-attributed activity may not appear.
The naming convention is a persistent source of confusion. APT28 is the Mandiant designation for the group also called Fancy Bear (CrowdStrike), Sofacy (multiple vendors), Pawn Storm (Trend Micro), Sednit (ESET), and several other names. ATT&CK uses MITRE’s own naming where possible but maintains the cross-references to vendor naming schemes. Always check the “Associated Groups” section when working across multiple vendor reports.
Software
The software catalog documents malware and tools used in adversary operations. Two subcategories:
- Malware — programs developed specifically for malicious use. Cobalt Strike, Mimikatz, BloodHound, various RATs, named malware families, ransomware variants.
- Tools — legitimate software adapted for adversary use. PowerShell, PsExec, AdFind, Rclone, legitimate remote administration tools used out of context.
Each software entry lists the techniques implemented by the software, the threat groups observed using it, and a description of the software’s behavior. The software catalog provides the connective tissue between technique coverage and toolchain coverage — knowing that APT29 uses Cobalt Strike, and that Cobalt Strike implements techniques T1055, T1071.001, T1059.001, and others, lets analysts reason about likely behavior even when specific incident details are limited.
Mitigations
The mitigations catalog documents defensive measures that address ATT&CK techniques. Each mitigation has a description and a list of techniques it addresses. The catalog includes both narrow technical mitigations (M1042 “Disable or Remove Feature or Program,” M1038 “Execution Prevention”) and broader programmatic mitigations (M1017 “User Training,” M1043 “Credential Access Protection”).
The mitigations catalog overlaps substantially with the D3FEND framework, which provides a more structured taxonomy of defensive countermeasures. Mature 2026 deployments often use D3FEND for defensive structure while keeping ATT&CK mitigations as a reference.
Data sources
The data sources catalog, restructured significantly in 2021, documents the telemetry sources required to detect techniques. Data sources include Process Creation, File Creation, Network Traffic Flow, Authentication Logs, Cloud Service Modification, and many others. Each technique entry lists the data sources required to detect it; each data source entry lists the techniques it helps detect.
The data sources catalog is the practical bridge between technique coverage and detection engineering. A detection engineer planning coverage for the credential access tactic uses the data sources catalog to determine what telemetry the SOC needs to ingest before any meaningful detection content can be written. The catalog is comprehensive enough to support gap analysis at the telemetry layer, which is where detection coverage typically fails before any rule-writing happens.
Operational use
ATT&CK appears in several distinct operational workflows in 2026, each of which uses different aspects of the framework.
Detection engineering coverage maps
The most common use of ATT&CK in production SOCs is as a coverage map: a visualization showing which techniques the organization has detection content for, color-coded by maturity or confidence. The standard tool is the ATT&CK Navigator, a web-based application that lets analysts overlay coverage data on the technique matrix.
The honest read on coverage maps: they are useful for communicating coverage at a glance, dangerous if interpreted as quality measurements. A coverage map showing “we have a detection for technique X” does not say whether that detection actually fires when X happens, what the false positive rate is, or whether the detection covers the specific sub-techniques and procedures the relevant threat actors actually use. A green tile in the Navigator can hide a detection rule that has not fired in two years because the underlying telemetry is missing, or a rule that fires hundreds of times a day on legitimate activity and gets suppressed.
The mature pattern is to maintain coverage maps as one input among several in detection engineering planning, alongside detection-specific metrics: alert volume, false-positive rate, true-positive rate against red team exercises, mean time to acknowledge, and the actual detection content’s coverage of specific procedures rather than just the parent techniques. The maps communicate what exists; they do not measure what works.
Red team and purple team planning
Red team operations are increasingly designed to exercise specific ATT&CK techniques against the organization’s defenses. A red team plan that says “we will exercise T1003.001 (LSASS Memory), T1078 (Valid Accounts), and T1021.001 (RDP)” gives the blue team a measurable target — detection coverage of those specific techniques is what the exercise tests.
Purple team exercises explicitly pair red team execution with blue team detection measurement, with both sides working from the same ATT&CK technique list. The output is a matrix showing which techniques the red team executed and which the blue team detected, with the gaps informing detection engineering priorities. This pattern has become the standard mature approach to defensive validation in mid-2026.
Threat intelligence reporting
ATT&CK technique tags are now expected in CTI reports. A report describing observed adversary activity will list the techniques used, with the technique IDs serving as machine-readable cross-references. The standardization has made CTI integration substantially easier — a SIEM ingesting CTI reports with ATT&CK tags can automatically check existing detection coverage against the techniques the report describes.
The pattern has its own failure mode: report writers who add ATT&CK tags as a checkbox exercise without ensuring the tags match the actual observed behavior. A report that lists “T1059.001 PowerShell” because the analyst remembered seeing PowerShell mentioned, but doesn’t describe the specific way PowerShell was used, provides less value than the tag suggests. Quality CTI maintains the discipline of mapping observed behavior to ATT&CK with the same rigor MITRE applies to its own catalog updates.
SOC analyst training and ramp-up
ATT&CK has become the standard vocabulary for SOC analyst training. New analysts learn the tactic structure, the major techniques, and the mapping between detection alerts and the underlying adversary behavior. The framework gives a common reference that lets analysts at different organizations communicate about activity without translation overhead.
The training value is high. The risk is that analysts who learn the framework but don’t develop the underlying analytical skills produce ATT&CK-tagged outputs that look professional but don’t reflect actual investigative depth.
Maturity assessment
Several maturity assessment frameworks use ATT&CK as their organizing structure. The ATT&CK Evaluations program, operated by MITRE itself, tests commercial security products against simulated adversary scenarios mapped to ATT&CK techniques. The evaluation results — which products detected which techniques — are published openly and are an important input into product selection decisions.
The evaluations have their critics. Some vendors have been accused of optimizing for the specific evaluations rather than for broad protective coverage. The published results require careful reading to extract what actually matters, and headline “we detected 100% of techniques” claims often hide important caveats. The evaluations are valuable when used carefully; less valuable when consumed as a leaderboard.
Tooling and integrations
The ATT&CK ecosystem includes substantial supporting tooling, both from MITRE and from third parties:
ATT&CK Navigator is the canonical visualization tool. Web-based, free, and used universally for coverage maps, comparison charts, and group/software overlays. The standard format for sharing ATT&CK-based analysis.
MITRE Caldera is MITRE’s open-source adversary emulation platform. Caldera implements ATT&CK techniques as automated “abilities” that can be combined into adversary profiles for red team exercises. Used heavily in purple team programs.
Atomic Red Team is Red Canary’s open-source library of small test scripts mapped to ATT&CK techniques. Atomic Red Team provides a faster path to red team validation than Caldera for organizations that need specific technique tests rather than full adversary emulation.
ATT&CK Workbench is MITRE’s tool for organizations that want to maintain their own extensions to the public ATT&CK catalog — local techniques specific to their environment, internal threat group tracking, custom mitigation mappings.
SIEM and EDR integrations are now standard. Splunk, Microsoft Sentinel, Elastic SIEM, Chronicle, CrowdStrike Falcon, SentinelOne, Carbon Black, and essentially every major vendor expose ATT&CK technique tags on their detection content and provide some form of coverage visualization. Quality varies; the tagging discipline varies more.
CTI platforms including ThreatConnect, Anomali, EclecticIQ, and various open-source equivalents support ATT&CK-tagged intelligence ingestion and correlation.
STIX 2.1 integration means ATT&CK data flows natively between systems that support STIX. The machine-readable format is what makes the broad tooling ecosystem possible.
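As an added example (not code from this page or from MITRE), here is a small parser over a constructed STIX 2.1 bundle in the shape ATT&CK publishes: the technique ID comes from the `mitre-attack` external reference, tactics from `kill_chain_phases`, the parent/sub-technique split from the T-number-dot-subnumber format, and the group-to-software-to-technique chain from `uses` relationships. The bundle's STIX object ids are made up; the technique, group and software names and numbers are the ones discussed on this page.

```python
import re
from collections import defaultdict

# Constructed miniature ATT&CK-style STIX 2.1 bundle (not MITRE's published data):
# object ids are made up; names and external ids are the ones the page discusses.
def _ap(sid, ext, name, phases, sub):
    return {"type": "attack-pattern", "id": sid, "name": name, "x_mitre_is_subtechnique": sub,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
            "external_references": [{"source_name": "mitre-attack", "external_id": ext}]}

def _rel(kind, src, dst):
    return {"type": "relationship", "relationship_type": kind, "source_ref": src, "target_ref": dst}

BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    _ap("attack-pattern--t1003", "T1003", "OS Credential Dumping", ["credential-access"], False),
    _ap("attack-pattern--t1003-001", "T1003.001", "LSASS Memory", ["credential-access"], True),
    _ap("attack-pattern--t1059-001", "T1059.001", "PowerShell", ["execution"], True),
    _ap("attack-pattern--t1055", "T1055", "Process Injection",
        ["defense-evasion", "privilege-escalation"], False),
    _ap("attack-pattern--t1071-001", "T1071.001", "Web Protocols", ["command-and-control"], True),
    {"type": "intrusion-set", "id": "intrusion-set--apt29", "name": "APT29",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
    {"type": "tool", "id": "tool--cobalt-strike", "name": "Cobalt Strike",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0154"}]},
    _rel("uses", "intrusion-set--apt29", "tool--cobalt-strike"),
    _rel("uses", "intrusion-set--apt29", "attack-pattern--t1003-001"),
    _rel("uses", "tool--cobalt-strike", "attack-pattern--t1055"),
    _rel("uses", "tool--cobalt-strike", "attack-pattern--t1071-001"),
    _rel("uses", "tool--cobalt-strike", "attack-pattern--t1059-001"),
]}

TECHNIQUE_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")

def parse_technique_id(tid):
    """'T1003.001' -> ('T1003', '001'); a parent id such as 'T1055' -> ('T1055', None)."""
    m = TECHNIQUE_ID.match(tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique id: {tid!r}")
    return m.group(1), m.group(2)

def attack_id(obj):
    """The T/G/S number lives in the object's 'mitre-attack' external reference."""
    return next(r["external_id"] for r in obj["external_references"] if r["source_name"] == "mitre-attack")

def build_index(bundle):
    """Index techniques by ATT&CK id and collect the 'uses' edges between STIX ids."""
    techniques, objects, uses = {}, {}, defaultdict(set)
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            if obj["relationship_type"] == "uses":
                uses[obj["source_ref"]].add(obj["target_ref"])
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # published bundles retain revoked/deprecated objects; drop them
        ext = attack_id(obj)
        objects[obj["id"]] = {"ext": ext, "name": obj["name"], "type": obj["type"]}
        if obj["type"] == "attack-pattern":
            parent, sub = parse_technique_id(ext)
            techniques[ext] = {"name": obj["name"], "parent": parent if sub else None,
                               "is_sub": bool(obj.get("x_mitre_is_subtechnique")),
                               "tactics": [p["phase_name"] for p in obj["kill_chain_phases"]
                                           if p["kill_chain_name"] == "mitre-attack"]}
    return {"techniques": techniques, "objects": objects, "uses": uses}

def techniques_for_group(index, group_name):
    """Techniques the group uses directly plus those implemented by software it uses."""
    objs, uses = index["objects"], index["uses"]
    group = next(s for s, o in objs.items() if o["type"] == "intrusion-set" and o["name"] == group_name)
    found = set()
    for target in uses[group]:
        if objs[target]["type"] == "attack-pattern":
            found.add(objs[target]["ext"])
        elif objs[target]["type"] in ("tool", "malware"):
            found |= {objs[t]["ext"] for t in uses[target] if objs[t]["type"] == "attack-pattern"}
    return found

def rollup_to_tactics(index, technique_ids):
    """Group technique ids under every tactic they belong to (T1055 lands under two)."""
    by_tactic = defaultdict(set)
    for tid in technique_ids:
        for tactic in index["techniques"][tid]["tactics"]:
            by_tactic[tactic].add(tid)
    return dict(by_tactic)
```

Pointed at the real `enterprise-attack.json` bundle, the same functions work unchanged; the revoked/deprecated check matters there because the published data keeps old objects rather than deleting them.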
The persistent pitfalls
Several failure patterns recur across organizations that adopt ATT&CK:
Tagging without operational consequence. Many organizations have invested heavily in tagging their detection content with ATT&CK techniques without using the tags for anything operationally useful. The tags exist in the metadata; nothing happens differently because of them. The work was performed because it was expected, not because it produced value.
Coverage map mistaken for detection quality. Already covered above. The Navigator visualization is communicative; it is not a quality measurement. Organizations that present coverage maps to executives without context for what the colors mean produce misleading impressions of defensive maturity.
Sub-technique under-utilization. Many organizations operate ATT&CK at the parent technique level only, ignoring sub-techniques. The parent technique “OS Credential Dumping” (T1003) is too broad to write meaningful detection content against; the sub-techniques (T1003.001 LSASS Memory, T1003.002 Security Account Manager, T1003.003 NTDS, etc.) are the operationally relevant level. Organizations that only track at the parent level produce coverage maps that overstate their actual coverage.
Threat group tracking without context. ATT&CK group entries describe techniques observed in past incidents. They are not predictions of future behavior, and they are not exhaustive lists of what the group can do. Treating “APT29 uses techniques A, B, C” as the complete set of techniques to defend against produces gaps when the group adapts.
Compliance use of the framework. Some compliance frameworks have begun requiring “ATT&CK coverage” without specifying what coverage actually means. Organizations responding to those requirements often produce ATT&CK documentation that satisfies the audit but does not improve defensive posture.
Vendor coverage claims. “Our product covers 95% of ATT&CK techniques” is a marketing claim that almost never withstands scrutiny. Real coverage requires telemetry, detection logic, low false-positive rates, and accurate tagging — vendor claims usually count “we have a detection rule that mentions the technique” as coverage, which is a much weaker claim than the marketing suggests.
Limits of the framework
Two structural limits of ATT&CK are worth being honest about:
ATT&CK describes known adversary behavior. Novel techniques — genuinely new approaches that haven’t been observed in the wild — are not in the catalog by design. Organizations that rely exclusively on ATT&CK for defensive planning are unprepared for techniques that haven’t been catalogued yet. The framework is necessary but not sufficient.
ATT&CK is observational, not predictive. The framework documents what has been observed. The relationship between “what has been observed” and “what is likely to happen to your specific organization” depends on threat intelligence specific to your environment, your adversaries, and your protective gaps. ATT&CK provides the structure; the threat-specific analysis is separate work.
The mature posture is to use ATT&CK as the operational vocabulary and the structural framework, while maintaining the intellectual humility that the framework is a description of the known landscape, not a guarantee of completeness.
Standards and references
- MITRE ATT&CK — attack.mitre.org, the canonical catalog.
- ATT&CK Navigator — mitre-attack.github.io/attack-navigator/, the visualization tool.
- MITRE Caldera — caldera.mitre.org, the adversary emulation platform.
- Atomic Red Team — atomicredteam.io, the test library.
- ATT&CK Evaluations — attackevals.mitre-engenuity.org, the vendor evaluation results.
- STIX 2.1 — the machine-readable format ATT&CK is published in.
- CTID (Center for Threat-Informed Defense) — MITRE Engenuity’s center that produces ATT&CK-adjacent research, including ATT&CK Workbench and several practical adoption guides.
How to actually use ATT&CK in 2026
For organizations starting from minimal ATT&CK adoption, a practical sequence:
- Adopt the vocabulary across the security team. Use ATT&CK technique IDs in incident reports, detection rules, threat intelligence consumption, and red team plans. The shared vocabulary reduces friction across functions and is the foundation for everything else.
- Build a coverage map of existing detection content using ATT&CK Navigator. The first map will be incomplete and overstated; expect this. The value of the first map is identifying what telemetry sources you actually have versus what techniques you’ve claimed to cover.
- Audit the telemetry against the data sources catalog. For each technique you claim coverage of, verify that the underlying data sources are actually being collected, retained, and indexed for query. This is the step that most often surfaces gaps that the coverage map hid.
- Run purple team exercises against the top-priority techniques. Pick 10-20 techniques based on threat intelligence relevant to your environment. Execute them via Caldera or Atomic Red Team. Measure detection coverage empirically. Use the results to prioritize detection engineering work.
- Integrate ATT&CK tagging into ongoing work. New detection content gets ATT&CK tags as part of the development standard. CTI intake gets parsed against ATT&CK techniques. Incident reports map observed behavior to ATT&CK technique IDs. The tagging discipline produces value over time as the organization’s institutional memory accumulates in a structured form.
- Maintain humility about coverage quality. Coverage maps communicate; they don’t measure. Real defensive maturity comes from the combination of telemetry quality, detection content quality, response capability, and continuous validation. ATT&CK is necessary for any of this; it is not sufficient for all of it.
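The coverage-map and telemetry-audit steps above, together with the sub-technique roll-up pitfall from the pitfalls section, as one added Python example (not the page's or any vendor's code). The technique-to-data-source excerpt, the rule export and the ingested-telemetry inventory are all constructed; the Navigator layer fields follow the public layer format, and the version strings in it are assumptions to adjust to the Navigator you deploy.

```python
from collections import defaultdict

# Constructed excerpt in the "Data Source: Data Component" naming ATT&CK uses.
# This is a hand-made illustration, not MITRE's technique-to-data-source mapping.
REQUIRED_DATA_SOURCES = {
    "T1003.001": {"Process: OS API Execution", "Process: Process Access"},
    "T1003.002": {"Command: Command Execution", "File: File Access"},
    "T1003.003": {"Command: Command Execution", "File: File Access"},
    "T1059.001": {"Command: Command Execution", "Script: Script Execution"},
    "T1110.003": {"User Account: User Account Authentication"},
}

# Constructed detection rules, shaped like a SIEM rule export with author-assigned tags.
DETECTION_RULES = [
    {"name": "lsass handle opened by non-system process", "techniques": ["T1003.001"]},
    {"name": "encoded powershell command line", "techniques": ["T1059.001"]},
    {"name": "many failed logons from one source", "techniques": ["T1110.003"]},
]

# Constructed inventory of the data components the SIEM actually ingests today.
INGESTED = {"Command: Command Execution", "Script: Script Execution",
            "User Account: User Account Authentication"}

def audit_coverage(rules, required, ingested):
    """Classify each catalogued technique: 'backed' (tagged and every required data
    source is ingested), 'hollow' (tagged but telemetry missing) or 'untagged'."""
    tagged = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            tagged[tid].append(rule["name"])
    result = {}
    for tid, needs in required.items():
        if tid not in tagged:
            result[tid] = {"status": "untagged", "missing": set(), "rules": []}
            continue
        missing = needs - ingested
        result[tid] = {"status": "hollow" if missing else "backed",
                       "missing": missing, "rules": tagged[tid]}
    return result

def coverage_ratio(audit, parent_level):
    """Share of techniques carrying a tag. parent_level=True reproduces the legacy
    roll-up in which a parent counts as covered if any one sub-technique is tagged;
    the gap between the two numbers is the overstatement the page warns about."""
    if not parent_level:
        covered = sum(1 for v in audit.values() if v["status"] != "untagged")
        return covered / len(audit)
    parents = defaultdict(bool)
    for tid, v in audit.items():
        parents[tid.split(".")[0]] |= v["status"] != "untagged"
    return sum(parents.values()) / len(parents)

def navigator_layer(audit, name="detection coverage audit"):
    """Emit an ATT&CK Navigator layer: score 2 = telemetry-backed, score 1 = tagged
    but telemetry missing; untagged techniques stay uncoloured. The comment field
    carries the rule names and the missing data sources so a green tile can be
    questioned directly in the Navigator. Version strings are assumptions."""
    score = {"backed": 2, "hollow": 1}
    techniques = []
    for tid, v in sorted(audit.items()):
        if v["status"] == "untagged":
            continue
        comment = "; ".join(v["rules"])
        if v["missing"]:
            comment += " | missing telemetry: " + ", ".join(sorted(v["missing"]))
        techniques.append({"techniqueID": tid, "score": score[v["status"]], "comment": comment})
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#66cc66"], "minValue": 1, "maxValue": 2},
    }
```

With the constructed inputs the sub-technique-level ratio is 0.6 while the parent-level roll-up reports 1.0, and the T1003.001 tile is red because the LSASS rule exists but neither process data source is ingested.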
The framework has earned its dominance. Used well, it transforms how security teams communicate and plan. Used poorly, it produces ATT&CK-tagged documentation that satisfies audits without improving defensive posture. The difference between the two outcomes is operational discipline, not the framework itself.
Where to go next on this site
Adjacent material on this site:
- Threat Modeling Frameworks — the umbrella overview covering ATT&CK alongside the other major frameworks.
- MITRE D3FEND — the defensive countermeasure catalog that pairs with ATT&CK.
- The Cyber Kill Chain — the predecessor attack lifecycle model that ATT&CK extends and refines.
- The Diamond Model — the CTI analytical framework that pairs naturally with ATT&CK for intelligence work.
- STRIDE — the design-time threat categorization framework that operates at a different abstraction level than ATT&CK.
ATT&CK is in the category of frameworks where the meta-discussion about the framework occasionally substitutes for the operational work the framework enables. The goal of this page is the opposite: a working understanding of what ATT&CK is, what it does well, where its limits sit, and how to use it without the failure modes that the broad adoption has produced.