MITRE ATT&CK vs CAPEC: what is the difference?
Last reviewed June 2, 2026
MITRE ATT&CK and CAPEC are both MITRE knowledge bases, but they describe attacks at different levels. ATT&CK documents real-world adversary tactics and techniques observed during campaigns, focused on behavior inside an environment. CAPEC catalogs abstract, technology-agnostic attack patterns and maps them to the CWE weaknesses they exploit.
The short version
Both frameworks come from MITRE and both describe how attacks happen, but they answer different questions. ATT&CK answers what real adversaries actually do once engaged with a target. CAPEC answers what generic patterns an attacker could use to exploit a class of weakness.
A useful way to think about it: CAPEC is anchored to the weakness being exploited and stays abstract, while ATT&CK is anchored to observed adversary behavior and stays concrete.
Side-by-side comparison
| Dimension | MITRE ATT&CK | CAPEC |
|---|---|---|
| Primary focus | Real-world adversary behavior (TTPs) | Abstract attack patterns |
| Abstraction level | Concrete, observed techniques | Generic, technology-agnostic patterns |
| Grounded in | Documented intrusions and threat groups | Reasoned methods of exploiting weaknesses |
| Primary link | Maps to software, groups, and malware | Maps to CWE weaknesses |
| Main audience | Detection, threat intel, red and blue teams | Secure design, threat modeling, testing |
| Organizing model | Tactics, techniques, sub-techniques | Hierarchy of attack patterns by abstraction |
Scope and source
- ATT&CK is populated from observed, in-the-wild activity, so an entry typically reflects something a real adversary has been seen doing.
- CAPEC is populated from reasoned analysis of how a weakness can be exploited, so entries are broader and not tied to a specific campaign.
- ATT&CK leans toward post-compromise behavior across an enterprise, mobile, or ICS environment.
- CAPEC spans the full attack lifecycle but stays at the level of the technique against a weakness rather than a named actor.
How they connect
The frameworks are complementary rather than competing. CAPEC attack patterns are mapped to CWE weaknesses, tying the method of attack to the underlying flaw that makes it possible. Some CAPEC and ATT&CK entries are also cross-referenced, letting an analyst pivot from an abstract pattern to the concrete techniques adversaries use in practice.
In a complete picture, CWE describes the weakness, CAPEC describes the abstract pattern that exploits it, and ATT&CK describes the real behavior defenders should expect to detect.
Keep exploring
- What is MITRE ATT&CK? Knowledge base of real-world adversary tactics and techniques.
- What is CAPEC? Catalog of abstract attack patterns mapped to weaknesses.
- CVE vs CWE vs CAPEC: How the three catalogs relate to one another.
- What is the cyber kill chain? Staged model of how an intrusion unfolds.
- What is a CWE? Common Weakness Enumeration of software flaws.
- CAPEC directory: Browse attack patterns in the CAPEC catalog.
Frequently asked questions
- Are ATT&CK and CAPEC maintained by the same organization?
- Yes. Both are MITRE knowledge bases, alongside CWE and the CVE program, though they serve different audiences and use cases.
- Which should I use for threat modeling?
- Both can apply. CAPEC is well suited to secure design and reasoning about how weaknesses could be exploited, while ATT&CK is well suited to modeling the behavior of real adversaries you expect to face.
- Does CAPEC map to ATT&CK?
- CAPEC primarily maps to CWE weaknesses, but selected entries are cross-referenced with ATT&CK techniques so analysts can move between abstract patterns and observed behavior.
- Is one more detailed than the other?
- They are detailed in different ways. ATT&CK is concrete about observed techniques and the actors using them, while CAPEC is broader and technology-agnostic, describing patterns that apply across many systems.