What is CAPEC (Common Attack Pattern Enumeration and Classification)?
Last reviewed June 2, 2026
CAPEC (Common Attack Pattern Enumeration and Classification) is a MITRE-maintained catalog of attack patterns: structured descriptions of how adversaries exploit weaknesses in software and systems. Where CWE describes the weakness, CAPEC describes the attack against it, and each CAPEC entry maps to the CWE weaknesses it targets.
CAPEC: a catalog of attack patterns
The Common Attack Pattern Enumeration and Classification (CAPEC) is a MITRE-maintained dictionary of known attack patterns. An attack pattern is an abstraction of the common methods adversaries use to exploit weaknesses, including the attacker prerequisites, the steps involved, the skills and resources required, and the consequences.
Each CAPEC entry has a stable identifier (for example, CAPEC-66) and a name (SQL Injection). The catalog answers the question "how would an attacker abuse this?" rather than "what is the flaw?" That framing makes CAPEC the attacker-centric counterpart to the defender-centric CWE.
How CAPEC relates to CWE
CAPEC attack patterns map to the CWE weaknesses they target. For example, CAPEC-66 (SQL Injection) references CWE-89 (the SQL injection weakness type). This linkage lets defenders pivot from a known weakness in their code to the attack patterns that exploit it, and from a threat technique back to the underlying weakness to fix.
The mental model is a chain: an attack pattern (CAPEC) targets a weakness type (CWE), which manifests as a concrete vulnerability instance (CVE) in a specific product.
How CAPEC is organized
Like CWE, CAPEC is hierarchical. Entries range from broad categories and meta attack patterns down to standard and detailed attack patterns. Each entry includes the typical severity, likelihood of attack, execution flow, required skills, and mitigations.
CAPEC also cross-references related frameworks. Many patterns map to MITRE ATT&CK techniques, giving a path from adversary tactics observed in the wild to the specific attack patterns and weaknesses involved.
- CAPEC-66 - SQL Injection (targets CWE-89).
- CAPEC-63 - Cross-Site Scripting (targets CWE-79).
- CAPEC-100 - Overflow Buffers (targets buffer-overflow weaknesses).
- CAPEC-126 - Path Traversal (targets CWE-22).
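As an added worked example (not code from the original page or from the CAPEC project), the Python below builds the CWE-to-CAPEC inverse index from a constructed toy slice of the catalog and pivots a CVE record through its CWE ids to the attack patterns and their ATT&CK mappings, following the CVE -> CWE -> CAPEC -> ATT&CK chain described above; the CWE parent links, the ATT&CK technique ids and the CVE record's `cwe_ids` field are assumptions made for illustration.

```python
# Added example: pivot a CVE record to the CAPEC attack patterns that
# exploit its weakness type, following CVE -> CWE -> CAPEC -> ATT&CK.
# All data here is a hand-constructed toy slice, not the real catalogs;
# the CWE parent links and ATT&CK ids are assumptions for illustration.
from collections import defaultdict

# CAPEC id -> (name, targeted CWE ids, mapped ATT&CK technique ids)
CAPEC = {
    "CAPEC-66":  ("SQL Injection",        {"CWE-89"},  {"T1190"}),
    "CAPEC-63":  ("Cross-Site Scripting", {"CWE-79"},  {"T1189"}),
    "CAPEC-100": ("Overflow Buffers",     {"CWE-119"}, {"T1203"}),
    "CAPEC-126": ("Path Traversal",       {"CWE-22"},  set()),
}
# CWE ChildOf links (constructed): child -> parent. Needed because a CVE
# is often filed under a specific weakness while CAPEC maps the parent.
CWE_PARENT = {"CWE-787": "CWE-119", "CWE-120": "CWE-119"}

def build_index(capec):
    """Invert CAPEC's Related Weaknesses field into CWE -> {CAPEC ids}."""
    idx = defaultdict(set)
    for cid, (_, cwes, _) in capec.items():
        for cwe in cwes:
            idx[cwe].add(cid)
    return idx

CWE_TO_CAPEC = build_index(CAPEC)

def patterns_for_cwe(cwe, index=CWE_TO_CAPEC, parents=CWE_PARENT):
    """Walk up the CWE hierarchy until some CAPEC entry targets the weakness."""
    seen = set()
    while cwe and cwe not in seen:  # 'seen' guards against cyclic parent data
        seen.add(cwe)
        if cwe in index:
            return sorted(index[cwe])
        cwe = parents.get(cwe)
    return []  # no attack pattern catalogued for this weakness type

def pivot_cve(cve, capec=CAPEC):
    """CVE record -> attack patterns (with ATT&CK techniques) via its CWE ids.
    Returns {} when the CVE carries no CWE: the link only runs through CWE."""
    out = {}
    for cwe in cve.get("cwe_ids", []):
        for cid in patterns_for_cwe(cwe):
            name, _, attack = capec[cid]
            out[cid] = {"name": name, "via_cwe": cwe, "attack": sorted(attack)}
    return out

if __name__ == "__main__":
    # Constructed CVE record with a placeholder id; 'cwe_ids' is assumed.
    print(pivot_cve({"id": "CVE-0000-0000", "cwe_ids": ["CWE-787"]}))
```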
Why CAPEC matters
CAPEC helps threat modeling, secure design review, and red-team planning. By enumerating how an attacker would approach a system, teams can anticipate attacks during design rather than discovering them after deployment.
For defenders, CAPEC bridges the gap between abstract weaknesses and real-world threats: it connects the CWE you need to fix with the techniques attackers actually use and, through ATT&CK mappings, the behavior you might detect.
Keep exploring
- Browse the CAPEC directory: explore attack patterns and the weaknesses they target.
- What is a CWE? The weakness types that CAPEC patterns target.
- CVE vs CWE vs CAPEC: how instance, weakness, and attack relate.
- Browse the CWE directory: weakness entries linked to attack patterns.
- What is MITRE ATT&CK? Knowledge base of adversary tactics and techniques.
- MITRE ATT&CK vs CAPEC: observed behavior versus abstract attack patterns.
Frequently asked questions
- What is the difference between CAPEC and CWE?
- CWE catalogs weakness types (the flaws), while CAPEC catalogs attack patterns (how those flaws are exploited). CAPEC entries map to the CWE weaknesses they target.
- How is CAPEC different from MITRE ATT&CK?
- CAPEC describes application-level attack patterns tied to specific weaknesses, while ATT&CK describes adversary tactics and techniques observed across the broader intrusion lifecycle. Many CAPEC entries map to ATT&CK techniques.
- Who maintains CAPEC?
- CAPEC is maintained by MITRE with community input and is freely available, much like CWE.
- Does a CVE map to a CAPEC?
- Not directly. A CVE maps to a CWE weakness type, and CAPEC attack patterns map to those CWEs, so the link between a CVE and an attack pattern runs through the shared weakness.