Skip to content

What is MITRE?

Last reviewed June 2, 2026

MITRE is a U.S. non-profit organization that operates several of the foundational standards in vulnerability management. It operates the CVE Program (sponsored by CISA), maintains the CWE catalog of weakness types and the CAPEC catalog of attack patterns, and develops the ATT&CK knowledge base of adversary tactics and techniques. These programs give the security industry a shared vocabulary for naming vulnerabilities, weaknesses, attacks, and adversary behavior.

MITRE in one sentence

MITRE is a not-for-profit organization that operates federally funded research and development centers in the United States and runs several public-interest cybersecurity programs. In the vulnerability world it is best known not for products but for the open standards and knowledge bases it stewards on behalf of the community.

If you have ever cited a CVE ID, mapped a bug to a CWE, modeled an attack with CAPEC, or referenced an ATT&CK technique, you have used something MITRE operates or maintains.

The MITRE programs that matter for vulnerabilities

Four MITRE-run efforts underpin much of modern vulnerability management. Each names a different layer of the problem.

  • CVE Program: assigns the CVE identifiers used to name specific, publicly disclosed vulnerabilities. MITRE operates it; CISA sponsors it.
  • CWE (Common Weakness Enumeration): a catalog of weakness types, the root-cause categories behind vulnerabilities.
  • CAPEC (Common Attack Pattern Enumeration and Classification): a catalog of attack patterns describing how adversaries exploit weaknesses.
  • ATT&CK: a knowledge base of real-world adversary tactics and techniques observed across the intrusion lifecycle.

MITRE's role in the CVE Program

MITRE operates the CVE Program, maintaining the core infrastructure and the official CVE List. It does not personally triage every vulnerability. Instead, a federated network of CVE Numbering Authorities (CNAs) assigns IDs and writes records, while MITRE acts as one of the two Top-Level Roots that oversee the program. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, sponsors the program and is the other Top-Level Root.

This division is a common point of confusion: MITRE runs the program and the list, but the day-to-day assignment of CVE IDs is delegated to hundreds of CNAs around the world.

How the MITRE standards fit together

The MITRE catalogs interlock. A CAPEC attack pattern targets a CWE weakness type, which manifests as a CVE instance in a real product, and CAPEC and ATT&CK cross-reference each other to connect application-level attack patterns with observed adversary techniques.

This layering is why MITRE's work is so widely adopted: each standard answers a distinct question (which bug, what kind of flaw, how it is attacked, what the adversary does) while sharing a common, mappable structure.

Keep exploring

Frequently asked questions

What does MITRE do in cybersecurity?
MITRE operates the CVE Program and maintains the CWE, CAPEC, and ATT&CK knowledge bases, providing the security industry with shared standards for naming vulnerabilities, weaknesses, attack patterns, and adversary techniques.
Does MITRE assign CVE IDs?
MITRE operates the CVE Program and the CVE List, but most CVE IDs are assigned by CNAs. MITRE acts as a Top-Level Root overseeing the program rather than triaging every vulnerability itself.
Is MITRE the same as CISA?
No. MITRE is a non-profit that operates the CVE Program; CISA is the U.S. government agency that sponsors it. Both serve as Top-Level Roots in the CVE Program.
What is the difference between CAPEC and ATT&CK?
CAPEC catalogs application-level attack patterns tied to specific weaknesses, while ATT&CK describes broader adversary tactics and techniques observed in real intrusions. Both are maintained by MITRE and cross-reference each other.