What is MITRE ATT&CK?
Last reviewed June 2, 2026
MITRE ATT&CK is a globally accessible, curated knowledge base of adversary tactics and techniques based on real-world observations of cyber intrusions. It organizes attacker behavior into a matrix of tactics (the why) and techniques (the how), helping defenders model threats, build detections, and assess coverage. It differs from catalogs like CWE and CAPEC by focusing on observed post-compromise behavior rather than software weaknesses or abstract attack patterns.
What ATT&CK is
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is maintained by MITRE, a not-for-profit organization, and is published free of charge for use by defenders, threat intelligence analysts, and security vendors worldwide.
The knowledge base catalogs how real adversaries operate once they have gained access to or are targeting an environment. Each entry is grounded in observed behavior from documented intrusions, malware, and threat groups rather than theoretical possibilities.
ATT&CK is descriptive, not prescriptive. It tells you what attackers do and how, which lets defenders reason about detection and mitigation in terms of concrete behaviors.
The matrices: Enterprise, Mobile, and ICS
ATT&CK is divided into separate matrices that cover different technology domains. Each matrix arranges tactics as columns and the techniques that achieve each tactic underneath.
- Enterprise: covers Windows, macOS, Linux, cloud platforms, containers, and network infrastructure. It is the most widely used matrix.
- Mobile: covers techniques targeting iOS and Android devices.
- ICS: covers techniques targeting industrial control systems and operational technology environments.
Tactics, techniques, and sub-techniques
The model is layered. Tactics represent the adversary goal, techniques represent the means of achieving that goal, and sub-techniques describe more specific variations of a technique.
| Layer | Question it answers | Example |
|---|---|---|
| Tactic | Why is the adversary acting? | Credential Access |
| Technique | How is the goal achieved? | OS Credential Dumping |
| Sub-technique | What specific variation? | LSASS Memory dumping |
How ATT&CK differs from CWE and CAPEC
- CWE catalogs software and hardware weaknesses, the underlying flaws such as improper input validation that make systems vulnerable.
- CAPEC catalogs abstract attack patterns, the generic methods an attacker uses to exploit a weakness, and maps them to CWE entries.
- ATT&CK catalogs real-world adversary behavior observed during campaigns, focused largely on what happens after initial access.
- In short, CWE is the flaw, CAPEC is the abstract method of exploiting it, and ATT&CK is the observed behavior of real adversaries inside an environment.
How defenders use ATT&CK
- Detection engineering: writing and tuning analytics that fire on specific techniques.
- Threat modeling: identifying which techniques are most relevant to your environment and adversaries.
- Red and blue teaming: red teams emulate known adversary techniques while blue teams measure whether they are detected.
- Coverage assessment: using the ATT&CK Navigator to map current detections against the matrix and find gaps.
- Threat intelligence: describing adversary groups and malware in a common vocabulary so reporting is consistent across teams and vendors.
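The layered tactic/technique/sub-technique model and the coverage-assessment use case above, worked through as an added example (not code from MITRE or the ATT&CK Navigator project): a constructed inventory of detection analytics tagged with ATT&CK IDs is rolled up so that a sub-technique hit also covers its parent technique, uncovered techniques are listed per tactic, and the result is emitted in an assumed minimal subset of the Navigator layer JSON schema. The technique IDs and names are real ATT&CK entries; the matrix subset, the rule names and the layer field set are assumptions for illustration.

```python
import json
from collections import defaultdict
# Constructed subset of the Enterprise matrix: ID -> (name, tactic, parent technique).
# IDs and names are real ATT&CK entries; the subset is illustrative only.
TECHNIQUES = {
    "T1003": ("OS Credential Dumping", "credential-access", None),
    "T1003.001": ("LSASS Memory", "credential-access", "T1003"),
    "T1003.003": ("NTDS", "credential-access", "T1003"),
    "T1059": ("Command and Scripting Interpreter", "execution", None),
    "T1059.001": ("PowerShell", "execution", "T1059"),
    "T1021": ("Remote Services", "lateral-movement", None),
}
# Constructed detection inventory: analytic name -> technique IDs it fires on.
RULES = {
    "lsass-handle-open": ["T1003.001"],
    "lsass-minidump-written": ["T1003.001"],
    "encoded-powershell-cmd": ["T1059.001"],
}

def coverage(rules=RULES, techniques=TECHNIQUES):
    """Analytics per technique; a sub-technique hit also counts for its parent technique."""
    counts = defaultdict(int)
    for name, ids in rules.items():
        for tid in ids:
            if tid not in techniques:
                raise ValueError(f"rule {name!r} references unknown technique {tid}")
            counts[tid] += 1
            if techniques[tid][2]:          # roll the sub-technique up to its parent
                counts[techniques[tid][2]] += 1
    return dict(counts)

def gaps(rules=RULES, techniques=TECHNIQUES):
    """Techniques no analytic covers, grouped by tactic (the column in the matrix)."""
    covered, by_tactic = coverage(rules, techniques), defaultdict(list)
    for tid, (_, tactic, _) in techniques.items():
        if tid not in covered:
            by_tactic[tactic].append(tid)
    return dict(by_tactic)

def navigator_layer(rules=RULES, techniques=TECHNIQUES, name="detection coverage"):
    """Minimal Navigator layer (assumed subset of the layer schema) scored by analytic count."""
    covered = coverage(rules, techniques)
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"},
            "techniques": [{"techniqueID": tid, "tactic": tactic,
                            "score": covered.get(tid, 0),
                            "comment": f"{covered.get(tid, 0)} analytic(s)"}
                           for tid, (_, tactic, _) in techniques.items()]}

if __name__ == "__main__":
    print(json.dumps({"layer": navigator_layer(), "uncovered": gaps()}, indent=2))
```

The score field is what the Navigator colours cells by, so an exported layer like this one gives a heat map of which techniques have analytics and which tactics are blind spots.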
Keep exploring
- MITRE ATT&CK vs CAPEC: how observed adversary behavior differs from abstract attack patterns.
- What is the cyber kill chain? Lockheed Martin model of the stages of an intrusion.
- What is MITRE? The organization behind ATT&CK, CVE, and CWE.
- What is CAPEC? Catalog of common attack patterns mapped to weaknesses.
- What is a CWE? Common Weakness Enumeration of software and hardware flaws.
- CAPEC directory: browse attack patterns in the CAPEC catalog.
Frequently asked questions
- Is MITRE ATT&CK free to use?
- Yes. ATT&CK is published by MITRE free of charge and is openly available for use by defenders, vendors, and researchers.
- What is the difference between a tactic and a technique?
- A tactic is the adversary goal, such as Credential Access, while a technique is the specific method used to achieve that goal, such as OS Credential Dumping. Sub-techniques describe narrower variations of a technique.
- What is the ATT&CK Navigator?
- The Navigator is a free web tool for annotating and exploring ATT&CK matrices. Teams use it to visualize detection coverage, highlight techniques used by specific adversaries, and identify gaps.
- Does ATT&CK replace CWE or CAPEC?
- No. The three are complementary. CWE describes weaknesses, CAPEC describes abstract attack patterns mapped to those weaknesses, and ATT&CK describes observed adversary behavior. Many teams use all three together.