MITRE ATT&CK is the common language security teams use to describe how attackers behave. It is a free, curated knowledge base of real-world adversary tactics and techniques, and it underpins modern detection, threat intel and coverage measurement. This guide explains what ATT&CK is, how it is structured, and how teams use it.
What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally used knowledge base of adversary behaviour, maintained by the non-profit MITRE and built from publicly reported real-world intrusions. Instead of cataloguing malware signatures, it catalogues behaviour — what attackers are trying to do and how they do it — which keeps it useful even as the specific tools change.
Tactics, techniques and sub-techniques
The framework is organised in a hierarchy:
- Tactics — the attacker's goal, the "why" of an action (e.g. Initial Access, Persistence, Exfiltration).
- Techniques — the "how", the method used to achieve a tactic, each with a stable ID (e.g. Phishing, T1566; Valid Accounts, T1078).
- Sub-techniques — more specific variations of a technique, numbered under their parent (e.g. Spearphishing Attachment, T1566.001).
- Procedures — the specific implementations seen in the wild: how a named group or piece of malware actually carried out a technique.
Behaviours are organised into matrices — Enterprise (the most used), Mobile, and ICS. The Enterprise matrix has 14 tactics that roughly follow an attack's progression, although a real intrusion need not pass through every tactic or visit them in order, and a single technique can appear under several tactics (Valid Accounts, T1078, sits under Initial Access, Persistence, Privilege Escalation and Defense Evasion):
| Stage | Tactics |
|---|---|
| Get in | Reconnaissance, Resource Development, Initial Access |
| Run & stay | Execution, Persistence, Privilege Escalation, Defense Evasion |
| Operate | Credential Access, Discovery, Lateral Movement, Collection |
| Achieve goal | Command and Control, Exfiltration, Impact |
How security teams use ATT&CK
- Detection engineering — tag each detection with the technique or sub-technique IDs it catches, so rules, alerts and tickets share one vocabulary.
- Coverage mapping — build a heatmap of which techniques your enabled detections cover and where the gaps are. A tag says a detection exists, not that it fires reliably, so treat the heatmap as a starting point and validate it with red-team or adversary-emulation tests.
- Threat intelligence — describe adversary groups by the techniques they favour, so a threat report translates directly into detection priorities.
- Red/blue teaming — plan and measure exercises against a common framework, scoring each emulated technique as detected, logged-only or missed.
- Prioritisation — an entity whose activity maps to many distinct tactics (initial access, then execution, credential access, lateral movement) looks like an intrusion in progress; one technique firing repeatedly is more often a noisy rule.
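As an added illustration (not LogPulse code or tooling from the ATT&CK project), the Python below carries the detection-engineering, coverage-mapping and prioritisation uses above through on constructed data: detections tagged with technique IDs, a tactic coverage map with its gaps, and a breadth-weighted entity risk score of the kind the LogPulse section below describes. The technique table is a small hand-picked subset of ATT&CK Enterprise with real IDs and tactic assignments; the detections, alert stream and scoring weights are constructed for the demo.

```python
"""Tag detections with ATT&CK technique IDs, derive a tactic coverage map and
score entities by attack breadth. Added example, not LogPulse or MITRE code."""
import re
from collections import defaultdict

# The 14 Enterprise tactics in matrix order.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Hand-picked subset of the matrix: technique ID -> (name, tactics it sits under).
# A technique can belong to several tactics; Valid Accounts is the classic case.
TECHNIQUES = {
    "T1566": ("Phishing", {"Initial Access"}),
    "T1566.001": ("Spearphishing Attachment", {"Initial Access"}),
    "T1078": ("Valid Accounts", {"Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"}),
    "T1059": ("Command and Scripting Interpreter", {"Execution"}),
    "T1059.001": ("PowerShell", {"Execution"}),
    "T1003": ("OS Credential Dumping", {"Credential Access"}),
    "T1021": ("Remote Services", {"Lateral Movement"}),
    "T1041": ("Exfiltration Over C2 Channel", {"Exfiltration"}),
    "T1486": ("Data Encrypted for Impact", {"Impact"}),
}

_ID_RE = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def parse_technique_id(tag):
    """Split 'T1566.001' into ('T1566', '001'); 'T1566' gives ('T1566', None)."""
    m = _ID_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tag!r}")
    return m.group(1), m.group(2)


def parent_technique(tag):
    """Sub-techniques roll up to their parent technique for coverage counting."""
    return parse_technique_id(tag)[0]


def tactics_for(tag):
    """Tactics a technique sits under; an unknown sub-technique falls back to its parent."""
    parent, sub = parse_technique_id(tag)
    key = f"{parent}.{sub}" if sub else parent
    entry = TECHNIQUES.get(key) or TECHNIQUES.get(parent)
    if entry is None:
        raise ValueError(f"technique {tag} is not in the local matrix subset")
    return entry[1]


def tactic_coverage(detections):
    """Map each tactic to the sorted parent techniques some enabled detection covers."""
    covered = defaultdict(set)
    for det in detections:
        if not det.get("enabled", True):
            continue  # disabled content gives no coverage, however well it is tagged
        for tag in det["techniques"]:
            for tactic in tactics_for(tag):
                covered[tactic].add(parent_technique(tag))
    return {t: sorted(covered[t]) for t in ENTERPRISE_TACTICS if t in covered}


def coverage_gaps(detections):
    """Tactics with no enabled detection at all: the empty columns of the heatmap."""
    covered = tactic_coverage(detections)
    return [t for t in ENTERPRISE_TACTICS if t not in covered]


def entity_risk(alerts):
    """Breadth-weighted score (constructed weights): distinct tactics count most,
    distinct techniques next, and raw alert volume is capped so one rule that
    keeps firing cannot out-score a multi-stage intrusion."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert["entity"]].append(alert["technique"])
    scores = {}
    for entity, tags in by_entity.items():
        tactics = set().union(*(tactics_for(t) for t in tags))
        techniques = {parent_technique(t) for t in tags}
        scores[entity] = 10 * len(tactics) + 3 * len(techniques) + min(len(tags), 5)
    return scores


def rank_entities(alerts):
    """Entities ordered by risk, highest first."""
    return sorted(entity_risk(alerts).items(), key=lambda kv: kv[1], reverse=True)


# Constructed detection content: name, ATT&CK tags, enabled flag.
DETECTIONS = [
    {"name": "Office app spawns script interpreter", "techniques": ["T1566.001", "T1059"], "enabled": True},
    {"name": "LSASS memory access", "techniques": ["T1003"], "enabled": True},
    {"name": "Logon from new geography", "techniques": ["T1078"], "enabled": True},
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"], "enabled": True},
    {"name": "Mass file rename with ransom note", "techniques": ["T1486"], "enabled": False},
]

# Constructed alert stream: one noisy host versus one host showing a real attack chain.
ALERTS = (
    [{"entity": "ws-017", "technique": "T1059.001"}] * 20
    + [{"entity": "ws-042", "technique": t}
       for t in ("T1566.001", "T1059.001", "T1003", "T1021", "T1041")]
)

if __name__ == "__main__":
    for tactic, techs in tactic_coverage(DETECTIONS).items():
        print(f"{tactic:22s} {', '.join(techs)}")
    print("gaps:", ", ".join(coverage_gaps(DETECTIONS)))
    for entity, score in rank_entities(ALERTS):
        print(f"{entity}: risk {score}")
```

Two things the run makes visible: the disabled ransomware rule leaves Impact uncovered even though it is tagged correctly, so coverage has to be derived from enabled content; and the host with five alerts across five tactics outranks the host with twenty alerts from one PowerShell rule, which is the breadth-over-volume behaviour the prioritisation bullet describes.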
Why behaviour beats signatures
Attackers swap tools, infrastructure and file hashes constantly, but the underlying techniques change slowly: credentials still have to be obtained, code still has to run, and data still has to leave the network. Detecting on behaviour (ATT&CK techniques) is therefore more durable than chasing individual indicators.
How LogPulse uses MITRE ATT&CK
LogPulse ships 50+ built-in detections, each tagged with ATT&CK tactics and techniques, and derives a coverage heatmap from your enabled content so you can see gaps. Because risk-based alerting weights activity that spans more tactics and techniques higher, attack breadth across the ATT&CK matrix raises an entity's risk faster than repetitive noise. See also: What is SIEM and Security Monitoring (SIEM).