MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Maintained by the MITRE Corporation, it catalogues how threat actors operate across the full attack lifecycle, from initial access through lateral movement to data exfiltration, providing defenders with a structured language for understanding, detecting, and responding to threats.
For security teams, ATT&CK answers a fundamental question: how do real adversaries actually attack, and where are we exposed? Rather than relying on theoretical risk assessments or generic vulnerability scans, ATT&CK maps documented adversary behaviour to your specific environment, giving you a practical basis for prioritising defences.
| Field | Detail |
| --- | --- |
| Full name | MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) |
| Type | Framework / Knowledge base |
| Maintained by | MITRE Corporation |
| First published | 2013 (public release 2015) |
| Applies to | Threat intelligence, detection engineering, red teaming, purple teaming, security operations, threat modelling |
| UK relevance | Referenced in NCSC threat advisories; used by UK government and defence for threat-informed defence; applicable across NIS2 and CAF assessments |
| Wikipedia | ATT&CK |
| Wikidata | Q104434300 |
How ATT&CK is structured
The framework is organised around three core concepts. Tactics represent the adversary’s objective at each stage of an attack; there are 14 in the Enterprise matrix, covering everything from Initial Access and Persistence through to Lateral Movement and Exfiltration. These are the ‘why’ of an attack step. Techniques describe the specific methods used to achieve each tactic, such as Phishing, Pass-the-Hash and Remote Desktop Protocol abuse, among hundreds of others. These are the ‘how’. Sub-techniques provide more granular detail, distinguishing, for example, between Spearphishing Attachment and Spearphishing Link.
Each technique is documented with real-world examples, detection guidance, and recommended mitigations, making the framework directly actionable for security teams, not just a theoretical exercise.
MITRE maintains domain-specific matrices for different environments. The Enterprise matrix covers Windows, macOS, Linux, cloud platforms (AWS, Azure, GCP), network infrastructure, and containers, with over 200 techniques and 400 sub-techniques mapped to real threat groups and software. The Mobile matrix covers Android and iOS. The ICS matrix covers industrial control systems and operational technology environments.
How organisations use ATT&CK
ATT&CK has become the common language for offensive and defensive security. In threat modelling, it maps identified threats to documented adversary techniques, showing you the likely attack paths against your specific systems. In detection engineering, it structures alert rules and SOC coverage around specific techniques, ensuring your monitoring addresses the full attack lifecycle rather than isolated indicators. In red teaming and purple teaming, it provides the playbook for structuring adversary simulations around real-world behaviour, testing whether your defences hold against documented attack patterns. And in gap analysis, it reveals which techniques you can detect, which you can prevent, and where blind spots remain.
For security leaders, ATT&CK provides a practical way to measure and communicate your detection coverage. Rather than abstract risk scores, you can show your board exactly which adversary techniques you’re protected against and which require investment.
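As an added worked example (not code from this page or from MITRE), the Python below performs the gap analysis described above on a small catalogue: each detection rule is tagged with the ATT&CK technique it observes, coverage is rolled up per tactic with parent techniques marked partial when only some sub-techniques are covered, and the result is exported as a minimal Navigator-style layer. The tactic and technique IDs are real Enterprise identifiers, but the catalogue subset, the detection rules and the `coverage_by_tactic` and `navigator_layer` functions are constructed for illustration; a real analysis loads the full STIX bundle MITRE publishes rather than a hand-written dictionary.

```python
"""ATT&CK coverage gap analysis over a constructed catalogue subset."""
import json
import re

# Tactic IDs and names (real ATT&CK Enterprise identifiers; subset only)
TACTICS = {
    "TA0001": "Initial Access",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0008": "Lateral Movement",
    "TA0010": "Exfiltration",
}

# Technique ID -> (name, tactics it can serve). Dotted IDs are sub-techniques.
# Constructed subset: the real matrix has hundreds of entries.
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1566.001": ("Spearphishing Attachment", ["TA0001"]),
    "T1566.002": ("Spearphishing Link", ["TA0001"]),
    "T1547.001": ("Registry Run Keys / Startup Folder", ["TA0003", "TA0004"]),
    "T1550.002": ("Pass the Hash", ["TA0005", "TA0008"]),
    "T1021.001": ("Remote Desktop Protocol", ["TA0008"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1041": ("Exfiltration Over C2 Channel", ["TA0010"]),
}

# Constructed detection rules, each tagged with the technique it observes
DETECTION_RULES = [
    {"rule": "Office app spawns script interpreter", "technique": "T1566.001"},
    {"rule": "Non-system process opens LSASS memory", "technique": "T1003"},
    {"rule": "NTLM logon with no matching interactive logon", "technique": "T1550.002"},
    {"rule": "New value written under a Run key", "technique": "T1547.001"},
]

TECHNIQUE_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parent_technique(technique_id: str) -> str:
    """Return the parent ID of a sub-technique (T1566.001 -> T1566);
    a top-level technique is its own parent."""
    m = TECHNIQUE_ID.match(technique_id)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {technique_id}")
    return f"T{m.group(1)}"


def covered_techniques(rules) -> set:
    """Technique IDs that at least one detection rule claims to cover."""
    covered = set()
    for rule in rules:
        tid = rule["technique"]
        if tid not in TECHNIQUES:
            raise KeyError(f"rule '{rule['rule']}' maps to unknown technique {tid}")
        covered.add(tid)
    return covered


def technique_status(technique_id: str, covered: set) -> str:
    """'covered' if a rule targets the ID directly, 'partial' if only some of
    its sub-techniques are covered, otherwise 'gap'."""
    if technique_id in covered:
        return "covered"
    children = [t for t in TECHNIQUES
                if t != technique_id and parent_technique(t) == technique_id]
    if any(c in covered for c in children):
        return "partial"
    return "gap"


def coverage_by_tactic(rules) -> dict:
    """Roll detection coverage up to each tactic so blind spots stand out."""
    covered = covered_techniques(rules)
    report = {}
    for tactic_id, tactic_name in TACTICS.items():
        in_tactic = sorted(t for t, (_, tactics) in TECHNIQUES.items()
                           if tactic_id in tactics)
        buckets = {"covered": [], "partial": [], "gap": []}
        for tid in in_tactic:
            buckets[technique_status(tid, covered)].append(tid)
        report[tactic_id] = {"tactic": tactic_name, **buckets}
    return report


def navigator_layer(rules, name: str = "Detection coverage") -> dict:
    """Export coverage as a minimal Navigator-style layer (score 1 = covered,
    0.5 = partial, 0 = gap). Only a few layer fields are used here; consult
    the Navigator layer spec before relying on this for a full import."""
    covered = covered_techniques(rules)
    score = {"covered": 1, "partial": 0.5, "gap": 0}
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Generated from detection rule to technique mappings",
        "techniques": [
            {"techniqueID": tid,
             "score": score[technique_status(tid, covered)],
             "comment": TECHNIQUES[tid][0]}
            for tid in TECHNIQUES
        ],
    }


if __name__ == "__main__":
    for tactic_id, row in coverage_by_tactic(DETECTION_RULES).items():
        print(f"{tactic_id} {row['tactic']:<22} covered={row['covered']} "
              f"partial={row['partial']} gaps={row['gap']}")
    print(json.dumps(navigator_layer(DETECTION_RULES), indent=2))
```

Run as a script it prints one line per tactic; with the constructed rules, Lateral Movement shows Pass the Hash covered but Remote Desktop Protocol as a gap, and Exfiltration has no coverage at all, which is exactly the kind of blind spot the board-level view in the section above is meant to surface.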
ATT&CK in the UK
UK organisations use ATT&CK extensively across government and private sectors. The NCSC references ATT&CK techniques in threat advisories and sector-specific guidance. CREST-certified red team engagements increasingly structure attack scenarios around ATT&CK. NIS2 and NCSC CAF assessments benefit from ATT&CK-based detection coverage mapping. And financial services firms use ATT&CK for CBEST and TIBER-EU threat-led penetration testing.
How we use MITRE ATT&CK
We use MITRE ATT&CK across our threat modelling, penetration testing, and MXDR services. In threat modelling engagements, we map adversary techniques to your environment to identify the most likely attack paths. In CREST-certified penetration testing and red team exercises, we structure our approach around ATT&CK tactics to test your defences systematically. And in our MXDR service, we build detection coverage aligned to ATT&CK techniques, ensuring our SOC monitors for the adversary behaviours that matter to your threat profile.
Related glossary terms
- Threat modelling – structured threat analysis that uses ATT&CK for adversary modelling
- CREST certification – accreditation for testing providers who use ATT&CK-aligned methodologies
- NCSC CAF – UK government framework that benefits from ATT&CK-based gap analysis
External references
- Wikipedia: ATT&CK – encyclopaedic overview
- Wikidata: Q104434300 – canonical entity identifier
- MITRE ATT&CK – official framework and knowledge base
Frequently asked questions
What is the difference between MITRE ATT&CK and a vulnerability scanner?
A vulnerability scanner identifies known software flaws (CVEs) in your systems. MITRE ATT&CK catalogues adversary behaviours, that is, how attackers actually operate, regardless of specific vulnerabilities. ATT&CK helps you understand attack methods; vulnerability scanners find exploitable weaknesses. Most organisations need both.
Is MITRE ATT&CK only for large organisations?
No. The framework scales from enterprise SOC operations to small security teams. Even organisations without a dedicated SOC can use ATT&CK to prioritise which attack techniques to defend against based on their threat profile and sector.
How does MITRE ATT&CK relate to threat modelling?
ATT&CK provides the adversary intelligence layer for threat modelling. While frameworks like STRIDE-LM decompose a system’s attack surface, ATT&CK maps real-world adversary behaviour to that surface, showing how specific threat actors would likely target your environment.
Contact Us
Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX
