What is the MITRE ATT&CK Framework?

When security teams respond to a breach, they face a familiar problem: They must reconstruct a threat actor’s path without relying on consistent indicators. Malware families change, infrastructure shifts, and tools vary from one intrusion to the next. Yet the core behaviors often look the same. An adversary who steals credentials, moves laterally, and extracts data follows a pattern that repeats across countless investigations, even when the technical details differ.

The MITRE ATT&CK® framework addresses this challenge by documenting how adversaries operate in practice. It defines the tactics that represent an attacker's objectives and the techniques they apply to achieve those objectives. Each entry is backed by citations to publicly reported intrusions investigated by researchers and incident responders, which grounds the framework in what teams encounter inside actual environments rather than in hypothetical attack trees.

For security teams, this turns the MITRE ATT&CK framework into both a reference and a playbook: a vocabulary for naming what an adversary has already done, and a map of what that adversary is likely to do next.

This article explains how the MITRE ATT&CK framework is structured, outlines the key benefits for defenders, and shows how to apply it in security operations.

MITRE ATT&CK at a glance

  • Full name: Adversarial Tactics, Techniques, and Common Knowledge
  • Purpose: Provide a structured, publicly available knowledge base of real adversary behavior
  • What it captures: Documented tactics and techniques threat actors use to prepare for, gain, and exploit access to an environment, with the greatest depth on post-compromise behavior
  • Why it matters: Gives defenders a common language to map intrusions, guide detection, and study how attacks progress across systems


MITRE ATT&CK framework defined

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE, a not-for-profit corporation that provides engineering and technical guidance to the United States federal government, created the framework during internal research in 2013 and released it publicly in 2015. Adoption grew quickly across security operations centers (SOCs), threat intelligence teams, red teams, and product vendors because the framework aligned with what practitioners observed in real environments.

MITRE ATT&CK catalogs how threat actors operate in the wild, drawing from documented activity collected by security researchers, threat hunters, and incident responders. MITRE maintains this curated knowledge base as a public resource so that defenders can rely on cited, publicly reported behaviors rather than speculative threat models. The goal is to give security teams a common language for the tactics and techniques that form the building blocks of intrusion activity.

The framework's center of gravity is post-compromise behavior. It documents how adversaries escalate privileges, impersonate users, move across systems, and pursue objectives after gaining access, which sets it apart from models that focus on preventive controls at the perimeter. Since version 8 (October 2020) the Enterprise matrix has also absorbed the two pre-compromise tactics, Reconnaissance and Resource Development, from the retired PRE-ATT&CK matrix, so the knowledge base now spans preparation through impact while still assuming a breach and mapping the actions that follow.

The MITRE ATT&CK framework continues to evolve as adversary tradecraft advances. MITRE publishes updates that reflect new platforms and emerging techniques. Recent additions include expanded cloud coverage and techniques that apply to ESXi environments, mirroring how modern intrusions extend far beyond the traditional corporate perimeter.

How organizations use MITRE ATT&CK

Organizations use the MITRE ATT&CK framework in practical, repeatable ways throughout their security operations. These are some of the common use cases:

Threat hunting

  • Hunters use MITRE ATT&CK to guide searches for behaviors that match known tactics and techniques.
  • When they identify suspicious activity, they check the technique to understand the attacker’s likely objective and next steps.

Detection engineering

  • Teams map their alerts, rules, and analytics to the framework to understand which behaviors they currently detect.
  • The mapping highlights gaps where attackers can operate without triggering existing controls, helping teams set clear objectives and priorities for improvement.

Shared language across teams

  • MITRE ATT&CK provides consistent terminology for adversary behavior across vendors, consultants, and internal teams.
  • A technique ID such as “T1055 Process Injection” conveys the same meaning to analysts and responders in any region, which improves collaboration during investigations.

MITRE ATT&CK matrix and key components

Specific adversaries tend to use particular techniques. The MITRE ATT&CK Matrix is the tactic-by-technique view of the knowledge base; behind it, ATT&CK also records Groups, Software, and Campaigns and links each to the techniques it has been observed using. That linkage lets security teams see which techniques the adversaries they are dealing with favor, evaluate their defenses against that specific set, and strengthen security where it matters most.

Adversary tactics

Tactics represent the technical objectives adversaries pursue during an intrusion. The MITRE ATT&CK Matrix for Enterprise includes 14 tactics that span the full attack life cycle:

  • Reconnaissance: Gathering information to plan future attacks.
  • Resource Development: Acquiring or creating infrastructure, accounts, or tools for upcoming operations.
  • Initial Access: Techniques used to gain a foothold in the target environment.
  • Execution: Actions that run malicious code on local or remote systems.
  • Persistence: Methods that maintain access across restarts or credential changes.
  • Privilege Escalation: Attempts to gain higher-level permissions within the environment.
  • Defense Evasion: Techniques that avoid detection during activity inside the network.
  • Credential Access: Attempts to steal passwords, tokens, and other authentication artifacts.
  • Discovery: Techniques for learning about systems, configurations, and network layout.
  • Lateral Movement: Methods that let adversaries move between systems.
  • Collection: Techniques for gathering information relevant to attacker objectives.
  • Command and Control (C2): Methods for communicating with compromised systems and directing operations.
  • Exfiltration: Techniques used to remove data from the environment.
  • Impact: Actions that disrupt availability, corrupt data, or damage systems.

Adversary techniques

Techniques describe how adversaries carry out their objectives. At the time of writing, MITRE ATT&CK lists 211 techniques and 468 sub-techniques for enterprise environments; the counts change with each release. Each technique page describes how the technique works, which platforms it affects, which groups and software have used it (with cited procedure examples), which mitigations apply, and which data sources and detection approaches reveal it.

Sub-techniques add further specificity. For example, the broad “Phishing” technique splits into variants such as “Spearphishing Attachment,” “Spearphishing Link,” and “Spearphishing via Service.” This structure helps defenders identify not only the tactic in play but the exact method behind it. Defense Evasion remains the most frequently observed tactic in interactive intrusions as adversaries attempt to conceal their activity as legitimate system behavior.

MITRE ATT&CK matrices

MITRE organizes tactics and techniques into visual matrices, with tactics as columns and the associated techniques beneath each tactic. This format gives defenders an immediate view of how attack activity maps across Windows, macOS, and Linux environments; cloud platforms; and other environments.

The framework includes three primary matrices:

  • Enterprise: Windows, macOS, and Linux; cloud services (IaaS, SaaS, identity providers, and office suites); network devices, containers, and, since version 17, ESXi hypervisors.
  • Mobile: Android and iOS, covering both device-level and network-based techniques.
  • ICS: Industrial control system environments, whose assets and adversary objectives differ enough from IT to warrant their own tactic set.

Security teams use these matrices to compare their detection coverage against known adversary techniques, which helps them identify visibility gaps and prioritize improvements.

Updates and community contributions

MITRE ATT&CK evolves through input from security researchers, defenders, and vendors who submit new techniques or suggest refinements to existing ones. MITRE validates these contributions and publishes updates on a regular cadence. As of December 2025, version 18.1 represents the most recent release.

This versioned approach helps organizations stay aligned with changes in adversary tradecraft and update their detection strategies accordingly.

Practical use cases for the framework

Organizations rely on MITRE ATT&CK to improve detection, validate defenses, and strengthen their overall security posture. The framework supports daily operations as well as long-term strategic planning across threat hunting, red teaming, engineering, and SOC management. Common applications include:

Threat detection and hunting

Threat hunters use MITRE ATT&CK to guide their searches for malicious behavior. Rather than looking for specific malware signatures, hunters search for behavioral patterns that match known techniques. This approach is far less sensitive to the specific tools an adversary brings, because the behavior (a credential dump, a remote logon, an encoded script) has to happen regardless of the binary that performs it.

Hypothesis-driven hunting builds directly on the framework's structure. If hunters observe an initial access technique such as the use of valid credentials, they know how to investigate related techniques associated with credential theft, lateral movement through remote protocols, and persistence mechanisms common in these scenarios.

This behavioral approach is critical as adversaries shift away from malware-dependent attacks. From July 2024 to June 2025, interactive intrusions increased 27% year-over-year, and 81% of the intrusions in this time frame were malware-free. MITRE ATT&CK helps teams detect this activity because it tracks behaviors that signatures cannot identify. Many SOCs also use the framework to accelerate alert triage and improve the quality of investigations by aligning observed events with specific technique IDs.

Red teaming and adversary emulation

Red teams use MITRE ATT&CK to build attack scenarios that reflect the methods real adversaries employ. Mapping operations to known tactics, techniques, and procedures (TTPs) produces exercises that test defenses against concrete threats rather than theoretical weaknesses.

Teams that emulate specific threat actors follow the techniques associated with those groups in the MITRE ATT&CK framework. For instance, emulating SCATTERED SPIDER would require teams to employ techniques spanning identity compromise, cloud service abuse, and rapid lateral movement. A red team exercise based on this pattern would test whether defenders can detect each step in this rapid sequence and interrupt the intrusion before the adversary reaches its objective.

Organizations also use MITRE ATT&CK to assess the maturity of their security operations. Evaluating how well defenses detect techniques across the framework highlights strengths, weaknesses, and areas where investment will have the greatest impact.

Detection engineering and security monitoring

Security teams use MITRE ATT&CK to design behavioral detection rules and improve visibility. Every technique lists the data sources (process creation, command execution, logon sessions, network traffic, and so on) and the detection guidance that signal its use. Analysts can translate this information into security information and event management (SIEM) rules and analytics that alert on suspicious activity as it occurs.

Prioritization begins with understanding which techniques appear most frequently in real attacks. Teams then focus detection work on the behaviors most relevant to their environments and threat landscape. This prevents wasted effort and supports a risk-based coverage strategy.

Technologies that map alerts to MITRE ATT&CK technique IDs reduce manual correlation work. When alerts include technique context, analysts can immediately understand the significance of an event and track how individual behaviors connect across an intrusion.

Additional ways organizations use MITRE ATT&CK

Many teams also apply the framework to:

  • Conduct security gap analysis
  • Strengthen threat intelligence production
  • Improve communication between SOC teams, consultants, and vendors
  • Plan security program improvements
  • Support executive reporting with a common language

These use cases highlight the versatility of MITRE ATT&CK and underscore its role as a foundation for modern defensive strategies.

How to implement the MITRE ATT&CK framework

Most organizations implement the MITRE ATT&CK framework in phases, beginning with a clear understanding of current detection coverage. Security teams start with mapping and gap analysis, expand their telemetry collection, and then mature their processes across detection engineering, hunting, and response.

Mapping and gap analysis

Implementation starts with understanding the organization’s current defensive posture. Teams map existing preventive and detective controls to MITRE ATT&CK techniques using tools such as the ATT&CK Navigator. This process shows which techniques have coverage and which remain unaddressed.

A gap analysis then identifies where to invest. Not every technique carries the same level of risk, and teams often prioritize techniques that appear frequently in their industry or align with the adversaries they are most likely to face.

The mapping process examines multiple control types. Preventive controls stop techniques from succeeding. Detective controls identify when techniques execute. Response capabilities determine how quickly teams can contain adversary activity once detected.
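As an added example (not code from the page, from MITRE, or from CrowdStrike), the following Python script performs the mapping and gap analysis described above end to end: it reads technique and tactic data in the shape of MITRE's STIX bundle (the real `enterprise-attack.json` in the mitre/cti repository carries the same fields; the six-object fragment here is constructed), inverts a hypothetical detection inventory into per-technique coverage, emits an ATT&CK Navigator layer that can be imported into the Navigator UI, and lists the priority techniques with no detection at all. The `DETECTIONS` and `PRIORITY` inventories and the version strings in the layer are assumptions to replace with your own.

```python
"""Detection coverage mapping and gap analysis for ATT&CK.

Added example, not MITRE's or CrowdStrike's code. The bundle below is a
constructed six-object fragment with the same fields this script reads from
MITRE's enterprise-attack.json (mitre/cti); DETECTIONS and PRIORITY are a
hypothetical inventory to replace with your own.
"""
import json
from collections import defaultdict


def _attack_pattern(tid, name, tactics, sub=False):
    """Minimal STIX attack-pattern object in the shape mitre/cti publishes."""
    return {"type": "attack-pattern", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            "x_mitre_is_subtechnique": sub}


# Constructed fragment; tactic assignments match the real Enterprise techniques.
ATTACK_BUNDLE = {"type": "bundle", "objects": [
    _attack_pattern("T1566", "Phishing", ["initial-access"]),
    _attack_pattern("T1566.001", "Spearphishing Attachment", ["initial-access"], sub=True),
    _attack_pattern("T1078", "Valid Accounts",
                    ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    _attack_pattern("T1055", "Process Injection", ["defense-evasion", "privilege-escalation"]),
    _attack_pattern("T1003", "OS Credential Dumping", ["credential-access"]),
    _attack_pattern("T1021", "Remote Services", ["lateral-movement"]),
]}

# Hypothetical detection inventory: rule name -> technique IDs it is mapped to.
DETECTIONS = {
    "office_spawns_script_host": ["T1566.001"],
    "lsass_memory_access": ["T1003"],
    "rdp_logon_from_new_source": ["T1021", "T1078"],
}

# Hypothetical priority list, e.g. techniques favored by the adversaries you track.
PRIORITY = ["T1078", "T1055", "T1003", "T1021", "T1566.001"]


def load_techniques(bundle):
    """{technique_id: {"name", "tactics", "is_sub"}}, skipping revoked/deprecated objects."""
    techniques = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next(r["external_id"] for r in obj["external_references"] if r["source_name"] == "mitre-attack")
        tactics = [k["phase_name"] for k in obj.get("kill_chain_phases", []) if k["kill_chain_name"] == "mitre-attack"]
        techniques[tid] = {"name": obj["name"], "tactics": tactics,
                           "is_sub": bool(obj.get("x_mitre_is_subtechnique"))}
    return techniques


def rules_by_technique(detections):
    """Invert rule -> techniques into technique -> sorted rule names."""
    index = defaultdict(list)
    for rule, tids in detections.items():
        for tid in tids:
            index[tid].append(rule)
    return {tid: sorted(rules) for tid, rules in index.items()}


def build_layer(techniques, detections, name="Detection coverage"):
    """ATT&CK Navigator layer: one entry per (technique, tactic) cell, scored by
    the number of rules mapped to the technique. Version strings are assumptions;
    set them to the ATT&CK release your rules were mapped against."""
    index = rules_by_technique(detections)
    entries = [{"techniqueID": tid, "tactic": tactic, "score": len(index.get(tid, [])),
                "comment": ", ".join(index.get(tid, [])), "enabled": True}
               for tid, meta in techniques.items() for tactic in meta["tactics"]]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "17", "navigator": "5.1.0", "layer": "4.5"},
            "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
            "techniques": entries}


def coverage_by_tactic(techniques, detections):
    """{tactic: (covered, total)}. A parent with no rule of its own counts as
    covered when any sub-technique has one: an optimistic roll-up, so say so."""
    index = rules_by_technique(detections)

    def covered(tid):
        return tid in index or any(sub.startswith(tid + ".") for sub in index)

    stats = defaultdict(lambda: [0, 0])
    for tid, meta in techniques.items():
        for tactic in meta["tactics"]:
            stats[tactic][1] += 1
            stats[tactic][0] += covered(tid)
    return {tactic: tuple(counts) for tactic, counts in stats.items()}


def priority_gaps(priority, detections):
    """Priority techniques with no rule mapped directly to them."""
    index = rules_by_technique(detections)
    return [tid for tid in priority if tid not in index]


if __name__ == "__main__":
    techs = load_techniques(ATTACK_BUNDLE)
    print(json.dumps(build_layer(techs, DETECTIONS), indent=2))
    for tactic, (covered, total) in coverage_by_tactic(techs, DETECTIONS).items():
        print(f"{tactic:<22} {covered}/{total}")
    print("priority gaps:", priority_gaps(PRIORITY, DETECTIONS))
```

Coverage is counted per (technique, tactic) pair because that is how Navigator keys a cell, so Valid Accounts shows up in four columns. Two caveats a reviewer of the resulting layer should hear: a score of 1 means a rule exists, not that it fires reliably on that technique's variants, and the parent roll-up treats Phishing as covered because one sub-technique is, which hides the missing Spearphishing Link and Spearphishing via Service detections.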

Required data and telemetry

Effective MITRE ATT&CK implementation relies on visibility into system and user activity. Telemetry sources must capture the behavioral signals associated with different techniques.

Important data sources include:

  • Process execution logs: Track program launches, command-line parameters, and parent-child relationships.
  • PowerShell logging: Record script content and execution details, as adversaries often abuse scripting for execution and discovery.
  • File and registry modifications: Identify changes associated with persistence and defense evasion.
  • Network connections: Surface internal and external communication patterns that signal C2 or lateral movement.
  • Authentication events: Track successful and failed logins to spot credential access and unauthorized movement.
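The following Python example (added here; not CrowdStrike's or MITRE's code) ties together the threat hunting, detection engineering, and telemetry passages above: it evaluates a few behavioral rules over constructed process-creation and logon events, tags every alert with the Enterprise ATT&CK technique IDs it evidences, and then reduces the alerts to a per-host tactic sequence of the kind an analyst reads as an intrusion narrative. The events, rule names, source addresses and the failure threshold are all constructed; the technique-to-tactic table covers only the IDs the rules emit.

```python
"""Behavior-based detections tagged with ATT&CK technique IDs.

Added example, not CrowdStrike's or MITRE's code. EVENTS is constructed
telemetry: process events carry the fields of a process-creation log (parent
image, image, command line) and auth events those of a Windows logon record
(outcome, logon type, source address). Timestamps are sequence numbers.
"""
import re
from collections import defaultdict

EVENTS = [
    {"ts": 1, "type": "process", "host": "WS01", "user": "alice", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"ts": 2, "type": "process", "host": "WS01", "user": "alice", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\out.dmp full"},
    # Benign admin use of PowerShell: no Office parent, no encoded command.
    {"ts": 3, "type": "process", "host": "WS02", "user": "bob", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\tools\inventory.ps1"},
    {"ts": 4, "type": "auth", "host": "SRV01", "user": "alice", "src_ip": "10.0.0.15", "outcome": "failure", "logon_type": 3},
    {"ts": 5, "type": "auth", "host": "SRV01", "user": "bob", "src_ip": "10.0.0.15", "outcome": "failure", "logon_type": 3},
    {"ts": 6, "type": "auth", "host": "SRV01", "user": "carol", "src_ip": "10.0.0.15", "outcome": "failure", "logon_type": 3},
    {"ts": 7, "type": "auth", "host": "SRV01", "user": "dave", "src_ip": "10.0.0.15", "outcome": "failure", "logon_type": 3},
    {"ts": 8, "type": "auth", "host": "SRV01", "user": "svc_backup", "src_ip": "10.0.0.15", "outcome": "success", "logon_type": 10},
    {"ts": 9, "type": "auth", "host": "WS02", "user": "bob", "src_ip": "10.0.0.22", "outcome": "success", "logon_type": 2},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")
FAILURE_THRESHOLD = 3  # assumed: failed logons from one source before a success is suspicious

# Technique -> tactic for the Enterprise techniques these rules emit.
TACTIC_OF = {
    "T1566.001": "initial-access", "T1059.001": "execution",
    "T1027.010": "defense-evasion", "T1003.001": "credential-access",
    "T1110.001": "credential-access", "T1110.003": "credential-access",
    "T1021.001": "lateral-movement",
}

# Stateless process rules: (rule name, technique IDs, predicate over one event).
PROCESS_RULES = [
    ("office_spawns_powershell", ["T1566.001", "T1059.001"],
     lambda e: e["parent"].lower() in OFFICE_PARENTS and e["image"].lower() == "powershell.exe"),
    ("powershell_encoded_command", ["T1059.001", "T1027.010"],
     lambda e: e["image"].lower() == "powershell.exe" and bool(ENCODED_FLAG.search(e["cmdline"]))),
    ("comsvcs_minidump", ["T1003.001"],  # LSASS dump via the comsvcs.dll MiniDump export
     lambda e: e["image"].lower() == "rundll32.exe"
     and "comsvcs.dll" in e["cmdline"].lower() and "minidump" in e["cmdline"].lower()),
]


def _alert(event, rule, techniques):
    return {"ts": event["ts"], "host": event["host"], "rule": rule, "techniques": techniques,
            "evidence": event.get("cmdline") or f'{event["user"]}@{event["src_ip"]}'}


def run_detections(events):
    """Evaluate every event in time order; return alerts tagged with technique IDs."""
    alerts = []
    failed_users = defaultdict(list)  # (src_ip, target host) -> users with failed logons
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "process":
            for name, techniques, match in PROCESS_RULES:
                if match(e):
                    alerts.append(_alert(e, name, techniques))
        elif e["type"] == "auth":
            key = (e["src_ip"], e["host"])
            if e["outcome"] == "failure":
                failed_users[key].append(e["user"])
                continue
            failures = failed_users.pop(key, [])
            if len(failures) >= FAILURE_THRESHOLD:
                # Many accounts tried -> Password Spraying; one account -> Password Guessing.
                sub = "T1110.003" if len(set(failures)) > 1 else "T1110.001"
                alerts.append(_alert(e, "brute_force_then_success", [sub]))
            if e["logon_type"] == 10:  # RemoteInteractive, i.e. RDP
                alerts.append(_alert(e, "rdp_logon", ["T1021.001"]))
    return alerts


def tactic_timeline(alerts):
    """Per-host tactics in first-seen order: the alerts read as an intrusion sequence."""
    seen, timeline = set(), []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for tid in a["techniques"]:
            step = (a["host"], TACTIC_OF[tid])
            if step not in seen:
                seen.add(step)
                timeline.append(step)
    return timeline


if __name__ == "__main__":
    found = run_detections(EVENTS)
    for a in found:
        print(f'{a["ts"]:>2} {a["host"]:<5} {a["rule"]:<28} {",".join(a["techniques"])}')
    for host, tactic in tactic_timeline(found):
        print(host, "->", tactic)
```

Two design points are worth noting. The rules key on relationships and intent (an Office parent, an encoded command, the MiniDump export, a burst of failures before a success) rather than on file hashes, so the same three process rules fire on any payload delivered this way, and the benign PowerShell run at ts 3 does not fire because `-ExecutionPolicy` is not an encoded-command switch. The tactic timeline is only as good as the technique tags: mapping a rule to too broad a technique (T1059 instead of T1059.001) or to the wrong tactic makes the narrative lie, which is why technique mapping belongs in the rule's review checklist.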

Endpoint detection and response (EDR) and extended detection and response (XDR) platforms provide broad telemetry aligned with MITRE ATT&CK technique coverage. These solutions correlate data across endpoints, identities, cloud workloads, and network layers, giving defenders the visibility needed for behavioral detection.

Cloud environments produce valuable signals for MITRE ATT&CK-aligned monitoring. Cloud intrusions increased 136% in the first half of 2025 compared to all of 2024, which means many attack sequences now unfold in cloud control planes rather than on traditional endpoints. Security teams need visibility into these platforms to track techniques related to identity misuse, misconfigured services, and unauthorized access.

Prioritization and maturity

Organizations improve their MITRE ATT&CK adoption over time by expanding coverage and refining processes as their capabilities grow. A phased model helps teams understand what progress looks like and where to focus next:

  • Understand: Teams learn the structure of the framework and begin mapping incident findings to techniques.
  • Track: The organization documents the techniques that appear in incidents and the controls that address them.
  • Analyze: Teams conduct regular gap assessments and prioritize improvements based on observed adversary behavior.
  • Integrate: MITRE ATT&CK becomes part of security operations workflows, from detection engineering to threat hunting and reporting.

Phased implementation ensures the framework aligns with the organization's size and maturity. Smaller teams can focus on high-priority techniques tied to their most relevant threats, and mature organizations can expand coverage across all tactics and embed the MITRE ATT&CK framework into multiple workflows.

Benefits of using the MITRE ATT&CK framework

Organizations that adopt the MITRE ATT&CK framework see measurable improvements across both tactical and strategic security functions. Using the framework:

  • Improves behavioral detection design and coverage: The framework helps teams design detections that identify adversary actions rather than specific malware. This approach remains effective as attackers change tools and modify code to evade signatures.
  • Provides a common language across teams: Security analysts, incident responders, threat intelligence teams, and red teams use consistent terminology when discussing threats. This shared vocabulary eliminates confusion and accelerates collaboration.
  • Enables strategic security improvements: Organizations make data-driven decisions about defensive investments. Mapping coverage to the MITRE ATT&CK framework reveals which gaps matter most based on actual adversary behavior.
  • Helps prioritize resources: Security teams focus their efforts on the techniques that adversaries use most frequently in their threat landscape. This targeted approach maximizes defensive value from limited resources.
  • Aligns defenses with adversary behavior: Defenses address the methods adversaries actually employ rather than theoretical attack vectors. This practical focus improves detection relevance, although behavioral rules still need tuning to separate legitimate administrative activity from the same actions performed by an intruder.

Mitigation and defensive strategies

In addition to helping security teams understand adversary behavior, MITRE ATT&CK also connects many techniques to specific mitigation strategies that reduce the likelihood of those techniques succeeding. These mitigations give security teams practical guidance that they can include in threat modeling, hardening plans, and control reviews.

Organizations can integrate these mitigations into their threat modeling and system hardening efforts. For example, for the PowerShell sub-technique (T1059.001) the framework's mitigations include execution prevention through application control, code signing for scripts, removing PowerShell where it is not needed, and privileged account management; its detection guidance points to script block and module logging, which record the de-obfuscated content of what actually ran. Note that PowerShell's execution policy is a convenience setting rather than a security boundary: changing it neither stops an adversary who can pass `-ExecutionPolicy Bypass` nor turns on any logging. Techniques tied to lateral movement can be addressed through stronger authentication controls, segmentation, and tighter restrictions on administrative protocols.

These mitigations reinforce a layered security strategy. Preventive controls reduce the chance of a technique succeeding. Detective controls identify when an adversary attempts a technique despite those barriers. Response capabilities give teams a clear path to contain activity once it is identified. MITRE ATT&CK helps teams connect these layers to concrete adversary behaviors and integrate them into a more resilient defensive posture.

Framework limitations and considerations

MITRE ATT&CK delivers significant value, but it has limits that organizations should recognize before building a strategy around it:

  • It does not prescribe tools or vendors. The framework describes adversary behavior at a technical level, but it does not prescribe which tools or technologies teams should deploy to detect or mitigate those behaviors. Each organization must determine the controls, platforms, and data sources that align with its environment.
  • Implementation requires mature telemetry. Effective use of the framework also depends on a strong telemetry foundation. Organizations without comprehensive logging, endpoint visibility, or cloud monitoring face higher costs as they work toward the data coverage necessary for MITRE ATT&CK-aligned detection. Establishing this visibility often requires investments in EDR or XDR platforms, centralized log management, and correlation capabilities.

  • Behavior classification is complex. Accurate behavior mapping adds additional complexity. Analysts must determine which actions correspond to specific techniques and how those actions fit within an overall intrusion sequence. This work requires experienced personnel who can interpret activity across systems and distinguish legitimate administrative behavior from malicious technique execution.

Conclusion

The MITRE ATT&CK framework plays a central role in modern cybersecurity. It provides a structured way to understand adversary behavior, identify defensive gaps, and guide improvement across detection, response, and system hardening.

Organizations gain the most value when they adopt MITRE ATT&CK in phases. Starting with a focused mapping effort helps teams understand their highest-priority risks. As they build telemetry and expand coverage, MITRE ATT&CK becomes an integral part of threat hunting, detection engineering, and operational strategy.

By aligning defenses with real adversary behavior, organizations can enhance their ability to detect threats, respond effectively, and continually improve their security maturity.

As a Research Partner with the MITRE Center for Threat-Informed Defense, CrowdStrike contributes to projects that advance threat-informed defense globally.

Chris Prall is a Senior Product Marketing Manager at CrowdStrike focused on endpoint detection and response (EDR) and extended detection and response (XDR). Prior to CrowdStrike, he held product marketing roles at Carbon Black and VMware. Chris holds a management degree from the Carroll School of Management at Boston College with concentrations in information systems and marketing. Chris currently resides in Boston, Massachusetts.