The MITRE ATT&CK® Framework is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Developed and maintained by MITRE, a U.S. government-funded research organization, the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is used by security teams to understand attacker behavior, improve threat detection, and strengthen defense strategies.
Unlike traditional threat models that focus on indicators of compromise (IOCs), ATT&CK maps out how adversaries operate once they’re inside an environment, making it an essential resource for threat-informed defense.
What is the MITRE ATT&CK Framework?
The MITRE ATT&CK Framework is a curated matrix that categorizes the different stages of an attack lifecycle and describes how adversaries carry out actions within each stage. Each row in the matrix represents a tactic (the goal of an adversary), and each column represents techniques (the specific methods used to achieve that goal). Many techniques also have sub-techniques to provide greater detail.
Examples of tactics in the framework include:
- Initial Access – How attackers first gain entry into an environment
- Execution – How malicious code is run on a target system
- Persistence – How attackers maintain access over time
- Privilege Escalation – How they gain elevated permissions
- Defense Evasion – How they avoid detection
- Credential Access – How they steal authentication data
- Lateral Movement – How they move through the environment
- Exfiltration – How they extract data
By studying techniques such as phishing, credential dumping, or abusing valid accounts, defenders can align their detection, response, and prevention strategies with real-world adversary behavior.
Why MITRE ATT&CK matters
MITRE ATT&CK has become a cornerstone in cybersecurity because it shifts the focus from static defenses to dynamic, behavior-based detection. Its importance stems from several key factors:
- Real-world relevance: ATT&CK is based on publicly documented incidents and adversary reports, not theoretical attack models
- Standardized language: It provides a common vocabulary that improves communication among analysts, vendors, and security teams
- Threat-informed defense: It helps organizations tailor their defenses to the specific tactics and techniques most likely to be used against them
- Gap identification: Security teams can map their existing controls to ATT&CK and identify detection or response blind spots
- Red teaming and simulation: ATT&CK is widely used to design adversary emulation exercises and purple teaming engagements
Whether you’re a SOC analyst, threat hunter, or security architect, ATT&CK provides a consistent framework to strengthen defenses and measure effectiveness.
Structure of the ATT&CK matrix
The ATT&CK framework consists of multiple matrices tailored to different operational environments:
- Enterprise Matrix – Covers Windows, Linux, macOS, cloud, SaaS, containers, and network-based platforms
- Mobile Matrix – Focuses on tactics and techniques used to target mobile devices (Android and iOS)
- ICS Matrix – Targets industrial control systems (e.g., SCADA, OT environments)
Each matrix contains a range of tactics, techniques, and sub-techniques. For example:
- Tactic: Defense Evasion
- Technique: Obfuscated Files or Information (T1027)
- Sub-technique: Encoding (T1027.001)
Each technique entry includes a description, examples of use by known threat groups, mitigation recommendations, and references to detection methods. Techniques are also mapped to threat actor groups and malware families known to use them, helping analysts understand how specific threats operate.
MITRE ATT&CK vs. cyber kill chains
While both MITRE ATT&CK and the Lockheed Martin Cyber Kill Chain model the stages of an attack, ATT&CK offers a more granular and flexible approach. The kill chain is linear and high-level, whereas ATT&CK is non-linear and details specific TTPs that can occur in varying orders and combinations.
ATT&CK’s depth makes it more suitable for use in:
- Threat detection and alert tuning
- Threat intelligence enrichment
- SOC workflows and investigations
- MITRE-based evaluations of security tools
- Purple team collaboration and attack simulation
By adopting ATT&CK, organizations move beyond just blocking known threats—they begin to anticipate and detect attacker behavior in real time.
Common use cases for MITRE ATT&CK
ATT&CK is used across a wide range of cybersecurity disciplines. Key use cases include:
Detection engineering: Security teams build and test detection rules mapped to ATT&CK techniques, enabling visibility into suspicious behaviors.
Threat hunting: Analysts use ATT&CK to guide proactive investigations, focusing on high-risk tactics like lateral movement or persistence.
Red and purple teaming: ATT&CK is used to simulate adversary behavior in controlled environments, validating controls and incident response readiness.
Tool evaluation: Organizations evaluate the efficacy of EDR, SIEM, and XDR platforms based on their coverage of ATT&CK techniques.
Security posture assessment: ATT&CK mappings help organizations identify which attack techniques they can currently detect, respond to, or mitigate—and where gaps exist.
Threat intelligence mapping: Intelligence feeds and threat actor profiles are mapped to ATT&CK techniques, allowing faster attribution and context-aware response.
Challenges and limitations
Despite its value, ATT&CK has some limitations:
- Coverage gaps: Not all techniques are documented for every platform or threat group
- Maintenance burden: Keeping detection rules aligned with evolving techniques requires ongoing effort
- Detection quality varies: Not all techniques are equally detectable or well-supported by telemetry
- Misuse of mappings: Overreliance on ATT&CK as a checklist can lead to superficial coverage or a false sense of security
ATT&CK is most effective when used as a flexible guide, not a rigid checklist. Its value comes from enabling defenders to think like attackers—and build adaptive defenses accordingly.
How Orca Security helps
The Orca Cloud Security Platform integrates the MITRE ATT&CK Framework to help organizations understand and detect adversary behavior across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes.
Orca empowers teams to:
- Map cloud risks and alerts to relevant MITRE ATT&CK techniques for faster triage and investigation
- Identify cloud risks that align with common TTPs
- Surface attack paths that show how adversaries could chain tactics like credential access, lateral movement, and data exfiltration
- Prioritize alerts based on MITRE context to reduce fatigue and accelerate Cloud Detection and Response (CDR)
- Leverage lightweight, real-time runtime security to stop in-progress threat and protect sensitive workloads
By aligning findings with MITRE ATT&CK, Orca enables threat-informed defense at cloud scale—helping teams understand not just what happened, but how and why it matters.
