The MITRE ATT&CK Framework has become the de facto standard for cybersecurity teams worldwide, with organizations across 190 countries using it to understand and defend against cyber threats. Maintained by the nonprofit MITRE Corporation since 2013, this free knowledge base documents real-world adversary behaviors observed in actual attacks, transforming abstract security concepts into actionable intelligence. The current release, version 18, covers 14 enterprise tactics, over 200 techniques with numerous sub-techniques, and profiles more than 133 threat groups alongside 680+ malicious software tools.
The framework addresses a fundamental challenge in cybersecurity: the lack of a common language to describe how attacks actually unfold. Before ATT&CK, security teams struggled to communicate about threats consistently, often missing gaps in their defenses because they didn’t have a structured way to map adversary behaviors. By providing a comprehensive taxonomy of adversary tactics, techniques, and procedures (TTPs) based on actual incident data, ATT&CK enables organizations to assess their security posture objectively, identify blind spots in detection coverage, and prioritize defensive improvements based on real threat activity rather than theoretical scenarios.
In this guide, you’ll learn what the MITRE ATT&CK Framework is and why it matters for beginners entering cybersecurity. We’ll break down the core concepts of tactics versus techniques, walk you through navigating the ATT&CK Matrix and Navigator tool step-by-step, explore real-world examples of threat groups and their methods, examine practical applications for detection and defense, and highlight common pitfalls to avoid when getting started with the framework.
Table of Contents
- Introduction to MITRE ATT&CK
- Tactics vs Techniques: The Core Structure
- Navigating the ATT&CK Matrix: Beginner’s Step-by-Step Guide
- Real-World Examples: Threat Groups and ATT&CK
- Applications and Use Cases
- Common Pitfalls, Detection Strategies, and Hardening Tips
- Key Takeaways
- Frequently Asked Questions
- References
Introduction to MITRE ATT&CK
What is the MITRE ATT&CK Framework?
The MITRE ATT&CK Framework is a globally accessible knowledge base of adversary tactics, techniques, and procedures based on real-world observations, used to understand, detect, and mitigate cyber threats. Think of it as a comprehensive playbook that documents how attackers actually compromise systems, move through networks, and accomplish their objectives. Unlike generic security guidance, every entry in ATT&CK is grounded in documented incidents where security researchers observed these behaviors in actual attacks.
The framework launched in 2013 as an internal MITRE project and became publicly available in 2015. Since then, it has evolved into the industry’s most widely referenced model for understanding cyber adversary behavior. The current version, ATT&CK v18, includes 14 distinct enterprise tactics representing adversary goals throughout an attack lifecycle, more than 200 techniques describing specific methods to achieve those goals, and detailed profiles of threat groups ranging from nation-state actors to cybercriminal organizations. This extensive catalog provides security practitioners with a structured reference to compare their defensive capabilities against known attacker methods.
Why It Matters for Beginners
For those new to cybersecurity, ATT&CK provides an invaluable common language that eliminates confusion when discussing threats. When a security analyst mentions “lateral movement using Pass the Hash,” everyone familiar with the framework understands exactly which phase of an attack is being discussed and what specific technique is involved. This shared vocabulary accelerates learning and enables more productive conversations across security teams, whether you’re a SOC analyst, penetration tester, or incident responder.
The framework also helps organizations map their defensive controls to adversary behaviors systematically. Instead of deploying security tools without understanding what threats they actually address, teams can use ATT&CK to identify which techniques their current defenses detect and which create blind spots. According to Microsoft’s security guidance, this mapping exercise often reveals that organizations have concentrated defenses around initial access while leaving post-compromise techniques like credential dumping or data exfiltration poorly monitored.
ATT&CK enables proactive threat hunting by giving defenders a structured framework to search for suspicious activity. Rather than waiting for alerts from security tools, analysts can reference the framework to develop hypotheses about how attackers might operate in their environment, then hunt for evidence of those techniques. This proactive approach catches threats that evade automated detection and builds deeper expertise in understanding adversary tradecraft.
Tactics vs Techniques: The Core Structure
Understanding Tactics: The ‘Why’
Tactics represent the high-level goals or “why” behind adversary actions during different phases of an attack. The Enterprise ATT&CK Matrix organizes these as 14 distinct tactical objectives that mirror how attacks typically progress from initial compromise through final impact. Think of tactics as strategic objectives in a chess game, where each move serves a larger purpose in the overall campaign.
The 14 Enterprise tactics in order of typical attack progression include:
- Reconnaissance – Gathering information about targets
- Resource Development – Establishing infrastructure for attacks
- Initial Access – Getting into your network
- Execution – Running malicious code
- Persistence – Maintaining a foothold over time
- Privilege Escalation – Gaining higher-level permissions
- Defense Evasion – Avoiding detection by security tools
- Credential Access – Stealing account credentials
- Discovery – Learning about the internal environment
- Lateral Movement – Moving through the network to other systems
- Collection – Gathering data of interest
- Command and Control – Communicating with compromised systems
- Exfiltration – Stealing data out of the network
- Impact – Disrupting or destroying systems and data
Each tactic answers “what is the adversary trying to accomplish at this stage?” For example, during the Credential Access tactic, an attacker’s goal is to obtain legitimate credentials that allow them to blend in with normal user activity. The specific methods used to achieve this goal are described by techniques.
Techniques: The ‘How’
Techniques describe the specific methods or “how” adversaries achieve tactical objectives. The ATT&CK knowledge base contains over 200 techniques, many with multiple sub-techniques that provide additional detail about variations of each method. Continuing the chess analogy, if tactics are strategic objectives, techniques are the specific moves available to accomplish those objectives.
Consider the Initial Access tactic. One technique under this tactic is Phishing (T1566), which describes how attackers send fraudulent communications to trick victims into providing access. This technique includes sub-techniques for Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003), and Spearphishing Voice (T1566.004), each representing a different variant of the phishing approach. The framework provides detailed information for each technique, including how it works, what data sources can detect it, and what mitigations reduce its effectiveness.
The ATT&CK Matrix visualizes this relationship as a grid, with tactics forming the columns and techniques listed as cells beneath their corresponding tactic. One detail that surprises newcomers: a technique can appear under more than one tactic when it serves several goals. Valid Accounts (T1078), for example, is listed under Initial Access, Persistence, Privilege Escalation, and Defense Evasion. This structure makes it easy to browse all the methods associated with a particular tactical objective and understand the breadth of options available to attackers at each phase.
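MITRE publishes the knowledge base as STIX 2.1 JSON, so the tactic, technique, and sub-technique structure described above can be rebuilt programmatically. The following is an added example, not code from MITRE or from the page's sources. The object types and field names (x-mitre-matrix, x-mitre-tactic, attack-pattern, kill_chain_phases, x_mitre_is_subtechnique, x_mitre_platforms, external_references) are the ones used in the real enterprise-attack bundle; the bundle here is a constructed subset with made-up STIX IDs, an invented revoked technique (T1999), and abbreviated platform lists.

```python
"""Rebuild the matrix (tactic -> technique -> sub-techniques) from an ATT&CK STIX bundle.

Added example. The constructed bundle below imitates the layout of MITRE's
enterprise-attack.json; only the field names are real, the content is a subset.
"""
import json


def _tactic(shortname, name, ta_id):
    return {"type": "x-mitre-tactic", "id": f"x-mitre-tactic--{ta_id}", "name": name,
            "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": ta_id}]}


def _technique(tid, name, tactics, platforms, sub=False, revoked=False):
    return {"type": "attack-pattern", "id": f"attack-pattern--{tid}", "name": name,
            "revoked": revoked, "x_mitre_is_subtechnique": sub, "x_mitre_platforms": platforms,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}


# Constructed bundle: four tactics and a few techniques, enough to show sub-technique
# nesting, a technique in several columns (T1078), a platform-specific technique
# (T1047) and a revoked entry (made-up ID T1999) that must be skipped.
CONSTRUCTED_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--example", "objects": [
        {"type": "x-mitre-matrix", "id": "x-mitre-matrix--example", "name": "Enterprise ATT&CK",
         "tactic_refs": ["x-mitre-tactic--TA0001", "x-mitre-tactic--TA0002",
                         "x-mitre-tactic--TA0003", "x-mitre-tactic--TA0005"]},
        _tactic("initial-access", "Initial Access", "TA0001"),
        _tactic("execution", "Execution", "TA0002"),
        _tactic("persistence", "Persistence", "TA0003"),
        _tactic("defense-evasion", "Defense Evasion", "TA0005"),
        _technique("T1566", "Phishing", ["initial-access"], ["Linux", "macOS", "Windows"]),
        _technique("T1566.001", "Spearphishing Attachment", ["initial-access"], ["Linux", "macOS", "Windows"], sub=True),
        _technique("T1566.002", "Spearphishing Link", ["initial-access"], ["Linux", "macOS", "Windows"], sub=True),
        _technique("T1078", "Valid Accounts", ["defense-evasion", "persistence", "initial-access"], ["Linux", "macOS", "Windows"]),
        _technique("T1047", "Windows Management Instrumentation", ["execution"], ["Windows"]),
        _technique("T1059", "Command and Scripting Interpreter", ["execution"], ["Linux", "macOS", "Windows"]),
        _technique("T1059.001", "PowerShell", ["execution"], ["Windows"], sub=True),
        _technique("T1059.004", "Unix Shell", ["execution"], ["Linux", "macOS"], sub=True),
        _technique("T1999", "Made-up Revoked Technique", ["execution"], ["Windows"], revoked=True),
    ]})


def attack_id(obj):
    """ATT&CK ID (TA0001, T1566, T1566.001) from a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_matrix(bundle_text, platform=None):
    """Return {tactic name: {technique ID: {"name": ..., "subs": [sub-technique IDs]}}}
    in matrix column order, optionally restricted to techniques for one platform."""
    objs = json.loads(bundle_text)["objects"]
    tactics = {o["id"]: o for o in objs if o["type"] == "x-mitre-tactic"}
    matrix = next(o for o in objs if o["type"] == "x-mitre-matrix")
    # Column order comes from the matrix object's tactic_refs, not from the TA numbers
    # (Reconnaissance is TA0043 yet is the first column of the real matrix).
    ordered = [tactics[ref] for ref in matrix["tactic_refs"]]
    name_of = {t["x_mitre_shortname"]: t["name"] for t in ordered}
    columns = {t["name"]: {} for t in ordered}

    live = [o for o in objs if o["type"] == "attack-pattern"
            and not o.get("revoked") and not o.get("x_mitre_deprecated")]
    if platform:
        live = [o for o in live if platform in o.get("x_mitre_platforms", [])]

    # Parent techniques first, so sub-techniques have a cell to attach to.
    for obj in live:
        if obj.get("x_mitre_is_subtechnique"):
            continue
        for phase in obj["kill_chain_phases"]:
            if phase["kill_chain_name"] == "mitre-attack" and phase["phase_name"] in name_of:
                columns[name_of[phase["phase_name"]]][attack_id(obj)] = {"name": obj["name"], "subs": []}
    for obj in live:
        if not obj.get("x_mitre_is_subtechnique"):
            continue
        sub_id = attack_id(obj)
        parent_id = sub_id.split(".")[0]          # T1566.001 -> T1566
        for phase in obj["kill_chain_phases"]:
            column = columns.get(name_of.get(phase["phase_name"]), {})
            if parent_id in column:
                column[parent_id]["subs"].append(sub_id)
    return columns


if __name__ == "__main__":
    for tactic, techniques in build_matrix(CONSTRUCTED_BUNDLE, platform="Windows").items():
        print(tactic)
        for tid, info in techniques.items():
            print(f"  {tid}  {info['name']}  {info['subs']}")
```

Point the same function at the real enterprise-attack.json from MITRE's attack-stix-data repository and it produces the full matrix; the platform filter is what the Navigator's platform filter does behind the scenes, which is why Windows-only techniques such as T1047 vanish when you select Linux.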
The ATT&CK Matrices Overview
MITRE maintains separate matrices for different technology environments. The Enterprise matrix covers traditional IT environments including Windows, Linux, macOS, cloud platforms like Azure and AWS, and network infrastructure. The Mobile matrix addresses threats specific to iOS and Android devices. The ICS (Industrial Control Systems) matrix focuses on operational technology environments found in manufacturing, energy, and critical infrastructure sectors.
Most beginners start with the Enterprise matrix since it covers the broadest range of common scenarios. Each matrix follows the same structure of tactics as columns and techniques as rows, but the specific techniques listed vary based on the unique attack surfaces of each environment.
Navigating the ATT&CK Matrix: Beginner’s Step-by-Step Guide
Getting Started with the Matrix
To begin exploring the framework, visit the Enterprise ATT&CK Matrix page. You’ll see a large grid with 14 columns representing tactics and rows showing techniques underneath each tactic. The interface may seem overwhelming at first, but understanding the layout makes navigation intuitive.
Start by clicking any tactic column header to understand that tactical objective. For example, selecting “Initial Access” opens a page explaining this tactic’s purpose and listing all the techniques adversaries use to gain initial access to networks (the exact count changes between releases as techniques are added or merged). Each technique name is a clickable link that opens a detailed page with descriptions, examples from real threat groups, detection methods, and mitigations.
Click on a specific technique like “Phishing” to see its dedicated page. Here you’ll find a description of how the technique works, which threat groups have used it, what data sources can detect it (such as email gateway logs or user behavior analytics), and recommended mitigations like security awareness training. Real-world procedure examples show exactly how specific groups executed this technique in documented attacks, providing concrete context beyond theoretical descriptions.
Using ATT&CK Navigator
The ATT&CK Navigator is an interactive tool that lets you visualize, customize, and analyze the matrix. You can use it directly in your web browser without installation, or download it to run locally. Navigator transforms the static matrix into a dynamic workspace where you can highlight techniques, apply custom scoring, and create visual layers that represent different aspects of your security program.
To get started, visit the Navigator website and load the Enterprise layer. The default view shows all techniques in a color-coded grid. You can filter by platform (Windows, Linux, macOS, Cloud) to focus on techniques relevant to your environment. This filtering is essential because not all techniques apply to all platforms. For instance, techniques involving Windows registry manipulation won’t appear when you filter for Linux.
The layering feature allows you to overlay custom data onto the matrix. You might create a layer showing which techniques your current security tools detect, using green for strong coverage and red for gaps. Another layer could map techniques used by threat actors targeting your industry. By comparing layers, you can identify where your defenses align with real threats and where improvements are needed. Beginners should start simple by creating a single layer marking 5-10 techniques they want to monitor, then gradually build more complex assessments as they gain familiarity.
Simple Search Example
Let’s walk through searching for a specific technique. From the main ATT&CK website, use the search bar at the top of the page. Type “Phishing” and you’ll see results including the technique T1566. Click this result to open the technique’s detail page.
The technique page provides everything you need to understand Phishing within the ATT&CK context. The description explains how adversaries use fraudulent communications to obtain access or information. The “Procedure Examples” section shows real instances where threat groups employed phishing, such as APT28 using spearphishing emails with malicious attachments to compromise targets. Detection guidance suggests monitoring for suspicious email attachments, unusual user account activity following email receipt, and execution of files from email clients. Mitigations include restricting web-based content, implementing anti-phishing solutions, and conducting user awareness training.
This simple exercise demonstrates the value of ATT&CK as a learning resource. Rather than generic security advice, you’re seeing how real attackers use this technique, concrete methods to detect it, and practical ways to defend against it.
Real-World Examples: Threat Groups and ATT&CK
Example Threat Groups
ATT&CK profiles over 133 threat groups, providing detailed mappings of the techniques each group has used in documented campaigns. Understanding how real adversaries operate helps beginners connect abstract technique descriptions to actual threats. Let’s examine three well-documented groups with different profiles and motivations.
APT28, also known as Fancy Bear, is a Russian nation-state actor that MITRE’s group profile describes as active since at least 2004. According to that profile, APT28 has used techniques across the entire attack lifecycle. During Initial Access, they employ spearphishing with links or attachments. For Execution, they’ve used Windows Management Instrumentation and PowerShell. Their Persistence techniques include creating new services and scheduled tasks. APT28 demonstrates sophisticated credential access through credential dumping and input capture. This mapping shows how a single threat group combines multiple techniques across different tactics to achieve their espionage objectives.
APT29, attributed to Russian intelligence services, shows a different technical profile. This group favors stealthy, long-term access and has demonstrated advanced capability in defense evasion. Their technique usage includes code signing so that malicious binaries appear legitimate, timestomping to manipulate file timestamps and hide traces, and process injection to run code within legitimate processes. For Command and Control, APT29 has used web protocols that blend with normal network traffic, making detection significantly harder. These technique choices reflect a group prioritizing operational security and long-term access over speed.
FIN7, a financially motivated cybercriminal group, demonstrates how ATT&CK maps to different adversary objectives. Rather than espionage, FIN7 targets payment card data and conducts ransomware operations. Their Initial Access frequently involves spearphishing, but targeting differs from nation-state actors by focusing on hospitality and retail sectors. FIN7 extensively uses living-off-the-land techniques, executing malicious tasks through legitimate Windows tools like PowerShell and WMI to avoid deploying obvious malware. Their Collection tactics include capturing point-of-sale data and mining credentials from web browsers. This mapping illustrates how technique selection aligns with criminal profit motives rather than intelligence gathering.
Tying It to Real Attacks
These group profiles transform ATT&CK from an abstract list into a practical threat intelligence tool. When you read that APT28 used PowerShell for Execution and Credential Dumping for Credential Access, you can reference those techniques to understand exactly what defenders should monitor. If your organization handles sensitive data valuable to nation-state actors, studying APT28 and APT29’s technique preferences helps you prioritize which detection capabilities to build first.
Similarly, if you work in retail or hospitality, understanding FIN7’s preference for living-off-the-land techniques emphasizes the importance of monitoring legitimate administrative tools for anomalous usage rather than relying solely on malware signatures. The framework’s threat group mappings provide a shortcut to understanding sophisticated attack patterns without experiencing them firsthand.
Applications and Use Cases
Threat Detection and Gap Analysis
Security teams use ATT&CK to enrich threat intelligence and assess detection coverage systematically. When a new threat report describes an attack, mapping the reported behaviors to ATT&CK techniques creates a standardized reference that can be compared against existing defenses. For example, a report about ransomware might mention “lateral movement via remote services” and “data encryption for impact.” Translating this into ATT&CK techniques, Remote Services (T1021) and Data Encrypted for Impact (T1486), allows security teams to check if their SIEM rules, EDR configurations, or network monitoring can detect these specific behaviors.
Gap analysis involves comparing the techniques you can detect against those used by relevant threats. The Picus Security beginner’s guide recommends starting with high-priority techniques based on your threat landscape. Load the ATT&CK Navigator, create a layer representing your current detection capabilities, and color-code techniques by coverage quality. Green might indicate comprehensive logging and alerting, yellow partial visibility, and red no coverage. This visual immediately reveals blind spots in your security program.
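The coverage layer described above can be generated rather than clicked together, which matters once the inventory has more than a handful of techniques. The following is an added example, not code from MITRE or from the Navigator project. The layer fields (name, domain, versions, techniques with techniqueID, color, score and comment, gradient, legendItems) follow the Navigator layer JSON format; the version strings, the colour choices, the coverage inventory and the group-to-technique mappings are constructed assumptions to be replaced with your own detection inventory and the mappings you copy from the group pages on the ATT&CK site. Colour carries your coverage, and the score counts how many of the relevant groups use each technique, so the same file also ranks techniques by how many threats a fix would cover.

```python
"""Build an ATT&CK Navigator layer from a coverage inventory and relevant groups' techniques.

Added example: produces a layer JSON file and a prioritized list of gaps.
"""
import json
from collections import Counter

# Constructed coverage inventory: technique ID -> how well you detect it today.
COVERAGE = {
    "T1566.001": "full",     # mail gateway sandboxing plus attachment-execution alerts
    "T1059.001": "full",     # PowerShell script block logging forwarded to the SIEM
    "T1003.001": "partial",  # EDR alerts on LSASS access, but not on every host
    "T1021.001": "partial",  # RDP logons collected, no baselining yet
    "T1047": "none",
    "T1486": "none",
}

# Constructed group -> technique sets, in the shape you would copy from group pages.
GROUP_TECHNIQUES = {
    "group-A": {"T1566.001", "T1059.001", "T1003.001", "T1047", "T1053.005"},
    "group-B": {"T1566.002", "T1059.001", "T1003.001", "T1021.001", "T1047"},
    "group-C": {"T1566.001", "T1059.001", "T1486", "T1021.001"},
}

COLORS = {"full": "#4caf50", "partial": "#ffc107", "none": "#f44336"}


def group_overlap(group_techniques):
    """How many of the relevant groups use each technique."""
    return Counter(t for techs in group_techniques.values() for t in techs)


def coverage_gaps(coverage, group_techniques):
    """Techniques used by at least one relevant group and not fully covered,
    most widely used first (ties broken by ID): a starting order for the work."""
    overlap = group_overlap(group_techniques)
    gaps = [t for t in overlap if coverage.get(t, "none") != "full"]
    return sorted(gaps, key=lambda t: (-overlap[t], t))


def build_layer(name, coverage, group_techniques, domain="enterprise-attack"):
    overlap = group_overlap(group_techniques)
    techniques = []
    for tid in sorted(set(coverage) | set(overlap)):
        level = coverage.get(tid, "none")
        techniques.append({
            "techniqueID": tid,
            # An explicit colour takes precedence over the score gradient in Navigator;
            # drop the "color" key if you want the gradient (group count) to show instead.
            "color": COLORS[level],
            "score": overlap.get(tid, 0),
            "comment": f"coverage: {level}; relevant groups using it: {overlap.get(tid, 0)}",
        })
    return {
        "name": name,
        "domain": domain,
        # Assumption: set these to the ATT&CK and Navigator versions you actually run;
        # Navigator warns on a mismatch but still loads the layer.
        "versions": {"attack": "18", "navigator": "5.1.0", "layer": "4.5"},
        "description": "Detection coverage (colour) against relevant threat groups (score).",
        "techniques": techniques,
        "legendItems": [{"label": level, "color": color} for level, color in COLORS.items()],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": len(group_techniques)},
    }


def layer_json(layer):
    """Serialize the layer for upload through Navigator's 'Open Existing Layer'."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("coverage-vs-threats", COVERAGE, GROUP_TECHNIQUES)
    with open("coverage-vs-threats.json", "w", encoding="utf-8") as fh:
        fh.write(layer_json(layer))
    overlap = group_overlap(GROUP_TECHNIQUES)
    for tid in coverage_gaps(COVERAGE, GROUP_TECHNIQUES):
        print(f"{tid:10} coverage={COVERAGE.get(tid, 'none'):8} groups={overlap[tid]}")
```

Load the resulting file in Navigator via “Open Existing Layer” and the red cells with the highest score are the techniques worth fixing first. Keeping the inventory in version control beside the detection rules also gives you a history of how coverage changed.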
Detection engineering uses ATT&CK to develop behavioral analytics rather than signature-based rules. Instead of trying to catch specific malware variants, focus on detecting the techniques malware must use. For instance, regardless of which credential dumping tool an attacker uses (Mimikatz, custom scripts, or legitimate tools), the LSASS Memory sub-technique (T1003.001) fundamentally involves opening a handle to the LSASS process with read access on Windows. Building detection for this behavior catches multiple tools implementing the same technique, providing more resilient coverage than signatures for individual tools.
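The LSASS example can be turned into working detection logic over Sysmon Event ID 10 (ProcessAccess) records. This is an added example, not the page's or MITRE's code. SourceImage, TargetImage, GrantedAccess, and CallTrace are the real Event ID 10 fields; the records themselves are constructed, and the allowlist of processes that legitimately open LSASS is an assumption that has to be tuned per environment.

```python
"""Behavioural detection for OS Credential Dumping: LSASS Memory (T1003.001)
over Sysmon Event ID 10 records. Added example with constructed events."""
import ntpath

# Win32 process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: processes that open LSASS with read rights on a typical Windows build.
# Matching on basename alone is bypassable by renaming a binary; in production
# match the full path and, ideally, the signer as well.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe",
                   "msmpeng.exe", "wmiprvse.exe"}

# Constructed Sysmon Event ID 10 records.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\csrsrv.dll+2f1a"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Users\alice\AppData\Local\Temp\mk.exe+1b3a"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\sechost.dll+55d0"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(000001F3A0C21000)"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
]


def classify_lsass_access(event):
    """Return a reason string when the event looks like LSASS memory reading, else None."""
    if event.get("EventID") != 10:
        return None
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return None
    source = ntpath.basename(event["SourceImage"]).lower()
    mask = int(event["GrantedAccess"], 16)

    # Credential dumping needs to read memory; PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
    # on its own is routine (task managers, monitoring agents) and is not flagged.
    if not (mask == PROCESS_ALL_ACCESS or mask & PROCESS_VM_READ):
        return None
    reasons = [f"read access to LSASS (GrantedAccess={event['GrantedAccess']})"]

    # A call stack frame not backed by any module means code running from injected or
    # unbacked memory; that overrides the allowlist, since a trusted process may be hosting it.
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("call from memory not backed by a module (injected code)")
    elif source in ALLOWED_SOURCES:
        return None
    return "; ".join(reasons)


def find_lsass_access(events):
    """Return (SourceImage, reason) for every event that merits an alert."""
    alerts = []
    for event in events:
        reason = classify_lsass_access(event)
        if reason:
            alerts.append((event["SourceImage"], reason))
    return alerts


if __name__ == "__main__":
    for source, reason in find_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT T1003.001  {source}: {reason}")
```

The rule fires on the unsigned binary in a temp directory and on the rundll32 process whose call stack comes from unbacked memory, stays quiet for csrss and for the svchost handle that only queries limited information, and ignores access to other targets. The same logic ports directly to a SIEM query; what changes per environment is the allowlist and whether you require full paths.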
Red Teaming and Blue Teaming
Red teams use ATT&CK for adversary emulation, designing penetration tests that replicate how real threat groups operate. Rather than randomly trying exploits, red teams can select techniques from a relevant threat group’s profile and attempt to execute them against the organization’s defenses. This approach provides realistic testing that mirrors actual threats. For organizations concerned about APT29, a red team exercise emulating that group’s stealth and persistence techniques offers more valuable insights than generic penetration testing.
Blue teams benefit from ATT&CK-aligned exercises by knowing which techniques to monitor during testing. If the red team plans to use techniques T1078 (Valid Accounts), T1003 (OS Credential Dumping), and T1021 (Remote Services), blue team defenders can prepare detection hypotheses and validate whether their monitoring systems generate appropriate alerts. Post-exercise analysis reveals whether defenders detected the techniques as expected, which gaps allowed red team success, and what improvements would enhance future detection. For more context on these roles, see our guide on Red Team vs Blue Team.
Purple teaming, where red and blue teams collaborate, uses ATT&CK as the shared framework for coordinated exercises. Both teams reference the same technique descriptions, eliminating ambiguity about what was attempted and what should have been detected. This alignment makes post-exercise reviews more productive and ensures lessons learned translate into specific defensive improvements mapped to technique coverage.
The framework also guides security product evaluations. When vendors claim their tools detect threats, organizations can request evidence of detection capability mapped to specific ATT&CK techniques. Testing tools against a subset of high-priority techniques provides objective comparison data beyond marketing claims. Learn more about defensive strategies in our Blue Teaming beginner’s guide.
Common Pitfalls, Detection Strategies, and Hardening Tips
Common Beginner Mistakes
A frequent misconception is treating ATT&CK as a checklist where detecting all techniques equals perfect security. This approach is unrealistic and misses the framework’s intent. No organization can feasibly detect every technique, nor should they try. Instead, prioritize based on your threat landscape, critical assets, and realistic attacker paths through your environment. Picus Security’s research shows that focusing on the top 10-15 techniques relevant to your industry provides more value than scattered coverage of 100 techniques.
Over-relying on indicators of compromise (file hashes, IP addresses) rather than behavioral techniques creates brittle defenses. Attackers easily evade hash-based detection by modifying malware slightly or changing infrastructure. Detecting behaviors described by techniques proves more resilient. For instance, monitoring for processes accessing LSASS memory (indicating credential access attempts) catches multiple credential dumping tools regardless of their specific signatures. Shifting focus from “what” to “how” attackers operate builds more adaptable detection.
Another pitfall is implementing ATT&CK without mapping existing security controls to the framework first. Before adding new capabilities, understand what you already detect. Your EDR might cover numerous execution techniques, while your network monitoring has gaps in command and control detection. This baseline prevents duplicate investments and focuses improvements on actual gaps rather than strengthening already-covered areas.
Simple Detection and Hardening
Start detection efforts with high-fidelity techniques that generate clear signals with low false positive rates. Credential dumping, for example, typically involves unusual process access to LSASS that rarely occurs during legitimate operations. MITRE’s detection guidance for each technique provides data source recommendations. For OS Credential Dumping (T1003), useful data sources include process access and OS API execution monitoring (on Windows, Sysmon Event ID 10 records which process opened LSASS and with what access rights) and command-line logging.
Begin developing analytics for behavioral detection using simple logic. For Pass the Hash (T1550.002) lateral movement, monitor for NTLM network logons (Event ID 4624 with Logon Type 3) involving accounts and source hosts that normally authenticate with Kerberos, and for Logon Type 9 logons through the “seclogo” logon process, which common pass-the-hash tooling produces on the source host. For Scheduled Task persistence (T1053.005), alert on new tasks (Event ID 4698) created outside of change windows, particularly those running as SYSTEM or executing from user-writable paths. These behavioral rules detect technique usage regardless of which specific tool implements them, but each needs a baseline of legitimate activity before it is tuned into an alert.
Hardening strategies should reference the mitigation guidance provided for each technique. ATT&CK includes specific recommendations that have proven effective against particular techniques. For Phishing, recommended mitigations include restricting web-based content through browser policies, implementing email authentication protocols like SPF, DKIM, and DMARC, and conducting regular user awareness training. For PowerShell abuse, mitigations include enabling script block and module logging, Constrained Language Mode, and application control to prevent unauthorized scripts; note that the PowerShell execution policy is a safety feature rather than a security boundary and is trivially bypassed, so it should not be counted as a mitigation.
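Both analytics described for Pass the Hash and Scheduled Task persistence fit in a few dozen lines once the events are available as records. The following is an added example, not the page's code. The field names (LogonType, AuthenticationPackageName, LogonProcessName, TargetUserName, WorkstationName, TaskName, TaskContent) are the ones Windows writes to Event IDs 4624 and 4698; the records, the Kerberos baseline, and the change window are constructed assumptions, and in practice the baseline is learned from a few weeks of logon data rather than typed in.

```python
"""Two behavioural analytics over constructed Windows Security log records:
Pass the Hash (T1550.002) from 4624 events and Scheduled Task persistence
(T1053.005) from 4698 events. Added example with constructed data."""
from datetime import datetime, time
import xml.etree.ElementTree as ET

# Assumption: (host, account) pairs observed authenticating with Kerberos in a
# learning period. Accounts in this set are expected to keep using Kerberos.
KERBEROS_BASELINE = {("WS-ALICE", "alice"), ("WS-BOB", "bob"), ("FS01", "svc-backup")}
CHANGE_WINDOW = (time(22, 0), time(2, 0))   # assumption: nightly maintenance window
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Skeleton of the task XML that 4698 carries in TaskContent (real namespace, constructed body).
TASK_XML = """<?xml version="1.0"?><Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Principals><Principal id="Author"><UserId>{user}</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
<Actions><Exec><Command>{cmd}</Command></Exec></Actions></Task>"""

LOGONS = [  # constructed 4624 records
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.15"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",   # NTLM fallback from her own host
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.15"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",   # alice's hash used from a QA box
     "TargetUserName": "alice", "WorkstationName": "WS-QA07", "IpAddress": "10.0.9.44"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",   # routine noise
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "WS-QA07", "IpAddress": "10.0.9.44"},
    {"EventID": 4624, "LogonType": "9", "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "TargetUserName": "alice", "WorkstationName": "WS-QA07", "IpAddress": "::1"},
]

TASKS = [  # constructed 4698 records
    {"EventID": 4698, "TimeCreated": "2024-05-01T23:05:00", "TaskName": r"\Deploy\AgentUpdate",
     "TaskContent": TASK_XML.format(user="CORP\\svc-deploy", cmd=r"C:\Program Files\Deploy\agent.exe")},
    {"EventID": 4698, "TimeCreated": "2024-05-02T14:30:00", "TaskName": r"\Microsoft\Windows\WindowsUpdate\Check",
     "TaskContent": TASK_XML.format(user="S-1-5-18", cmd=r"C:\Users\Public\update.exe")},
    {"EventID": 4698, "TimeCreated": "2024-05-02T14:40:00", "TaskName": r"\Ops\LogRotate",
     "TaskContent": TASK_XML.format(user="CORP\\admin", cmd=r"C:\Windows\System32\cmd.exe")},
]


def in_change_window(ts, window=CHANGE_WINDOW):
    """True when the timestamp falls in the window; handles windows crossing midnight."""
    start, end = window
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)


def detect_pass_the_hash(events, baseline=KERBEROS_BASELINE):
    """Flag NTLM network logons for Kerberos accounts from non-baselined hosts,
    plus Logon Type 9 'seclogo' logons (explicit-credential logons typical of pth tooling)."""
    kerberos_accounts = {account for _, account in baseline}
    alerts = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        user, host = e["TargetUserName"], e.get("WorkstationName", "")
        if e["LogonType"] == "9" and e.get("LogonProcessName") == "seclogo":
            alerts.append((user, host, "Logon Type 9 via seclogo: alternate credentials injected into a new logon session"))
        elif (e["LogonType"] == "3" and e["AuthenticationPackageName"] == "NTLM"
              and user in kerberos_accounts and (host, user) not in baseline):
            alerts.append((user, host, f"NTLM network logon from {host} ({e['IpAddress']}); account normally uses Kerberos"))
    return alerts


def detect_suspicious_tasks(events, window=CHANGE_WINDOW):
    """Flag tasks created outside the change window; 'high' when they run as SYSTEM
    or from a user-writable path, 'low' otherwise (still worth a look)."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        created = datetime.fromisoformat(e["TimeCreated"])
        if in_change_window(created, window):
            continue
        root = ET.fromstring(e["TaskContent"])
        user = next((el.text for el in root.iter() if el.tag.endswith("}UserId")), "") or ""
        cmd = next((el.text for el in root.iter() if el.tag.endswith("}Command")), "") or ""
        as_system = user.upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM")
        severity = "high" if as_system or any(p in cmd.lower() for p in USER_WRITABLE) else "low"
        alerts.append((e["TaskName"], severity, f"created {created:%H:%M} outside change window as {user} running {cmd}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_pass_the_hash(LOGONS):
        print("T1550.002", alert)
    for alert in detect_suspicious_tasks(TASKS):
        print("T1053.005", alert)
```

The NTLM fallback from alice's own workstation is deliberately not flagged: NTLM still happens legitimately (connections by IP address, hosts outside the domain), which is why the rule keys on the account and the source host together rather than on NTLM alone. The task rule illustrates the same idea; a task that runs as SYSTEM from C:\Users is a much stronger signal than a task created at the wrong time.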
Focus hardening efforts on techniques that overlap with multiple threat groups relevant to your sector. If three different groups you’re concerned about all use WMI for execution, prioritizing WMI security (logging, restricting remote access, monitoring for anomalous usage) provides defensive value against multiple threats simultaneously. This overlap-based prioritization maximizes security investment return.
Implement a feedback loop between detection and hardening. When detections fire, analyze whether the triggered technique could have been prevented through better hardening. If you consistently detect credential dumping attempts, investigate whether additional LSASS protections such as LSA protection (RunAsPPL) and Credential Guard would prevent the technique from succeeding in the first place. For more comprehensive security context, explore our penetration testing guide to understand how attackers test these defenses.
Key Takeaways
- The MITRE ATT&CK Framework provides a common, evidence-based language for describing adversary behavior, documenting 14 tactics and over 200 techniques based on real-world attacks observed since 2013.
- Tactics represent the “why” (high-level goals like Initial Access or Lateral Movement), while techniques describe the “how” (specific methods like Phishing or Pass the Hash) with detailed sub-techniques providing additional granularity.
- Navigate the framework effectively using the ATT&CK Matrix for browsing and the Navigator tool for creating custom views, filtering by platform, and performing gap analysis against your security controls.
- Threat group profiles map real adversaries’ technique usage, helping beginners understand how different attackers operate and prioritize defenses based on relevant threats rather than theoretical scenarios.
- Apply ATT&CK practically through detection engineering that focuses on behavioral analytics, gap analysis to identify blind spots, red/blue team exercises aligned to specific techniques, and security product evaluations based on technique coverage.
- Avoid common pitfalls like treating ATT&CK as a comprehensive checklist, over-relying on indicators instead of behaviors, and deploying new capabilities without first mapping existing controls to the framework.
- Start simple by focusing on 10-15 high-priority techniques relevant to your environment, build behavioral detections with low false positives, and implement mitigations that overlap across multiple relevant threat groups.
Frequently Asked Questions
What is the difference between tactics and techniques?
Tactics represent the high-level “why” behind adversary actions, answering what goal the attacker is trying to accomplish. The 14 Enterprise tactics include objectives like Initial Access, Persistence, and Lateral Movement. Techniques describe the “how,” providing specific methods to achieve each tactical goal. For example, under the Initial Access tactic, techniques include Phishing, Exploit Public-Facing Application, and Valid Accounts. A single tactic can have dozens of techniques, each with multiple sub-techniques for additional detail.
How do I start using the ATT&CK Navigator?
Visit the ATT&CK Navigator website and select “Create New Layer” to load the Enterprise matrix. Filter by platform relevant to your environment using the top menu. Begin by highlighting 5-10 techniques you want to focus on by clicking them and applying colors or scores. Save your layer locally for future reference. As you become comfortable, create multiple layers representing different aspects like current detection coverage, threat group techniques, or planned improvements, then compare layers to identify gaps.
What are the main matrices available?
MITRE maintains three primary matrices covering different technology environments. The Enterprise matrix addresses traditional IT including Windows, Linux, macOS, cloud platforms, and network infrastructure. The Mobile matrix focuses on threats specific to iOS and Android mobile devices. The ICS matrix covers Industrial Control Systems found in operational technology environments like manufacturing plants and power grids. Most beginners start with Enterprise as it covers the broadest range of common business scenarios.
How does ATT&CK help with threat detection?
ATT&CK enables detection teams to build behavioral analytics that catch attacker techniques regardless of which specific tools implement them. Rather than creating signatures for individual malware variants, you develop detection logic for the underlying techniques malware must use. The framework provides data source recommendations and detection methods for each technique, guiding where to collect logs and what patterns indicate malicious activity. Using Navigator to map your detection coverage reveals gaps and helps prioritize which techniques to address next.
What are common mistakes beginners make with ATT&CK?
The most common error is treating ATT&CK as a comprehensive checklist where detecting all techniques equals complete security. No organization can realistically detect every technique, nor should they try. Instead, prioritize based on relevant threat groups and critical assets. Another mistake is over-relying on indicators like file hashes instead of focusing on behavioral techniques that remain consistent across attacker tool variations. Finally, many organizations deploy new security capabilities without first mapping existing controls, leading to duplicate coverage instead of addressing actual gaps.
How does ATT&CK cover cloud and ICS environments?
The Enterprise matrix covers cloud through its platform filters (IaaS, SaaS, Office Suite, and Identity Provider, which between them cover services such as AWS, Azure, GCP, and Microsoft 365), with techniques specific to cloud environments such as abusing cloud APIs or reading credentials from the Cloud Instance Metadata API (T1552.005). When you filter the Enterprise matrix by those platforms, you’ll see the techniques applicable to cloud infrastructure. For Industrial Control Systems, MITRE maintains a separate ICS matrix tailored to operational technology with tactics and techniques relevant to SCADA systems, PLCs, and industrial protocols. This specialized matrix addresses the unique attack surface of critical infrastructure and manufacturing environments.
References
- MITRE ATT&CK Official Site
- Get Started – MITRE ATT&CK
- What is the MITRE ATT&CK Framework? | Microsoft Security
- MITRE ATT&CK Framework Guide for Beginners – Picus Security
- Enterprise ATT&CK Matrix
- ATT&CK Navigator
- ATT&CK Detections
