loading
Loading content
loading
Also known as ATT&CK
MITRE ATT&CK is a curated knowledge base of how adversaries actually behave, built from observed intrusions rather than theory. It organizes behavior into tactics (the attacker's goal, such as Initial Access or Persistence) and techniques (how they achieve it, such as Phishing or Valid Accounts). Each technique carries an ID like T1566, real-world usage notes, and the detections and mitigations that apply. It is the standard vocabulary that lets teams describe an attack the same way across tools and reports.
ATT&CK matters because it gives a shared map of attacker behavior. Defenders chart which techniques they can detect and find the gaps, while red teams design exercises that walk specific technique chains. It formalizes the tactics, techniques, and procedures concept and ties observed behavior back to a known threat actor when a group's pattern matches. Most threat intelligence reporting now tags findings with ATT&CK technique IDs.
For detection engineering, ATT&CK drives coverage tracking: you map each detection rule to the techniques it catches, then visualize the matrix to expose blind spots. In an automated workflow, you tag alerts and test results with technique IDs so coverage reporting stays current as new rules and findings flow in.
Related terms