
What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework is a public knowledge base that catalogs how cyber adversaries actually operate, based on real attacks observed in the wild.

Developed and maintained by MITRE Corporation, a nonprofit that runs federally funded research centers, ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It organizes attacker behavior into a structured matrix that maps out the full lifecycle of an intrusion—from initial reconnaissance through data exfiltration or impact. The framework distinguishes between tactics (the adversary's goals at each stage) and techniques (the specific methods used to achieve those goals), with sub-techniques providing even finer detail.

ATT&CK covers multiple technology domains: Enterprise environments (Windows, Linux, macOS, cloud platforms), Mobile devices, and Industrial Control Systems. Each technique entry includes descriptions of how it works, examples of threat groups that use it, detection strategies, and potential mitigations.

Security teams use ATT&CK as a common language for threat intelligence, a blueprint for red team exercises, a foundation for building detection rules, and a framework for assessing defensive coverage. Because it's grounded in documented adversary behavior rather than theoretical attack models, ATT&CK helps bridge the gap between abstract security concepts and the practical realities of defense.

Origin

MITRE began developing ATT&CK in 2013 as part of an internal research project to improve post-compromise detection. The team wanted to move beyond signature-based defenses that focused on malware samples and instead catalog adversary behaviors that persisted across different tools and campaigns. They studied real intrusions, threat intelligence reports, and penetration testing methodologies to extract patterns in how attackers move through networks. The first version, released publicly in 2015, focused on Windows enterprise environments and contained a relatively modest set of techniques. What made ATT&CK different from earlier frameworks was its grounding in observable adversary behavior rather than theoretical kill chains or abstract security models.

As the framework gained traction in the security community, MITRE expanded it to cover additional platforms—cloud infrastructure, Linux, macOS, mobile devices, and industrial control systems. The community itself began contributing observations, suggesting refinements, and building tools around the framework.

By 2018, ATT&CK had become something of an industry standard, referenced in threat reports, vendor product documentation, and security operations playbooks. MITRE continues to update the framework quarterly, adding new techniques as attackers develop them and refining existing entries based on community feedback and ongoing research.

Why It Matters

ATT&CK matters because it gives defenders a structured way to think about what adversaries actually do, not just what malware they use. Traditional defenses often focused on indicators of compromise—specific file hashes, domains, or IP addresses—that attackers could easily change. By focusing on techniques and behaviors, ATT&CK helps organizations build detections that remain relevant even as tools evolve.

It's become the de facto standard for threat intelligence reporting, with most major security vendors and intelligence providers mapping their findings to ATT&CK techniques. This common language makes it possible to compare threat reports, assess defensive coverage, and prioritize security investments based on which techniques are most commonly used by relevant threat actors.

Security teams use the framework to identify gaps in their detection and response capabilities, structure red team exercises around realistic adversary behaviors, and measure how well their security controls would perform against specific threat groups. The framework also helps bridge communication gaps between technical teams and management by providing a clear, structured way to discuss threats and defensive posture. As attacks grow more sophisticated and span hybrid cloud environments, having a comprehensive map of adversary techniques becomes increasingly valuable for staying ahead of threats.
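As an added illustration of the two points above (mapping detections to techniques to find coverage gaps, and writing behaviour-based rather than indicator-based detections), the following Python script is an example written for this page, not code from the original page or from Plurilock. It models a small slice of the Enterprise matrix, defines two behaviour-based rules mapped to technique IDs, runs them over constructed log lines, and then reports, per tactic, which techniques have a mapped rule and which do not. The tactic and technique IDs are real ATT&CK identifiers; the rule patterns, log lines and their field names are constructed for the example and do not correspond to any real product's telemetry format.

```python
"""Toy ATT&CK coverage check: behaviour-based rules mapped to technique IDs,
run over constructed log lines, then summarised per tactic."""
from dataclasses import dataclass
import re

# Small slice of the Enterprise matrix. The IDs are real ATT&CK identifiers
# (assumption: copied correctly from the public matrix); the slice is
# deliberately tiny so the coverage report stays readable.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0006": "Credential Access",
}
TECHNIQUES = {
    # technique ID: (name, parent tactic)
    "T1566.001": ("Spearphishing Attachment", "TA0001"),
    "T1059.001": ("PowerShell", "TA0002"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "TA0003"),
    "T1003.001": ("LSASS Memory", "TA0006"),
}


@dataclass
class Rule:
    name: str
    technique: str        # ATT&CK technique or sub-technique ID the rule covers
    pattern: re.Pattern   # behaviour-level condition, not a hash/domain/IP


# Constructed behaviour-based rules. Neither keys on an indicator that an
# attacker can trivially rotate; both describe how the technique shows up
# in telemetry, which is the point the text makes about ATT&CK-style detection.
RULES = [
    Rule("encoded-powershell", "T1059.001",
         re.compile(r"powershell(\.exe)?\s.*-(enc|encodedcommand)\b", re.I)),
    Rule("run-key-write", "T1547.001",
         re.compile(r"RegistryEvent.*\\CurrentVersion\\Run\\", re.I)),
]

# Constructed sample telemetry (not real logs; field names are invented).
SAMPLE_LOGS = [
    "ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe -w hidden -enc QQBCAEMA",
    "RegistryEvent target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "data=C:\\Users\\Public\\u.exe",
    "ProcessCreate image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe",
]


def match_rules(logs, rules=RULES):
    """Return {technique_id: [rule names that fired]} for the given log lines."""
    hits = {}
    for line in logs:
        for rule in rules:
            if rule.pattern.search(line):
                fired = hits.setdefault(rule.technique, [])
                if rule.name not in fired:
                    fired.append(rule.name)
    return hits


def coverage_by_tactic(rules=RULES, techniques=TECHNIQUES):
    """Map each tactic ID to (covered technique IDs, uncovered technique IDs).

    'Covered' here means only that at least one rule is mapped to the
    technique; whether the rule actually fires is a separate question that
    the sample run in main() answers for the constructed logs.
    """
    mapped = {r.technique for r in rules}
    report = {}
    for tid, (_, tactic) in techniques.items():
        covered, gaps = report.setdefault(tactic, ([], []))
        (covered if tid in mapped else gaps).append(tid)
    return report


if __name__ == "__main__":
    for tech, names in match_rules(SAMPLE_LOGS).items():
        title, tactic = TECHNIQUES[tech]
        print(f"{tech} {title} [{TACTICS[tactic]}] <- {', '.join(names)}")
    for tactic, (covered, gaps) in coverage_by_tactic().items():
        print(f"{TACTICS[tactic]}: covered={covered} gaps={gaps}")
```

Running the script shows the two mapped techniques firing on the constructed logs and leaves Initial Access and Credential Access with no rule at all, which is exactly the kind of gap the text says an ATT&CK mapping is meant to surface. Note that a mapped rule is a weaker claim than a validated one: a real coverage assessment pairs each rule with a test case that exercises the behaviour, which is what the red team mapping described later on this page provides.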

The Plurilock Advantage

Plurilock's offensive security services use the ATT&CK framework as a foundation for realistic adversary simulation that tests your defenses against documented attacker behaviors. Our red team exercises don't just probe for vulnerabilities—they emulate the tactics and techniques used by real threat actors relevant to your industry and threat model.

We map findings to specific ATT&CK techniques, giving you clear visibility into which adversary behaviors your current defenses can detect and which slip through unnoticed. This approach helps prioritize remediation based on real-world attack patterns rather than theoretical risks.

Learn more about our adversary simulation and readiness services.


Need Help Implementing the MITRE ATT&CK Framework?

Plurilock's cybersecurity experts can help you deploy and optimize MITRE ATT&CK for enhanced threat detection.


Downloadable References

PDF: Sample, shareable addition for an employee handbook or company policy library to provide governance for employee AI use.
PDF: Generative AI is exploding, but workplace governance is lagging. Use this whitepaper to help implement guardrails.
PDF: Cheat sheet of security basics, their ideal deployment order, and steps to take in case of a breach.

Enterprise IT and Cyber Services

Zero trust, data protection, IAM, PKI, penetration testing and offensive security, emergency support, and incident management services.

Schedule a Consultation:
Talk to Plurilock About Your Needs


Contact Plurilock

+1 (888) 776-9234 (Plurilock Toll Free)
+1 (310) 530-8260 (USA)
+1 (613) 526-4945 (Canada)

sales@plurilock.com
