MITRE ATT&CK is the public knowledge base that catalogues real attacker behaviour as tactics, techniques and procedures. It has been maintained by MITRE Corporation, a US non-profit, since 2013. Today it is the common language the cybersecurity industry uses to describe how an adversary operates, to evaluate the defensive coverage of a SOC and to plan Red Team exercises.
This guide explains what MITRE ATT&CK is, how it is organised under the hood (tactics, techniques, sub-techniques, procedures), the 14 Enterprise tactics, how SOC teams, threat hunters and Red Teams use it day to day, what ATT&CK Navigator is, how it differs from the Cyber Kill Chain and from D3FEND, and when to lean on it to meet NIS2, DORA or ISO 27001.
What MITRE ATT&CK is
ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge. It is a public, free matrix that documents the behaviour of threat actors observed in forensic investigations, incident reports and threat intelligence publications.
Unlike a vulnerability catalogue such as CVE, which describes specific flaws in software, ATT&CK describes how an attacker behaves once inside: how they persist, escalate privileges, move laterally, exfiltrate data. The question it answers is not which bug the attacker used but what they do after.
What it brings operationally:
- Common language so SOC, Red Team, IT and leadership talk about the same event without ambiguity.
- Defensive coverage map: a team can measure which techniques it detects today and where the gaps are.
- Foundation for threat hunting: hunts are designed around concrete techniques, not gut feelings.
- Template for Red Team and purple team exercises: the scenario is built by chaining real techniques.
- Framework for executive reporting: translates technical alerts into adversary behaviour a board understands.
It is free, open, downloadable in JSON or STIX, and most SIEM, EDR and XDR products on the market already tag their rules with ATT&CK identifiers.
How the framework is structured
ATT&CK is organised in four levels of abstraction that go from general to concrete.
Tactics
These are the attacker's objectives, the "why" of an action. They answer questions like "what is the adversary trying to achieve at this step?". There are 14 in the current Enterprise matrix, ordered loosely along the typical flow of an intrusion.
Techniques
These are the concrete ways to fulfil a tactic. They answer "how do they do it?". For example, under the Credential Access tactic there are techniques like Brute Force (T1110), OS Credential Dumping (T1003) or Kerberoasting (T1558.003, a sub-technique of Steal or Forge Kerberos Tickets).
Every technique has a unique identifier (Txxxx), a description, the affected platforms, the data sources that reveal it, recommended mitigations and references to documented real cases.
Sub-techniques
Starting in 2020, MITRE refactored many techniques into sub-techniques to gain precision. For example, OS Credential Dumping (T1003) has sub-techniques for LSASS memory (T1003.001), Security Account Manager (T1003.002), NTDS (T1003.003), DCSync (T1003.006) and others. This makes detection surgical instead of generic.
Procedures
These are the specific implementations of a technique observed in a concrete group or piece of malware. A procedure answers "how exactly did APT29 do it in that incident?". MITRE documents procedures associated with more than 130 groups (APT28, FIN7, Lazarus, Conti, etc.) and with malware families (Cobalt Strike, Mimikatz, Emotet).
The industry shorthand is TTPs = Tactics, Techniques and Procedures. Mapping an intrusion to its ATT&CK TTPs allows attribution to a group when the procedures match what is already documented in the matrix for a specific actor.
The 14 Enterprise tactics
The Enterprise matrix (the one most SOCs default to, covering Windows, Linux, macOS, containers, networks and SaaS) has these 14 tactics in this order:
- Reconnaissance. Active or passive collection of information on the target. This is where tools and techniques like OSINT and Google Dorks fit.
- Resource Development. Preparation of the offensive infrastructure: domain registration, C2 server purchases, fake account creation.
- Initial Access. Initial entry point. Phishing, exploitation of external services, abuse of valid accounts.
- Execution. Running malicious code on the compromised system.
- Persistence. Mechanisms to survive reboots or session closures: scheduled tasks, services, registry keys, new accounts.
- Privilege Escalation. Gaining higher permissions: exploiting kernel vulnerabilities, token abuse, UAC bypass.
- Defense Evasion. Bypassing controls: obfuscation, disabling antivirus, deleting logs, signing binaries.
- Credential Access. Credential theft: LSASS dumping, Kerberos attacks, keyloggers, NTLM hash capture.
- Discovery. Internal reconnaissance once inside: enumeration of users, systems, networks, services.
- Lateral Movement. Movement between systems: SMB, RDP, WMI, Pass-the-Hash, remote service abuse.
- Collection. Gathering information before exfiltrating: screenshots, microphone, mail reading, sensitive files.
- Command and Control (C2). Communication between the attacker and the compromised asset: HTTP/S, DNS tunneling, Cobalt Strike, custom frameworks.
- Exfiltration. Moving data out of the victim's environment.
- Impact. Final action that affects the business: encryption via ransomware, destructive deletion, data manipulation, denial of service.
The first two tactics (Reconnaissance and Resource Development) were added in 2020. Before that, ATT&CK started directly at Initial Access.
Available matrices
ATT&CK is not a single matrix. MITRE maintains three main ones and several derivatives.
Enterprise
The broadest and the one used by 90% of SOCs. Covers Windows, macOS, Linux, containers (Docker, Kubernetes), network devices, Office 365, Google Workspace, Azure AD / Entra ID, IaaS (AWS, Azure, GCP) and SaaS. It is the default when someone says "I mapped the incident to ATT&CK".
Mobile
Tactics and techniques specific to Android and iOS. Useful in corporate mobile security programmes, MDM and mobile application pentesting.
ICS (Industrial Control Systems)
For industrial (OT) environments: SCADA, PLCs, process control systems. Tactics like Inhibit Response Function or Impair Process Control have no equivalent in Enterprise. A mandatory reference for energy, water and critical manufacturing sectors under NIS2.
There are also contributory matrices (Cloud, Containers) that in practice merged into Enterprise as platforms, and derivative projects like ATT&CK Flow to represent full attack chains.
ATT&CK Navigator
ATT&CK Navigator is a free web tool from MITRE that lets you overlay layers on the matrix to visualise coverage, gaps, hunts and campaigns.
Common use cases:
- SOC coverage map. One layer marks every technique the SIEM or EDR detects today. Another layer marks the ones the threat hunting team picks up in reactive hunts. Comparing the two surfaces the blind spots.
- Threat-informed defense. The threat intelligence team loads the set of techniques used by groups relevant to the sector and geography. Defence prioritises investment in those gaps.
- Red Team plan. The operator plans the exercise by marking the techniques they will execute and shares the layer with Blue Team at closeout for purple team work.
- Executive reporting. A coloured matrix (green detected, orange partial, red no coverage) communicates the defensive state to a committee better than a table of KPIs.
Navigator can run online at mitre-attack.github.io/attack-navigator or be deployed on-premise in an organisation.
MITRE ATT&CK in SOC and threat hunting
For a defensive team, ATT&CK delivers value on four fronts.
Rule and alert tagging. Every SIEM or EDR rule should carry the tag of the technique it detects. When an alert fires, the analyst sees the associated tactic and technique directly, which speeds up triage.
Hunt design. Instead of vague "look for weird stuff" sweeps, the threat hunter picks a technique (for example Pass-the-Hash, T1550.002) and builds a specific query against the telemetry that would appear if that technique is in use. ATT&CK indicates which data sources to query (process creation, authentication, network connection).
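A hunt for the technique just mentioned, Pass-the-Hash (T1550.002), as an added example that is not code from the original guide: it runs over constructed Windows 4624 authentication events and pairs the source-host NewCredentials indicator with the NTLM network logons that follow from the same workstation, which is what separates an attack from a harmless `runas /netonly`. Event field names follow the Windows event schema; hosts, accounts, timestamps and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: Windows Security 4624 events as a SIEM would normalise
# them. Field names follow the Windows event schema; hosts, users and times are invented.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-04T09:02:10", "EventID": 4624, "Computer": "WS-12",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_backup"},
    {"TimeCreated": "2024-03-04T09:03:41", "EventID": 4624, "Computer": "FS-01",
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-12"},
    {"TimeCreated": "2024-03-04T09:05:00", "EventID": 4624, "Computer": "FS-01",
     "LogonType": 3, "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "WorkstationName": "WS-12"},
    {"TimeCreated": "2024-03-04T11:30:00", "EventID": 4624, "Computer": "ADM-01",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "SubjectUserName": "it_admin", "TargetUserName": "it_admin_da"},
]
ATTACK = {"tactic": "Lateral Movement", "technique": "T1550.002"}

def is_newcredentials_logon(ev):
    # Source-host indicator: a NewCredentials logon (type 9) created through seclogo
    # with Negotiate. Legitimate "runas /netonly" produces the same event, which is
    # why the hunt also looks at what that session does next instead of alerting alone.
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 9
            and ev.get("LogonProcessName") == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")

def is_ntlm_network_logon(ev):
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM")

def hunt_pass_the_hash(events, window_minutes=30):
    """Pair each seed logon with NTLM network logons of the same account coming
    from the same workstation inside the window; return ATT&CK-tagged findings."""
    findings = []
    for seed in (e for e in events if is_newcredentials_logon(e)):
        t0 = datetime.fromisoformat(seed["TimeCreated"])
        targets = sorted({
            e["Computer"] for e in events
            if is_ntlm_network_logon(e)
            and e.get("TargetUserName") == seed["TargetUserName"]
            and e.get("WorkstationName") == seed["Computer"]
            and t0 <= datetime.fromisoformat(e["TimeCreated"]) <= t0 + timedelta(minutes=window_minutes)
        })
        # A seed with no follow-up is a baselining candidate, not an incident
        findings.append({"source": seed["Computer"], "account": seed["TargetUserName"],
                         "targets": targets, "severity": "high" if targets else "low", **ATTACK})
    return findings
```

On the sample data the jdoe/svc_backup session on WS-12 is rated high because svc_backup then authenticates with NTLM to FS-01 from WS-12, while the it_admin session on ADM-01 stays low for lack of a follow-up.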
Detection measurement. Tests are periodically run with tools like Atomic Red Team or Caldera, which execute real techniques on controlled endpoints. What fires an alert counts as validated coverage; what does not fire becomes a gap to close.
Reporting to the committee. ATT&CK coverage is a metric that travels well to leadership: percentage of relevant techniques detected, month-over-month evolution, where to spend the next euro.
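An added example, not code from the original guide, that ties together the rule tagging, the coverage map and the coverage metric described above: it reads Sigma-style ATT&CK tags (`attack.<tactic>`, `attack.t<id>`) off a constructed rule set, scores them against a constructed priority list and emits an ATT&CK Navigator layer ready to load in the web tool. Rule titles, the priority list and the version numbers written into the layer are assumptions.

```python
import json
import re

# Constructed sample: SIEM rules carrying Sigma-style ATT&CK tags.
# Titles and tags are invented for the example, not a real rule set.
RULES = [
    {"title": "LSASS handle from non-system process", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "NewCredentials logon via seclogo", "tags": ["attack.lateral_movement", "attack.t1550.002"]},
    {"title": "Scheduled task created by script host", "tags": ["attack.persistence", "attack.t1053.005"]},
    {"title": "Encoded PowerShell command line", "tags": ["attack.execution", "attack.t1059.001"]},
]
# Constructed priority list: the techniques judged relevant to this sector
# (the "20-30 that matter", shortened here).
PRIORITY = {"T1003.001", "T1550.002", "T1053.005", "T1059.001",
            "T1566.001", "T1021.001", "T1486"}

TECH_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)", re.IGNORECASE)

def covered_techniques(rules):
    """Technique IDs (e.g. T1003.001) found in the rules' ATT&CK tags; tactic tags are ignored."""
    covered = set()
    for rule in rules:
        for tag in rule["tags"]:
            m = TECH_TAG.fullmatch(tag)
            if m:
                covered.add(m.group(1).upper())
    return covered

def coverage_report(rules, priority):
    """Coverage metric against the priority list: percentage plus the gap list to close."""
    covered = covered_techniques(rules) & priority
    return {"covered": sorted(covered), "gaps": sorted(priority - covered),
            "coverage_pct": round(100 * len(covered) / len(priority), 1)}

def navigator_layer(rules, priority, name="SOC detection coverage"):
    """Build an ATT&CK Navigator layer: detected techniques green, priority gaps red.
    Version numbers are assumed; set them to the ATT&CK/Navigator release you use."""
    covered = covered_techniques(rules)
    techniques = []
    for tid in sorted(priority | covered):
        detected = tid in covered
        techniques.append({"techniqueID": tid, "score": 100 if detected else 0,
                           "color": "#31a354" if detected else "#e31a1c",
                           "comment": "detected by existing rule" if detected else "priority gap"})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "techniques": techniques}

def layer_json(rules, priority):
    """Serialise the layer as the JSON file Navigator's 'Open Existing Layer' expects."""
    return json.dumps(navigator_layer(rules, priority), indent=2)
```

On the sample data four of the seven priority techniques are covered (57.1%), and the three gaps (phishing attachment, RDP lateral movement, ransomware encryption) show up red in the layer.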
MITRE ATT&CK in Red Team
On the offensive side, ATT&CK structures the exercise.
- Planning. The client defines which techniques or groups to emulate (for example, "operate as FIN7" or "execute these 30 specific techniques").
- Execution. The operator documents every action mapped to its ATT&CK identifier. That lets Blue Team rebuild the timeline afterwards.
- Reporting. The final report includes both the attack narrative and a coloured matrix with the techniques used, the per-technique result (detected, partial, undetected) and recommendations per gap.
- Purple team. Operator and defender review every technique live, validate detection and tune rules on the spot. The most efficient way to close gaps.
Frameworks like TIBER-EU explicitly require the exercise TTPs to be mapped to a recognised framework. ATT&CK is the de facto standard. See DORA compliance guide for financial entities 2026 for how this fits regulated programmes.
ATT&CK compared to Lockheed Martin's Cyber Kill Chain
The Cyber Kill Chain (Lockheed Martin, 2011) is the conceptual predecessor. It models an attack in seven linear phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control and Actions on Objectives.
Practical differences with ATT&CK:
- Kill Chain is linear and high level. ATT&CK is modular and granular: inside "Actions on Objectives" there are dozens of concrete techniques.
- Kill Chain fits traditional attacks with malware well. ATT&CK also fits living-off-the-land intrusions, account abuse and cloud attacks.
- Kill Chain works for short executive reports. ATT&CK works for technical operations as well.
- Today most teams use Kill Chain as the high-level narrative and ATT&CK as the tactical-technical map.
They are not mutually exclusive. The Kill Chain phase "Installation" maps to the ATT&CK tactic Persistence, "Command & Control" maps to Command and Control, and so on.
ATT&CK compared to MITRE D3FEND
MITRE D3FEND, launched in 2021 with NSA funding, is the sister matrix of ATT&CK on the defensive side. It catalogues defensive techniques (hardening, detection, isolation, deception, eviction) and ties them to the offensive techniques they mitigate or detect.
D3FEND does not replace ATT&CK; it complements it. If ATT&CK answers "what does the attacker do?", D3FEND answers "what specific countermeasure neutralises that action?". For a mature security programme, both are used in parallel.
Limitations and common mistakes
ATT&CK is an excellent tool, but it has limits worth keeping in mind.
It is not exhaustive. It reflects what has been observed, not what is possible. Zero-day or novel techniques can take months to land in the matrix.
It is not prioritised out of the box. Every technique is marked equal. Each organisation has to prioritise the ones relevant to its sector, geography and tech stack. Detecting ICS techniques adds nothing to a pure SaaS company.
Coverage is not the same as security. A SOC can have 95% ATT&CK coverage on paper and still fail in production if rules are noisy, analysts are overloaded or there is no response after the alert.
Risk of "ATT&CK theatre": reports full of coloured matrices that do not translate into real MTTD/MTTR improvements. The matrix is a means, not an end.
Variable granularity. Some techniques have many sub-techniques; others remain broad blocks. That forces interpretation.
Compliance fit
Although ATT&CK does not appear by name in the legal texts, it does fit the controls the frameworks demand:
- NIS2 (article 21). Requires detection, incident management and analysis measures. Mapping capabilities to ATT&CK is the standard way to demonstrate defensive coverage in an audit. More in NIS2 in Spain: a compliance guide for 2026.
- DORA (articles 9, 17). ICT incident detection, response and reporting. ATT&CK structures both runbooks and post-incident reports. More in DORA compliance guide for financial entities 2026.
- ISO 27001:2022 (controls 8.16, 8.7, 5.25). Activity monitoring, malware protection, incident management. Documenting coverage with ATT&CK accelerates the audit.
- ENS (Spanish Royal Decree 311/2022). Measures op.exp and op.mon gain clarity if the organisation keeps a live ATT&CK Navigator map.
No Spanish regulatory framework mandates ATT&CK specifically, but auditors value organisations having a common language and a coverage metric. ATT&CK is the cheap answer to that expectation.
Frequently asked questions
What does "ATT&CK" stand for exactly?
It is the acronym for Adversarial Tactics, Techniques and Common Knowledge. The official spelling uses the ampersand, and the final two letters, CK, stand for the last two words (Common Knowledge). It's not a typo.
Is using MITRE ATT&CK free?
Yes. The matrix, the descriptions, ATT&CK Navigator, the dataset and the associated tools (Atomic Red Team, Caldera) are public and free. MITRE Corporation is a non-profit funded largely by US federal contracts.
What is the difference between a technique and a sub-technique?
The technique is the general method (for instance OS Credential Dumping, T1003). The sub-technique pins down the specific vector (T1003.001 LSASS, T1003.006 DCSync). Sub-techniques were introduced in 2020 to make detection and reporting more precise.
How does a small SOC start using ATT&CK?
The usual path is: 1) tag existing rules with their technique identifier; 2) load that coverage into ATT&CK Navigator; 3) prioritise the 20-30 techniques most relevant to the sector; 4) run Atomic Red Team against those techniques to validate real detection; 5) close gaps in order of impact. You don't need to cover all 600 techniques; you need to cover the ones that matter, and cover them well.
Does ATT&CK replace OWASP, CIS or NIST?
No. ATT&CK speaks about adversary behaviour; OWASP about application vulnerabilities; CIS about secure configuration; NIST CSF about governance and functions. They are different layers of the same security programme and they complement each other.
What is Atomic Red Team?
An open source project maintained by Red Canary that provides small atomic tests (a script, a command) to execute each ATT&CK technique in a controlled environment. It lets you empirically validate whether the defences detect what they are supposed to detect.
Related resources
- What is threat hunting and how it works: the discipline that makes the most intensive use of ATT&CK.
- What is a SOC (Security Operations Center): the team that usually keeps ATT&CK coverage as a live metric.
- What is SIEM and how it works: the platform where each rule is tagged with ATT&CK identifiers.
- What is EDR (Endpoint Detection and Response) and What is MDR (Managed Detection and Response): controls that ship with ATT&CK mapping by default.
- What is OSINT: cycle, sources, tools: the discipline that drives the Reconnaissance tactic.
- What is ransomware: how it works: the threat family whose TTPs are most often mapped against ATT&CK Impact and Credential Access.
ATT&CK applied at Secra
At Secra we use MITRE ATT&CK to map every Red Team finding and to measure the defensive coverage of clients when we audit SOC, SIEM or contracted MDR services. The deliverable is a live Navigator matrix that the security team maintains after the project, compares year over year and uses to justify investment decisions, not a PDF to file away. If you want to validate your ATT&CK coverage with a purple team exercise or audit a detection and response vendor proposal, get in touch through contact or check our managed cybersecurity services.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.