Ask two security teams to describe the same breach and you’ll often get two incompatible stories. One says “the attacker used malware,” another says “they moved laterally.” Both are true and neither is precise enough to act on. This vocabulary problem — the fact that defenders had no shared, granular way to describe adversary behavior — is exactly the gap MITRE ATT&CK was built to close. It isn’t a scanner, a product, or a scoring system. It’s a knowledge base: a structured, publicly maintained catalog of the things real attackers do once they’re inside or trying to get inside a network, documented from observed intrusions rather than theory.
That last point matters and is frequently misunderstood. ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is not a list of vulnerabilities or a compliance checklist. It describes behavior. A missing patch is a weakness; using stolen credentials to log in over RDP is a behavior. ATT&CK concerns itself entirely with the latter.
The Layers: Goals, Methods, and Specifics
The framework is organized as a hierarchy, and understanding those three levels is most of understanding ATT&CK at all.
Tactics answer the question why — the adversary’s short-term goal at a given moment. These are the columns of the well-known ATT&CK matrix, and for enterprise environments there are fourteen of them, roughly following the arc of an intrusion:
- Reconnaissance and Resource Development (pre-compromise setup)
- Initial Access (getting a foothold)
- Execution, Persistence, Privilege Escalation
- Defense Evasion, Credential Access, Discovery
- Lateral Movement, Collection
- Command and Control, Exfiltration, Impact
A common mistake is to read these left-to-right as a strict sequence. They aren’t a kill chain. An intrusion loops, skips, and revisits tactics constantly — an attacker might do discovery, escalate privileges, then do more discovery. Think of tactics as categories of intent, not stages you tick off.
Techniques answer how — the specific method used to achieve a tactic. Each has an ID like T1566 (Phishing) or T1055 (Process Injection). Where a technique is broad, ATT&CK breaks it into sub-techniques with a suffixed ID: T1566.001 is Spearphishing Attachment, T1566.002 is Spearphishing Link. One technique can belong to more than one tactic — credential dumping, for example, serves Credential Access, but the credentials it yields feed Lateral Movement.
Procedures are the ground-truth layer: the exact, in-the-wild implementation of a technique by a specific actor or piece of malware. If the technique is “OS Credential Dumping: LSASS Memory” (T1003.001), a procedure is the concrete way it was carried out — say, an operator running Mimikatz’s sekurlsa::logonpasswords, or using comsvcs.dll to dump the LSASS process:
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\temp\out.dmp fullThat single command line is a procedure. It maps up to sub-technique T1003.001, which sits under the Credential Access tactic. Procedures are where detection engineering lives, because they’re what actually shows up in your logs — a signed Windows binary (rundll32.exe) touching LSASS memory is a far more useful alert than the abstract idea of “credential access.”
More Than One Matrix
ATT&CK isn’t a single grid. The Enterprise matrix is the best known and covers Windows, macOS, Linux, cloud platforms (IaaS, SaaS, identity providers), containers, and networking gear. Alongside it sit the Mobile matrix (Android and iOS) and ICS, aimed at industrial control systems where the “Impact” tactics involve physically disrupting processes rather than encrypting files. Which matrix you use depends on what you’re defending; the structure is identical across all three.
The project also tracks groups (named threat actors such as G-numbered entries), software (malware and tools), mitigations, and data sources — the telemetry you’d need to catch a given technique. These cross-references are what turn a static catalog into an analytical tool: you can pivot from a threat group to every technique it’s known to use, then to the data sources that would reveal them.
Where It Sits Among Other Models
ATT&CK is often confused with two neighbors, and the distinction is worth drawing clearly.
Lockheed Martin’s Cyber Kill Chain is a linear, seven-stage model of an intrusion’s lifecycle. It’s excellent for high-level narrative but coarse — it tells you an attacker reached “Actions on Objectives” without describing the dozens of distinct techniques that phase might contain. ATT&CK is the finer-grained complement: less about the overarching sequence, more about the specific behaviors within it.
The Diamond Model frames each intrusion event around four vertices — adversary, capability, infrastructure, victim — and is a reasoning tool for analysts connecting related activity. ATT&CK slots neatly into its “capability” vertex.
The practical takeaway: these aren’t competitors. Many teams use the Kill Chain or Diamond Model to structure the story of an incident and ATT&CK to populate it with precise, shared terminology.
Putting It to Work
The framework earns its keep in a handful of concrete ways:
- Detection and gap analysis. Teams map their existing detections to technique IDs and produce a coverage “heatmap,” exposing blind spots — often via the free ATT&CK Navigator, which lets you color and annotate the matrix.
- Threat-informed defense. Rather than trying to cover all ~200 techniques at once, you prioritize the ones used by the actors that realistically target your industry, pulled straight from the group profiles.
- Adversary emulation and red teaming. Purple teams script realistic attack chains against these techniques; the open-source Atomic Red Team project ships small tests keyed directly to ATT&CK IDs, so you can safely fire a single technique and confirm your sensors light up.
- SOC communication and reporting. When an analyst tags an alert
T1059.001(PowerShell), everyone downstream — from the incident responder to the threat-intel writer to the CISO’s report — knows exactly what happened without ambiguity.
A word of caution that experienced practitioners learn quickly: coverage is not the same as security. A matrix that’s green across the board can lull a team into false confidence, because a “detection” for a technique might catch one procedure and miss a dozen others. ATT&CK measures the breadth of behaviors you’ve considered, not the depth or reliability of any single detection.
The Real Value
Strip away the matrix graphics and ATT&CK’s contribution is deceptively simple: it gave the defensive community a common, evidence-based vocabulary for adversary behavior, maintained in the open and updated as new tradecraft appears. That shared language is what lets a threat-intel report, a SIEM rule, a red-team plan, and a board-level risk briefing all point at the same underlying reality. Used well, it shifts a security program from chasing indicators — which attackers change cheaply — toward understanding behaviors, which they can’t abandon without abandoning their objectives. That reframing, more than any single technique ID, is why the framework became foundational.
