MITRE ATT&CK

Security Operations πŸ›‘οΈ β€’ Threats ⚠️ β€’ Security Testing πŸ” β€’ Sec+ Glossary πŸ“– β€’ Difficulty: free

What is MITRE ATT&CK?

MITRE ATT&CK is a knowledge base of real-world attacker tactics and techniques that helps security teams understand, detect, and defend against adversary behavior.

Examples

  • A SOC team maps suspicious PowerShell use and credential dumping activity to ATT&CK techniques to improve its investigation and detection rules.
  • A purple team uses ATT&CK to choose realistic attacker behaviors to simulate during a validation exercise.

Discover πŸ”Ž

Security teams often collect alerts, logs, and threat reports, but those pieces do not always fit together easily. One alert may mention a script, another may show unusual login activity, and a third may point to strange network traffic. MITRE ATT&CK helps organize that kind of information by focusing on what attackers actually do during real intrusions.

That is why ATT&CK has become so useful. It gives defenders a shared language for describing attacker behavior. Instead of speaking only in vague terms like β€œthe attacker moved around the network,” teams can describe the specific techniques involved and connect those actions to detection, threat hunting, incident response, and security testing.

Remember: MITRE ATT&CK is not a tool that blocks attacks by itself. It is a framework for understanding and organizing attacker behavior.

Summary πŸ“

MITRE ATT&CK is a structured knowledge base of attacker tactics and techniques. It helps security teams understand how adversaries behave, map detections more clearly, improve threat hunting, and communicate defensive gaps in a practical way. Its value comes from organizing real-world attacker behavior into a form defenders can study and use.

Open the interactive lesson Browse more topics

Tip: The interactive version includes progress tracking, decks, and premium deep dives.