MITRE ATT&CK

Security+ 🏆 • Security Operations 🛡️ • Difficulty: free

Definition

MITRE ATT&CK is a public knowledge base that catalogs real-world adversary behavior—organized as tactics (goals), techniques (how), and procedures (specific examples)—to give defenders a common language for threat modeling, detection, testing, and reporting.

Examples

After a phishing incident, the SOC maps the activity to Initial Access and Execution tactics and writes detections for suspicious Office spawning PowerShell, improving coverage where the technique was used.
A blue team loads its log-source coverage into ATT&CK Navigator, sees a gap in Credential Access, and designs hunts for LSASS memory reads and abnormal credential dumping tools.

Discover 🔎

ATT&CK gives security teams a shared map of how attackers actually operate. Instead of vague labels like “advanced malware,” it describes concrete behaviors—how access is gained, how persistence is kept, how credentials are stolen, and how data leaves the network. Because it’s based on observed activity, it helps turn theory into practical detection and response.

Open the interactive lesson Browse more topics

Tip: The interactive version includes progress tracking, decks, and premium deep dives.