MITRE ATT&CK is a free, globally maintained knowledge base of the tactics and techniques real attackers use, organized by the stages of an intrusion. Every technique has a stable ID, like T1110 for brute force, so defenders can describe, detect, and measure their coverage against specific adversary behavior in one shared language.
The easiest way to picture it: imagine a detailed playbook of how burglars actually operate, not "burglars are bad" but "here is how they pick a lock, here is how they disable an alarm, here is how they find the safe, here is how they carry the loot out." ATT&CK is that playbook for cyber attacks, written down and kept current by studying what real intruders do. Instead of treating threats as a vague cloud of "malware" and "hackers," it breaks an intrusion into the goals an attacker pursues and the concrete methods they use to reach each one. That turns a fuzzy problem into a checklist you can plan against.
Why ATT&CK exists
Before ATT&CK, every security vendor, report, and team described attacks in its own words. One product called something "lateral movement," another called the same behavior "internal pivoting," and a threat report called it something else again. Comparing tools or sharing intelligence meant constantly translating between private vocabularies.
MITRE, a US non-profit that runs federally funded research centers, started ATT&CK in 2013 from a simple idea: catalog adversary behavior based on real-world observations, give each behavior a stable name and ID, and publish it for everyone. The framework grew from a Windows-focused project into a public standard now used across government, industry, and the security-product community. The point was never to be academic. It was to give defenders a common map, so that attacker behavior and the detections built against it could be described, tested, and improved in one shared language.
How MITRE ATT&CK is organized
The framework is a matrix. The columns are tactics, the attacker's objective at each stage: Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration, and more, roughly following the order of an intrusion. A tactic answers why an attacker is doing something.
Under each tactic sit the techniques, the specific ways an attacker accomplishes that goal. A technique answers how. Many techniques also break down into finer sub-techniques, so Brute Force (T1110) splits into password guessing, password spraying, credential stuffing, and password cracking, each with its own ID like T1110.001.
| Tactic (the goal) | Example technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | Command and Scripting Interpreter | T1059 |
| Persistence | Scheduled Task/Job | T1053 |
| Credential Access | Brute Force | T1110 |
| Defense Evasion | Impair Defenses | T1562 |
| Discovery | Network Service Discovery | T1046 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
Those IDs are the important part. They give every team, vendor, and report the same name for the same behavior, so "we detect T1110" means exactly one thing everywhere. There are separate matrices for Enterprise (Windows, Linux, macOS, cloud, containers, and identity), Mobile, and Industrial Control Systems, because an attack on a factory controller looks nothing like an attack on a phone.
A real intrusion, mapped to ATT&CK
The framework clicks once you see an attack walked through it. Here is a common shape of a breach, with each step labeled by its tactic and technique:
- The attacker finds an unpatched, internet-facing web application and exploits it to get a foothold. That is Initial Access via Exploit Public-Facing Application (T1190).
- They run commands on the compromised server to look around and pull down tools. That is Execution via Command and Scripting Interpreter (T1059).
- To survive a reboot, they create a scheduled task that quietly re-launches their access. That is Persistence via Scheduled Task/Job (T1053).
- They try common and stolen passwords against other accounts to widen their reach. That is Credential Access via Brute Force (T1110).
- Before stealing data, they turn off or blind the security tooling. That is Defense Evasion via Impair Defenses (T1562).
- Finally they package the data and send it out through their command channel. That is Exfiltration via Exfiltration Over C2 Channel (T1041).
Written as a story, it is one breach. Written in ATT&CK, it is a precise sequence of six techniques across six tactics, each of which a defender can try to detect independently. If you catch the attacker at the scheduled task or the brute force, you can stop the intrusion before the exfiltration, and ATT&CK is what lets you reason about exactly where in the chain your detections sit.
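The brute-force step above is the kind of link a defender can detect on its own, and the alert is far more useful if it leaves the detector already tagged with its ATT&CK IDs. The script below is an added example, not code from the article or from Suriq: it runs a simple failed-login threshold over constructed OpenSSH-style log lines and labels each alert with the tactic, the technique (T1110) and the sub-technique it most resembles. The threshold, the time window and the rule of thumb that "many distinct accounts from one source" is spraying (T1110.003) while "one account hammered repeatedly" is guessing (T1110.001) are assumptions chosen for illustration, not part of ATT&CK itself.

```python
"""Tag a brute-force detection with its ATT&CK tactic, technique and sub-technique.

Added example, not from the original article or from Suriq. The log lines are
constructed to resemble OpenSSH failures; THRESHOLD, WINDOW and the
spraying/guessing heuristic are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK identifiers named in the article: Brute Force and two of its sub-techniques.
TACTIC = "Credential Access"
TECHNIQUE = "T1110"
SUBTECHNIQUE = {"guessing": "T1110.001", "spraying": "T1110.003"}

# Constructed sample log (not real data): one source hammering one account,
# one source trying one password against many accounts, one lone failure.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 4001 ssh2
2024-03-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.5 port 4002 ssh2
2024-03-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.5 port 4003 ssh2
2024-03-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.5 port 4004 ssh2
2024-03-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.5 port 4005 ssh2
2024-03-01T10:00:06 sshd[101]: Failed password for admin from 203.0.113.5 port 4006 ssh2
2024-03-01T10:05:00 sshd[102]: Failed password for alice from 198.51.100.7 port 5001 ssh2
2024-03-01T10:05:01 sshd[102]: Failed password for bob from 198.51.100.7 port 5002 ssh2
2024-03-01T10:05:02 sshd[102]: Failed password for carol from 198.51.100.7 port 5003 ssh2
2024-03-01T10:05:03 sshd[102]: Failed password for dave from 198.51.100.7 port 5004 ssh2
2024-03-01T10:05:04 sshd[102]: Failed password for erin from 198.51.100.7 port 5005 ssh2
2024-03-01T10:05:05 sshd[102]: Failed password for frank from 198.51.100.7 port 5006 ssh2
2024-03-01T10:09:00 sshd[103]: Failed password for alice from 192.0.2.9 port 6001 ssh2
2024-03-01T10:09:30 sshd[103]: Accepted password for alice from 192.0.2.9 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

THRESHOLD = 5                  # failures from one source before alerting (assumption)
WINDOW = timedelta(minutes=2)  # sliding window length (assumption)


def parse_failures(text):
    """Yield (timestamp, user, source_ip) for each failed-login line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect_brute_force(text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP that reaches `threshold` failures inside `window`.

    Every alert carries the ATT&CK tactic, technique and sub-technique, so a
    responder can place it in the intrusion chain without a lookup.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users_in_window = [u for ts, u in events[i:] if ts - start <= window]
            if len(users_in_window) >= threshold:
                # Heuristic (assumption): many distinct accounts from one source
                # reads as password spraying; repeated tries on the same account
                # reads as password guessing.
                distinct = len(set(users_in_window))
                kind = "spraying" if distinct >= threshold else "guessing"
                alerts.append({
                    "source_ip": ip,
                    "failures": len(users_in_window),
                    "distinct_users": distinct,
                    "tactic": TACTIC,
                    "technique": TECHNIQUE,
                    "sub_technique": SUBTECHNIQUE[kind],
                })
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the first source produces a T1110.001 alert, the second a T1110.003 alert, and the lone failure from the third source stays below threshold. The sub-technique label is what later lets a coverage review say honestly that this rule covers spraying and guessing, not the whole of T1110.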
How defenders actually use ATT&CK
ATT&CK is most useful as a coverage map. The practical workflow looks like this:
- Map detections to techniques. For each detection rule you run, record which technique it catches. Now your rule set speaks the same language as the threats, and you can ask precise questions like "can we see Impair Defenses on Linux?"
- Find the gaps. Lay your covered techniques over the matrix and the blank cells are your blind spots. The free ATT&CK Navigator is built for exactly this: you colour in what you cover and the holes become obvious. That coloured-in matrix is a prioritized backlog for detection engineering, grounded in real adversary behavior rather than guesswork.
- Add context to alerts. When an alert carries its technique ID and tactic, a responder immediately knows where the activity sits in an intrusion and what tends to come next, which speeds up triage and reduces the chance of dismissing a real early-stage signal.
- Threat-model against real actors. Threat-intelligence reports describe the techniques a given group is known to use. Overlay those on your coverage map and you can answer a concrete board-level question: "could we detect this specific adversary if they targeted us?"
- Run purple-team exercises. Red teams emulate a named set of techniques, blue teams check what fired, and the gaps feed straight back into the backlog. ATT&CK turns a vague "we did a pen test" into a measurable, repeatable loop.
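The first three steps of that workflow (map rules to techniques, find the gaps, overlay a known actor) can be carried out with a short script, and the result can be loaded straight into ATT&CK Navigator. The example below is added here and is not code from the article, from Suriq, or from the MITRE Navigator project. The catalog is the tactic/technique table from this article; the detection rules are constructed and tagged the way Sigma rules tag ATT&CK (`attack.<tactic>` and `attack.t<id>` tags); the actor profile is a hypothetical one; and the Navigator layer follows the public layer JSON format, but the `versions` numbers and the colour palette are assumptions. It also handles the caveat from the article's limits section: a rule that only covers a sub-technique is reported as partial coverage of the parent, not as full coverage.

```python
"""Build an ATT&CK coverage map from tagged detection rules, find gaps, overlay an
actor profile, and emit an ATT&CK Navigator layer.

Added example, not from the original article, Suriq, or MITRE. Rules and the
actor profile are constructed; Navigator version numbers and colours are assumptions.
"""
import json
import re

# The Enterprise-matrix excerpt used in the article: technique ID -> (tactic, name).
CATALOG = {
    "T1190": ("Initial Access", "Exploit Public-Facing Application"),
    "T1059": ("Execution", "Command and Scripting Interpreter"),
    "T1053": ("Persistence", "Scheduled Task/Job"),
    "T1110": ("Credential Access", "Brute Force"),
    "T1562": ("Defense Evasion", "Impair Defenses"),
    "T1046": ("Discovery", "Network Service Discovery"),
    "T1041": ("Exfiltration", "Exfiltration Over C2 Channel"),
}

# Constructed detection rules with Sigma-style ATT&CK tags.
RULES = [
    {"title": "SSH password spraying", "tags": ["attack.credential_access", "attack.t1110.003"]},
    {"title": "Web shell written by app server", "tags": ["attack.initial_access", "attack.t1190"]},
    {"title": "Encoded PowerShell command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "New scheduled task created", "tags": ["attack.persistence", "attack.t1053.005"]},
    {"title": "Security tooling disabled", "tags": ["attack.defense_evasion", "attack.t1562"]},
]

# Constructed profile of a hypothetical actor, as a threat report might list it.
ACTOR_PROFILE = {
    "name": "Example Group (hypothetical)",
    "techniques": ["T1190", "T1059", "T1053", "T1110", "T1046", "T1041"],
}

TECH_TAG = re.compile(r"^attack\.(t\d{4})(?:\.(\d{3}))?$", re.IGNORECASE)
SCORE = {"covered": 2, "partial": 1, "uncovered": 0}
COLOR = {"covered": "#2e8b57", "partial": "#f0c419", "uncovered": "#d9534f"}  # assumed palette


def technique_ids(rule):
    """Return the technique or sub-technique IDs a rule is tagged with, e.g. {'T1110.003'}."""
    ids = set()
    for tag in rule["tags"]:
        m = TECH_TAG.match(tag)
        if m:
            parent = m.group(1).upper()
            ids.add(f"{parent}.{m.group(2)}" if m.group(2) else parent)
    return ids


def coverage(rules, catalog=CATALOG):
    """Map each catalog technique to the rules that cover it and a status.

    'covered'   : at least one rule is tagged with the parent technique itself
    'partial'   : rules exist, but all of them target individual sub-techniques
    'uncovered' : no rule at all
    """
    cov = {tid: {"rules": [], "sub_only": True} for tid in catalog}
    for rule in rules:
        for full_id in technique_ids(rule):
            parent = full_id.split(".")[0]
            if parent in cov:
                cov[parent]["rules"].append(rule["title"])
                if "." not in full_id:
                    cov[parent]["sub_only"] = False
    for entry in cov.values():
        entry["status"] = ("uncovered" if not entry["rules"]
                           else "partial" if entry["sub_only"] else "covered")
    return cov


def gaps(cov):
    """Technique IDs with no detection at all: the blank cells on the matrix."""
    return sorted(tid for tid, e in cov.items() if e["status"] == "uncovered")


def actor_exposure(cov, profile):
    """Which of an actor's known techniques we could not, or could only partly, see."""
    return {
        status: sorted(t for t in profile["techniques"] if cov.get(t, {}).get("status") == status)
        for status in ("uncovered", "partial")
    }


def navigator_layer(cov, catalog=CATALOG, name="Detection coverage (example)"):
    """Render the coverage map as an ATT&CK Navigator layer dictionary."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumptions
        "domain": "enterprise-attack",
        "description": "Generated from rule tags; partial = sub-technique coverage only",
        "techniques": [
            {
                "techniqueID": tid,
                "tactic": catalog[tid][0].lower().replace(" ", "-"),
                "score": SCORE[e["status"]],
                "color": COLOR[e["status"]],
                "comment": ", ".join(e["rules"]) or "no detection",
            }
            for tid, e in sorted(cov.items())
        ],
    }


if __name__ == "__main__":
    cov = coverage(RULES)
    print("gaps:", gaps(cov))
    print("exposure to", ACTOR_PROFILE["name"], actor_exposure(cov, ACTOR_PROFILE))
    print(json.dumps(navigator_layer(cov), indent=2))
```

Writing the printed JSON to a file and opening it in Navigator colours the seven techniques by status. The more useful output for a detection backlog is `actor_exposure`: for the hypothetical profile above it lists Discovery and Exfiltration as outright blind spots and flags Execution, Persistence and Brute Force as only partly covered, which is exactly the "could we see this adversary?" answer the workflow is after.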
The honest limits
ATT&CK is powerful, but it is not magic, and treating it as a scoreboard is a common mistake. It describes what is known and observed, so a brand-new or bespoke technique will not be on the matrix yet. "We have a detection for T1110" does not mean that detection is tuned well, fires reliably, or covers every sub-technique. And a matrix that is all green can lull a team into a false sense of safety when the real question is whether each of those detections actually works under pressure. ATT&CK is a map of the terrain. It is not proof you have walked it, and it does not replace testing.
Where Suriq fits
Suriq runs a managed SIEM whose detections are mapped to MITRE ATT&CK. When an alert fires, it arrives with the relevant technique and tactic attached, so an analyst sees not just that a brute-force attempt happened, but that it is T1110 under Credential Access and what usually comes next in that chain. For teams doing structured threat hunting, that shared technique vocabulary is what makes coverage measurable instead of anecdotal, and it is what lets a small team reason about a big matrix without getting lost in it. If you want that mapping and the people watching it without building and running the pipeline yourself, that is the managed detection model Suriq is built around.