What is MITRE ATT&CK?
MITRE ATT&CK is a globally accessible, community-maintained knowledge base of the tactics and techniques attackers use in real intrusions, organized by phase — initial access, execution, persistence, privilege escalation, lateral movement, exfiltration — and used as the common language between red teams, blue teams, and threat intelligence analysts.
Where it came from
MITRE is a not-for-profit US research operator that runs federally funded R&D centers. In 2013 a team there started cataloging post-compromise attacker behavior — what threat actors actually do after they get a foothold — to give defenders a vocabulary for describing intrusions. The first public release came in 2015. Today ATT&CK is the de facto language of adversary behavior, cited in compliance frameworks, threat intelligence reports, and red team engagement specs across the industry.
What are tactics, techniques, and procedures (TTPs)?
ATT&CK organizes adversary behavior into a hierarchy. Tactics are the high-level "why" — Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques are the specific "how" under each tactic — phishing, scheduled tasks, valid accounts, pass-the-hash, and so on. Sub-techniques add another layer of specificity. The whole catalog runs to hundreds of entries, each with examples from real intrusions and detection guidance.
The ATT&CK Navigator
The Navigator is a free web tool that visualizes the framework as a color-codable matrix. Defenders use it to mark which techniques their detection rules cover, which are unaddressed, and which their last red-team engagement actually triggered. Threat intel teams use it to overlay specific adversary groups — show me every technique APT29 has been observed using in public reporting — and compare against their own coverage. It is the closest thing the industry has to a shared canvas for defensive maturity.
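The coverage-versus-overlay comparison described above can be scripted before anything is loaded into the Navigator. The following is an added example, not code from MITRE or from this page's author: the rule names, the overlay set, and the colors are constructed, the entry field names (`techniqueID`, `score`, `color`, `comment`) and the `enterprise-attack` domain are assumed to follow the Navigator layer JSON format, and layer version metadata is omitted. It also handles the sub-technique case, where a rule tagged only at the parent technique counts as partial coverage.

```python
import json

# Constructed sample: detection rules tagged with ATT&CK technique IDs.
DETECTION_RULES = {
    "mail-attachment-sandbox": ["T1566"],
    "new-scheduled-task": ["T1053.005"],
    "ntlm-logon-anomaly": ["T1550"],  # tagged at parent level only
}
# Constructed technique set standing in for a group overlay (not real reporting).
GROUP_OVERLAY = {"T1566", "T1053.005", "T1078", "T1550.002"}
COLORS = {"covered": "#8ec843", "partial": "#ffe766", "gap": "#ff6666"}

def rules_by_technique(rules):
    """Invert rule -> techniques into technique -> rule names (sorted)."""
    out = {}
    for rule, techniques in sorted(rules.items()):
        for tid in techniques:
            out.setdefault(tid, []).append(rule)
    return out

def classify(tid, by_tech):
    """covered = exact ID match; partial = only the parent technique is tagged."""
    if tid in by_tech:
        return "covered", by_tech[tid]
    parent = tid.split(".")[0]
    if parent != tid and parent in by_tech:
        return "partial", by_tech[parent]
    return "gap", []

def build_layer(name, rules, overlay):
    """Return a Navigator-layer-shaped dict with one entry per overlay technique."""
    by_tech = rules_by_technique(rules)
    entries = []
    for tid in sorted(overlay):
        state, names = classify(tid, by_tech)
        entries.append({
            "techniqueID": tid, "score": len(names), "color": COLORS[state],
            "comment": f"{state}: " + (", ".join(names) or "no detection rule"),
        })
    return {"name": name, "domain": "enterprise-attack", "techniques": entries}

def gaps(rules, overlay):
    """Overlay techniques with no rule at the technique or parent level."""
    by_tech = rules_by_technique(rules)
    return [t for t in sorted(overlay) if classify(t, by_tech)[0] == "gap"]

if __name__ == "__main__":
    print(json.dumps(build_layer("coverage vs overlay", DETECTION_RULES, GROUP_OVERLAY), indent=2))
    print("gaps:", gaps(DETECTION_RULES, GROUP_OVERLAY))
```

A rule tagged with a technique ID only claims coverage; whether it fires is what a red-team exercise or detection test confirms.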
What is the difference between MITRE ATT&CK and OWASP?
Both are taxonomies, but they cover different ground. OWASP Top 10 is about application-layer vulnerabilities — the bugs attackers exploit to get in or escalate. ATT&CK is about adversary behavior across the whole intrusion lifecycle — what they do once they are in. A complete security program touches both: OWASP for app development, ATT&CK for detection engineering and incident response.
At QUANT LAB
Our MITRE ATT&CK assessment engagements help organizations measure their current detection and prevention coverage across the framework. We map your existing controls — EDR, SIEM rules, identity protection, network sensors — to ATT&CK techniques, identify the gaps, and prioritize the ones with the highest blast radius. The same mapping shows up in our pentest reports, which tag every finding with the relevant tactic and technique IDs so your blue team can correlate them to detection coverage.
ATT&CK for cloud, mobile, and ICS
The original framework focused on enterprise endpoints. Since then MITRE has shipped specialized matrices: ATT&CK for Cloud (AWS, Azure, GCP, Office 365, Google Workspace), ATT&CK for Mobile (iOS, Android), and ATT&CK for ICS (industrial control systems). Each uses the same tactic backbone but lists the techniques that apply in that environment. For a SaaS company most relevant work happens in the enterprise and cloud matrices; for a fintech that runs mobile apps, mobile matters too. The matrices share terminology and structure, which means analysts trained on one can read the others without relearning the vocabulary. That portability is part of why ATT&CK has outpaced every previous attempt at an industry-standard taxonomy.