What is MITRE ATT&CK?
ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is a knowledge base maintained by MITRE. Based on real-world observations, it documents how attackers operate, step by step, once they have entered an environment.
The content is organized into matrices (Enterprise, Mobile, and ICS for industrial control systems). The columns are tactics, that is, the attacker's objectives; each tactic groups techniques and sub-techniques, which describe how those objectives are achieved.
Why it matters for your organization
ATT&CK shifts defense from "which tool" to "which behavior". An attacker can swap out malware at will, but the underlying techniques, such as abusing legitimate system tools, change far less often, so detections built on them hold up longer.
It is also a common reference that aligns detection, response and threat-intelligence teams on a shared vocabulary, and lets you objectively measure where your defensive blind spots lie.
How to use ATT&CK
- Map detection: tie each rule and sensor to the techniques it covers.
- Prioritize: focus on the techniques most used against your sector.
- Simulate: guide red-team and purple-team exercises.
- Structure CTI: describe threat actors' modes of operation with a shared vocabulary.
Where organizations most often fall short
The most common pitfall is treating ATT&CK as a mere checklist, trying to "cover" as many techniques as possible without regard to their relevance to your environment. The value comes from prioritizing by real threat, not from theoretical completeness.
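To make the "map detection" and "prioritize" steps concrete, here is an added Python example (not from MITRE or the original article) that reads Sigma-style ATT&CK tags on detection rules, reports coverage per tactic against a small excerpt of the Enterprise matrix, and lists the uncovered techniques from a threat profile most frequent first, so the gaps that matter come before theoretical completeness. The matrix excerpt, the rules and the frequencies are constructed sample data; only the technique IDs are real.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Enterprise matrix (real IDs): technique -> (name, tactics).
MATRIX = {
    "T1566": ("Phishing", ("initial-access",)),
    "T1078": ("Valid Accounts", ("initial-access", "persistence", "defense-evasion")),
    "T1059": ("Command and Scripting Interpreter", ("execution",)),
    "T1059.001": ("PowerShell", ("execution",)),
    "T1003": ("OS Credential Dumping", ("credential-access",)),
    "T1003.001": ("LSASS Memory", ("credential-access",)),
}
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

def techniques_from_tags(tags):
    # Technique IDs from Sigma-style tags ('attack.t1059.001'); a sub-technique
    # is also credited to its parent technique (T1059.001 -> T1059).
    found = set()
    for tag in tags:
        m = TECH_TAG.match(tag)
        if m:
            tid = m.group(1).upper()
            found.update({tid, tid.split(".")[0]})
    return found

def covered_techniques(rules):
    # Every technique ID that at least one rule claims to detect.
    return set().union(*(techniques_from_tags(r["tags"]) for r in rules))

def coverage_by_tactic(rules):
    # tactic -> (MATRIX techniques with at least one rule, MATRIX techniques in that tactic)
    cov, stats = covered_techniques(rules), defaultdict(lambda: [0, 0])
    for tid, (_, tactics) in MATRIX.items():
        for tactic in tactics:
            stats[tactic][0] += int(tid in cov)
            stats[tactic][1] += 1
    return {t: tuple(v) for t, v in stats.items()}

def blind_spots(rules, threat_profile):
    # Profile techniques (ID -> frequency seen against your sector) no rule covers, most frequent first.
    cov = covered_techniques(rules)
    gaps = [(tid, n) for tid, n in threat_profile.items() if tid not in cov]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))

RULES = [  # constructed sample rules carrying Sigma-style ATT&CK tags
    {"title": "PowerShell encoded command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "LSASS handle access", "tags": ["attack.credential-access", "attack.t1003.001"]},
    {"title": "Office app spawns script host", "tags": ["attack.initial-access", "attack.t1566"]},
]
THREAT_PROFILE = {"T1566": 40, "T1078": 35, "T1059.001": 30, "T1021.001": 25, "T1486": 20}  # constructed
```

With the sample data, `coverage_by_tactic(RULES)` shows execution and credential access fully covered while persistence and defense evasion have nothing, and `blind_spots(RULES, THREAT_PROFILE)` puts Valid Accounts (T1078) at the top of the work queue.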