
MITRE ATT&CK

MITRE ATT&CK is a public knowledge base cataloging the tactics, techniques and procedures (TTPs) attackers actually use. Organized into matrices, it serves as a common language to describe adversary behavior, design detection and assess defensive coverage.

Updated on July 2, 2026

What is MITRE ATT&CK?

ATT&CK, for Adversarial Tactics, Techniques and Common Knowledge, is a knowledge base maintained by the MITRE organization. Based on real-world observations, it documents how attackers operate, step by step, once they have entered an environment.

The content is organized into matrices (Enterprise, Mobile, industrial systems). The columns represent tactics, that is, the attackers' objectives. Each tactic groups techniques and sub-techniques, which describe how those objectives are achieved.

Why it matters for your organization

ATT&CK shifts defense from "which tool" to "which behavior". An attacker can swap out malware, but the underlying techniques, such as abusing legitimate system tools, are more stable and therefore easier to detect over the long term.

It is also a common reference that aligns detection, response and threat-intelligence teams on a shared vocabulary, and lets you objectively measure where your defensive blind spots lie.

How to use ATT&CK

  • Map detection: tie each rule and sensor to the techniques it covers.
  • Prioritize: focus on the techniques most used against your sector.
  • Simulate: guide red-team and purple-team exercises.
  • Structure CTI: describe threat actors' modes of operation with a shared vocabulary.

Where organizations most often fall short

The most common pitfall is treating ATT&CK as a mere checklist, trying to "cover" as many techniques as possible without regard to their relevance to your environment. The value comes from prioritizing by real threat, not from theoretical completeness.
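
The difference between counting covered techniques and prioritizing by threat can be shown with a small coverage script. This is an added example, not code from FortaRisks or MITRE: the rule names and sector weights are constructed for illustration, and the partial-coverage rule for sub-techniques is an assumption of this sketch. The technique IDs are ATT&CK Enterprise identifiers.

```python
# Constructed sample: detection rules mapped to the ATT&CK techniques they cover.
RULES = {
    "ps_encoded_command": ["T1059.001"],                # PowerShell
    "office_spawns_shell": ["T1566.001", "T1059.003"],  # Spearphishing Attachment, Windows Command Shell
    "rundll32_no_args": ["T1218.011"],                  # Rundll32
    "new_scheduled_task": ["T1053.005"],                # Scheduled Task
    "new_service_install": ["T1543.003"],               # Windows Service
}

# Hypothetical sector priorities: weight = relative importance taken from your own CTI.
PRIORITIES = {
    "T1566.001": 5, "T1059.001": 4, "T1003.001": 4,
    "T1021.001": 3, "T1486": 5, "T1218": 2,
}

def parent(technique_id):
    """T1059.001 -> T1059; a parent technique is returned unchanged."""
    return technique_id.split(".")[0]

def coverage_status(technique_id, covered):
    if technique_id in covered:
        return "covered"
    # Assumption: a rule on a sibling sub-technique, or only on the parent,
    # counts as partial coverage and still needs review.
    if any(parent(c) == parent(technique_id) for c in covered):
        return "partial"
    return "gap"

def assess(rules, priorities):
    covered = {t for techniques in rules.values() for t in techniques}
    status = {t: coverage_status(t, covered) for t in priorities}
    total = sum(priorities.values())
    hit = sum(w for t, w in priorities.items() if status[t] == "covered")
    gaps = sorted((t for t in priorities if status[t] != "covered"),
                  key=lambda t: -priorities[t])
    return {
        "techniques_with_a_rule": len(covered),   # the "checklist" number
        "weighted_coverage": round(hit / total, 2),  # share of prioritized threat covered
        "status": status,
        "gaps": gaps,                             # highest-priority blind spots first
    }

if __name__ == "__main__":
    report = assess(RULES, PRIORITIES)
    print(report["techniques_with_a_rule"], "techniques have a rule;",
          f"weighted coverage of sector priorities: {report['weighted_coverage']:.0%}")
    for t in report["gaps"]:
        print(f"  {t}: {report['status'][t]} (weight {PRIORITIES[t]})")
```

Six techniques have a rule, yet the weighted coverage of the prioritized list is well under half, and the highest-weight gaps come first in the output.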

Frequently asked questions

What is the difference between a tactic and a technique in ATT&CK?

A tactic is the attacker's objective at a given stage (for example gaining initial access, moving laterally, exfiltrating data). A technique is the concrete way of achieving that objective. A tactic therefore groups many possible techniques and sub-techniques.

What is MITRE ATT&CK actually used for?

To move from tool-centric defense to defense centered on attacker behavior. It is used to map detection coverage, prioritize the techniques most relevant to your sector, guide attack-simulation exercises and structure threat-intelligence reports.
