In depth
Three matrices cover different attack surfaces: Enterprise (Windows, macOS, Linux, network devices), Mobile (iOS and Android), and ICS (industrial control systems). Cloud sub-matrices for AWS, Azure, GCP, SaaS, IaaS and Azure AD let cloud-native teams map control-plane abuse the same way enterprise teams map Active Directory abuse. The MITRE ATT&CK Navigator is a free web tool for building heatmaps of coverage — green for "detected and prevented," yellow for "detected only," red for "blind spot" — which becomes the canonical artefact in Red, Blue and Purple Team retrospectives.
ATT&CK is most powerful when it is used end-to-end. Threat-intelligence teams tag IOCs with the techniques the related campaign uses. Detection engineers write Sigma rules per technique. Red Team operators plan engagements as ATT&CK paths. Blue Team postmortems list the techniques observed and the techniques missed. Compliance teams use the matrix to close the "what controls do we have" question that frameworks like SOC 2 and ISO 27001 leave open.
Common pitfalls: counting techniques rather than measuring detection quality, mistaking sub-technique sprawl for coverage, and ignoring the data-source layer (ATT&CK Data Sources tell you what telemetry a detection needs — without that telemetry the detection is theoretical). See Lazarus Group MITRE ATT&CK techniques for a worked example of one adversary mapped end-to-end.
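The data-source pitfall above can be checked mechanically. The following sketch is an added example, not code from MITRE or from this page: it builds a Navigator-style layer in the page's green/yellow/red scheme and downgrades any rule whose required telemetry is not collected to a blind spot. The rule names, the telemetry inventory and the in-scope list are constructed, and the layer carries only the `name`, `domain` and `techniques` fields, with version metadata left out.

```python
import json

# Heatmap colours follow the page's convention: green / yellow / red.
COLOURS = {"prevented": "#2ecc71", "detected": "#f1c40f", "blind": "#e74c3c"}
RANK = {"blind": 0, "detected": 1, "prevented": 2}

# Constructed sample inventory: rule names, outcomes and telemetry needs are illustrative.
DETECTIONS = [
    {"rule": "ps_encoded_cmd", "technique": "T1059.001", "outcome": "prevented",
     "needs": ["Process: Process Creation", "Script: Script Execution"]},
    {"rule": "lsass_handle", "technique": "T1003.001", "outcome": "detected",
     "needs": ["Process: Process Access"]},
    {"rule": "odd_hours_logon", "technique": "T1078", "outcome": "detected",
     "needs": ["Logon Session: Logon Session Creation"]},
]
# Constructed: telemetry actually reaching the SIEM, and techniques in scope.
COLLECTED = {"Process: Process Creation", "Script: Script Execution",
             "Logon Session: Logon Session Creation"}
IN_SCOPE = ["T1003.001", "T1059.001", "T1078", "T1566.001"]

def effective_status(det, collected):
    """A rule whose telemetry is not collected is theoretical: treat it as blind."""
    missing = sorted(set(det["needs"]) - collected)
    return ("blind", missing) if missing else (det["outcome"], [])

def build_layer(detections, collected, in_scope, name="Effective coverage"):
    best = {}
    for det in detections:
        status, missing = effective_status(det, collected)
        note = f"{det['rule']}: " + (f"missing {', '.join(missing)}" if missing else status)
        tid = det["technique"]
        if tid not in best or RANK[status] > RANK[best[tid][0]]:
            best[tid] = (status, note)
    for tid in in_scope:  # in-scope techniques with no rule at all
        best.setdefault(tid, ("blind", "no detection written"))
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": t, "color": COLOURS[s], "comment": c}
                           for t, (s, c) in sorted(best.items())]}

def summarise(detections, layer):
    """Compare the naive 'techniques with a rule' count with what can actually fire."""
    claimed = len({d["technique"] for d in detections})
    effective = sum(t["color"] != COLOURS["blind"] for t in layer["techniques"])
    return {"claimed": claimed, "effective": effective, "in_scope": len(layer["techniques"])}

if __name__ == "__main__":
    layer = build_layer(DETECTIONS, COLLECTED, IN_SCOPE)
    print(json.dumps(layer, indent=2))
    print(summarise(DETECTIONS, layer))
```

On the sample data the naive count reports three covered techniques, while only two have rules that can fire with the telemetry collected.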