Glossary Term

MITRE ATT&CK Framework

MITRE ATT&CK™ is a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world cybersecurity observations. MITRE, which is a government-funded research organization, created ATT&CK in 2013 to help organizations across the world – from the private sector to government and solution providers – develop more effective cybersecurity practices.

ATT&CK’s cyberattack observations are displayed in Matrices, which provide a visual representation of the TTPs spanning Windows, Mac, and Linux platforms.

ATT&CK is available to everyone and every organization free of charge and is updated quarterly based on publicly available threat intelligence and incident reporting.

Because ATT&CK is constantly developing based on new attack vectors, contributions from outside MITRE are welcome to help the community uncover new techniques and other relevant information.


ATT&CK was created to help protect Microsoft Windows, Linux, and macOS systems from adversary TTPs, and then expanded to also include mobile devices. ATT&CK is also a framework that offers practical ways for enterprises to assess and improve their security posture. For instance, the framework can be used to understand the effectiveness of defensive measures including intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management.

The MITRE ATT&CK Design and Philosophy whitepaper outlines several use cases to help organizations and security professionals understand how they can better use the information and resources provided by ATT&CK:

Adversary Emulation

Adversary emulation is a process used by defenders and threat hunting teams to imitate a security threat to understand how specific adversaries operate against a technology domain.

ATT&CK can be used by security teams to help them create these adversary emulation scenarios at all stages of the threat lifecycle, which greatly improves their defensive measures.

Red Teaming

Red Teaming is an attack simulation designed to measure how well an organization can withstand a threat from a real-life adversary. The result is to understand what type of impact a breach can have on an organization and its systems.

ATT&CK can be used to create red team plans and organize operations to avoid certain defensive measures that may be in place within a network.

Behavioral Analytics Development

Attacks are constantly evolving, which is why traditional methods of identifying malicious activity on a network are no longer good enough. Organizations can use behavioral analytics to learn how an adversary may interact within their networks to identify and stop suspicious activity in its tracks.

ATT&CK can be used as a tool to construct and test analytics to detect adversarial behavior within an environment.

Defensive Gap Assessment

A defensive gap assessment is carried out by organizations to uncover gaps within their security posture that can potentially leave them susceptible to cyber risks.

ATT&CK can be used to assess an organization’s security tools to identify their security shortfalls. This enables an organization to understand which parts of the matrix they should focus their security investments on so that they can ensure they’re purchasing only the right security product(s) for their specific needs.

SOC Maturity Assessment

A Security Operations Center (SOC) continuously monitors for threats against an organization’s network. Understanding the maturity of a SOC enables an organization to know the effectiveness of its defensive measures.

ATT&CK can be used as one measurement to determine how effective a SOC is at detecting, analyzing and responding to particular attack types or even parts of the attack lifecycle.

Cyber Threat Intelligence Enrichment

Cyber threat intelligence includes information about malware, tools, TTPs, tradecraft, behavior, and other threat indicators. Understanding how different threat scenarios use the same technique allows analysts and defenders to focus on impactful and efficient defenses against them.

ATT&CK can be used by security teams to document adversary group profiles from a behavioral perspective so that they can better map defenses to the threat actors and scenarios most relevant to their organization.
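
The gap assessment and group-profile mapping described above, worked through as an added example (not from the original page or from MITRE). The detection names, group names, and their technique sets are constructed sample data; the technique IDs and names are real ATT&CK entries, each listed under a single tactic for brevity.

```python
from collections import Counter

# Technique ID -> (tactic, name). Real ATT&CK entries; one tactic each for brevity.
TECHNIQUES = {
    "T1566": ("Initial Access", "Phishing"),
    "T1190": ("Initial Access", "Exploit Public-Facing Application"),
    "T1059": ("Execution", "Command and Scripting Interpreter"),
    "T1547": ("Persistence", "Boot or Logon Autostart Execution"),
    "T1543": ("Persistence", "Create or Modify System Process"),
    "T1003": ("Credential Access", "OS Credential Dumping"),
    "T1021": ("Lateral Movement", "Remote Services"),
    "T1486": ("Impact", "Data Encrypted for Impact"),
}
# Constructed sample: techniques each in-house detection claims to cover.
DETECTIONS = {
    "powershell_encoded_command": {"T1059"},
    "lsass_memory_access": {"T1003"},
    "new_service_installed": {"T1543"},
}
# Constructed sample: behavioural profiles of hypothetical threat groups.
GROUP_PROFILES = {
    "GROUP-A": {"T1566", "T1059", "T1003", "T1021"},
    "GROUP-B": {"T1566", "T1059", "T1547", "T1021"},
    "GROUP-C": {"T1190", "T1059", "T1021", "T1486"},
}

def covered(detections):
    """Union of all technique IDs that at least one detection maps to."""
    return set().union(*detections.values())

def coverage_by_tactic(detections, techniques):
    """Per tactic: (techniques with a detection, techniques in the catalogue)."""
    have, hits, totals = covered(detections), Counter(), Counter()
    for tid, (tactic, _name) in techniques.items():
        totals[tactic] += 1
        hits[tactic] += int(tid in have)
    return {tactic: (hits[tactic], totals[tactic]) for tactic in totals}

def ranked_gaps(detections, profiles):
    """Uncovered techniques, most widely used across the group profiles first."""
    have = covered(detections)
    usage = Counter(tid for used in profiles.values() for tid in used)
    gaps = [(tid, n) for tid, n in usage.items() if tid not in have]
    return sorted(gaps, key=lambda gap: (-gap[1], gap[0]))

if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(DETECTIONS, TECHNIQUES).items():
        print(f"{tactic:18} {hit}/{total} techniques covered")
    for tid, n in ranked_gaps(DETECTIONS, GROUP_PROFILES):
        print(f"GAP {tid} {TECHNIQUES[tid][1]}: used by {n} of {len(GROUP_PROFILES)} groups")
```

Ranking gaps by how many relevant group profiles use a technique puts the uncovered behaviours shared across several adversaries at the top of the investment list.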

How Awake Security Models, Hunts, & Visualizes TTPs

ATT&CK has emerged as the industry standard for helping security teams understand how to stay one step ahead of adversary tactics, techniques, and procedures. But a security team’s defensive measures are only as good as the technology they have to support that knowledge.

Awake’s Adversarial Modeling™ capability enables the modeling of complex adversary TTPs that span the dimensions of time, entities, protocols, frequency, and attack stages. The Awake Security Platform can then hunt for and visualize the attack, while also providing the context necessary for triage, incident response, and remediation. Additionally, Awake’s security researchers are constantly updating the platform with new models, which are designed to evolve as attackers evolve, thus giving organizations the power to detect new and evolving TTPs.
