MITRE ATT&CK Framework
Details the MITRE ATT&CK framework and its "Getting Started" roadmap for threat-informed defense, updated to include cross-references to the MITRE D3FEND framework for mapping defensive engineering.
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Developed by the MITRE Corporation, it provides a common taxonomy for describing adversary behavior across the intrusion lifecycle: it began as a catalog of post-compromise behavior, and in 2020 the separate PRE-ATT&CK content was folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics. It is used extensively across the private sector, government, and cybersecurity communities to build threat models and methodologies. The framework is open and available to any organization at no charge.
How ATT&CK Works
ATT&CK changed the vocabulary security practitioners use to discuss cyber threats. Rather than relying only on traditional indicators of compromise (IoCs) such as IP addresses, domain names, or file hashes, which an adversary can swap out cheaply, ATT&CK models adversary behavior: offensive techniques organized by the tactical objectives they support. Behavior is far more expensive for an adversary to change than infrastructure, which is what makes technique-level detection more durable than IoC matching.
The framework is structured around two primary components:
- Tactics: the adversary's short-term objectives during an intrusion, the "why" of an action (e.g., Initial Access, Credential Access, Exfiltration).
- Techniques: the specific behavioral methods adversaries use to achieve those objectives, the "how". Each technique has a stable identifier (T1059, Command and Scripting Interpreter). Since 2020 many techniques are divided into sub-techniques, written with a numeric suffix (T1059.001, PowerShell). A single technique can appear under more than one tactic; Valid Accounts (T1078), for example, serves Initial Access, Persistence, Privilege Escalation, and Defense Evasion.
To facilitate threat intelligence sharing, ATT&CK knowledge is distributed as STIX 2 objects: the original MITRE cti repository used STIX 2.0, and the current attack-stix-data repository uses STIX 2.1. Each technique is an attack-pattern object whose tactic is carried in kill_chain_phases (kill_chain_name "mitre-attack") and whose ATT&CK ID is carried in external_references under source_name "mitre-attack".
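To make the encoding concrete, the following is an added example (not MITRE code) that builds a small STIX 2.1 bundle in the shape ATT&CK uses and indexes it by tactic and technique ID. The technique names and IDs (T1059, T1059.001, T1078) are real ATT&CK identifiers; the STIX object IDs, the deprecated "T0000" entry, and the helper names are constructed for illustration, and a real consumer would load the bundle from attack-stix-data instead.

```python
"""Index an ATT&CK-style STIX 2.1 bundle by tactic and technique ID.

Added example, not MITRE code. SAMPLE_BUNDLE is constructed by hand to mirror
how ATT&CK encodes techniques: one 'attack-pattern' per technique, the tactic
in kill_chain_phases (kill_chain_name 'mitre-attack') and the technique ID in
external_references (source_name 'mitre-attack'). The STIX object IDs and the
'T0000' deprecated entry are placeholders (assumptions for illustration).
"""
import json
import uuid
from collections import defaultdict


def _technique(name, tid, tactics, sub=False, **extra):
    """Build one constructed attack-pattern object in ATT&CK's STIX shape."""
    obj = {
        "type": "attack-pattern",
        "spec_version": "2.1",
        # deterministic placeholder id in the STIX 'type--uuid' format
        "id": f"attack-pattern--{uuid.uuid5(uuid.NAMESPACE_URL, tid)}",
        "name": name,
        "x_mitre_is_subtechnique": sub,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "external_references": [{
            "source_name": "mitre-attack",
            "external_id": tid,
            "url": f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}",
        }],
    }
    obj.update(extra)
    return obj


# Constructed sample bundle (not a copy of MITRE's data).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": f"bundle--{uuid.uuid5(uuid.NAMESPACE_URL, 'sample-bundle')}",
    "objects": [
        _technique("Command and Scripting Interpreter", "T1059", ["execution"]),
        _technique("PowerShell", "T1059.001", ["execution"], sub=True),
        # a technique can sit under several tactics and is indexed under each of them
        _technique("Valid Accounts", "T1078",
                   ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
        # deprecated/revoked entries keep their IDs in the bundle and must be skipped,
        # otherwise stale IDs leak into coverage maps ('T0000' is a placeholder ID)
        _technique("Placeholder Deprecated Technique", "T0000", ["execution"], x_mitre_deprecated=True),
        {"type": "x-mitre-tactic", "spec_version": "2.1",
         "id": f"x-mitre-tactic--{uuid.uuid5(uuid.NAMESPACE_URL, 'execution')}",
         "name": "Execution", "x_mitre_shortname": "execution"},
    ],
})


def attack_id(obj):
    """Return the ATT&CK ID (e.g. 'T1059.001') from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def attack_tactics(obj):
    """Return the tactic shortnames an attack-pattern belongs to."""
    return [p["phase_name"] for p in obj.get("kill_chain_phases", [])
            if p.get("kill_chain_name") == "mitre-attack"]


def index_bundle(bundle_json):
    """Build {tactic_shortname: {technique_id: name}}, skipping revoked/deprecated objects."""
    index = defaultdict(dict)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = attack_id(obj)
        if tid is None:
            continue
        for tactic in attack_tactics(obj):
            index[tactic][tid] = obj["name"]
    return dict(index)


def tactic_names(bundle_json):
    """Map tactic shortname -> display name from the x-mitre-tactic objects."""
    return {o["x_mitre_shortname"]: o["name"]
            for o in json.loads(bundle_json)["objects"] if o.get("type") == "x-mitre-tactic"}


def tactics_for(index, tid):
    """All tactics under which a technique ID is indexed, sorted."""
    return sorted(t for t, techniques in index.items() if tid in techniques)


def parent_technique(tid):
    """'T1059.001' -> 'T1059'; a parent technique maps to itself."""
    return tid.split(".", 1)[0]


if __name__ == "__main__":
    idx = index_bundle(SAMPLE_BUNDLE)
    for tactic in sorted(idx):
        print(tactic, sorted(idx[tactic]))
```

Filtering on `revoked` and `x_mitre_deprecated` matters in practice: ATT&CK keeps superseded techniques in the bundle so old references still resolve, and a coverage map built without the filter will report gaps against techniques MITRE no longer maintains.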
The Cyber Analytics Repository (CAR)
A key companion to ATT&CK is the Cyber Analytics Repository (CAR). Where ATT&CK catalogs techniques, CAR catalogs analytics: detection logic developed by MITRE, written from a Security Operations Center (SOC) operator's perspective, with each analytic mapped to the ATT&CK techniques it is intended to detect. CAR also defines a data model of the host objects and events (processes, files, network flows, and the actions on them) that analytics consume, which makes explicit what telemetry an analytic needs before it can fire.
Getting Started with ATT&CK
Adopting ATT&CK is a fundamental step in Building a Threat-Informed Defense Strategy. The MITRE "Getting Started" roadmap encourages organizations to act proactively rather than waiting for a real intrusion to test their methods.
Organizations typically begin by:
- Identifying the threat actors and techniques most relevant to their specific industry.
- Mapping existing security controls and telemetry to these ATT&CK techniques.
- Using this mapping to identify gaps in visibility, detection, or prevention capabilities.
- Developing or tuning analytics (often leveraging CAR) to close high-priority gaps.
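The four steps above, carried through as one added example (not MITRE's tooling, and not a CAR analytic): a constructed threat profile, telemetry inventory, and CAR-style analytics catalog are combined into a gap report that separates "no telemetry" from "telemetry but no analytic" and flags analytics whose data feed is not actually collected. The technique IDs are real ATT&CK IDs; the required-telemetry mapping, the collected-telemetry set, and the analytic names are assumptions for illustration.

```python
"""Visibility / detection gap analysis for an ATT&CK-based roadmap.

Added example, not MITRE's tooling. The technique IDs are real ATT&CK IDs, but
the threat profile, the telemetry each technique is assumed to need, the
telemetry the organization collects and the analytics catalog are constructed
for illustration. Real prerequisites come from the Detection section (data
components) of each ATT&CK technique page; the catalog follows CAR's convention
of listing, per analytic, the techniques it is meant to detect.
"""
from dataclasses import dataclass, field

# Constructed threat profile: techniques judged relevant to this organization.
RELEVANT_TECHNIQUES = ["T1059.001", "T1003.001", "T1566.001", "T1041", "T1078.002"]

# Assumed telemetry prerequisites per technique (illustrative, not MITRE's mapping).
REQUIRED_TELEMETRY = {
    "T1059.001": {"process_creation", "powershell_script_block"},  # PowerShell
    "T1003.001": {"process_access"},                                # LSASS Memory
    "T1566.001": {"email_attachment", "file_creation"},             # Spearphishing Attachment
    "T1041": {"network_flow"},                                      # Exfiltration Over C2 Channel
    "T1078.002": {"logon_session"},                                 # Domain Accounts
}

# Constructed inventory of what the SOC currently ingests.
COLLECTED_TELEMETRY = {"process_creation", "powershell_script_block", "network_flow",
                       "file_creation", "logon_session"}

# Constructed analytics catalog in CAR's shape: analytic name -> techniques it covers.
DEPLOYED_ANALYTICS = {
    "encoded PowerShell command line": ["T1059.001"],
    "LSASS handle opened by unusual process": ["T1003.001"],
    "anomalous account logon pattern": ["T1078"],  # mapped at parent level only
}


@dataclass
class GapReport:
    covered: list = field(default_factory=list)            # telemetry present, analytic deployed
    covered_via_parent: list = field(default_factory=list) # only a parent-level analytic; verify it fires
    no_analytic: list = field(default_factory=list)        # telemetry present, nothing looks at it
    blind_analytic: list = field(default_factory=list)     # analytic deployed, its telemetry not collected
    no_telemetry: list = field(default_factory=list)       # neither; fix collection first


def parent(tid):
    """'T1078.002' -> 'T1078'."""
    return tid.split(".", 1)[0]


def analyze(relevant, required, collected, analytics):
    """Classify each relevant technique by whether its data and its detection logic exist."""
    detected_by = {}
    for name, tids in analytics.items():
        for tid in tids:
            detected_by.setdefault(tid, []).append(name)

    report = GapReport()
    for tid in relevant:
        needs = required.get(tid)
        # unknown prerequisites count as not collected: an optimistic default hides gaps
        has_data = needs is not None and needs <= collected
        exact = tid in detected_by
        via_parent = not exact and parent(tid) in detected_by
        if has_data and exact:
            report.covered.append(tid)
        elif has_data and via_parent:
            report.covered_via_parent.append(tid)
        elif has_data:
            report.no_analytic.append(tid)
        elif exact or via_parent:
            report.blind_analytic.append(tid)   # looks covered on paper, cannot fire
        else:
            report.no_telemetry.append(tid)
    return report


def telemetry_to_onboard(report, required, collected):
    """Missing data sources that block detection, most frequently needed first."""
    counts = {}
    for tid in report.blind_analytic + report.no_telemetry:
        for src in required.get(tid, set()) - collected:
            counts[src] = counts.get(src, 0) + 1
    return sorted(counts, key=lambda s: (-counts[s], s))


if __name__ == "__main__":
    r = analyze(RELEVANT_TECHNIQUES, REQUIRED_TELEMETRY, COLLECTED_TELEMETRY, DEPLOYED_ANALYTICS)
    for bucket, tids in vars(r).items():
        print(f"{bucket:20} {tids}")
    print("onboard first:", telemetry_to_onboard(r, REQUIRED_TELEMETRY, COLLECTED_TELEMETRY))
```

The `blind_analytic` bucket is the one most coverage spreadsheets miss: an analytic that is deployed but whose data source is not being collected counts as covered in a naive mapping while detecting nothing. Ordering the work as telemetry first, analytics second follows from the report: nothing in `no_telemetry` or `blind_analytic` can be fixed by writing more detection logic.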
Relationship to D3FEND and Other Frameworks
ATT&CK describes adversary behavior; its most direct counterpart on the defensive side is the MITRE D3FEND Framework.
- ATT&CK models the threat landscape via offensive techniques from an adversary's perspective.
- D3FEND models the countermeasure space from a systems or software engineer's perspective: a knowledge graph of defensive techniques grouped under tactics such as Harden, Detect, Isolate, Deceive, and Evict, each describing a specific mitigation or detection technology rather than an adversary action.
By cross-referencing ATT&CK's offensive techniques with D3FEND's countermeasures, security teams can translate threat intelligence into specific engineering responses. The link is not a one-to-one table: D3FEND relates both offensive and defensive techniques to the digital artifacts they produce or inspect (processes, files, network traffic, credentials), and the cross-reference is inferred through those shared artifacts. Vendors and practitioners use this relationship to state precisely which adversary behaviors a product can detect, prevent, or monitor.
Furthermore, ATT&CK fits into the broader landscape of Cybersecurity Frameworks & Standards. It has influenced and been influenced by models such as the ODNI Cyber Threat Framework and DoDCAR, while helping organizations operationalize the outcomes in the NIST Cybersecurity Framework (CSF) 2.0 and the controls in NIST SP 800-53 Revision 5; MITRE's Center for Threat-Informed Defense publishes mappings from 800-53 controls to the ATT&CK techniques they mitigate.