What Is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Originally developed by MITRE Corporation for a government research project, ATT&CK has evolved into the de facto standard for describing and categorizing adversary behavior across the cybersecurity industry.
The framework catalogs the full lifecycle of an attack, from initial reconnaissance through data exfiltration and impact. Each entry in the framework is based on documented real-world use by threat actors, making it a practical reference rather than a theoretical model. As of early 2026, the Enterprise ATT&CK matrix contains 14 tactics, over 200 techniques, and hundreds of sub-techniques, each with detailed descriptions, real-world examples, detection guidance, and mitigation recommendations.
The Framework Structure: Tactics, Techniques, and Procedures
Understanding the hierarchical structure of ATT&CK is essential for using it effectively in penetration testing.
Tactics: The "Why"
Tactics represent the adversary's tactical objective, the reason for performing an action. They answer the question "what is the attacker trying to achieve at this stage?" The 14 Enterprise tactics form the columns of the ATT&CK matrix and represent the phases of an attack lifecycle:
- Reconnaissance (TA0043): Gathering information to plan the operation
- Resource Development (TA0042): Establishing resources to support the operation
- Initial Access (TA0001): Gaining a foothold in the target environment
- Execution (TA0002): Running malicious code
- Persistence (TA0003): Maintaining presence across restarts and credential changes
- Privilege Escalation (TA0004): Gaining higher-level permissions
- Defense Evasion (TA0005): Avoiding detection
- Credential Access (TA0006): Stealing credentials
- Discovery (TA0007): Learning about the environment
- Lateral Movement (TA0008): Moving through the environment
- Collection (TA0009): Gathering data of interest
- Command and Control (TA0011): Communicating with compromised systems
- Exfiltration (TA0010): Stealing data from the environment
- Impact (TA0040): Disrupting availability or compromising integrity
Techniques: The "How"
Techniques describe how an adversary achieves a tactical objective. Each technique sits under one or more tactics and describes a specific method used by real-world threat actors. For example, under the Initial Access tactic, techniques include Phishing (T1566), Exploit Public-Facing Application (T1190), Valid Accounts (T1078), and several others.
Many techniques have sub-techniques that provide more granular detail. For example, Phishing (T1566) has sub-techniques including Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), and Spearphishing via Service (T1566.003). This hierarchical detail allows testers to precisely describe their activities and map them to specific documented adversary behaviors.
Procedures: The "What Exactly"
Procedures are the specific implementations of techniques by particular threat groups or malware. They represent the most granular level of ATT&CK and provide concrete examples of how techniques have been used in the wild. For penetration testers, procedures serve as inspiration for realistic attack scenarios and help ensure that testing reflects actual adversary tradecraft rather than theoretical possibilities.
Using ATT&CK to Plan Penetration Testing Engagements
One of the most valuable applications of ATT&CK for offensive security professionals is using it to plan and scope engagements that align with realistic threat scenarios.
Threat-Informed Engagement Planning
Rather than conducting a generic penetration test, ATT&CK enables threat-informed testing where the engagement is designed to simulate the specific techniques used by threat actors that are most relevant to the client's industry, geography, and technology stack. This approach produces findings that directly address the organization's most likely threats.
The planning process works as follows:
- Identify relevant threat groups: Use ATT&CK's threat group profiles to identify adversaries that target your client's industry. For a San Francisco financial technology company, for example, you might focus on groups like APT38 (financially motivated) or FIN7 (targeting financial services).
- Map their techniques: Review the techniques used by the identified threat groups and create a composite technique profile that represents the most likely attack scenarios.
- Design the engagement: Structure the penetration test to exercise the identified techniques, ensuring that the client's defenses are tested against realistic adversary behavior.
- Define success criteria: Use the technique mapping to establish clear objectives for each phase of the engagement, such as "achieve initial access using T1566.001 (Spearphishing Attachment) or T1190 (Exploit Public-Facing Application)."
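The composite technique profile from steps 2 and 4 can be produced mechanically once you have each group's technique list. The script below is an added example, not code from the original article or from MITRE: the three group-to-technique mappings are constructed placeholders (real profiles come from the ATT&CK Groups pages or STIX data and are much longer), and the technique-to-tactic table is simplified to one primary tactic per technique (in ATT&CK, T1078 and T1133 also appear under other tactics). It ranks techniques by how many of the selected groups use them, rolls sub-techniques up to their parent for scoping discussions, and groups the prioritised techniques by tactic so each phase of the engagement gets concrete objectives.

```python
"""Composite technique profile from several threat groups (added example).

The mappings below are constructed for illustration; pull real ones from
the ATT&CK version you are referencing and keep them current.
"""
from collections import Counter, defaultdict

# Constructed: group name -> technique IDs it is documented using.
GROUP_TECHNIQUES = {
    "GROUP-A (constructed)": {"T1566.001", "T1190", "T1059.001", "T1003.006", "T1021.001"},
    "GROUP-B (constructed)": {"T1566.002", "T1078", "T1059.001", "T1558.003", "T1021.001"},
    "GROUP-C (constructed)": {"T1190", "T1133", "T1059.001", "T1003.006", "T1550.002"},
}

# Simplified: primary tactic per technique (assumption; some techniques
# sit under more than one tactic in the real matrix).
TECHNIQUE_TACTIC = {
    "T1566.001": "Initial Access", "T1566.002": "Initial Access",
    "T1190": "Initial Access", "T1078": "Initial Access", "T1133": "Initial Access",
    "T1059.001": "Execution",
    "T1003.006": "Credential Access", "T1558.003": "Credential Access",
    "T1021.001": "Lateral Movement", "T1550.002": "Lateral Movement",
}


def parent_technique(technique_id):
    """Parent of a sub-technique: 'T1566.001' -> 'T1566'; parents map to themselves."""
    return technique_id.split(".")[0]


def composite_profile(group_techniques):
    """How many of the selected groups use each technique."""
    counts = Counter()
    for techniques in group_techniques.values():
        counts.update(techniques)
    return counts


def prioritised_techniques(group_techniques, min_groups=2):
    """Techniques shared by at least `min_groups` groups, most common first.

    A technique seen across several relevant groups is a higher-priority
    test objective than one attributed to a single group. Ties are broken
    by technique ID so the ordering is deterministic.
    """
    counts = composite_profile(group_techniques)
    return sorted(
        (t for t, n in counts.items() if n >= min_groups),
        key=lambda t: (-counts[t], t),
    )


def coverage_by_parent(group_techniques):
    """Roll sub-technique counts up to the parent technique (e.g. both
    spearphishing sub-techniques count towards T1566)."""
    parents = Counter()
    for technique, n in composite_profile(group_techniques).items():
        parents[parent_technique(technique)] += n
    return dict(parents)


def objectives_by_tactic(group_techniques, technique_tactic, min_groups=2):
    """Prioritised techniques grouped by tactic: the raw material for
    per-phase success criteria such as 'achieve initial access using ...'."""
    grouped = defaultdict(list)
    for technique in prioritised_techniques(group_techniques, min_groups):
        grouped[technique_tactic.get(technique, "Unmapped")].append(technique)
    return dict(grouped)


if __name__ == "__main__":
    counts = composite_profile(GROUP_TECHNIQUES)
    for technique in prioritised_techniques(GROUP_TECHNIQUES):
        print(f"{technique}: used by {counts[technique]} of {len(GROUP_TECHNIQUES)} groups")
    for tactic, techniques in objectives_by_tactic(GROUP_TECHNIQUES, TECHNIQUE_TACTIC).items():
        print(f"{tactic}: {', '.join(techniques)}")
```

The `min_groups` threshold is the scoping knob: raising it narrows the engagement to techniques every relevant group shares, lowering it to 1 gives the full union for a red team scope.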
Scoping with ATT&CK Coverage
ATT&CK provides an objective framework for discussing engagement scope with clients. Instead of vague descriptions like "we will test your network security," you can specify exactly which tactics and techniques will be in scope. This precision helps clients understand what they are paying for and enables meaningful comparison between testing providers.
| Engagement Type | Primary ATT&CK Tactics | Typical Technique Count |
|---|---|---|
| External Penetration Test | Reconnaissance, Initial Access, Execution | 15-25 |
| Internal Penetration Test | Discovery, Lateral Movement, Privilege Escalation, Credential Access | 30-50 |
| Red Team Engagement | All 14 tactics | 50-100+ |
| Purple Team Exercise | Selected tactics based on threat model | 20-40 (focused) |
| Social Engineering Assessment | Reconnaissance, Initial Access, Execution | 10-15 |
Mapping Penetration Testing Activities to ATT&CK
During an engagement, every significant action performed by the testing team can be mapped to one or more ATT&CK techniques. This mapping serves multiple purposes: it ensures comprehensive coverage of relevant techniques, provides a structured narrative for the final report, and enables the client's security team to evaluate their detection capabilities against specific adversary behaviors.
Initial Access Techniques in Practice
The Initial Access tactic is where most penetration tests begin. Common techniques used by our team at CyberGuards include:
- T1190 - Exploit Public-Facing Application: Identifying and exploiting vulnerabilities in web applications, VPN concentrators, mail servers, and other internet-facing services
- T1566.001 - Spearphishing Attachment: Crafting targeted phishing emails with malicious attachments designed to bypass email security controls
- T1566.002 - Spearphishing Link: Delivering credential harvesting pages or drive-by download links through targeted emails
- T1078 - Valid Accounts: Using credentials obtained through OSINT, credential stuffing, or password spraying to gain initial access
- T1133 - External Remote Services: Accessing VPN, RDP, or other remote access services using compromised or default credentials
Post-Exploitation Techniques
After gaining initial access, penetration testers and red team operators progress through multiple ATT&CK tactics as they attempt to achieve their objectives. Key technique areas include:
Discovery (TA0007):
- T1087 - Account Discovery: Enumerating user and service accounts in the domain
- T1018 - Remote System Discovery: Identifying other hosts on the network
- T1069 - Permission Groups Discovery: Mapping group memberships and privilege structures
- T1046 - Network Service Discovery: Scanning for accessible services on internal hosts
Credential Access (TA0006):
- T1003 - OS Credential Dumping: Extracting credentials from memory, registry, or SAM database
- T1558 - Steal or Forge Kerberos Tickets: Kerberoasting, AS-REP roasting, golden/silver ticket attacks
- T1552 - Unsecured Credentials: Finding passwords in files, scripts, or configuration stores
Lateral Movement (TA0008):
- T1021 - Remote Services: Using RDP, SMB, SSH, or WinRM to move between hosts
- T1550 - Use Alternate Authentication Material: Pass-the-hash, pass-the-ticket attacks
- T1570 - Lateral Tool Transfer: Moving tools to compromised hosts for further exploitation
Reporting with ATT&CK
ATT&CK-mapped reporting is one of the most significant improvements you can make to penetration test deliverables. Rather than presenting findings as an unstructured list of vulnerabilities, ATT&CK-mapped reports tell a coherent story about what an adversary could achieve and which defensive controls need improvement.
Attack Path Narratives
Structure your report around the attack path, mapping each step to its corresponding ATT&CK technique. This narrative approach helps non-technical stakeholders understand how individual vulnerabilities combine to create real-world risk. For example:
"The engagement began with reconnaissance (TA0043) using open-source intelligence gathering to identify target employees and technology. Initial access (TA0001) was achieved through spearphishing (T1566.001) targeting a member of the finance team. Following execution of the payload (TA0002) via user execution (T1204.002), the team established persistence (TA0003) through a scheduled task (T1053.005). Privilege escalation (TA0004) was achieved by exploiting a misconfigured Group Policy Object (T1484.001), leading to domain admin access. Credential access (TA0006) through DCSync (T1003.006) provided credentials for all domain accounts."
Detection Gap Analysis
For each technique executed during the engagement, document whether the client's security tools detected the activity, how long detection took, and whether the detection triggered an appropriate response. This detection gap analysis is one of the most actionable deliverables for a security operations team because it maps directly to specific detection rules and monitoring capabilities they need to implement or improve.
| Technique | ATT&CK ID | Detected? | Detection Time | Response? |
|---|---|---|---|---|
| Spearphishing Attachment | T1566.001 | Partial (email filter) | Immediate | No alert generated |
| PowerShell Execution | T1059.001 | Yes (EDR) | 12 seconds | Alert generated, not investigated |
| Kerberoasting | T1558.003 | No | N/A | N/A |
| Pass-the-Hash | T1550.002 | No | N/A | N/A |
| DCSync | T1003.006 | Yes (SIEM rule) | 4 hours | Incident created after 4 hours |
The ATT&CK Navigator Tool
The ATT&CK Navigator is an open-source web application that provides a visual interface for exploring and annotating the ATT&CK matrix. For penetration testers, it is an invaluable tool for engagement planning, coverage tracking, and report visualization.
Using Navigator for Engagement Planning
Create a Navigator layer that highlights the techniques associated with the threat groups most relevant to your client. This visual representation makes it easy to discuss scope with stakeholders and ensures that the engagement covers the techniques that matter most.
Using Navigator for Coverage Visualization
During and after the engagement, create a Navigator layer showing which techniques were tested, which succeeded, and which were detected. Color-coding techniques by detection status (green for detected, red for undetected, yellow for partially detected) creates a powerful visual summary that immediately communicates the organization's detection posture.
Using Navigator for Gap Analysis
Overlay the threat group technique layer with the detection results layer to produce a gap analysis that highlights exactly where the organization's defenses need improvement relative to the threats they face. This is one of the most compelling and actionable deliverables you can provide to a client.
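The detection gap table from the reporting section and the three Navigator layers described above can come out of one small script. The following is an added example, not code from the original article or from the MITRE ATT&CK Navigator project. The detection results are constructed to mirror the article's table; the threat profile is a constructed set of technique IDs (including two techniques that were not exercised, so their detection status is unknown). The output follows the Navigator's JSON layer format; the `versions` numbers are an assumption and should match the Navigator and ATT&CK releases you actually load the layer into.

```python
"""Detection gap analysis and ATT&CK Navigator layer (added example)."""
import json

# Constructed detection results, one entry per technique executed.
# "seconds" is time to detection (0 = immediate, None = never detected).
DETECTION_RESULTS = [
    {"id": "T1566.001", "name": "Spearphishing Attachment", "status": "partial",    "seconds": 0,        "response": False},
    {"id": "T1059.001", "name": "PowerShell Execution",     "status": "detected",   "seconds": 12,       "response": False},
    {"id": "T1558.003", "name": "Kerberoasting",            "status": "undetected", "seconds": None,     "response": False},
    {"id": "T1550.002", "name": "Pass-the-Hash",            "status": "undetected", "seconds": None,     "response": False},
    {"id": "T1003.006", "name": "DCSync",                   "status": "detected",   "seconds": 4 * 3600, "response": True},
]

# Constructed threat profile: techniques attributed to the relevant groups.
THREAT_PROFILE = {"T1566.001", "T1059.001", "T1558.003", "T1550.002",
                  "T1003.006", "T1021.001", "T1190"}

# Colour scheme from the article: green detected, yellow partial, red undetected.
COLORS = {"detected": "#00aa00", "partial": "#ffd700", "undetected": "#cc0000"}
NOT_EXERCISED = "#aaaaaa"


def detection_gaps(results, threat_profile):
    """Threat-profile techniques without a confirmed detection.

    Reports two kinds of gap: executed but undetected (or only partially
    detected), and in the threat profile but never exercised, so the
    organisation has no evidence either way.
    """
    by_id = {r["id"]: r for r in results}
    gaps = {}
    for tid in sorted(threat_profile):
        r = by_id.get(tid)
        if r is None:
            gaps[tid] = "not exercised"
        elif r["status"] != "detected":
            gaps[tid] = r["status"]
    return gaps


def detection_metrics(results):
    """Summary numbers for the detection gap section of the report."""
    detected = [r for r in results if r["status"] == "detected"]
    times = [r["seconds"] for r in detected if r["seconds"] is not None]
    return {
        "executed": len(results),
        "detected": len(detected),
        "partial": sum(1 for r in results if r["status"] == "partial"),
        "undetected": sum(1 for r in results if r["status"] == "undetected"),
        # Detected but never investigated: a process gap, not a tooling gap.
        "detected_without_response": sum(1 for r in detected if not r["response"]),
        "mean_detection_seconds": (sum(times) / len(times)) if times else None,
    }


def navigator_layer(results, threat_profile, name="Detection coverage"):
    """Navigator layer dict: threat profile overlaid with detection status."""
    by_id = {r["id"]: r for r in results}
    techniques = []
    for tid in sorted(threat_profile | set(by_id)):
        r = by_id.get(tid)
        if r is None:
            entry = {"techniqueID": tid, "color": NOT_EXERCISED,
                     "comment": "In threat profile; not exercised this engagement"}
        else:
            t = "n/a" if r["seconds"] is None else f"{r['seconds']}s"
            entry = {"techniqueID": tid, "color": COLORS[r["status"]],
                     "comment": f"{r['name']}: {r['status']}, detection time {t}, "
                                f"response={'yes' if r['response'] else 'no'}"}
        entry["enabled"] = True
        techniques.append(entry)
    return {
        "name": name,
        # Assumed version numbers; set these to the releases you use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from engagement detection results (constructed example)",
        "techniques": techniques,
        "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()]
                       + [{"label": "not exercised", "color": NOT_EXERCISED}],
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(DETECTION_RESULTS, THREAT_PROFILE), indent=2))
    print(detection_gaps(DETECTION_RESULTS, THREAT_PROFILE))
    print(detection_metrics(DETECTION_RESULTS))
```

Save the printed JSON to a file and open it with the Navigator's "Open Existing Layer" option to get the colour-coded matrix; the grey "not exercised" entries are the ones to schedule for the next purple team cycle, since they are threats the organisation faces but has not yet measured its detection against.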
ATT&CK for Purple Team Exercises
Purple team exercises, where offensive and defensive teams work collaboratively, derive enormous value from ATT&CK. The framework provides a shared vocabulary and objective structure for the exercise.
A typical ATT&CK-based purple team exercise follows this pattern:
- Select techniques: Choose 20-40 techniques relevant to the organization's threat model
- Execute and observe: The red team executes each technique while the blue team monitors their detection tools in real time
- Document results: For each technique, record whether it was detected, how it was detected, and what response actions were triggered
- Tune and retry: For undetected techniques, the blue team implements or adjusts detection rules and the red team re-executes to verify detection
- Measure improvement: Track detection coverage over time across multiple exercises
This structured approach transforms penetration testing from a point-in-time assessment into a continuous improvement program. Our Bay Area clients who adopt this model typically see significant improvement in their detection capabilities within 2-3 quarterly exercise cycles.
Common Mistakes When Using ATT&CK for Testing
While ATT&CK is an extraordinarily useful framework, there are common mistakes that diminish its value when applied to penetration testing.
- Attempting to cover every technique: The matrix contains over 200 techniques. Trying to test all of them in a single engagement produces shallow coverage. Focus on the techniques most relevant to the client's threat model.
- Confusing technique testing with vulnerability testing: ATT&CK maps adversary behaviors, not vulnerabilities. A technique may succeed due to a combination of misconfigurations, weak controls, and normal functionality rather than a single exploitable vulnerability.
- Ignoring the detection side: Mapping your attack to ATT&CK without evaluating whether each technique was detected misses half the value. Always include detection analysis in ATT&CK-mapped engagements.
- Using ATT&CK as a checklist rather than a framework: ATT&CK is most powerful when used to tell a story about adversary behavior, not as a checkbox exercise where each technique is tested in isolation.
- Neglecting to update technique references: ATT&CK is regularly updated. Ensure you are referencing the current version of the framework and that your technique mappings are accurate.
Getting Started with ATT&CK-Informed Testing
For organizations that have not yet incorporated ATT&CK into their security testing program, here is a practical starting path:
- Identify your top 3 threat groups: Use ATT&CK's groups page to find adversaries that target your industry and geography
- Map their techniques: Create a combined technique profile using the Navigator tool
- Assess current coverage: Evaluate which of these techniques your existing security controls can detect
- Conduct a targeted engagement: Work with your penetration testing provider to design an engagement focused on the gaps you have identified
- Iterate: Use the results to improve detection, then retest to verify improvement
At CyberGuards, our San Francisco-based red team conducts ATT&CK-mapped engagements that provide organizations with a clear picture of their defensive coverage against realistic adversary scenarios. We use the framework not as a theoretical exercise but as a practical tool for improving our clients' security posture against the threats they actually face.