What It Is
A comprehensive knowledge base of adversary behavior, built from real-world observations of how threat actors actually operate. ATT&CK organizes everything into a matrix of tactics (the adversary’s goal) and techniques (how they achieve it):
14 Tactics:
- Reconnaissance — Gathering information to plan an attack
- Resource Development — Establishing infrastructure and capabilities
- Initial Access — Getting into the network (phishing, exploits, supply chain)
- Execution — Running adversary code
- Persistence — Maintaining a foothold across restarts
- Privilege Escalation — Getting higher-level permissions
- Defense Evasion — Avoiding detection
- Credential Access — Stealing credentials
- Discovery — Learning about the environment
- Lateral Movement — Moving through the network
- Collection — Gathering target data
- Command and Control — Communicating with compromised systems
- Exfiltration — Stealing data out of the network
- Impact — Disrupting, destroying, or manipulating systems and data
Each tactic contains dozens of techniques and sub-techniques. Each technique includes real-world examples, detection guidance, and mitigation recommendations.
Why It Matters
ATT&CK is not a testing methodology. It’s the shared language between offense, defense, and threat intelligence.
Before ATT&CK, a pentester might write “we escalated privileges using a kernel exploit.” After ATT&CK, that’s T1068 — Exploitation for Privilege Escalation under the Privilege Escalation tactic — a specific, searchable, cross-referenceable identifier that maps to known threat groups, detection rules, and mitigation strategies.
This matters because it connects three conversations that used to happen separately:
- Red team: “We used T1566.001 (Spearphishing Attachment) for initial access”
- Blue team: “Do we have detection coverage for T1566.001?”
- Threat intel: “APT29 has been observed using T1566.001 against organizations in our sector”
Same language. Same identifier. Actionable across all three functions.
When to Use It
Always. ATT&CK enriches every other framework in this catalog:
- With PTES/ISSAF: Tag exploitation and post-exploitation findings with ATT&CK technique IDs
- With CBEST/TIBER-EU: The threat intelligence phase uses ATT&CK to describe adversary TTPs being simulated
- With OWASP WSTG/MASTG: Map web and mobile findings to relevant ATT&CK techniques
- For detection: Build coverage heat maps showing which techniques your SOC can detect vs. which are blind spots
- For threat modeling: Identify which ATT&CK techniques are most likely given your threat landscape
The Offensive Angle
ATT&CK’s Groups section is gold for red teamers. It catalogs the techniques used by specific threat groups (APT28, Lazarus Group, FIN7, etc.) with citations to the threat intelligence reports that documented them. If you’re building a red team engagement that simulates a specific adversary — which is exactly what CBEST and TIBER-EU require — ATT&CK Groups is where you build your playbook.
The Navigator tool lets you create visual heat maps of technique coverage — useful for showing a client exactly which adversary capabilities you tested and which remain untested.
Pairs Well With
- Every framework in this catalog — ATT&CK is the universal connector
- PTES — Technique IDs on findings make reports actionable for defenders
- CBEST / TIBER-EU — TTP descriptions in threat intelligence phases
- Sigma rules / detection engineering — Detection coverage mapped to ATT&CK techniques