Skip to Content
Detection and Response

What is MITRE ATT&CK?

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Think of it as a map of attacker behavior: instead of describing threats vaguely, it names every step of an attack, which lets you measure whether your defense actually covers what attackers really do.

Zamak TechnologiesUpdated on July 10, 2026

How MITRE ATT&CK is organized

The framework arranges attacker behavior into a matrix that reads left to right, from the attacker's first move to the final impact.

1

Tactics: the attacker's goal

14 tactics that answer why the attacker acts, from initial reconnaissance to final impact. Examples: initial access, lateral movement, exfiltration.

2

Techniques: how they pull it off

More than 200 techniques describing the concrete method behind each tactic, such as phishing for initial access or stealing a credential to move around.

3

Sub-techniques and procedures: the real detail

Specific variations and real examples of how known attack groups carried out each technique.

4

The matrix: the full map

It all comes together into a grid read from the left (first move) to the right (impact): the full picture of an attack.

Source: MITRE (attack.mitre.org).

The phases of an attack, in ATT&CK terms

  • Reconnaissance and entry The attacker studies the target and looks for the first door: a phishing email, a leaked credential, an exposed flaw. (Reconnaissance, resource development, initial access.)
  • Execution and persistence Runs the malicious code and makes sure it stays even after a reboot, creating hidden access. (Execution, persistence, privilege escalation.)
  • Evasion and credential theft Hides from defenses and captures passwords and keys to pass as a legitimate user. (Defense evasion, credential access.)
  • Discovery and lateral movement Maps the network from the inside and hops from one system to another, hunting for what has value. (Discovery, lateral movement.)
  • Collection, control and exfiltration Gathers the data, keeps a command channel to the attacker and sends the information out. (Collection, command and control, exfiltration.)
  • Impact The final blow: encrypting data (ransomware), deleting, committing fraud or halting the operation. (Impact.)

Why this matters to your defense

14 tactics
describe the full cycle of an attack in MITRE ATT&CK (MITRE)
$ 4.44M
average cost of a data breach (IBM 2025)
11 days
median time an intruder goes unnoticed on the network (Mandiant 2025)

Vague threat talk ('we protect against hackers') cannot be measured. MITRE ATT&CK gives a shared, evidence-based map, so a company can ask a concrete question: does my defense detect these specific behaviors? That matters because a data breach runs an average of $ 4.44 million (IBM, Cost of a Data Breach 2025) and the intruder typically sits undetected on the network for 11 days (Mandiant, M-Trends 2025). The value of ATT&CK is turning 'I hope we are covered' into 'here are the attacker behaviors we detect, and the gaps we do not'. Security teams and tools worldwide map their detection to ATT&CK for exactly that reason.

How to use MITRE ATT&CK in practice

You do not need to master the framework. What turns ATT&CK into real protection is:

  1. Map your defense to real behaviorInstead of trusting a product's promise, check which ATT&CK techniques your defense actually detects.
  2. Find the gapsThe techniques no one covers are exactly where the next attack gets in.
  3. Speak a common languageWhen the internal team, the provider and the insurer use the same map, an incident is described without ambiguity.
  4. Prioritize by what threatens youFocus on the techniques the groups attacking your industry actually use, not all of them at once.
  5. Put it to the testExercises that simulate real ATT&CK techniques show whether detection works before the real attack.

In practice

The question ATT&CK answers: if an intruder used technique X, would anyone at your company see it? A map with no one to read it is still just a map.

How Zamak uses MITRE ATT&CK

Zamak Technologies guides detection and response by the ATT&CK map, so defense is measured against real attacker behavior, not a generic checklist. A good starting point is the cybersecurity diagnostic, which shows where the gaps are. It is part of Cybersecurity and Threat Intelligence in the Zamak Method.

Frequently asked questions about MITRE ATT&CK

What does the acronym ATT&CK stand for?
ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge. It is a knowledge base maintained by MITRE, a non-profit organization, and it is open and free to use.
What is the difference between a tactic and a technique in ATT&CK?
A tactic is the attacker's goal (why they act): for example, gaining initial access. A technique is the method (how they do it): for example, a phishing email. One tactic gathers many possible techniques.
Is MITRE ATT&CK a tool I install?
No. It is a knowledge base, a reference map. Security tools (like EDR, MDR and XDR) and teams use that map to organize detection and describe attacks. You benefit from it through whoever runs your defense.
What is the difference between MITRE ATT&CK and an antivirus?
Antivirus is a protection; ATT&CK is the map that helps measure whether the protection covers what attackers do. One does not replace the other: ATT&CK makes defense verifiable.
Does a small company need to worry about MITRE ATT&CK?
A small company does not need to master ATT&CK, but it gains when the defense it hires is guided by it. Automated attacks use the same cataloged techniques, regardless of the target's size.
How does MITRE ATT&CK help after an attack?
It gives precise language to reconstruct what happened: which techniques the intruder used, in what order and where the defense failed. That speeds up response and closes the right gap, instead of just putting out the fire.

Related terms

Detection and Response
Network and Access
Securing the Use of AI
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake
Vulnerabilities and Security Testing
Vulnerability ManagementPenetration Testing (pentest)Vulnerability ScanningBrute-Force AttackSQL InjectionCross-Site Scripting (XSS)SAST and DAST