What is MITRE ATT&CK?
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Think of it as a map of attacker behavior: instead of describing threats vaguely, it names every step of an attack, which lets you measure whether your defense actually covers what attackers really do.
How MITRE ATT&CK is organized
The framework arranges attacker behavior into a matrix that reads left to right, from the attacker's first move to the final impact.
Tactics: the attacker's goal
14 tactics that answer why the attacker acts, from initial reconnaissance to final impact. Examples: initial access, lateral movement, exfiltration.
Techniques: how they pull it off
More than 200 techniques describing the concrete method behind each tactic, such as phishing for initial access or stealing a credential to move around.
Sub-techniques and procedures: the real detail
Specific variations and real examples of how known attack groups carried out each technique.
The matrix: the full map
It all comes together into a grid read from the left (first move) to the right (impact): the full picture of an attack.
Source: MITRE (attack.mitre.org).
The phases of an attack, in ATT&CK terms
- Reconnaissance and entry The attacker studies the target and looks for the first door: a phishing email, a leaked credential, an exposed flaw. (Reconnaissance, resource development, initial access.)
- Execution and persistence Runs the malicious code and makes sure it stays even after a reboot, creating hidden access. (Execution, persistence, privilege escalation.)
- Evasion and credential theft Hides from defenses and captures passwords and keys to pass as a legitimate user. (Defense evasion, credential access.)
- Discovery and lateral movement Maps the network from the inside and hops from one system to another, hunting for what has value. (Discovery, lateral movement.)
- Collection, control and exfiltration Gathers the data, keeps a command channel to the attacker and sends the information out. (Collection, command and control, exfiltration.)
- Impact The final blow: encrypting data (ransomware), deleting, committing fraud or halting the operation. (Impact.)
Why this matters to your defense
Vague threat talk ('we protect against hackers') cannot be measured. MITRE ATT&CK gives a shared, evidence-based map, so a company can ask a concrete question: does my defense detect these specific behaviors? That matters because a data breach runs an average of $ 4.44 million (IBM, Cost of a Data Breach 2025) and the intruder typically sits undetected on the network for 11 days (Mandiant, M-Trends 2025). The value of ATT&CK is turning 'I hope we are covered' into 'here are the attacker behaviors we detect, and the gaps we do not'. Security teams and tools worldwide map their detection to ATT&CK for exactly that reason.
How to use MITRE ATT&CK in practice
You do not need to master the framework. What turns ATT&CK into real protection is:
- Map your defense to real behaviorInstead of trusting a product's promise, check which ATT&CK techniques your defense actually detects.
- Find the gapsThe techniques no one covers are exactly where the next attack gets in.
- Speak a common languageWhen the internal team, the provider and the insurer use the same map, an incident is described without ambiguity.
- Prioritize by what threatens youFocus on the techniques the groups attacking your industry actually use, not all of them at once.
- Put it to the testExercises that simulate real ATT&CK techniques show whether detection works before the real attack.
In practice
The question ATT&CK answers: if an intruder used technique X, would anyone at your company see it? A map with no one to read it is still just a map.
How Zamak uses MITRE ATT&CK
Zamak Technologies guides detection and response by the ATT&CK map, so defense is measured against real attacker behavior, not a generic checklist. A good starting point is the cybersecurity diagnostic, which shows where the gaps are. It is part of Cybersecurity and Threat Intelligence in the Zamak Method.