What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a free, public knowledge base maintained by MITRE, a not-for-profit organization. It catalogs the tactics and techniques attackers have actually been observed using to break into systems, move around networks, steal data, and cause damage, with each entry backed by real-world reporting.
It's not a product or a tool you buy. Think of it as an encyclopedia of attacker behaviour, organized into categories based on what the attacker is trying to accomplish at each stage of an attack.
Think of it this way
Imagine a playbook that lists the moves a burglar is known to use to break into a building: picking locks, climbing through windows, hiding in delivery trucks, disabling alarms, finding the safe, sneaking out the back. MITRE ATT&CK is that playbook, but for cyber attacks. When the known moves are written down, we can check whether your security would catch each one.
How is it Organized?
ATT&CK organizes attacks into tactics (the attacker's goal at each stage) and techniques (the specific methods they use to achieve that goal). Many techniques are further split into sub-techniques; phishing by malicious attachment and phishing by malicious link, for example, are two sub-techniques of phishing. Here are some examples of tactics:
Initial Access — How they get in
Phishing emails, exploiting a vulnerability in a public-facing application, logging in with stolen credentials, plugging in a malicious USB drive. These are all different techniques an attacker might use to get their first foothold in your network.
Privilege Escalation — How they get more power
Once inside, an attacker usually starts with limited access (like a regular employee account). Privilege escalation techniques let them upgrade to administrator access, giving them control over more systems.
Lateral Movement — How they spread
After getting into one computer, attackers move to others on the network. They might use remote desktop, file sharing connections, or management tools that IT departments use every day — turning your own tools against you.
Exfiltration — How they steal data
The endgame for many attacks. The attacker copies your sensitive data — customer information, financial records, trade secrets — and sends it out of your network to servers they control.
The Enterprise matrix has 14 tactics in total, running from Reconnaissance through Impact, with hundreds of techniques and sub-techniques across them. (Separate ATT&CK matrices cover mobile devices and industrial control systems.)
What Does "Mapping to ATT&CK" Mean?
When we map your security to ATT&CK, we go through each technique and ask: "If an attacker tried this, would we detect it?" The answer comes from your actual detection rules, the log sources they depend on, and whether those rules have been exercised, not from a vendor's feature list.
The result is a coverage map, usually drawn with the ATT&CK Navigator tool: a grid showing which techniques your current security tools and rules can detect, and which ones would go unnoticed. Coverage is rarely all-or-nothing. A rule that catches one sub-technique, or one specific tool an attacker might use, does not cover the whole technique, so a useful map grades each cell (covered, partially covered, gap) rather than painting it simply green or red.
This is powerful because it shifts the conversation from vague claims like "we have good security" to specific, measurable statements like "we can detect 78% of the lateral movement techniques in the Enterprise matrix." The number is only meaningful alongside the counting rule behind it (what counts as covered, and whether sub-techniques are counted), so we state that rule with every figure.
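A worked version of the mapping step, as an added example (it is not code from this page or from MITRE): it scores a constructed slice of the Enterprise matrix against a few hypothetical detection rules tagged the way Sigma rules are (attack.<tactic>, attack.t<technique>), computes the per-tactic coverage percentage, flags rules whose tags point outside the matrix, and builds the ATT&CK Navigator layer that the heat map is drawn from. The technique IDs and their tactic assignments are real, but the rule set, the matrix subset, the colours and the Navigator version numbers are assumptions; a real run would load the full matrix from the ATT&CK STIX data and the rules from your SIEM or rule repository.

```python
"""Score a subset of ATT&CK Enterprise against tagged detection rules and
produce per-tactic coverage plus an ATT&CK Navigator layer (added example)."""
import json
from collections import defaultdict

# Constructed subset of the ATT&CK Enterprise matrix: technique ID -> (name, tactics).
# IDs and tactic assignments are real; this is a handful of entries, not the full
# matrix (a real run loads the STIX bundle from attack.mitre.org instead).
MATRIX = {
    "T1566":     ("Phishing",                               ["initial-access"]),
    "T1566.001": ("Spearphishing Attachment",               ["initial-access"]),
    "T1566.002": ("Spearphishing Link",                     ["initial-access"]),
    "T1190":     ("Exploit Public-Facing Application",      ["initial-access"]),
    "T1078":     ("Valid Accounts", ["initial-access", "persistence",
                                     "privilege-escalation", "defense-evasion"]),
    "T1068":     ("Exploitation for Privilege Escalation",  ["privilege-escalation"]),
    "T1021":     ("Remote Services",                        ["lateral-movement"]),
    "T1021.001": ("Remote Desktop Protocol",                ["lateral-movement"]),
    "T1021.002": ("SMB/Windows Admin Shares",               ["lateral-movement"]),
    "T1021.006": ("Windows Remote Management",              ["lateral-movement"]),
    "T1570":     ("Lateral Tool Transfer",                  ["lateral-movement"]),
    "T1048":     ("Exfiltration Over Alternative Protocol", ["exfiltration"]),
    "T1041":     ("Exfiltration Over C2 Channel",           ["exfiltration"]),
    "T1567":     ("Exfiltration Over Web Service",          ["exfiltration"]),
}

# Hypothetical detection rules, constructed for this example and tagged in the
# Sigma convention (attack.<tactic>, attack.t<technique or sub-technique>).
RULES = [
    {"title": "Office application spawning a shell",
     "tags": ["attack.initial_access", "attack.t1566.001"]},
    {"title": "RDP logon originating from a workstation, not a jump host",
     "tags": ["attack.lateral_movement", "attack.t1021.001"]},
    {"title": "Admin share (C$, ADMIN$) accessed from a workstation",
     "tags": ["attack.lateral_movement", "attack.t1021.002"]},
    {"title": "Unusual outbound DNS volume per host",
     "tags": ["attack.exfiltration", "attack.t1048"]},
    {"title": "Encoded PowerShell command line",
     "tags": ["attack.execution", "attack.t1059.001"]},   # technique not in our subset
]

COVERED, PARTIAL, GAP = 2, 1, 0
COLORS = {COVERED: "#8ec843", PARTIAL: "#ffe766", GAP: "#ff6666"}  # our own choice


def techniques_tagged(rules):
    """Map technique ID (upper-cased, e.g. T1021.001) -> titles of rules tagging it."""
    tagged = defaultdict(list)
    for rule in rules:
        for tag in rule["tags"]:
            # attack.t1566.001 -> T1566.001; tactic tags (attack.initial_access) are skipped
            if tag.startswith("attack.t") and tag[8:9].isdigit():
                tagged[tag[7:].upper()].append(rule["title"])
    return tagged


def score_matrix(matrix, rules):
    """COVERED if a rule tags the technique directly; PARTIAL for a parent technique
    reached only through some of its sub-techniques; GAP otherwise.  Also returns
    tagged IDs that are not in the matrix (typos, retired IDs, or missing entries)."""
    tagged = techniques_tagged(rules)
    scores = {}
    for tid in matrix:
        if tid in tagged:
            scores[tid] = COVERED
        elif "." not in tid and any(sub in tagged for sub in matrix
                                    if sub.startswith(tid + ".")):
            scores[tid] = PARTIAL   # a sub-technique rule does not cover the parent
        else:
            scores[tid] = GAP
    unmapped = sorted(t for t in tagged if t not in matrix)
    return scores, unmapped


def coverage_by_tactic(matrix, scores):
    """Percent of techniques and sub-techniques scored COVERED, per tactic.
    A technique listed under several tactics (T1078) counts in each of them."""
    totals, covered = defaultdict(int), defaultdict(int)
    for tid, (_, tactics) in matrix.items():
        for tactic in tactics:
            totals[tactic] += 1
            if scores[tid] == COVERED:
                covered[tactic] += 1
    return {t: round(100 * covered[t] / totals[t], 1) for t in sorted(totals)}


def navigator_layer(matrix, scores, name="Detection coverage"):
    """Build an ATT&CK Navigator layer dict (the heat-map file).  The version
    numbers are assumptions: set them to the Navigator release you actually use."""
    techniques = [{"techniqueID": tid, "tactic": tactic, "score": scores[tid],
                   "color": COLORS[scores[tid]], "comment": tname}
                  for tid, (tname, tactics) in matrix.items() for tactic in tactics]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
            "techniques": techniques}


if __name__ == "__main__":
    scores, unmapped = score_matrix(MATRIX, RULES)
    for tactic, pct in coverage_by_tactic(MATRIX, scores).items():
        print(f"{tactic:22s} {pct:5.1f}% covered")
    print("rule tags outside the matrix:", unmapped)
    print(json.dumps(navigator_layer(MATRIX, scores), indent=2))
```

With the constructed inputs, lateral movement scores 40% (two of five entries covered) even though three of its five cells are not red: T1021 shows as partial because only two of its sub-techniques have rules. Saving the printed JSON to a file and opening it in the Navigator renders the coloured grid; the same script run after new rules are added gives the before-and-after comparison.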
Why Does This Matter for Your Business?
- Find your blind spots — you can't fix what you can't see. ATT&CK mapping shows exactly where attackers could slip through
- Prioritize spending — instead of buying every security tool on the market, invest in the ones that close your biggest gaps
- Measure improvement — run the mapping again after making changes and see your coverage percentage go up
- Speak the same language — ATT&CK is used by security teams worldwide. When you speak ATT&CK, vendors, auditors, and partners understand exactly what you mean
- Insurance and compliance — increasingly, cyber insurers and compliance frameworks reference ATT&CK as a benchmark for security maturity
What You Get
- ATT&CK coverage heat map — visual grid showing which techniques you can detect and which you can't
- Coverage percentage — your detection score per tactic and overall across the 14 Enterprise tactics, together with the counting rule used to produce it
- Gap analysis — prioritized list of the uncovered techniques that matter most, so you fix the ones attackers are most likely to use against you first
- Recommendations — specific detection rules, log sources, or tools needed to close each gap
- Before-and-after comparison — if this is a follow-up engagement, we show how your coverage has improved