What are ATT&CK tactics vs techniques?

Tactics are adversary objectives (why), techniques are methods (how). 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Each tactic has multiple techniques. Example: Persistence (tactic) → Create Account (technique) → Domain Account (sub-technique). Use tactics for strategic planning, techniques for detection rules, sub-techniques for specific indicators.

How to use ATT&CK for threat hunting?

ATT&CK-based hunting workflow: 1) Select threat actor/campaign (APT29, Ryuk ransomware). 2) Review associated techniques from ATT&CK. 3) Develop hypotheses (if technique used, what logs/artifacts?). 4) Create detection queries (SIEM, EDR). 5) Hunt across environment. 6) Document findings. 7) Update detections. Example: T1003 OS Credential Dumping → search for LSASS access, registry hives, suspicious PowerShell. Map detections to techniques for coverage visibility.

What is ATT&CK Navigator?

ATT&CK Navigator is web-based tool for visualizing ATT&CK coverage. Features: color-code techniques (detected, not detected), layer overlays (compare defenses), export matrices, annotate techniques. Use cases: gap analysis (what techniques not detected?), tool evaluation (which techniques does EDR detect?), threat modeling (which APT techniques apply?), detection prioritization. JSON export for sharing. Version: supports all ATT&CK matrices (Enterprise, Mobile, ICS). Official tool from MITRE.

How to map detections to ATT&CK?

Detection mapping identifies which techniques your controls detect. Process: 1) Inventory security tools (EDR, SIEM, IDS, AV). 2) Review detection rules/signatures. 3) Map each detection to ATT&CK technique. 4) Score confidence (high/medium/low detection). 5) Visualize in Navigator (color-code). 6) Identify gaps. 7) Prioritize new detections. Example: Sysmon Event 10 (process access) → maps to T1003.001 (LSASS Memory). Frameworks: Detection as Code (Sigma), ATT&CK Navigator layers.

What are ATT&CK sub-techniques?

Sub-techniques are specific implementations of broader techniques. Added in 2020 to increase granularity. Example: T1003 OS Credential Dumping has sub-techniques: T1003.001 LSASS Memory, T1003.002 Security Account Manager, T1003.003 NTDS, etc. Helps: precise detection engineering, reduce false positives, better threat reporting. Format: T####.### (technique.sub-technique). Not all techniques have sub-techniques. Use for: detailed mapping, specific IOC creation, incident attribution.

How to use ATT&CK for red teaming?

Red team ATT&CK integration: 1) Select target techniques based on scenario (APT emulation, ransomware). 2) Plan attack chain (Initial Access → Persistence → Lateral Movement → Impact). 3) Use ATT&CK for tool selection (which tools implement technique?). 4) Document techniques used during engagement. 5) Map results to ATT&CK for report (show gaps). 6) Test blue team detections per technique. Tools: Atomic Red Team (automated tests), Caldera (C2), Red Canary Atomic tests.

What are ATT&CK data sources?

Data sources identify logs/telemetry needed to detect techniques. Examples: Process Monitoring (Sysmon, EDR), Network Traffic (NetFlow, PCAP), Windows Event Logs (Security, System), File Monitoring (FIM), Cloud Audit Logs (CloudTrail, Azure Monitor). Each technique lists required data sources. Use for: logging strategy, tool requirements, detection feasibility. ATT&CK v10+ includes data components (specific log events). Example: T1003 needs Process Access (Sysmon Event 10), Windows Event 4656.

Home/Tools/Security/MITRE ATT&CK Navigator

MITRE ATT&CK Navigator

Explore adversary tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK framework

100% Private - Runs Entirely in Your Browser

No data is sent to any server. All processing happens locally on your device.

Loading MITRE ATT&CK Navigator...

Platform

View

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Need Professional Security Testing?

Our penetration testers find vulnerabilities before attackers do. Get a comprehensive security assessment.

Learn About Penetration Testing Explore Risk Assessment

What Is the MITRE ATT&CK Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Maintained by the MITRE Corporation, it catalogs how threat actors operate—from initial access through data exfiltration—providing a common language for describing cyber threats, evaluating defenses, and prioritizing security investments.

ATT&CK has become the de facto standard for threat intelligence, security operations, and red/purple teaming. Over 80% of enterprise security teams use it to map detection coverage, assess security gaps, and communicate about threats. The framework covers Enterprise (Windows, macOS, Linux, cloud, containers, network), Mobile (Android, iOS), and ICS (Industrial Control Systems) platforms.

How MITRE ATT&CK Is Structured

The framework organizes adversary behavior into a hierarchical taxonomy:

Level	Description	Example
Tactic	The adversary's goal (the "why")	TA0001: Initial Access
Technique	How the goal is achieved	T1566: Phishing
Sub-technique	Specific variation of a technique	T1566.001: Spearphishing Attachment
Procedure	Real-world implementation by a threat group	APT29 used spearphishing with COVID-19 lures

Enterprise ATT&CK Tactics (kill chain order):

Reconnaissance (TA0043) — Gathering target information
Resource Development (TA0042) — Setting up infrastructure
Initial Access (TA0001) — Getting into the network
Execution (TA0002) — Running malicious code
Persistence (TA0003) — Maintaining access across restarts
Privilege Escalation (TA0004) — Getting higher-level permissions
Defense Evasion (TA0005) — Avoiding detection
Credential Access (TA0006) — Stealing credentials
Discovery (TA0007) — Understanding the environment
Lateral Movement (TA0008) — Moving through the network
Collection (TA0009) — Gathering target data
Command and Control (TA0011) — Communicating with compromised systems
Exfiltration (TA0010) — Stealing data
Impact (TA0040) — Disrupting operations

Common Use Cases

Detection engineering: Map SIEM rules and EDR detections to ATT&CK techniques to identify coverage gaps
Threat intelligence: Describe adversary behavior using standardized technique IDs for consistent analysis
Red teaming: Structure penetration tests around specific techniques to test organizational defenses
Security assessments: Evaluate security posture by measuring coverage across ATT&CK tactics
Vendor evaluation: Compare security products based on which ATT&CK techniques they detect

Best Practices

Start with the most common techniques — Focus detection efforts on T1059 (Command Interpreter), T1053 (Scheduled Task), T1566 (Phishing), and other frequently observed techniques first
Map your existing detections — Inventory current SIEM rules and EDR capabilities against ATT&CK to find blind spots
Use ATT&CK Navigator — MITRE's free visualization tool helps map coverage, plan improvements, and compare threat profiles
Track adversary groups relevant to your industry — Not all techniques apply equally; prioritize based on threat actors targeting your sector
Combine with other frameworks — Use ATT&CK alongside the NIST CSF, CIS Controls, and D3FEND for a comprehensive security strategy

References & Citations

MITRE Corporation. (2024). MITRE ATT&CK. Retrieved from https://attack.mitre.org/ (accessed January 2025)
MITRE Corporation. (2024). ATT&CK Navigator. Retrieved from https://mitre-attack.github.io/attack-navigator/ (accessed January 2025)
MITRE Corporation. (2024). Getting Started with ATT&CK. Retrieved from https://attack.mitre.org/resources/getting-started/ (accessed January 2025)

Note: These citations are provided for informational and educational purposes. Always verify information with the original sources and consult with qualified professionals for specific advice related to your situation.

Key Security Terms

Understand the essential concepts behind this tool

Threat Intelligence

Evidence-based knowledge about existing or emerging threats used to inform security decisions and response.

Learn more →

View all terms in our glossary →

Frequently Asked Questions

Common questions about the MITRE ATT&CK Navigator

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is globally-accessible knowledge base of adversary behaviors. Organized by 14 tactics (objectives) and 200+ techniques (methods). Covers: Enterprise (Windows, Linux, macOS, Cloud), Mobile, ICS (industrial). Used for: threat intelligence, detection engineering, red teaming, security assessments. Based on real-world observations. Free, community-driven. Updated quarterly. Essential reference for cybersecurity professionals.