MITRE ATT&CK is a free, publicly available knowledge base that catalogs how real-world attackers actually operate — the specific tactics, techniques, and procedures (TTPs) observed across thousands of intrusions. Maintained by the MITRE Corporation since its public release in 2015, the framework now spans three matrices (Enterprise, Mobile, and ICS) and organizes adversary behavior into 14 top-level tactics, more than 200 techniques, and over 450 documented sub-techniques. Instead of describing malware by name or listing indicators of compromise that expire in days, ATT&CK describes behavior — "OS Credential Dumping" or "Supply Chain Compromise" — that persists across campaigns and threat actors for years. Security teams use it as a common vocabulary to describe threats, a checklist to test detection coverage, and a map to prioritize defenses. For software supply chain security specifically, ATT&CK's Initial Access tactic (TA0001) includes Technique T1195, Supply Chain Compromise, which directly names the class of attack behind incidents like SolarWinds (2020) and the XZ Utils backdoor (CVE-2024-3094, discovered March 2024).
What is MITRE ATT&CK, exactly?
MITRE ATT&CK is a curated, continuously updated database of adversary tactics and techniques based on real-world observations, published by MITRE and used globally as a common reference for describing and defending against cyberattacks. The acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. Each entry in the knowledge base links a "tactic" (the attacker's goal, such as Privilege Escalation) to one or more "techniques" (the specific method used to achieve it, such as Exploitation for Privilege Escalation, T1068) and, where relevant, "sub-techniques" that add further specificity. As of the Enterprise matrix's current version, ATT&CK documents 14 tactics and catalogs the behavior of hundreds of named threat groups, from APT29 to Lazarus Group, each with a profile listing which techniques they have been observed using. Every technique page includes real intrusion evidence, mitigation guidance, and detection data sources, making it as useful for red teams simulating attacks as it is for blue teams building detections.
Who created MITRE ATT&CK and why?
MITRE ATT&CK was created by the MITRE Corporation, a US-based not-for-profit that also runs the CVE and CWE programs, starting as an internal research project in 2013 before its first public release in May 2015. The original goal was narrow: researchers at MITRE were running the FMX (Fort Meade Experiment) to study how well endpoint detection tools caught post-compromise adversary behavior on Windows systems, and needed a structured, shared vocabulary to record what attackers did after gaining a foothold. That internal taxonomy evolved into the public ATT&CK framework, which expanded from Windows-only techniques to cover macOS and Linux (2017), cloud platforms like AWS, Azure, GCP, and SaaS/Office 365 (2019 onward), mobile devices, and industrial control systems. In 2019, MITRE spun out MITRE Engenuity, a subsidiary that runs the ATT&CK Evaluations program, independently testing security products (including EDR and XDR vendors) against emulated adversary techniques and publishing the results.
How is the ATT&CK framework structured?
The ATT&CK Enterprise matrix is structured as a grid of 14 tactics across the top and the techniques that accomplish each tactic listed underneath, moving left to right in roughly the order an attack unfolds. The 14 tactics are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Each tactic contains multiple techniques — for example, Initial Access (TA0001) includes Phishing (T1566), Exploit Public-Facing Application (T1190), Valid Accounts (T1078), and Supply Chain Compromise (T1195). Many techniques break down further into sub-techniques; T1195 splits into T1195.001 (Compromise Software Dependencies and Development Tools), T1195.002 (Compromise Software Supply Chain), and T1195.003 (Compromise Hardware Supply Chain). This layered structure — tactic to technique to sub-technique — lets a SOC analyst describe an incident at exactly the level of precision the evidence supports, and lets a CISO roll findings back up to tactic-level coverage reports for the board.
How does ATT&CK differ from CVE and CWE?
ATT&CK differs from CVE and CWE because it describes attacker behavior rather than software flaws: CVE (Common Vulnerabilities and Exposures, launched 1999) catalogs specific vulnerabilities in specific software versions, CWE (Common Weakness Enumeration, launched 2006) catalogs the underlying classes of coding or design weakness that cause those vulnerabilities, and ATT&CK catalogs what an adversary does before and after exploiting one. All three are maintained under MITRE's umbrella and interlock: a single CVE, such as CVE-2021-44228 (Log4Shell), maps to a CWE category (CWE-502, Deserialization of Untrusted Data) and enables an attacker to execute an ATT&CK technique like Exploit Public-Facing Application (T1190) as an entry point, followed by Command and Control (TA0011) techniques once inside. Where CVE tells you "this specific package version is vulnerable" and CWE tells you "this is the general shape of the flaw," ATT&CK tells you "here is what happens next, and here is how to detect it." Security programs that rely on CVE data alone see the exposure but miss the behavioral chain an attacker uses to actually cause damage.
How do security teams use ATT&CK in practice?
Security teams use ATT&CK primarily for threat-informed detection engineering, red team planning, and vendor evaluation, mapping their own telemetry and controls against the matrix to find gaps. A common workflow is a "heat map" exercise: a SOC lists which of the 200+ techniques it currently has a documented detection for, color-codes coverage (detected, partial, none), and prioritizes engineering work on the gaps most relevant to the threat groups it faces, using ATT&CK's own group profiles (over 150 tracked as of recent releases, including FIN7, APT41, and Sandworm) to decide what "relevant" means for their sector. Incident responders use ATT&CK notation to write reports that are machine-parseable and comparable across incidents — writing "T1059.001" (PowerShell) instead of a prose description that a different analyst might phrase differently six months later. The framework also underpins tools like MITRE Caldera (adversary emulation) and the open-source Center for Threat-Informed Defense's Attack Flow project, and it is the scoring basis for the independent ATT&CK Evaluations that let buyers compare EDR/XDR products on detection rates against specific technique sets rather than marketing claims.
What are the limitations of MITRE ATT&CK?
MITRE ATT&CK's main limitation is that it documents observed behavior after the fact, so it is inherently reactive and does not by itself tell a team which of their own assets are actually exploitable right now. A technique entry like T1195.002 confirms that supply chain compromise is a known, named attack pattern with real-world precedent, but the matrix has no mechanism to tell a specific engineering team whether their specific build pipeline, their specific vulnerable dependency, or their specific exposed CI/CD credential is reachable by an attacker — that requires runtime and code-path analysis the framework was never designed to provide. ATT&CK also grows continuously (new sub-techniques are added with nearly every biannual release, and the Enterprise matrix has roughly doubled in technique count since 2018), which means coverage maps go stale and teams that treat a single heat-map exercise as "done" quickly fall behind. Finally, ATT&CK describes what attackers do, not which of the thousands of alerts, CVEs, or misconfigurations in a given environment map to a technique that is genuinely reachable in that environment's actual code and runtime — closing that gap requires tooling built for it.
How Safeguard Helps
Safeguard closes the gap between ATT&CK's behavioral catalog and an organization's actual risk by running reachability analysis across ingested and generated SBOMs to determine which vulnerable dependencies — the kind that map to techniques like T1190 and T1195 — are actually invoked by application code rather than sitting dormant in an unused library path. Griffin AI, Safeguard's detection engine, correlates findings against known attacker TTPs so teams can prioritize the CVEs and misconfigurations that correspond to techniques their tracked threat groups actually use, instead of chasing every CVSS-critical finding equally. When Safeguard confirms a reachable, exploitable path, it can open an auto-fix pull request that remediates the underlying dependency or configuration directly in the repository, cutting the time between "technique detected" and "technique closed." Combined with continuous SBOM generation across build pipelines, this gives security teams the threat-informed context ATT&CK provides plus the exploitability evidence it was never designed to deliver.