
MITRE ATT&CK Explained: The Adversary Playbook

MITRE ATT&CK is a free, publicly available knowledge base of real-world adversary behaviour, compiled from reported intrusions and organised as tactics (the attacker's goals) and techniques (how those goals are achieved). It gives security teams a shared, precise vocabulary for describing attacks and for checking whether they can detect them.

Tactics and techniques

Tactics are the "why", e.g. Initial Access, Persistence, Privilege Escalation, Lateral Movement, Exfiltration; each has an ID of the form TA0001 (Initial Access). Techniques are the "how" and each tactic lists many of them; under Initial Access you find Phishing (T1566), Exploit Public-Facing Application (T1190) and Valid Accounts (T1078). Techniques can be broken into sub-techniques with a suffix, e.g. T1566.001 Spearphishing Attachment. Note that a technique is not tied to a single tactic: Valid Accounts (T1078) appears under Initial Access, Persistence, Privilege Escalation and Defense Evasion, because stolen credentials serve all four goals.

How SOCs use it

Analysts tag each alert with the technique it indicates; that tells them which tactic the intrusion has reached and which tactics usually follow, so they know what to look for next. Detection engineers lay their existing rules over the matrix (ATT&CK Navigator is the usual tool for this) to find techniques with no detection at all, e.g. "nothing we have fires on Remote Services (T1021), so lateral movement over RDP or SMB would go unseen; let's fix that". ATT&CK is far more granular than the seven stages of the Cyber Kill Chain and is normally used alongside it; reading and populating the matrix is core modern SOC knowledge.
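The two workflows above, mapping an alert to its technique and tactic and scoring detection coverage per tactic, as an added worked example. This is illustrative code written for this article, not code from MITRE or the ATT&CK project: the tactic and technique IDs are real ATT&CK Enterprise identifiers, but the matrix is a hand-picked subset, and the alert and detection rules are constructed.

```python
"""Map alerts to ATT&CK techniques and report detection-coverage gaps.

Added example for this article, not code from MITRE or the ATT&CK project.
The technique and tactic IDs are real ATT&CK Enterprise identifiers, but the
matrix is a hand-picked subset and the alerts and detection rules are made up.
"""
import re

# Tactic ID -> name, in the order an intrusion usually progresses (real IDs).
TACTICS = [
    ("TA0001", "Initial Access"),
    ("TA0003", "Persistence"),
    ("TA0004", "Privilege Escalation"),
    ("TA0008", "Lateral Movement"),
    ("TA0010", "Exfiltration"),
]
TACTIC_ORDER = [tid for tid, _ in TACTICS]

# Technique ID -> (name, tactics it appears under). Constructed subset of the
# real matrix; note T1078 Valid Accounts sits under several tactics at once.
TECHNIQUES = {
    "T1566":     ("Phishing", {"TA0001"}),
    "T1566.001": ("Spearphishing Attachment", {"TA0001"}),
    "T1190":     ("Exploit Public-Facing Application", {"TA0001"}),
    "T1078":     ("Valid Accounts", {"TA0001", "TA0003", "TA0004"}),
    "T1547":     ("Boot or Logon Autostart Execution", {"TA0003", "TA0004"}),
    "T1547.001": ("Registry Run Keys / Startup Folder", {"TA0003", "TA0004"}),
    "T1021":     ("Remote Services", {"TA0008"}),
    "T1021.001": ("Remote Desktop Protocol", {"TA0008"}),
    "T1041":     ("Exfiltration Over C2 Channel", {"TA0010"}),
}

# Technique IDs look like T1566 (technique) or T1566.001 (sub-technique).
ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_technique(tid: str) -> str:
    """Validate an ID and return its parent technique ('T1566.001' -> 'T1566')."""
    if not ID_RE.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return tid.split(".")[0]


def lookup(tid: str) -> tuple:
    """(name, tactics) for a technique; a sub-technique missing from the local
    table falls back to its parent's entry."""
    entry = TECHNIQUES.get(tid) or TECHNIQUES.get(parent_technique(tid))
    if entry is None:
        raise KeyError(f"technique {tid} is not in the local matrix")
    return entry


def map_alert(alert: dict) -> dict:
    """Enrich an alert with the ATT&CK name, its tactics, the stage of the
    intrusion it indicates and the tactics an attacker typically reaches next."""
    tid = alert["technique"]
    name, tactic_ids = lookup(tid)
    # The earliest tactic in kill-chain order is the stage; later ones are "what comes next".
    stage = min(tactic_ids, key=TACTIC_ORDER.index)
    return {
        "technique": tid,
        "name": name,
        "tactics": sorted(tactic_ids),
        "stage": stage,
        "next": TACTIC_ORDER[TACTIC_ORDER.index(stage) + 1:],
    }


def coverage_gaps(rules: list) -> dict:
    """Per tactic: which parent techniques have at least one detection rule and
    which have none. A rule tagged with a sub-technique counts toward its parent,
    which is how coverage is usually scored."""
    covered = {parent_technique(t) for rule in rules for t in rule["techniques"]}
    report = {}
    for tactic_id, tactic_name in TACTICS:
        in_tactic = sorted(t for t, (_, tacs) in TECHNIQUES.items()
                           if "." not in t and tactic_id in tacs)
        report[tactic_name] = {
            "covered": [t for t in in_tactic if t in covered],
            "gaps": [t for t in in_tactic if t not in covered],
        }
    return report


# Constructed detection rules, each tagged with the technique(s) it fires on.
DETECTION_RULES = [
    {"name": "Office macro spawns cmd/powershell", "techniques": ["T1566.001"]},
    {"name": "Web shell written by IIS worker process", "techniques": ["T1190"]},
    {"name": "Run key set by non-installer process", "techniques": ["T1547.001"]},
]


if __name__ == "__main__":
    print(map_alert({"host": "WS-042", "technique": "T1021.001"}))  # constructed alert
    for tactic, cov in coverage_gaps(DETECTION_RULES).items():
        print(f"{tactic:22} covered={cov['covered']} gaps={cov['gaps']}")
```

Run as a script it prints the enriched alert (an RDP logon alert lands at Lateral Movement, with Exfiltration as the next tactic to watch) and a per-tactic report that shows Lateral Movement and Exfiltration with no coverage at all, which is exactly the gap the paragraph above describes. In a real SOC the matrix would be loaded from MITRE's STIX export rather than typed in, and rules would carry their technique tags in the rule metadata.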

Frequently asked questions

What is MITRE ATT&CK?

A free knowledge base cataloguing real adversary tactics and techniques, used as a common language for detecting and describing cyberattacks.

What is the difference between a tactic and a technique?

A tactic is the attacker's goal (e.g. Persistence, TA0003); a technique is the specific method used to achieve it (e.g. adding a Registry Run key so a payload starts at logon, sub-technique T1547.001 of Boot or Logon Autostart Execution).

How do SOC teams use ATT&CK?

To map detections to attacker behaviours, identify coverage gaps, and communicate incidents in a standard, shared vocabulary.

Vipul Sir, Lead Instructor, Attila Technologies. 20+ years in Cisco networking; teaching CCNA, CCNP, CCIE and CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.
