MITRE ATT&CK Explained: The Adversary Playbook
MITRE ATT&CK is a free, globally used knowledge base of real-world attacker behaviours — organised as tactics (the attacker's goals) and techniques (how they achieve them). It gives security teams a shared language for describing and detecting attacks.
Tactics and techniques
Tactics are the "why" — e.g. Initial Access, Persistence, Privilege Escalation, Lateral Movement, Exfiltration. Each tactic contains many techniques (the "how") — e.g. under Initial Access: phishing, exploiting public-facing apps, valid accounts. Each technique has a unique ID (like T1566 for phishing).
How SOCs use it
Analysts map alerts to ATT&CK techniques to understand where in an attack they are and what the attacker is likely to attempt next; detection engineers use the matrix to find coverage gaps ("we have no detection for lateral movement — let's fix that"). The tactic sequence maps readily onto the cyber kill chain, and fluency in ATT&CK is core knowledge for modern SOC work.
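The two SOC uses described above, alert-to-technique mapping and coverage-gap analysis, as an added worked example (not from the original article). The technique catalogue is a hand-built subset of the matrix and the detection rules are constructed for a hypothetical SOC; check every ID against attack.mitre.org before reusing it.

```python
# Hand-built subset of the ATT&CK matrix, constructed for this example.
# technique ID -> (name, tactics it serves). A technique can sit under several tactics.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1190": ("Exploit Public-Facing Application", ["Initial Access"]),
    # Valid Accounts also appears under Defense Evasion, omitted from this subset.
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence", "Privilege Escalation"]),
    "T1547.001": ("Registry Run Keys / Startup Folder", ["Persistence", "Privilege Escalation"]),
    "T1068": ("Exploitation for Privilege Escalation", ["Privilege Escalation"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Tactics in matrix order (the article's subset); used to answer "what comes next".
TACTIC_ORDER = ["Initial Access", "Persistence", "Privilege Escalation",
                "Lateral Movement", "Exfiltration"]

# Constructed detection rules for a hypothetical SOC: rule name -> technique it targets.
DETECTION_RULES = {
    "mail_attachment_macro": "T1566",
    "web_rce_signature": "T1190",
    "new_run_key_written": "T1547.001",
    "large_outbound_to_c2": "T1041",
}


def coverage_gaps(rules=DETECTION_RULES, techniques=TECHNIQUES, order=TACTIC_ORDER):
    """Tactics for which no rule covers any technique: the 'we can't detect X' list."""
    covered = set()
    for tid in rules.values():
        covered.update(techniques.get(tid, ("", []))[1])
    return [tactic for tactic in order if tactic not in covered]


def map_alert(rule_name, rules=DETECTION_RULES, techniques=TECHNIQUES, order=TACTIC_ORDER):
    """Translate a firing rule into ATT&CK terms plus the tactics likely to follow."""
    tid = rules.get(rule_name)
    if tid is None or tid not in techniques:
        return None  # unmapped rule: a gap in the rule set's own labelling
    name, tactics = techniques[tid]
    stages = [order.index(t) for t in tactics if t in order]
    furthest = max(stages) if stages else -1
    return {"technique": tid, "name": name, "tactics": tactics,
            "next_tactics": order[furthest + 1:]}


def attack_progress(rule_names):
    """For the rules that fired in one incident, name the furthest tactic reached."""
    furthest = -1
    for rule in rule_names:
        mapped = map_alert(rule)
        if mapped:
            for tactic in mapped["tactics"]:
                furthest = max(furthest, TACTIC_ORDER.index(tactic))
    return TACTIC_ORDER[furthest] if furthest >= 0 else None
```

With the rules above, `coverage_gaps()` reports Lateral Movement as uncovered, which is exactly the finding a detection engineer would turn into a new rule.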
Frequently asked questions
What is MITRE ATT&CK?
A free knowledge base cataloguing real adversary tactics and techniques, used as a common language for detecting and describing cyberattacks.
What is the difference between a tactic and a technique?
A tactic is the attacker's goal (e.g. Persistence); a technique is the specific method used to achieve it (e.g. modifying registry run keys).
How do SOC teams use ATT&CK?
To map detections to attacker behaviours, identify coverage gaps, and communicate incidents in a standard, shared vocabulary.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.