MITRE ATT&CK is the shared vocabulary the security industry uses to describe how attacks unfold: a taxonomy of adversary behaviour, organised by goal.
Before ATT&CK, every vendor and CTI shop had its own way of describing what attackers did. Different names for the same techniques, different categories, different levels of detail. ATT&CK gave the industry a common set of identifiers (T1566, T1059, etc.) so a Recorded Future report and a CrowdStrike write-up could be talking about the same thing.
The three-layer structure
- Tactics — the why. The adversary's goal at a given stage. Initial Access, Execution, Persistence, Privilege Escalation, etc. There are 14 tactics in the Enterprise matrix.
- Techniques — the how. Specific methods used to achieve a tactic. "Phishing" is a technique under Initial Access (T1566).
- Sub-techniques — the more specific how. "Spearphishing Attachment" is a sub-technique under Phishing (T1566.001).
The matrices
ATT&CK isn't one matrix — it's several, by environment:
- Enterprise — Windows, macOS, Linux, cloud, containers, network. The most-used one.
- Mobile — iOS, Android.
- ICS — industrial control systems.
How it shows up day-to-day
- CTI reports map observed behaviour to ATT&CK technique IDs, so a CISO can see at a glance what an actor does.
- Detection engineers write rules tagged with technique IDs — "we catch T1059.001 (PowerShell) via these three queries".
- Threat hunters use the matrix as a checklist: "have we got coverage for every Initial Access technique an APT in our sector is known to use?"
- Red and purple teams use it to plan exercises and report coverage gaps to leadership.
ATT&CK Navigator. Free, open-source visualisation layer for the matrix. You can shade techniques an actor uses, overlay multiple actors at once, and export the result as a JSON layer. ThreatCluster exports ATT&CK Navigator layers per cluster and per actor.
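The day-to-day uses above (pulling technique IDs out of a CTI report, checking them against the IDs your detection rules are tagged with, and shading the result in Navigator) fit in one short script. This is an added example, not ThreatCluster's or MITRE's code: the report excerpt, the tactic lookup and the detection-coverage set are constructed sample data, the tactic-per-technique table would in practice come from the ATT&CK STIX bundle, and the `versions` strings in the layer are assumed values to check against the Navigator release you upload to.

```python
"""Map CTI-report technique IDs against detection coverage and emit a Navigator layer."""
import json
import re

# ATT&CK technique IDs look like T1566 (technique) or T1566.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed sample: an excerpt of a CTI report that cites technique IDs inline.
SAMPLE_REPORT = """
The actor gained initial access via spearphishing attachments (T1566.001)
and links (T1566.002), executed payloads with PowerShell (T1059.001) and
established persistence through registry run keys (T1547.001).
"""

# Constructed sample: tactic slug for each technique the report mentions.
# A Navigator layer entry needs the tactic; real code would read this from
# the ATT&CK STIX bundle rather than hard-coding it.
TACTIC_OF = {
    "T1566.001": "initial-access",
    "T1566.002": "initial-access",
    "T1059.001": "execution",
    "T1547.001": "persistence",
}

# Constructed sample: technique IDs our detection rules are tagged with.
DETECTION_COVERAGE = {"T1566.001", "T1059.001"}


def extract_technique_ids(text):
    """Return the distinct technique IDs cited in a report, in first-seen order."""
    seen = []
    for tid in TECHNIQUE_ID.findall(text):
        if tid not in seen:
            seen.append(tid)
    return seen


def coverage_gaps(observed, covered):
    """Observed technique IDs that no detection rule is tagged against."""
    return sorted(t for t in observed if t not in covered)


def gaps_by_tactic(observed, covered, tactic_of):
    """Group gaps by tactic, e.g. every uncovered Initial Access technique."""
    out = {}
    for tid in coverage_gaps(observed, covered):
        out.setdefault(tactic_of[tid], []).append(tid)
    return out


def build_layer(name, observed, covered, tactic_of, attack_version="14"):
    """Build a Navigator layer dict: covered techniques score 1, gaps score 0."""
    techniques = []
    for tid in sorted(observed):
        detected = tid in covered
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic_of[tid],
            "score": 1 if detected else 0,
            "comment": "detection rule tagged" if detected else "GAP: no detection rule",
            "enabled": True,
            "showSubtechniques": True,
        })
    return {
        "name": name,
        # Assumed version strings; set them to match your Navigator instance.
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Observed actor techniques shaded by detection coverage",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1},
        "legendItems": [
            {"label": "covered by a detection rule", "color": "#8ec843"},
            {"label": "coverage gap", "color": "#ff6666"},
        ],
    }


def layer_json(name, observed, covered, tactic_of):
    """Serialise the layer for upload via Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(name, observed, covered, tactic_of), indent=2)


if __name__ == "__main__":
    ids = extract_technique_ids(SAMPLE_REPORT)
    print("gaps by tactic:", gaps_by_tactic(ids, DETECTION_COVERAGE, TACTIC_OF))
    print(layer_json("actor-vs-coverage", ids, DETECTION_COVERAGE, TACTIC_OF))
```

The layer scores only the techniques the report cites, so the matrix shows red cells exactly where an actor is known to do something you have no rule for; overlaying several such layers in Navigator is how the "every Initial Access technique an APT in our sector uses" checklist becomes a picture rather than a spreadsheet.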
D3FEND — the defensive counterpart
MITRE D3FEND is the defensive sibling: a taxonomy of countermeasures mapped against ATT&CK techniques. If ATT&CK says "the attacker did X", D3FEND tells you "here are the defensive techniques that mitigate X". ThreatCluster surfaces D3FEND countermeasures alongside each cluster's attack flow.
Where it's used in the platform
Every cluster carries an attack flow mapped to ATT&CK techniques. Industry threat models on the Hunt page let you pick a sector and get a live ATT&CK matrix shaded with the techniques the actors targeting that sector actually use. Hunting queries export in KQL, SPL and Lucene, mapped one-to-one against the matrix.