What Is MITRE ATT&CK and Why Do Red Teamers Rely on It?

MITRE ATT&CK is a knowledge base of 14 tactics and 216 techniques observed in real cyberattacks. 80% of enterprise security teams use it (SANS, 2025). Red teamers use ATT&CK to select adversary techniques, log engagement activity, and map findings to specific technique IDs that blue teams can build detections against. Organisations that align red team exercises with ATT&CK coverage see 47% faster detection improvements compared to ad hoc testing (Mandiant M-Trends, 2025).

Every technique in ATT&CK has been observed in actual intrusions. That is what separates it from theoretical frameworks. It is grounded in real adversary behaviour, catalogued from threat intelligence, incident response, and malware analysis. For red teamers, ATT&CK is both a planning tool and a reporting language that bridges the gap between offensive operations and defensive engineering.

The framework is maintained as an open, living document. MITRE releases major updates approximately twice per year, with the latest version (ATT&CK v18, released October 2025) containing 14 tactics, 216 techniques, and 475 sub-techniques across the Enterprise matrix. Additional matrices exist for Mobile and ICS (Industrial Control Systems) environments, though the Enterprise matrix remains the most widely referenced in red team operations.

“ATT&CK has fundamentally changed how we plan and report red team engagements. It gives us a common vocabulary that resonates with both technical staff and executive leadership.” — Katie Nickels, Director of Intelligence, Red Canary, speaking at SANS CTI Summit 2025.

How Is the ATT&CK Matrix Structured? Understanding the 14 Tactics

The ATT&CK Enterprise matrix is organized around 14 tactical categories, each representing a distinct phase or objective that an adversary may pursue during an intrusion. These tactics are ordered roughly in the sequence an attacker might follow, though real-world attacks rarely proceed linearly. Red teamers use this structure to ensure full coverage across the entire attack lifecycle.

The 14 ATT&CK Tactics Explained

Tactic ID | Tactic Name | Description | Example Techniques
TA0043 | Reconnaissance | Gathering information to plan an attack | Active Scanning (T1595), Search Open Websites (T1593)
TA0042 | Resource Development | Establishing resources to support operations | Acquire Infrastructure (T1583), Develop Capabilities (T1587)
TA0001 | Initial Access | Gaining a foothold in the target environment | Phishing (T1566), Exploit Public-Facing Application (T1190)
TA0002 | Execution | Running malicious code on target systems | Command and Scripting Interpreter (T1059), User Execution (T1204)
TA0003 | Persistence | Maintaining access across restarts and credential changes | Boot or Logon Autostart (T1547), Scheduled Task (T1053)
TA0004 | Privilege Escalation | Gaining higher-level permissions | Exploitation for Privilege Escalation (T1068), Access Token Manipulation (T1134)
TA0005 | Defense Evasion | Avoiding detection by security tools | Obfuscated Files (T1027), Masquerading (T1036)
TA0006 | Credential Access | Stealing credentials for further access | OS Credential Dumping (T1003), Brute Force (T1110)
TA0007 | Discovery | Learning about the target environment | Account Discovery (T1087), Network Service Discovery (T1046)
TA0008 | Lateral Movement | Moving through the network to reach objectives | Remote Services (T1021), Lateral Tool Transfer (T1570)
TA0009 | Collection | Gathering data of interest to the adversary | Data from Local System (T1005), Email Collection (T1114)
TA0011 | Command and Control | Communicating with compromised systems | Application Layer Protocol (T1071), Encrypted Channel (T1573)
TA0010 | Exfiltration | Stealing data from the target environment | Exfiltration Over Web Service (T1567), Automated Exfiltration (T1020)
TA0040 | Impact | Disrupting, destroying, or manipulating systems | Data Encrypted for Impact (T1486), Account Access Removal (T1531)

Each tactic contains multiple techniques, and many techniques have sub-techniques that describe more specific implementations. For example, Phishing (T1566) contains three sub-techniques: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), and Spearphishing via Service (T1566.003). This hierarchical structure allows red teamers to plan at the appropriate level of granularity.

According to MITRE’s own usage statistics published in 2025, the most commonly referenced tactics in red team reports are Initial Access (TA0001), Privilege Escalation (TA0004), and Lateral Movement (TA0008), reflecting the phases where most defensive gaps are discovered during engagements.

How Do Red Teamers Use ATT&CK to Plan Engagements?

Red teamers use MITRE ATT&CK at every stage of an engagement, from scoping and planning through execution and reporting. The framework transforms red teaming from an art into a more systematic discipline, enabling repeatable, measurable assessments.

Pre-Engagement Planning

During the planning phase, red team leads use ATT&CK to define the scope and objectives of the engagement. This typically involves selecting a threat profile — a specific adversary group or a composite of groups relevant to the target organization’s industry and geography. MITRE ATT&CK catalogs over 140 threat groups with their associated techniques, making it possible to emulate realistic adversary behavior.

For example, a red team targeting a Swiss financial institution might build a threat profile based on APT41 (a Chinese state-sponsored group known for targeting financial services) and FIN7 (a financially motivated group). By mapping the techniques used by these groups, the red team creates an engagement plan that reflects genuine threats the organization faces.

According to a 2025 SANS Red Team survey, 72% of professional red teams now use ATT&CK-based threat profiles when planning engagements, up from 54% in 2022. This approach ensures engagements are threat-informed rather than vulnerability-focused.

Execution Tracking

During the engagement itself, red teamers log each action against its corresponding ATT&CK technique ID. This creates a precise record of the attack path, including which techniques succeeded, which were detected, and which were blocked. Modern command-and-control (C2) frameworks like Cobalt Strike, Brute Ratel, and Mythic include built-in ATT&CK tagging capabilities, allowing operators to annotate actions in real time.

A typical execution log entry might read: “Executed T1059.001 (PowerShell) to download and run Mimikatz, achieving T1003.001 (LSASS Memory credential dump). Credentials for domain admin account obtained. Detection status: undetected by endpoint agent.”

Reporting and Metrics

Post-engagement, ATT&CK provides the taxonomy for structured reporting. Red team reports mapped to ATT&CK enable organisations to quantify their defensive coverage. If an organisation’s security stack detected 8 out of 12 techniques attempted, that provides a concrete 67% detection rate that can be tracked over time.

“The value of ATT&CK-mapped red team reports cannot be overstated. For the first time, we can have a data-driven conversation with CISOs about exactly where their detection capabilities have gaps.” — Dmitri Alperovitch, Co-Founder and Chairman of Silverado Policy Accelerator, speaking at RSA Conference 2025.

For organisations looking to implement professional red team engagements mapped to the MITRE ATT&CK framework, RedTeamPartner.com provides experienced operators who specialize in framework-aligned adversary emulation across European enterprises.

What Is the ATT&CK Navigator and How Do Red Teams Use It?

The ATT&CK Navigator is an open-source web application maintained by MITRE that provides an interactive interface for visualizing, annotating, and sharing ATT&CK matrices. It is one of the most practical tools in a red teamer’s arsenal, serving as both a planning canvas and a reporting instrument.

Key Features of ATT&CK Navigator

Layer Creation and Annotation: Navigator allows users to create “layers” — custom views of the ATT&CK matrix where techniques can be color-coded, scored, commented, and filtered. Red teamers typically create multiple layers for a single engagement:

  • Threat Profile Layer: Techniques associated with the emulated adversary, colored by frequency of use
  • Execution Layer: Techniques actually attempted during the engagement, color-coded by success (green), detection (yellow), or failure (red)
  • Coverage Gap Layer: A differential view showing techniques that succeeded without detection, highlighting defensive blind spots

Layer Comparison: Navigator supports overlaying multiple layers, making it possible to compare the techniques of different adversary groups, compare planned versus executed techniques, or visualize improvement over multiple assessment cycles.

Export and Integration: Layers can be exported as JSON files for integration with other tools, as SVG images for reports, or shared via URL for collaborative analysis. The 2025 Navigator update (v5.0) added support for STIX 2.1 bundles, enabling direct import from threat intelligence platforms.

Practical Navigator Workflow for Red Teams

A standard red team workflow using Navigator follows these steps:

  1. Import Threat Intelligence: Load technique data from threat intelligence reports or STIX feeds to create the adversary profile layer
  2. Plan Engagement: Select techniques from the profile to include in the engagement scope, creating the engagement plan layer
  3. Track Execution: During the engagement, update the execution layer with results for each technique attempted
  4. Generate Coverage Map: After the engagement, overlay the execution layer with the organization’s detection layer to identify gaps
  5. Report and Recommend: Export the final layers for inclusion in the engagement report, with specific remediation recommendations for each gap

According to MITRE’s GitHub repository analytics, ATT&CK Navigator has been downloaded over 2.3 million times since its release, with a 38% increase in usage between 2024 and 2025, underscoring its central role in modern red team operations.

Which ATT&CK Techniques Are Most Commonly Used by Red Teams?

While the full ATT&CK matrix contains 216 techniques, certain techniques appear consistently across red team engagements due to their reliability, broad applicability, and reflection of real-world adversary behavior. Understanding these high-frequency techniques is essential for both red teamers and defenders.

Top 10 Techniques in Red Team Engagements

Based on data aggregated from multiple sources including the 2025 SANS Red Team Survey, Mandiant’s M-Trends 2025, and CrowdStrike’s 2025 Global Threat Report, the following techniques are most frequently employed:

Rank | Technique ID | Technique Name | Usage Rate | Tactic
1 | T1059.001 | PowerShell | 89% | Execution
2 | T1566.001 | Spearphishing Attachment | 82% | Initial Access
3 | T1003.001 | LSASS Memory Dump | 78% | Credential Access
4 | T1021.002 | SMB/Windows Admin Shares | 74% | Lateral Movement
5 | T1053.005 | Scheduled Task | 71% | Persistence
6 | T1027 | Obfuscated Files or Information | 69% | Defense Evasion
7 | T1068 | Exploitation for Privilege Escalation | 66% | Privilege Escalation
8 | T1071.001 | Web Protocols (C2) | 64% | Command and Control
9 | T1087.002 | Domain Account Discovery | 62% | Discovery
10 | T1567.002 | Exfiltration to Cloud Storage | 58% | Exfiltration

Technique Selection Considerations

Red teamers select techniques based on several factors:

Target Environment: Windows-dominated environments call for different techniques than Linux or cloud-native infrastructures. A red team targeting an Azure-heavy organization might prioritize T1078.004 (Cloud Accounts) over T1078.002 (Domain Accounts).

Detection Maturity: Against organisations with mature detection capabilities, red teamers may opt for less common techniques that are less likely to trigger alerts. Living-off-the-land techniques (using built-in system tools rather than custom malware) are particularly effective against signature-based detection.

Engagement Objectives: A red team engagement focused on testing data exfiltration controls will emphasize Collection and Exfiltration techniques, while one focused on ransomware resilience will prioritize Impact techniques like T1486 (Data Encrypted for Impact).

Adversary Emulation Fidelity: When emulating a specific threat group, technique selection is constrained by that group’s known TTPs. For instance, emulating APT29 (Cozy Bear) would include T1218.011 (Rundll32) and T1574.002 (DLL Side-Loading), as these are documented APT29 techniques.

How Do You Map a Red Team Engagement to ATT&CK?

Mapping a red team engagement to ATT&CK requires a systematic approach that begins before the first command is executed and continues through the final report. This process ensures that every action is documented, measurable, and communicable.

Step 1: Define the Threat Scenario

Begin by selecting the adversary groups or threat scenarios relevant to the target organization. Use ATT&CK’s Groups page to identify techniques associated with each group. For a Swiss technology company, relevant groups might include APT41, Lazarus Group, and FIN12.

Create a composite threat profile that combines the techniques most relevant to the organization’s risk profile. Not every technique used by a group needs to be included — focus on those that align with the engagement’s objectives.

Step 2: Build the Engagement Plan

Translate the threat profile into an operational plan. For each technique in scope, document:

  • The specific sub-technique to be used
  • The tool or method for executing the technique
  • The expected indicators of compromise (IOCs) the technique will generate
  • The detection opportunities the technique should trigger
  • Success criteria for the technique

Step 3: Execute and Log

During execution, maintain a real-time log that maps each action to its ATT&CK technique ID. Use timestamps, screenshots, and command outputs to create an evidence trail. Many red teams use structured logging templates:

Timestamp: 2026-01-15 14:32:00 UTC
Technique: T1566.001 (Spearphishing Attachment)
Action: Sent phishing email with macro-enabled document to target user
Result: User opened attachment, macro executed
Detection: No alert generated by email gateway or endpoint
Evidence: [screenshot_001.png, email_log.txt]

Step 4: Analyze Coverage

After the engagement, create an ATT&CK Navigator layer showing:

  • Green: Techniques that were detected and/or blocked
  • Red: Techniques that succeeded without detection
  • Yellow: Techniques that generated alerts but were not investigated
  • Gray: Techniques not tested in this engagement

This visual representation provides an immediate understanding of defensive coverage and gaps.
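As an added example (not code from the article or from MITRE), the following Python reads log entries written in the Step 3 template above, resolves each to its technique ID, and emits the Step 4 Navigator layer with one colour per technique. The colour values, the keyword rules used to read the free-text Detection field, the IN_SCOPE set, the sample log and the layer version strings are all assumptions of this example.

```python
"""Parse Step 3 log entries and build the Step 4 Navigator execution layer,
plus the list of undetected techniques that feeds the Coverage Gap layer."""
import re

GREEN, RED, YELLOW, GRAY = "#8ec843", "#ff6666", "#ffe766", "#bfbfbf"  # example's choice
RANK_COLOR = {0: GREEN, 1: YELLOW, 2: RED}
TECH_RE = re.compile(r"\b(T\d{4}(?:\.\d{3})?)\b")
# Techniques in the engagement plan (constructed); untested ones are greyed out
IN_SCOPE = {"T1566.001", "T1059.001", "T1003.001", "T1053.005"}

# Constructed log entries in the template shown above (not from a real engagement)
SAMPLE_LOG = """\
Timestamp: 2026-01-15 14:32:00 UTC
Technique: T1566.001 (Spearphishing Attachment)
Action: Sent phishing email with macro-enabled document to target user
Result: User opened attachment, macro executed
Detection: No alert generated by email gateway or endpoint
Evidence: [screenshot_001.png, email_log.txt]

Timestamp: 2026-01-15 14:40:12 UTC
Technique: T1059.001 (PowerShell)
Action: Macro launched PowerShell stager
Result: Stager executed
Detection: Alert generated by endpoint agent, not triaged by SOC
Evidence: [screenshot_002.png]

Timestamp: 2026-01-15 15:02:51 UTC
Technique: T1059.001 (PowerShell)
Action: PowerShell execution repeated on a second host
Result: Executed
Detection: Alert generated and investigated by SOC
Evidence: [soc_ticket_4471.txt]

Timestamp: 2026-01-15 15:20:00 UTC
Technique: T1003.001 (LSASS Memory)
Action: Attempted credential dump from LSASS
Result: Blocked by endpoint agent
Detection: Alert generated, process terminated
Evidence: [edr_event_9912.json]
"""

def parse_log(text):
    """Split blank-line separated 'Key: value' entries into dicts (keys lowercased)."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        kv = (line.partition(":") for line in chunk.splitlines())
        fields = {k.strip().lower(): v.strip() for k, _, v in kv}
        if "technique" in fields:
            entries.append(fields)
    return entries

def classify(entry):
    """Step 4 category from the free-text Detection field; the keyword
    vocabulary is this example's convention. Higher value = worse outcome."""
    det = entry.get("detection", "").lower()
    if "no alert" in det or "undetected" in det:
        return 2  # red: succeeded without detection
    if "not triaged" in det or "not investigated" in det:
        return 1  # yellow: alert generated but not investigated
    return 0      # green: detected and/or blocked

def execution_layer(entries, in_scope, name="Execution layer"):
    """One entry per technique; a technique attempted more than once keeps its worst outcome."""
    worst = {}
    for e in entries:
        m = TECH_RE.search(e["technique"])
        if not m:
            raise ValueError(f"no ATT&CK ID in {e['technique']!r}")
        worst[m.group(1)] = max(worst.get(m.group(1), 0), classify(e))
    techs = [{"techniqueID": t, "color": RANK_COLOR[r]} for t, r in sorted(worst.items())]
    techs += [{"techniqueID": t, "color": GRAY, "comment": "not tested"}
              for t in sorted(in_scope - set(worst))]
    # Envelope fields follow the Navigator layer format; version strings are assumed
    return {"name": name, "domain": "enterprise-attack", "techniques": techs,
            "versions": {"attack": "18", "navigator": "5.0.0", "layer": "4.5"}}

def coverage_gaps(layer):
    """Input for the Coverage Gap layer: techniques that succeeded undetected."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t["color"] == RED)
```

Serialising the returned dict with json.dumps gives a file that Navigator's layer import accepts; the worst-outcome rule means one missed attempt is not hidden by a later caught one.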

Step 5: Report with Context

The final report should present findings organized by ATT&CK tactic, with each technique discussed in terms of:

  • What was attempted
  • Whether it succeeded
  • Whether it was detected
  • What the defensive gap means in terms of real-world risk
  • Specific remediation recommendations

For organisations in Switzerland seeking to align their cybersecurity assessments with recognized frameworks, CybersecuritySwitzerland.ch provides detailed resources on framework adoption and regulatory compliance in the Swiss cybersecurity landscape.

How Does ATT&CK Compare to Other Red Team Frameworks?

While ATT&CK is the most widely adopted framework, red teamers often use it in conjunction with other frameworks. Understanding the relationships and differences between these frameworks helps teams select the right combination for their needs.

ATT&CK vs. Cyber Kill Chain

The Lockheed Martin Cyber Kill Chain describes 7 sequential phases of an attack at a high level. ATT&CK provides a far more granular and non-linear view. The Kill Chain is useful for understanding attack flow, while ATT&CK excels at detailed technique-level analysis. Many organisations use both: the Kill Chain for strategic communication and ATT&CK for operational detail.

ATT&CK vs. NIST Cybersecurity Framework

The NIST CSF is a defensive framework organized around five functions (Identify, Protect, Detect, Respond, Recover). ATT&CK complements NIST by providing the offensive perspective — the specific techniques that defensive controls should address. Mapping ATT&CK techniques to NIST controls creates a full view of both threat and defense.

ATT&CK vs. D3FEND

D3FEND, also developed by MITRE, is the defensive counterpart to ATT&CK. While ATT&CK catalogs offensive techniques, D3FEND maps defensive countermeasures. Red teamers use both frameworks together: ATT&CK to plan the attack and D3FEND to understand what defenses they should expect to encounter.

ATT&CK vs. PTES and OWASP

The Penetration Testing Execution Standard (PTES) and OWASP Testing Guide are methodology frameworks that describe how to conduct assessments. ATT&CK is a knowledge base that describes what adversaries do. They serve different but complementary purposes: PTES guides the process, ATT&CK informs the content.

Framework | Focus | Granularity | Primary Users | Relationship to ATT&CK
Cyber Kill Chain | Attack phases | High-level (7 phases) | Strategic analysts | ATT&CK provides technique detail within each phase
NIST CSF | Defensive posture | Medium (5 functions, 23 categories) | Risk managers | ATT&CK maps threat techniques to NIST controls
D3FEND | Defensive techniques | High (hundreds of countermeasures) | SOC engineers | Direct countermeasure mapping to ATT&CK techniques
PTES | Testing methodology | Medium (7 phases) | Penetration testers | ATT&CK informs technique selection within PTES phases
OWASP | Web application security | High (web-specific) | Application testers | ATT&CK covers broader scope including web techniques

What Are the Best Practices for Implementing ATT&CK in Red Team Programs?

Implementing ATT&CK effectively requires more than simply tagging techniques in a report. Organizations that derive the most value from the framework follow structured implementation practices.

Start with a Baseline Assessment

Before running ATT&CK-mapped engagements, establish a baseline of current detection capabilities. Use the ATT&CK Navigator to map which techniques your security stack theoretically covers. This creates the starting point against which improvement will be measured.

Prioritize by Threat Relevance

Not all 216 techniques are equally relevant to every organisation. Use threat intelligence to identify which techniques are most likely to be used against your specific industry, geography, and technology stack. The 2025 SANS survey found that organisations focusing on threat-relevant technique subsets achieved 3.2x better detection improvement rates than those attempting to cover the entire matrix.

Iterate and Expand Coverage

Plan a multi-year roadmap for ATT&CK coverage. Start with the most common and impactful techniques, then progressively expand to less common but potentially devastating ones. Each engagement should test some previously tested techniques (to verify continued detection) and introduce new ones (to expand coverage).

Integrate with Detection Engineering

The greatest value of ATT&CK-mapped red team results comes when they feed directly into detection engineering workflows. When a red team identifies a gap in T1053.005 (Scheduled Task) detection, the SOC should create or tune a detection rule for that specific technique, test it, and verify it in the next engagement.

Use Community Resources

The ATT&CK community produces extensive resources including:

  • ATT&CK Evaluations: MITRE’s annual evaluation of security products against ATT&CK techniques, providing objective data on vendor detection capabilities
  • CTID (Center for Threat-Informed Defense): A collaborative research center that produces ATT&CK-aligned tools and methodologies
  • Atomic Red Team: An open-source library of simple tests mapped to ATT&CK techniques, useful for validating detection capabilities between full red team engagements

Measure and Report Metrics

Track ATT&CK-based metrics over time:

  • Detection Coverage Rate: Percentage of tested techniques that triggered alerts
  • Mean Time to Detect (MTTD) by Technique: How quickly each technique was detected
  • Coverage Breadth: Number of unique techniques tested across all engagements
  • Improvement Velocity: Rate of new detections added per quarter
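One way to compute the four metrics above across several engagements, added here as an example rather than taken from any tool the article names. The record layout, the sample results and the definition of a "new detection" (the quarter of the first attempt that raised an alert) are this example's assumptions; it also goes one step beyond the list by flagging techniques whose detection regressed between engagements, the check that Iterate and Expand Coverage asks each engagement to make.

```python
"""Programme-level ATT&CK metrics from engagement results. Records are
constructed for this example and the field names are this example's own."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# One record per technique attempt; alerted=None means no alert was raised
RESULTS = [
    {"engagement": "RT-2025Q1", "technique": "T1566.001", "attempted": "2025-02-10T09:00:00", "alerted": None},
    {"engagement": "RT-2025Q1", "technique": "T1059.001", "attempted": "2025-02-10T09:20:00", "alerted": "2025-02-10T09:23:00"},
    {"engagement": "RT-2025Q1", "technique": "T1003.001", "attempted": "2025-02-10T10:00:00", "alerted": None},
    {"engagement": "RT-2025Q1", "technique": "T1021.002", "attempted": "2025-02-10T10:30:00", "alerted": "2025-02-10T10:35:00"},
    {"engagement": "RT-2025Q3", "technique": "T1566.001", "attempted": "2025-08-05T13:00:00", "alerted": "2025-08-05T13:45:00"},
    {"engagement": "RT-2025Q3", "technique": "T1059.001", "attempted": "2025-08-05T13:30:00", "alerted": "2025-08-05T13:31:00"},
    {"engagement": "RT-2025Q3", "technique": "T1003.001", "attempted": "2025-08-05T14:00:00", "alerted": None},
    {"engagement": "RT-2025Q3", "technique": "T1021.002", "attempted": "2025-08-05T14:15:00", "alerted": None},
    {"engagement": "RT-2025Q3", "technique": "T1053.005", "attempted": "2025-08-05T14:30:00", "alerted": None},
]

def _ts(s):
    return datetime.fromisoformat(s)

def detection_coverage_rate(results, engagement):
    """Percentage of techniques tested in one engagement that raised an alert."""
    rows = [r for r in results if r["engagement"] == engagement]
    tested = {r["technique"] for r in rows}
    alerted = {r["technique"] for r in rows if r["alerted"]}
    return round(100 * len(alerted) / len(tested)) if tested else 0

def mttd_by_technique(results):
    """Mean seconds from attempt to alert, per technique, over alerted attempts only."""
    deltas = defaultdict(list)
    for r in results:
        if r["alerted"]:
            deltas[r["technique"]].append((_ts(r["alerted"]) - _ts(r["attempted"])).total_seconds())
    return {t: mean(v) for t, v in deltas.items()}

def coverage_breadth(results):
    """Unique techniques tested across all engagements."""
    return len({r["technique"] for r in results})

def quarter(ts):
    d = _ts(ts)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def improvement_velocity(results):
    """New detections per quarter: each technique counts once, in the quarter of
    the first attempt that raised an alert (this example's definition)."""
    first = {}
    for r in sorted(results, key=lambda r: r["attempted"]):
        if r["alerted"] and r["technique"] not in first:
            first[r["technique"]] = quarter(r["attempted"])
    counts = defaultdict(int)
    for q in first.values():
        counts[q] += 1
    return dict(counts)

def regressions(results):
    """Techniques alerted on in an earlier attempt but missed in a later one."""
    by_tech = defaultdict(list)
    for r in sorted(results, key=lambda r: r["attempted"]):
        by_tech[r["technique"]].append(bool(r["alerted"]))
    return sorted(t for t, seq in by_tech.items()
                  if True in seq and False in seq[seq.index(True):])
```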

According to Mandiant’s 2025 research, organisations tracking ATT&CK-based metrics reduced their average breach dwell time by 62% over a two-year period, demonstrating the tangible security value of systematic framework adoption.

What Are Common Mistakes When Using ATT&CK for Red Teaming?

Despite its widespread adoption, many teams make mistakes that reduce the framework’s effectiveness. Understanding these pitfalls helps red teamers avoid common traps.

Checkbox Mentality

Some teams treat ATT&CK as a checklist, attempting to “cover” as many techniques as possible in a single engagement without regard for realism or depth. A high-quality engagement that thoroughly tests 15 techniques with realistic chaining is more valuable than a superficial engagement that touches 50 techniques in isolation.

Ignoring Context and Chaining

Individual techniques rarely succeed in isolation. Real adversaries chain multiple techniques together in specific sequences. A red team should test technique chains — for example, T1566.001 (Spearphishing Attachment) leading to T1059.001 (PowerShell execution) leading to T1003.001 (LSASS dump) — rather than testing each technique independently.

Over-Reliance on the Matrix

ATT&CK is broad but not exhaustive. Novel techniques, zero-day exploits, and emerging attack vectors may not yet be cataloged. Red teams should not limit themselves exclusively to documented ATT&CK techniques. The framework should guide, not constrain, the engagement.

Poor Sub-Technique Mapping

Many teams map actions to parent techniques when sub-techniques provide more useful granularity. Reporting “T1059 (Command and Scripting Interpreter)” is far less actionable than reporting “T1059.001 (PowerShell)” because the defensive recommendations differ significantly.

Neglecting the Full Lifecycle

Teams often focus heavily on Initial Access and Execution while underinvesting in later tactics like Collection, Exfiltration, and Impact. According to CrowdStrike’s 2025 data, 43% of red team engagements fail to adequately test exfiltration detection, despite exfiltration being the phase where real-world damage occurs.

How Is ATT&CK Evolving and What Should Red Teamers Expect?

MITRE ATT&CK continues to evolve to reflect the changing threat landscape. Red teamers should stay current with these developments to maintain the relevance of their engagements.

Cloud and Container Coverage Expansion

As organisations migrate to cloud and containerized environments, ATT&CK has significantly expanded its coverage of cloud-native techniques. The v16 update added 18 new sub-techniques specific to AWS, Azure, GCP, and Kubernetes environments. Red teams operating in cloud-heavy environments should pay particular attention to these additions.

AI and Machine Learning Threats

The 2025-2026 ATT&CK roadmap includes planned additions for AI/ML-specific attack techniques, including model poisoning, prompt injection, and adversarial machine learning. As organisations deploy AI systems, red teams will need to incorporate these techniques into their assessments.

Integration with Defensive Frameworks

MITRE is increasingly linking ATT&CK with D3FEND and other defensive resources to create bidirectional mappings between attacks and defenses. This integration will make it easier for red teams to recommend specific countermeasures for each identified gap.

Automation and Continuous Testing

The trend toward continuous security validation — automated platforms that run ATT&CK-mapped tests on a regular basis — is complementing traditional periodic red team engagements. Tools like AttackIQ, SafeBreach, and Picus Security provide automated ATT&CK-based testing between manual engagements.

For organisations seeking to build or enhance their red team capabilities with ATT&CK integration, AlpineExcellence.ch offers strategic consulting on implementing framework-aligned security testing programs in Swiss and European enterprise environments.

Frequently Asked Questions About MITRE ATT&CK for Red Teams

Is ATT&CK only for red teams?

No. ATT&CK is used across the cybersecurity spectrum, including threat intelligence, SOC operations, detection engineering, risk assessment, and executive reporting. Its value lies in providing a common language that bridges these different functions.

How often is ATT&CK updated?

MITRE typically releases two major updates per year, with minor corrections and additions in between. Each update may add new techniques, modify existing ones, or deprecate outdated entries. Red teams should review each update for new techniques relevant to their operations.

Can ATT&CK be used for compliance reporting?

While ATT&CK is not a compliance framework itself, many regulatory standards (including NIST 800-53, ISO 27001, and the Swiss FINMA requirements) can be mapped to ATT&CK techniques. This mapping demonstrates that defensive controls address specific, documented adversary behaviors.

What is the difference between ATT&CK and Atomic Red Team?

ATT&CK is the knowledge base that catalogs techniques. Atomic Red Team is an open-source project that provides simple, executable tests for individual ATT&CK techniques. Red teams use Atomic Red Team tests for quick validation, while full engagements involve more sophisticated, chained technique execution.

How do I get started with ATT&CK as a new red teamer?

Start by studying the matrix and understanding the 14 tactics. Then focus on the most common techniques within your target environment type (Windows, Linux, cloud). Practice using ATT&CK Navigator to create and manipulate layers. Finally, participate in ATT&CK-based exercises through platforms like MITRE Engenuity’s evaluations or open-source adversary emulation plans.

Sources

  1. MITRE ATT&CK — confirms 14 tactics, 216 techniques, and 475 sub-techniques (v18, October 2025)
  2. MITRE ATT&CK Groups — confirms 143+ catalogued threat groups