
MITRE ATT&CK

MITRE ATT&CK is a free, globally used knowledge base of real-world adversary tactics and techniques, organized into 14 tactics that map the stages of a cyberattack from reconnaissance to impact. Defenders use it as a common language to describe, detect, and respond to how attackers actually operate.

Author: Unihackers Team
Reading time: 3 min read

MITRE ATT&CK is the closest thing cybersecurity has to a shared dictionary of attacker behavior. Instead of describing threats in vague terms, it catalogs the concrete tactics and techniques that real adversaries have used in real intrusions, then gives each one a stable ID. That structure lets a threat analyst in Madrid, a SOC engineer in Berlin, and an incident responder in Milan all describe the same attack the same way. You can browse the full matrix on the MITRE ATT&CK home.

The 14 Tactics

ATT&CK is organized around 14 tactics, which represent the stages of an intrusion in the order an attacker tends to move through them. They run from reconnaissance and resource development, through initial access, execution, persistence, privilege escalation, and defense evasion, into credential access, discovery, lateral movement, collection, command and control, exfiltration, and finally impact.

A tactic answers why an attacker does something. Inside each tactic sit many techniques that answer how. Persistence might be achieved with a web shell (T1505.003); defense evasion might use process injection (T1055) or obfuscated files (T1027); credential access often involves OS credential dumping (T1003). These IDs are the same everywhere, which is what makes the framework so durable.

A Shared Language for SOC and Threat Intel Work

The real power of ATT&CK is coordination. A threat hunting team forms a hypothesis ("an attacker would dump credentials, then move laterally over SMB"), maps it to T1003 and lateral movement techniques, and goes looking. SOC analysts tag detection rules with technique IDs to expose blind spots. Threat intel reports profile adversary groups by the techniques they prefer. Because everyone points at the same IDs, scattered alerts assemble into one readable story.
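As an added example (not from the original page, and not MITRE's own tooling), the following Python check exercises the tagging practice described above: given detection rules carrying Sigma-style ATT&CK tags, it reports which of the 14 tactics have no rule at all and which tags point at IDs the map does not know. The technique-to-tactic map and the rule set are constructed for the demo and cover only the technique IDs named on this page.

```python
import re

# The 14 ATT&CK tactics in matrix order, as listed in the text above.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
# Constructed subset of the technique -> tactic mapping, limited to the IDs
# named on this page. A technique can sit under more than one tactic.
TECHNIQUE_TACTICS = {
    "T1505.003": {"Persistence"},                          # Web Shell
    "T1055": {"Defense Evasion", "Privilege Escalation"},  # Process Injection
    "T1027": {"Defense Evasion"},                          # Obfuscated Files
    "T1003": {"Credential Access"},                        # OS Credential Dumping
}

def technique_ids(tags):
    """Extract technique IDs from Sigma-style tags (attack.t1003 -> T1003).
    Tactic tags such as attack.credential_access are ignored."""
    ids = set()
    for tag in tags:
        m = re.fullmatch(r"attack\.(t\d{4}(?:\.\d{3})?)", tag.strip(), re.I)
        if m:
            ids.add(m.group(1).upper())
    return ids

def tactic_coverage(rules, technique_map=TECHNIQUE_TACTICS):
    """Map each tactic to the set of rule titles whose techniques fall under it."""
    coverage = {tactic: set() for tactic in TACTICS}
    for rule in rules:
        for tid in technique_ids(rule["tags"]):
            for tactic in technique_map.get(tid, ()):
                coverage[tactic].add(rule["title"])
    return coverage

def uncovered_tactics(rules, technique_map=TECHNIQUE_TACTICS):
    """Tactics with no rule at all: the blind spots the text describes."""
    coverage = tactic_coverage(rules, technique_map)
    return [t for t in TACTICS if not coverage[t]]

def unknown_technique_tags(rules, technique_map=TECHNIQUE_TACTICS):
    """Tagged IDs the map does not know (typos or retired IDs break coverage math)."""
    return {tid for r in rules for tid in technique_ids(r["tags"]) if tid not in technique_map}

# Constructed sample rule set (titles only, no real detection logic).
SAMPLE_RULES = [
    {"title": "LSASS memory access", "tags": ["attack.credential_access", "attack.t1003"]},
    {"title": "Remote thread into foreign process", "tags": ["attack.t1055"]},
    {"title": "Mistagged rule", "tags": ["attack.t9999"]},
]
```

Running `uncovered_tactics(SAMPLE_RULES)` on the constructed rules lists 11 tactics, Persistence and Lateral Movement among them, while `unknown_technique_tags` flags the T9999 tag.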

ATT&CK in the AI Era

ATT&CK is now being used to describe AI-enabled attacks, not just human ones. When Anthropic disrupted an espionage operation that abused Claude Code, its team mapped 13,873 distinct AI-driven actions onto the ATT&CK matrix to show exactly where the agent operated, from reconnaissance to credential access to exfiltration. We break down that case and what it means for defenders in how hackers use AI. The lesson is that the framework scales: whether the operator is a person or an autonomous agent, the tactics stay the same, and so does the value of a common language for naming them.

In the Bootcamp

How We Teach MITRE ATT&CK

In our Cybersecurity Bootcamp, you won't just learn about MITRE ATT&CK in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 8: Advanced Security Operations

Related topics you'll master: Incident Response, DFIR, Threat Hunting, Volatility

360+ hours of expert-led training • CompTIA Security+ included