MITRE ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge

Open knowledge base that maps the tactics, techniques and procedures (TTPs) used by adversaries observed in the wild. The global reference framework to structure detection engineering, threat hunting and security control evaluation.

What MITRE ATT&CK is

MITRE ATT&CK is a knowledge base maintained by MITRE Corporation since 2013 that systematically describes how attackers operate in the real world. The framework distinguishes:

  • Tactics — the intermediate goals of an attacker (reconnaissance, initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, exfiltration, impact).
  • Techniques — the means used to achieve a tactic (for example “Phishing — Spearphishing Link” for initial access).
  • Procedures — the concrete implementations observed for specific threat groups.

Why it matters

A competent attacker does not stick to one tool — they follow a strategy. Cataloguing their behaviour into TTPs lets you:

  • Build behavioural detection rules rather than signature-based ones.
  • Evaluate defensive coverage (which techniques can we detect, and which can we not?).
  • Communicate across teams (SOC, IR, threat intelligence) with a shared vocabulary.
  • Compare security solutions on a shared reference (see MITRE ATT&CK evaluations against EDR products).

ATT&CK at Hexceos

Our Hexceos Sentinel XDR maps its detections to MITRE ATT&CK in real time. Our SOC uses the framework to structure threat hunting and to make incident reports legible at executive committee (CODIR) level.

Related terms

EDR XDR SOC

Last updated: 19 May 2026