MITRE ATT&CK

Updated May 23, 2026

A public knowledge base, maintained by MITRE, that catalogs the tactics and techniques cyber adversaries use, organized into matrices for enterprise, mobile, and ICS environments.

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated knowledge base maintained by the MITRE Corporation, a U.S. federally funded research and development center. First released publicly in 2015, it documents how real-world threat actors behave during cyber intrusions, organized as a matrix of tactics (the adversary's goal at a stage of an attack) and techniques (the methods used to achieve that goal).

The framework is structured into several matrices, the most prominent being Enterprise (covering Windows, macOS, Linux, cloud, containers, and network infrastructure), Mobile (Android and iOS), and ICS (industrial control systems, released in 2020). Each technique entry includes a unique identifier (e.g., T1566 for Phishing), a description, detection guidance, mitigations, and references to documented use by specific adversary groups such as APT28, Lazarus Group, or FIN7.

ATT&CK has become a de facto common language for cyber threat intelligence, red teaming, and security operations. Defenders use it to map detection coverage gaps, threat hunters use it to structure hypotheses, and intelligence analysts use it to compare adversary tradecraft over time. Vendors increasingly tag detections and reports with ATT&CK technique IDs, enabling interoperability across tools.
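One way to put technique IDs to work as described above (validating the IDs that detections are tagged with, rolling sub-technique tags such as T1566.002 up to their parent technique, and listing which tactics a rule set leaves uncovered) is the small Python script below. It is an added example, not code from the page, from MITRE, or from any vendor product. The four matrix entries it carries are real ATT&CK techniques and tactics but only a tiny constructed slice of the Enterprise matrix, and the detection rules are constructed for illustration.

```python
import re
from collections import defaultdict

# An ATT&CK technique ID is "T" plus four digits, optionally followed by a
# three-digit sub-technique suffix (T1566 or T1566.002).
TECHNIQUE_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_technique_id(raw):
    """Validate an ATT&CK technique ID and return (parent_id, full_id).

    'T1566.002' -> ('T1566', 'T1566.002'); 't1078' -> ('T1078', 'T1078').
    Anything that does not match the ID format raises ValueError.
    """
    m = TECHNIQUE_ID.match(raw.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {raw!r}")
    parent = f"T{m.group(1)}"
    full = f"{parent}.{m.group(2)}" if m.group(2) else parent
    return parent, full


# Constructed slice of the Enterprise matrix: technique -> name and the
# tactics it belongs to. These are real ATT&CK entries, but the real matrix
# has hundreds of techniques; this is illustration only.
MINI_MATRIX = {
    "T1566": {"name": "Phishing", "tactics": ["Initial Access"]},
    "T1078": {"name": "Valid Accounts",
              "tactics": ["Initial Access", "Persistence",
                          "Privilege Escalation", "Defense Evasion"]},
    "T1059": {"name": "Command and Scripting Interpreter",
              "tactics": ["Execution"]},
    "T1003": {"name": "OS Credential Dumping",
              "tactics": ["Credential Access"]},
}

# Constructed detection rules tagged with ATT&CK IDs, the way vendor content
# and SIEM rule packs tag their detections. One tag is deliberately malformed.
DETECTION_RULES = [
    {"name": "Suspicious link in inbound mail", "attack": ["T1566.002"]},
    {"name": "Encoded PowerShell command line", "attack": ["T1059.001"]},
    {"name": "Logon from never-seen location", "attack": ["T1078"]},
    {"name": "Rule with a malformed tag", "attack": ["t1566-002"]},
]


def coverage_report(matrix, rules):
    """Return {tactic: {"covered": [ids], "gaps": [ids]}} for a rule set.

    A sub-technique tag counts as coverage of its parent technique; malformed
    tags are skipped rather than guessed at, so they show up as gaps.
    """
    covered_parents = set()
    for rule in rules:
        for tag in rule["attack"]:
            try:
                parent, _ = parse_technique_id(tag)
            except ValueError:
                continue
            if parent in matrix:
                covered_parents.add(parent)

    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for tid, entry in sorted(matrix.items()):
        for tactic in entry["tactics"]:
            bucket = "covered" if tid in covered_parents else "gaps"
            report[tactic][bucket].append(tid)
    return dict(report)


if __name__ == "__main__":
    for tactic, buckets in sorted(coverage_report(MINI_MATRIX, DETECTION_RULES).items()):
        print(f"{tactic:22} covered={buckets['covered']} gaps={buckets['gaps']}")
```

Run against the constructed rules, the report shows Credential Access with no coverage at all (T1003 has no rule), while Initial Access, Execution, Persistence, Privilege Escalation and Defense Evasion are each covered by at least one rule. Because ATT&CK says nothing about how often a technique is used, a gap list like this is a starting point for prioritisation, not a ranking; the limitations paragraph on this page applies to any coverage metric derived from it.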

For policy researchers and IR students, ATT&CK is relevant in several ways. It underpins national cybersecurity guidance, including advisories jointly issued by CISA, the FBI, NSA, and partner agencies in the Five Eyes, which routinely reference technique IDs when attributing activity to state-linked actors. It also informs sector-specific defense planning under frameworks like the NIST Cybersecurity Framework and is referenced in EU ENISA threat landscape reports.

Limitations are worth noting: ATT&CK describes post-compromise behavior more thoroughly than initial reconnaissance, it depends on publicly reported incidents (creating visibility bias toward Western-reported intrusions), and inclusion of a technique does not imply equal prevalence. MITRE updates the matrices roughly twice yearly and publishes them openly under a permissive license.

Example

In its February 2022 joint advisory on Russian state-sponsored activity targeting U.S. defense contractors, CISA mapped observed tradecraft to specific MITRE ATT&CK techniques including Spearphishing Link (T1566.002) and Valid Accounts (T1078).

Frequently asked questions

Yes. MITRE publishes the framework openly under a permissive license, allowing commercial and non-commercial use, including in vendor products and government guidance.