
The MITRE ATT&CK Framework: A Penetration Tester's Guide

How red teams and pentesters use MITRE ATT&CK to plan engagements, map techniques to tactics, and produce findings defenders can act on.

Author: CyberGuards Security Research Team
13 min read

What ATT&CK actually is

MITRE ATT&CK is a public knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world intrusions. The framework is maintained by MITRE Corporation, updated quarterly, and structured as a matrix where columns are tactics (the adversary's reason — initial access, privilege escalation, defense evasion) and cells are techniques (the specific methods used to accomplish each tactic).

For a red team or pentester, ATT&CK is most useful as a structured vocabulary. It lets the engagement plan, log, and report against a shared model that the defending team also uses for detection engineering. That alignment is what makes findings actionable rather than informational.

The structure in three layers

Tactics (the why)

The Enterprise matrix has fourteen tactics as of recent versions: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Each represents a phase of intent in an intrusion.

Techniques (the how)

The matrix contains hundreds of techniques, each describing a specific method. Many techniques have sub-techniques that drill into variants (T1078 Valid Accounts has sub-techniques for default accounts, domain accounts, local accounts, cloud accounts).

Procedures (the specific instance)

Procedures are how a particular threat actor uses a technique in a specific intrusion. ATT&CK documents observed procedures in the form of group profiles linked to techniques used.

Using ATT&CK to plan an engagement

Most red team engagements use ATT&CK at the planning stage in three ways:

  • Threat actor selection. Pick the adversaries relevant to the target's industry. The threat-intelligence layer of ATT&CK lists groups documented in public reporting and links them to specific techniques.
  • Baseline TTP set. Pull the techniques associated with selected groups as the baseline planning set. The engagement does not have to use only those techniques, but they form the realistic adversary profile.
  • Objective mapping. For each engagement objective (initial access, foothold, lateral movement to a target system), list the techniques that would plausibly be used to reach it. The list becomes the testing plan.
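The three planning steps above, worked as an added Python example that is not part of the article: it reads a STIX bundle in the shape MITRE publishes ATT&CK in (enterprise-attack.json), takes the union of the selected groups' techniques as the baseline TTP set keyed by tactic, and filters that set per engagement objective. The bundle contents, the group names EXAMPLE GROUP A/B, the placeholder id T0000 and the objective-to-tactic mapping are constructed assumptions; the STIX object types and field names (attack-pattern, intrusion-set, relationship with relationship_type "uses", kill_chain_phases, external_references, revoked, x_mitre_deprecated, x_mitre_is_subtechnique) are the ones MITRE's real bundle uses.

```python
"""Baseline TTP set for an engagement, derived from an ATT&CK STIX bundle.

Added example, not code from the article. SAMPLE_BUNDLE is a constructed
miniature in the shape of MITRE's enterprise-attack.json; group names and the
objective-to-tactic mapping are assumptions. Feed load_attack() the real bundle
text to run this for an engagement.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def _technique(stix_id, ext_id, name, *tactics, **extra) -> dict:
    return {"type": "attack-pattern", "id": stix_id, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            **extra}


def _uses(src, dst) -> dict:
    return {"type": "relationship", "relationship_type": "uses", "source_ref": src, "target_ref": dst}


# Constructed bundle: two placeholder groups, techniques the article names,
# one sub-technique and one revoked entry (revoked objects stay in MITRE's data).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--a", "name": "EXAMPLE GROUP A"},
    {"type": "intrusion-set", "id": "intrusion-set--b", "name": "EXAMPLE GROUP B"},
    _technique("attack-pattern--1078", "T1078", "Valid Accounts",
               "defense-evasion", "persistence", "privilege-escalation", "initial-access"),
    _technique("attack-pattern--1078-002", "T1078.002", "Valid Accounts: Domain Accounts",
               "defense-evasion", "persistence", "privilege-escalation", "initial-access",
               x_mitre_is_subtechnique=True),
    _technique("attack-pattern--1199", "T1199", "Trusted Relationship", "initial-access"),
    _technique("attack-pattern--1556", "T1556", "Modify Authentication Process",
               "credential-access", "defense-evasion", "persistence"),
    _technique("attack-pattern--1567", "T1567", "Exfiltration Over Web Service", "exfiltration"),
    _technique("attack-pattern--old", "T0000", "Placeholder Revoked Technique", "execution", revoked=True),
    _uses("intrusion-set--a", "attack-pattern--1078"),
    _uses("intrusion-set--a", "attack-pattern--1078-002"),
    _uses("intrusion-set--a", "attack-pattern--1199"),
    _uses("intrusion-set--a", "attack-pattern--old"),
    _uses("intrusion-set--b", "attack-pattern--1078"),
    _uses("intrusion-set--b", "attack-pattern--1556"),
    _uses("intrusion-set--b", "attack-pattern--1567"),
]})


def attack_id(obj: dict) -> str:
    """The T/G identifier sits in the external_references entry sourced from mitre-attack."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise KeyError(f"no mitre-attack id on {obj['id']}")


def load_attack(bundle_json: str) -> Tuple[Dict[str, dict], Dict[str, str], Dict[str, Set[str]]]:
    """Index live techniques by STIX id, groups by name, and group -> technique 'uses' edges.
    Revoked and deprecated objects are skipped so stale techniques never enter a plan."""
    objects = json.loads(bundle_json)["objects"]
    live = [o for o in objects if not (o.get("revoked") or o.get("x_mitre_deprecated"))]
    techniques = {
        o["id"]: {"id": attack_id(o), "name": o["name"],
                  "tactics": [p["phase_name"] for p in o.get("kill_chain_phases", [])
                              if p["kill_chain_name"] == "mitre-attack"]}
        for o in live if o["type"] == "attack-pattern"}
    groups = {o["name"]: o["id"] for o in live if o["type"] == "intrusion-set"}
    uses: Dict[str, Set[str]] = defaultdict(set)
    for o in live:
        if (o["type"] == "relationship" and o.get("relationship_type") == "uses"
                and o["target_ref"] in techniques):   # also drops edges to revoked techniques
            uses[o["source_ref"]].add(o["target_ref"])
    return techniques, groups, uses


def baseline_ttps(bundle_json: str, group_names: List[str]) -> Dict[str, List[str]]:
    """Union of the selected groups' techniques, keyed by tactic, technique ids sorted."""
    techniques, groups, uses = load_attack(bundle_json)
    unknown = [g for g in group_names if g not in groups]
    if unknown:
        raise ValueError(f"groups not present in this ATT&CK version: {unknown}")
    by_tactic: Dict[str, Set[str]] = defaultdict(set)
    for name in group_names:
        for stix_id in uses.get(groups[name], set()):
            for tactic in techniques[stix_id]["tactics"]:
                by_tactic[tactic].add(techniques[stix_id]["id"])
    return {t: sorted(ids) for t, ids in sorted(by_tactic.items())}


# Assumed mapping from engagement objectives to the tactics that serve them.
OBJECTIVES = {"initial access": ["initial-access"],
              "foothold": ["persistence", "privilege-escalation"],
              "lateral movement": ["lateral-movement"]}


def objective_plan(bundle_json, group_names, objectives=OBJECTIVES) -> Dict[str, List[str]]:
    """Baseline techniques that plausibly reach each objective; an empty list means the
    selected groups give no coverage there and the planner must look beyond them."""
    baseline = baseline_ttps(bundle_json, group_names)
    return {obj: sorted({tid for t in tactics for tid in baseline.get(t, [])})
            for obj, tactics in objectives.items()}
```

Running `objective_plan(SAMPLE_BUNDLE, ["EXAMPLE GROUP A", "EXAMPLE GROUP B"])` gives three techniques for initial access, three for foothold and nothing for lateral movement, which is the point of the empty list: the baseline set is a realistic starting profile, not a ceiling, and a gap like that is where the plan has to add techniques beyond the selected groups. The revoked placeholder never reaches the plan, and an unknown group name raises rather than silently contributing no techniques.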

Logging during execution

Each attempted technique should be logged with enough detail for post-engagement analysis:

  • Technique ID and version. Cite the ATT&CK version used; techniques get refined across versions.
  • Timestamp. Both the attempt window and any specific event timestamps.
  • Source and target. Where the attempt originated and what it targeted.
  • Outcome. Whether the attempt succeeded, was blocked, was detected, or was merely observed, and in which combination: detection without blocking is its own outcome.
  • Evidence. Raw artifacts that allow the defender to correlate to their telemetry.

Reporting against the framework

The engagement deliverable should include a coverage matrix: every attempted technique on the rows, with columns for what was logged in the defender's telemetry, what alerted, what was investigated, and what was contained. The matrix gives the defending team a prioritized remediation list mapped to the framework they already use.

A useful supplementary deliverable is a detection backlog: for each technique that was attempted but went unnoticed, what data sources, query logic, and detection patterns would have caught it. The detection backlog is often the highest-value output for a defending team trying to mature its program.
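The logging fields above and the two deliverables (coverage matrix and detection backlog), worked as one added Python example that is not part of the article. The Attempt dataclass, the outcome labels, the distinction between "needs telemetry" and "needs detection logic", and everything in sample_attempts() (hosts, times, event ids, evidence strings) are this example's own constructions.

```python
"""Engagement log -> ATT&CK coverage matrix and detection backlog.

Added example, not code from the article. Field names, outcome labels and
sample_attempts() are this example's own constructions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")      # T1078 or T1078.002
MATRIX_COLUMNS = ("logged", "alerted", "investigated", "contained")


@dataclass
class Attempt:
    """One attempted technique, recorded with the fields the article calls for."""
    technique_id: str
    attack_version: str        # ATT&CK version the id was taken from
    start: datetime            # attempt window
    end: datetime
    source: str                # where the attempt originated
    target: str                # what it was aimed at
    succeeded: bool            # the action achieved its effect
    blocked: bool              # a control stopped it
    logged: bool               # present in the defender's telemetry
    alerted: bool              # a detection fired
    investigated: bool         # the SOC worked the alert
    contained: bool            # the defender contained the activity
    evidence: List[str] = field(default_factory=list)  # raw artifacts for correlation

    def __post_init__(self) -> None:
        if not TECHNIQUE_ID.match(self.technique_id):
            raise ValueError(f"malformed technique id: {self.technique_id}")
        if self.end < self.start:
            raise ValueError("attempt window ends before it starts")
        if self.alerted and not self.logged:
            raise ValueError("an alert implies the activity was logged")

    def outcome(self) -> str:
        """Collapse the flags to one label; detection without blocking is its own outcome."""
        effect = "blocked" if self.blocked else "succeeded"
        visibility = "detected" if self.alerted else ("observed" if self.logged else "unseen")
        return f"{effect}/{visibility}"


def coverage_matrix(attempts: List[Attempt]) -> Dict[str, dict]:
    """One row per technique; a column is True if any attempt of it reached that stage."""
    rows: Dict[str, dict] = {}
    for a in attempts:
        row = rows.setdefault(a.technique_id, {**{c: False for c in MATRIX_COLUMNS},
                                               "attempts": 0, "versions": set()})
        row["attempts"] += 1
        row["versions"].add(a.attack_version)
        for c in MATRIX_COLUMNS:
            row[c] = row[c] or getattr(a, c)
    return rows


def detection_backlog(attempts: List[Attempt]) -> List[dict]:
    """Techniques attempted but never alerted on. Telemetry gaps sort first, since no
    query can fire on events that were never collected. data_sources and
    query_logic are left empty for the detection engineer to fill in."""
    backlog = []
    for tid, row in coverage_matrix(attempts).items():
        if row["alerted"]:
            continue
        backlog.append({
            "technique_id": tid,
            "gap": "needs detection logic" if row["logged"] else "needs telemetry",
            "attempts": row["attempts"],
            "evidence": [e for a in attempts if a.technique_id == tid for e in a.evidence],
            "data_sources": [], "query_logic": "",
        })
    backlog.sort(key=lambda b: (b["gap"] != "needs telemetry", b["technique_id"]))
    return backlog


def sample_attempts() -> List[Attempt]:
    """Constructed sample log; hosts, times and evidence strings are invented."""
    def at(hour: int) -> datetime:
        return datetime(2024, 3, 12, hour, 0, tzinfo=timezone.utc)
    return [
        Attempt("T1078.002", "14.1", at(9), at(10), "operator-vpn", "dc01",
                True, False, True, False, False, False,
                ["event 4624 on dc01 09:14Z, account svc-backup, source 10.0.5.12"]),
        Attempt("T1078.002", "14.1", at(11), at(11), "ws-042", "fs01",
                True, False, True, True, True, False,
                ["EDR alert 11:03Z, anomalous interactive logon"]),
        Attempt("T1098", "14.1", at(12), at(12), "ws-042", "dc01",
                True, False, True, False, False, False,
                ["event 4728 on dc01 12:20Z, group membership change"]),
        Attempt("T1567", "14.1", at(13), at(14), "ws-042", "cloud-storage.example",
                True, False, False, False, False, False,
                ["outbound HTTPS 13:02Z to cloud-storage.example; absent from proxy logs"]),
        Attempt("T1556", "14.1", at(15), at(15), "ws-042", "idp.example",
                False, True, True, True, True, True,
                ["IdP audit 15:10Z, MFA policy change rejected"]),
    ]
```

On the constructed log, the matrix row for T1078.002 shows logged, alerted and investigated but not contained (the second attempt fired an alert, the first did not), and the backlog holds T1567 first, because nothing was collected at all, then T1098, where the event existed but no rule fired. That ordering is the prioritization the article describes: a telemetry gap needs a new data source before any query logic is worth writing.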

Techniques that show up repeatedly

From real engagements, the techniques that appear most often (and that most detection programs underweight):

  • T1078 Valid Accounts. Compromised, default, or shared credentials. Detection is hard because legitimate-looking activity is the technique.
  • T1199 Trusted Relationship. Initial access via supply-chain or partner integration trust paths.
  • T1606 Forge Web Credentials. SAML / Kerberos token forgery in identity-rich environments.
  • T1098 Account Manipulation. Adversary-created service accounts or modified permissions for persistence.
  • T1556 Modify Authentication Process. SSO and MFA-related defense evasion.
  • T1567 Exfiltration Over Web Service. Cloud-storage and SaaS-enabled exfiltration that legitimate-looking traffic obscures.

These tend to be where detection programs have the most variability — and therefore where red team engagements produce the most useful findings.

ATT&CK Cloud and SaaS-specific matrices

The Enterprise matrix includes a Cloud sub-matrix covering AWS, Azure, GCP, Office 365, Google Workspace, and SaaS platforms. Cloud-specific techniques (e.g., T1530 Data from Cloud Storage Object) reflect the patterns that show up in cloud-native intrusions and are increasingly important for cloud-heavy organizations.

If your engagement does not produce an ATT&CK-mapped coverage matrix, the deliverable is incomplete. The matrix is what makes red team output actionable for the defender — without it, you have a narrative but no remediation list.


FAQ

MITRE ATT&CK — common questions

What is MITRE ATT&CK?

MITRE ATT&CK is a publicly maintained knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world intrusions. It is structured as a matrix of tactics (the why) and techniques (the how) used at each stage of an intrusion.

How do red teams use ATT&CK?

For planning (which techniques to attempt against this target), execution (logging which techniques were run and how), and reporting (mapping each finding to a technique so defenders can correlate to detection coverage).

How do blue teams use ATT&CK?

Detection engineers map their detections to specific techniques. Threat hunters use the framework to drive structured hunts. SOC analysts use the technique-to-detection mapping to know what they should and should not be catching.

Is ATT&CK only for sophisticated adversaries?

No. The framework covers techniques across the spectrum, from script-kiddie patterns to nation-state TTPs. Most real intrusions use techniques that map to common ATT&CK categories — credential access, defense evasion, persistence — not exotic ones.

How does the framework get updated?

MITRE updates ATT&CK quarterly. Updates reflect newly observed TTPs in real intrusions and refinements based on community feedback. Framework versions matter: reports should cite the version they used.
