If you work in vulnerability management, you have almost certainly seen technique IDs like T1566 or T1078 attached to findings, threat reports, and detection rules. Those identifiers come from MITRE ATT&CK, one of the most widely used knowledge bases in security. ATT&CK gives the industry a shared vocabulary for describing how attackers actually behave once they are inside or probing a network.
This article is a plain-language definition. It explains what MITRE ATT&CK is, what tactics and techniques mean, how a technique ID is built, and why vulnerability teams increasingly tag their findings with ATT&CK references. It is a definition piece, not a how-to. If you want the step-by-step mechanics of mapping findings to techniques inside a platform, the practical guide to MITRE ATT&CK mapping in vulnerability management covers that workflow. Here, the goal is to make the framework itself easy to understand.
What MITRE ATT&CK Is
MITRE ATT&CK is a curated, publicly available knowledge base of adversary tactics and techniques based on real-world observations. The name is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. It is maintained by MITRE, a not-for-profit organization, and published openly at attack.mitre.org.
The core idea is simple. Instead of describing attacks in vague terms, ATT&CK breaks adversary behavior into discrete, named building blocks. Each building block describes a specific thing an attacker tries to do and a specific way they do it. Because the catalog is built from documented intrusions and threat-intelligence reporting, it reflects behavior that has been seen in the wild rather than hypothetical attacks.
ATT&CK is organized into separate matrices for different technology domains. The Enterprise matrix covers Windows, macOS, Linux, cloud, containers, and network infrastructure. There are also matrices for mobile and for industrial control systems. For most vulnerability management teams, the Enterprise matrix is the relevant one, so it is the focus throughout this article.
It helps to be clear about what ATT&CK is not. It is not a piece of software you install. It is not a scoring system that rates how dangerous a vulnerability is. It is a reference model, a common language that tools, analysts, and reports can all point to so that everyone is describing the same behavior the same way.
Tactics, Techniques, and Sub-Techniques Defined
The structure of ATT&CK rests on three layers. Understanding the difference between them is the single most useful thing for a newcomer to grasp.
A tactic is the adversary’s goal, the why behind an action. It answers the question, what is the attacker trying to achieve at this moment. Examples of tactics include Initial Access, Persistence, Privilege Escalation, and Defense Evasion. Tactics form the columns of the ATT&CK matrix and represent the broad phases an attacker moves through.
A technique is the how, the specific method an attacker uses to accomplish a tactic. For example, Phishing is a technique an attacker might use to achieve the Initial Access tactic. A technique is more concrete than a tactic but still general enough to cover many real attacks. Techniques are the individual cells inside each tactic column.
A sub-technique is a more specific variation of a technique. Phishing, for example, breaks down into sub-techniques such as Spearphishing Attachment and Spearphishing Link. Sub-techniques let teams describe behavior at a finer grain when they need that precision, while the parent technique remains available when a broad label is enough.
The relationship is hierarchical. A tactic contains many techniques, and a technique may contain several sub-techniques. In PMAP’s ATT&CK reference data, every sub-technique stores a parent_id that points back to its parent technique. That parent link is what makes hierarchical navigator views possible, where you can collapse or expand a technique to see the more specific variants beneath it.
How a Technique ID Is Structured
Every technique and sub-technique has a stable identifier, and the format is consistent enough that you can read meaning directly from the string.
A top-level technique uses the form T followed by four digits, such as T1566 for Phishing. A sub-technique appends a dot and three more digits to its parent’s ID. So T1566.001 is Spearphishing Attachment, a sub-technique of T1566 Phishing. The part before the dot always tells you the parent.
This structure is more than a naming convention. In PMAP’s reference table, each technique row carries an is_subtechnique flag that is true whenever the ID takes the Txxxx.yyy shape, and the parent_id field records the parent for any sub-technique. Because the IDs are stable, they make excellent cross-references. A finding, a detection rule, a threat report, and a vendor advisory can all cite T1566.001 and mean exactly the same thing. That stability is a large part of why ATT&CK has become a shared language across so many tools.
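As an added illustration, not code from the page or from PMAP, the following Python derives the is_subtechnique and parent_id fields described above from a raw ID string and groups a list of IDs into the parent/child shape a collapsible navigator view needs; the function names are assumptions.

```python
import re

# T plus four digits, with an optional ".nnn" sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def is_valid_technique_id(value):
    """True when the string has the Txxxx or Txxxx.yyy shape."""
    return TECHNIQUE_ID.match(value.strip().upper()) is not None


def parse_technique_id(value):
    """Derive the reference-table fields from an ATT&CK ID string.

    is_subtechnique is true whenever the ID has a ".yyy" suffix, and
    parent_id is the part before the dot (None for a top-level technique).
    Raises ValueError for strings that are not ATT&CK technique IDs.
    """
    match = TECHNIQUE_ID.match(value.strip().upper())
    if match is None:
        raise ValueError(f"not an ATT&CK technique ID: {value!r}")
    parent, suffix = match.groups()
    is_sub = suffix is not None
    return {
        "id": f"{parent}.{suffix}" if is_sub else parent,
        "is_subtechnique": is_sub,
        "parent_id": parent if is_sub else None,
    }


def build_hierarchy(technique_ids):
    """Group IDs by parent for a collapsible navigator view.

    Returns {parent_id: [sorted sub-technique ids]}. A parent that appears
    only through its sub-techniques still gets a key, so the view can show
    the collapsed parent even when no finding cites T1566 itself.
    """
    tree = {}
    for raw in technique_ids:
        info = parse_technique_id(raw)
        if info["is_subtechnique"]:
            tree.setdefault(info["parent_id"], []).append(info["id"])
        else:
            tree.setdefault(info["id"], [])
    return {parent: sorted(set(subs)) for parent, subs in tree.items()}
```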
The ATT&CK Enterprise Matrix at a Glance
The Enterprise matrix is the headline view of ATT&CK. Picture a grid where the columns are tactics and the cells under each column are the techniques that serve that tactic. Reading left to right roughly follows the arc of an intrusion, from getting in to achieving the final objective.
The Enterprise tactics span the full lifecycle of an attack. They include Reconnaissance and Resource Development at the early end, then Initial Access, Execution, Persistence, Privilege Escalation, and Defense Evasion, continuing through Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Each tactic groups together the techniques that share that goal.
PMAP seeds its reference table from a curated subset of the ATT&CK Enterprise v14 catalog; that subset contains roughly 180 techniques and sub-techniques spread across 12 tactics. The exact technique count grows over time as MITRE publishes new versions of the framework, so a precise number is best taken from the official source. The shape, however, stays consistent: a manageable set of tactics, each holding a larger set of techniques, with sub-techniques nested underneath.
One practical note about the matrix is that it is not meant to be read as a strict sequence. Attackers do not march through every tactic in order, and a single intrusion might touch only a handful of cells. The matrix is a map of possibilities, not a fixed route.
Why Some Techniques Span Multiple Tactics
A common point of confusion is that the same technique can appear under more than one tactic. This is intentional and reflects how attacks really work.
Consider Valid Accounts, technique T1078. An attacker who has stolen legitimate credentials can use them in several different ways depending on their goal at that moment. They might use those credentials to get in, which serves Initial Access. They might use them to stay in, which serves Persistence. They might use them to gain higher privileges, serving Privilege Escalation, or to blend in and avoid detection, serving Defense Evasion. The behavior is the same. The goal it serves changes with context.
ATT&CK handles this by listing such techniques under every tactic they can serve. In PMAP’s reference model, a technique that spans multiple tactics is stored as a single row that carries arrays of tactic_ids and tactic_names rather than a single value. A filter for any one of those tactics will still surface the technique. So when you filter the catalog for Persistence, T1078 Valid Accounts shows up, and it also shows up when you filter for Initial Access. This keeps the reference data honest about the fact that one method can serve several adversary goals.
ATT&CK vs CVE: Two Different Lenses
Vulnerability teams live in a world of CVEs, so it is worth being precise about how ATT&CK relates to them. They are not competitors. They describe different things, and they are most useful together.
A CVE, a Common Vulnerabilities and Exposures identifier, names a specific flaw in a specific product. CVE-2021-44228, the Log4Shell entry, points to one concrete weakness in one piece of software. A CVE answers the question, what is broken.
A MITRE ATT&CK technique names a behavior an adversary uses, independent of any single product. T1190 Exploit Public-Facing Application describes the method of attacking an internet-exposed service to gain a foothold. It answers the question, what is the attacker doing.
The connection is that an attacker often abuses a specific CVE in order to carry out a specific ATT&CK technique. Exploiting the Log4Shell flaw, identified by its CVE, is one way to perform the Exploit Public-Facing Application technique, identified by its ATT&CK ID. CVE tells you which door is unlocked. ATT&CK tells you what the intruder does once they walk through it. Both lenses matter. One describes the weakness, the other describes the behavior that weakness enables.
For a refresher on how CVE sits alongside other identifiers like CWE and CVSS, the CVSS scoring explainer covers the scoring side of the same ecosystem.
Why Vulnerability Teams Map Findings to ATT&CK
If ATT&CK describes adversary behavior, why would a vulnerability team, whose job is to fix flaws, care about it? The answer is prioritization with context.
A raw list of vulnerabilities tells you what is broken but not how an attacker would chain those weaknesses into a real intrusion. By tagging findings with the ATT&CK techniques they enable, a team adds a threat-informed layer on top of the technical severity. Two findings might both carry a high CVSS score, but the one that enables Initial Access or Privilege Escalation often deserves attention first, because it sits at a point in the attack chain where an adversary gains real ground.
Mapping findings to ATT&CK also makes coverage visible. When findings carry technique tags, a team can ask questions that a flat vulnerability list cannot answer. Which adversary tactics is our current exposure concentrated in? Where do we have clusters of techniques that point to a likely attack path? Are we accumulating findings under tactics that our detections are weak against? This is the essence of threat-informed defense, aligning what you fix with how attackers actually operate.
It also improves communication. Telling a board that you have 4,000 open vulnerabilities means little. Telling them that a meaningful share of your critical findings enable Initial Access and Lateral Movement connects the technical work to a story leadership already understands, the story of how a breach unfolds.
How Findings Carry ATT&CK Techniques in Practice
At a definition level, the mechanism is straightforward. A finding stores a list of the ATT&CK technique IDs associated with it.
In PMAP, every finding has a mitre_technique_ids field that holds an array of technique ID strings, for example ["T1190", "T1566.001"]. Each value references an entry in the central ATT&CK reference table, the same seeded catalog described earlier. Those IDs get onto a finding in two ways. An analyst can add them directly using a technique selector in the finding form, searching by ID or name. Alternatively, when a vulnerability template is applied to a finding, any technique IDs defined on that template are backfilled onto the finding automatically if the finding does not already carry its own. That backfill behavior means that well-mapped templates can spread consistent ATT&CK tagging across many findings without manual effort on each one.
This is the boundary where definition ends and mechanics begin. The selector behavior, how heatmaps are generated, and how mapping is applied across an existing backlog are workflow topics. The practical MITRE ATT&CK mapping guide walks through how the mapping actually happens inside the platform.
Reading an ATT&CK Coverage Heatmap
One of the most recognizable artifacts in the ATT&CK ecosystem is the coverage heatmap, often produced with the MITRE ATT&CK Navigator. It is worth knowing how to read one even before you build your own.
A heatmap takes the familiar matrix layout, tactics across the top and techniques in the cells beneath, and shades each cell according to some value. The value depends on what you are visualizing. It might be the number of findings mapped to that technique, the presence or absence of a detection, or the priority a team has assigned. Darker or warmer cells draw the eye to where the value concentrates.
For a vulnerability team, a heatmap built from finding data is a fast way to see where exposure clusters. If a column lights up heavily, your open findings are concentrated in that tactic, which tells you something about where an attacker would find the easiest opportunities. PMAP supports this kind of view by grouping techniques by their tactic IDs, so findings can be rolled up into a tactic-by-technique picture rather than read one row at a time. The heatmap does not make decisions for you. It makes patterns visible so that you can.
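The following Python is an added example, not PMAP's own code, that ties together three points from this article: a reference row carrying an array of tactic names so a multi-tactic technique such as T1078 surfaces under every tactic filter, the template backfill that fills mitre_technique_ids only when a finding has none of its own, and the roll-up of finding counts into a tactic-by-technique heatmap. The catalog rows, findings and template are constructed sample data, and the function names are assumptions.

```python
from collections import Counter

# Constructed sample of the ATT&CK reference table: one row per technique,
# with an array of tactic names because one technique can serve several
# tactics (T1078 Valid Accounts is the classic case).
ATTACK_REF = {
    "T1190": {"name": "Exploit Public-Facing Application",
              "tactic_names": ["Initial Access"]},
    "T1566.001": {"name": "Spearphishing Attachment",
                  "tactic_names": ["Initial Access"]},
    "T1078": {"name": "Valid Accounts",
              "tactic_names": ["Initial Access", "Persistence",
                               "Privilege Escalation", "Defense Evasion"]},
    "T1068": {"name": "Exploitation for Privilege Escalation",
              "tactic_names": ["Privilege Escalation"]},
}

# Constructed findings: F-2 has no tags yet, and F-4 carries an ID that is
# not in the catalog (a typo, or a technique from a newer ATT&CK release).
FINDINGS = [
    {"id": "F-1", "mitre_technique_ids": ["T1190"]},
    {"id": "F-2", "mitre_technique_ids": []},
    {"id": "F-3", "mitre_technique_ids": ["T1078", "T1068"]},
    {"id": "F-4", "mitre_technique_ids": ["T9999"]},
]
TEMPLATE = {"name": "sample-template",
            "mitre_technique_ids": ["T1190", "T1566.001"]}


def techniques_for_tactic(ref, tactic_name):
    """Filter the catalog for one tactic. A row whose array lists several
    tactics is returned for each of them, so T1078 appears under Persistence
    and under Initial Access alike."""
    return sorted(tid for tid, row in ref.items()
                  if tactic_name in row["tactic_names"])


def apply_template(finding, template):
    """Backfill technique IDs from a template only when the finding carries
    none of its own; tags an analyst already chose are never overwritten."""
    if not finding.get("mitre_technique_ids"):
        finding["mitre_technique_ids"] = list(template["mitre_technique_ids"])
    return finding


def tactic_heatmap(findings, ref):
    """Roll findings up into {tactic_name: Counter({technique_id: count})}.
    A multi-tactic technique is counted under every tactic it serves; an ID
    missing from the catalog lands in 'Unmapped' instead of vanishing."""
    heat = {}
    for finding in findings:
        for tid in finding.get("mitre_technique_ids", []):
            row = ref.get(tid)
            for tactic in (row["tactic_names"] if row else ["Unmapped"]):
                heat.setdefault(tactic, Counter())[tid] += 1
    return heat


def demo():
    """Apply the template to copies of every finding, then build the heatmap."""
    tagged = [apply_template(dict(f), TEMPLATE) for f in FINDINGS]
    return tactic_heatmap(tagged, ATTACK_REF)


if __name__ == "__main__":
    for tactic, cells in sorted(demo().items()):
        print(tactic, dict(cells))
```

Only F-2 picks up the template's IDs, so T1190 is counted twice under Initial Access while the Unmapped row flags the stray T9999 for cleanup rather than silently dropping it.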
Common Misconceptions About ATT&CK
Because ATT&CK is so widely referenced, a few misunderstandings have spread along with it. Clearing them up sharpens how you use the framework.
The first misconception is that ATT&CK is a maturity score. It is not. Lighting up many cells on a Navigator layer does not mean your program is mature, and lighting up few does not mean it is weak. Coverage of techniques is a description of your current state, not a grade. A high count of mapped findings can actually indicate concentrated exposure rather than strong defense.
The second misconception is that ATT&CK is a checklist to complete. The matrix is not a list of items to tick off until you are done. Attackers do not use every technique, and no organization needs equal coverage everywhere. ATT&CK is a reference model for describing and reasoning about behavior, not a compliance checklist.
The third misconception is that ATT&CK replaces vulnerability scoring. It does not. ATT&CK describes behavior, while systems like CVSS describe the severity of a specific flaw. The two answer different questions and work best side by side. A finding can carry both a CVSS score, telling you how severe the weakness is, and ATT&CK techniques, telling you what an adversary could do with it.
The final misconception worth naming is that mapping has to be exhaustive to be useful. It does not. Even partial, consistent tagging of your most important findings adds real prioritization value. Perfect coverage is not the bar. Useful, repeatable context is.
Why This Matters for a Vulnerability Program
Pulling the threads together, MITRE ATT&CK gives vulnerability management something a flat list of CVEs cannot, a way to connect technical weaknesses to adversary behavior. That connection is what turns a backlog into a set of priorities that reflect how attacks actually unfold.
When findings carry ATT&CK techniques, a program gains a shared vocabulary across analysts, leadership, and the tools in its stack. It gains a way to visualize where exposure concentrates. It gains a threat-informed angle on prioritization that complements, rather than replaces, severity scoring. For teams building toward enrichment that genuinely helps triage, ATT&CK is one of the highest-value reference frameworks to adopt. The broader picture of how this fits into intelligence and enrichment is covered in the vulnerability intelligence and enrichment guide.
ATT&CK is, at heart, a common language. Its value comes not from any single technique ID but from the fact that the whole industry can point at the same map and describe the same behavior the same way. For a vulnerability team, learning to read that map is a small investment that pays off every time a finding needs to be understood in the context of a real attack.
See how PMAP maps findings to ATT&CK techniques automatically in the VulnDB Smart Match datasheet.
Frequently Asked Questions
What is MITRE ATT&CK in simple terms?
MITRE ATT&CK is a free, publicly available knowledge base that describes how attackers behave, broken into named tactics and techniques based on real-world observations. Think of it as a shared dictionary for adversary behavior. Instead of describing an attack in vague language, security teams point to specific technique IDs so everyone means the same thing. It is maintained by MITRE and published at attack.mitre.org.
What is the difference between a tactic and a technique?
A tactic is the attacker’s goal, the why. A technique is the specific method used to reach that goal, the how. For example, Initial Access is a tactic, the goal of getting into a network. Phishing is a technique, one way to achieve that goal. A single tactic contains many techniques, and many techniques can break down further into more specific sub-techniques.
What is a MITRE technique ID like T1566?
A MITRE technique ID is a stable identifier for a specific technique. It uses the form T plus four digits, such as T1566 for Phishing. Sub-techniques add a dot and three more digits, so T1566.001 is Spearphishing Attachment, a more specific variation under T1566. The part before the dot always identifies the parent technique. These IDs are stable, which is why tools, reports, and findings can all reference them reliably.
Is MITRE ATT&CK the same as CVE?
No. A CVE identifies a specific flaw in a specific product, answering the question of what is broken. A MITRE ATT&CK technique describes a behavior an attacker uses, answering the question of what the attacker is doing. They are complementary. An attacker often exploits a particular CVE in order to carry out a particular ATT&CK technique, so teams use both together rather than choosing between them.
Why do vulnerability teams use MITRE ATT&CK?
Vulnerability teams use ATT&CK to add threat context to their findings. Tagging a finding with the techniques it enables shows how an attacker could use that weakness, which helps prioritize beyond raw severity scores. It also makes coverage visible through heatmaps and gives teams a shared language to explain risk to leadership in terms of how real attacks unfold rather than as a flat vulnerability count.
Does mapping findings to ATT&CK have to be complete to be useful?
No. Even partial, consistent mapping of your most important findings adds real prioritization value. ATT&CK is a reference model, not a checklist to fully complete, so the goal is useful and repeatable context rather than exhaustive coverage. Many teams start by mapping their critical findings and let template-based backfill spread consistent tags across the rest over time.
Is the ATT&CK matrix meant to be read in order?
Not strictly. The tactics are arranged roughly in the order an intrusion tends to progress, from getting in to achieving an objective, but attackers do not march through every tactic in sequence. A real intrusion might touch only a few cells, and some techniques serve multiple tactics depending on context. The matrix is a map of possibilities, not a fixed route an attacker must follow.