What is the MITRE ATT&CK framework?
MITRE ATT&CK is a curated knowledge base that catalogs adversary tactics, techniques, and procedures (TTPs) observed in real-world cyberattacks. Security teams use it as a common language to describe threats, map detection coverage, and prioritize defensive investments based on how attackers actually operate.
MITRE, a nonprofit organization, began building the framework in 2013 out of its Fort Meade Experiment (FMX), in which researchers emulated adversary and defender behavior on an instrumented network to improve post-breach detection; ATT&CK was released publicly in 2015. The framework now spans multiple technology domains including Windows, macOS, Linux, network devices, containers, mobile, ICS, and cloud environments.
Among the matrices MITRE publishes, the cloud matrix (a platform-filtered view of the Enterprise matrix rather than a separate knowledge base) is the one that isolates cloud-centric threats. It covers techniques observed against:
IaaS (compute, storage, and networking from providers like AWS, Azure, and GCP)
SaaS applications
Identity provider and office suite services such as Entra ID (Azure AD), Office 365, and Google Workspace
Find the Gaps in Your ATT&CK Coverage
Get a demo to see how Wiz maps your detections and security controls against the MITRE ATT&CK cloud matrix, so you know exactly where you're exposed.

Top use cases for the MITRE ATT&CK framework
Security teams operationalize MITRE ATT&CK in four primary ways: threat modeling to simulate attacks before they happen, gap analysis to identify detection blind spots, adversary emulation to test defenses against real-world TTPs, and incident response to accelerate investigations.
Initiate threat modeling
Threat modeling with ATT&CK lets you simulate attack scenarios against your cloud infrastructure before adversaries do. You identify which techniques are most likely to target your environment, then test whether your current controls would detect or block them.
Start by selecting a high-value cloud workload, then map relevant ATT&CK tactics to that asset. Run adversary emulation exercises and document detection gaps that need remediation.
You can also include:
Asset and data flow mapping to identify your cloud assets, like virtual machines (VMs) and containers, and map out data flows and activity
Control mapping to catalog existing security controls
MITRE ATT&CK Navigator to view assets and controls against techniques and tactics
Conduct a gap analysis
Gap analysis maps your existing security controls against ATT&CK techniques to reveal where detection coverage is missing. For example, you might discover that your environment has strong coverage for Initial Access techniques but lacks visibility into Credential Access or Lateral Movement.
Wiz supports this process by continuously assessing your cloud environment against the MITRE ATT&CK Cloud Matrix, surfacing which techniques lack detection coverage and helping you prioritize remediation based on actual risk.
Improve red teaming protocols and practice adversary emulation
According to Greg Young, vice president of cybersecurity at Trend Micro, "tests [can inform] companies' own security ops centers and their own red teaming behavior—looking at it and saying, 'Well, what are adversaries using today?'"
Whether you're running a simulation or responding to a real attack, ATT&CK gives the exercise a structured scope: a named set of techniques to execute, and a named set of detections and controls expected to catch them. To get started, pick a threat actor profile (a group entry in ATT&CK with its documented techniques) and build a red team exercise that reproduces those techniques. Then emulate the same behaviors against a specific cloud workload to test the controls around it.
You can improve your protocols in the following ways:
Choose a MITRE ATT&CK threat actor profile for your red teaming exercises and evaluate how your SOC responds to each technique it uses.
Perform adversary emulation exercises across your cloud workloads to simulate attacks and test your defenses technique by technique.
Enhance incident response
Your security operations team can use the MITRE ATT&CK framework to describe each step of an incident in a shared vocabulary, which makes investigations more consistent and repeatable, speeds up containment and remediation, and limits the attacker's impact.
When you conduct your next incident review, analyze the attacker's behavior and use ATT&CK to find missed detection opportunities so you can improve your cloud security posture. You can do so by following these steps:
Map attacker behaviors from incidents to MITRE ATT&CK tactics to spot missed detections.
Embed ATT&CK technique references into incident response playbooks.
Leverage automated tools with ATT&CK mapping to speed up detection, response, and remediation.
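The gap analysis and incident-review steps above both reduce to the same bookkeeping: a list of detection rules tagged with technique IDs, a list of techniques per tactic, and (for an incident) the techniques the attacker was seen using. The script below is an added example, not Wiz's or MITRE's code. It computes coverage per tactic, classifies each technique from a post-incident timeline as detected, silent, or unmonitored, and emits a minimal ATT&CK Navigator layer. The technique IDs are real Enterprise IDs, but the rule names, the incident timeline, the abbreviated tactic table, and the Navigator field set are constructed assumptions (a real run would load the full matrix from the ATT&CK STIX bundle and add the `attack` and `navigator` version fields your Navigator release expects).

```python
"""Map detection rules and incident observations onto ATT&CK tactics.

Added example, not Wiz's or MITRE's code. The tactic->technique table is a
hand-picked subset of the Enterprise matrix so the script runs offline; the
rules, rule IDs and incident timeline are constructed for the demonstration.
"""
import json

# Constructed subset of Enterprise ATT&CK: tactic -> techniques of interest.
TACTIC_TECHNIQUES = {
    "Initial Access":    ["T1078", "T1190"],
    "Persistence":       ["T1136.003", "T1098.001"],
    "Defense Evasion":   ["T1562.008", "T1070"],
    "Credential Access": ["T1528", "T1552.005"],
    "Discovery":         ["T1526", "T1580"],
    "Lateral Movement":  ["T1021.004", "T1550.001"],
    "Collection":        ["T1530"],
    "Exfiltration":      ["T1567.002"],
    "Impact":            ["T1485", "T1496"],
}

# Constructed detection inventory; each rule is tagged with the technique(s) it covers.
DETECTION_RULES = [
    {"id": "R-001", "name": "Console login from new country",     "techniques": ["T1078"]},
    {"id": "R-002", "name": "CloudTrail StopLogging/DeleteTrail", "techniques": ["T1562.008"]},
    {"id": "R-003", "name": "IAM user created outside CI role",   "techniques": ["T1136.003"]},
    {"id": "R-004", "name": "Mass S3 DeleteObject burst",         "techniques": ["T1485"]},
    {"id": "R-005", "name": "Metadata endpoint hit from container", "techniques": ["T1552.005"]},
]

# Constructed post-incident mapping: what the attacker did, and which rules actually fired.
INCIDENT_TECHNIQUES = ["T1078", "T1526", "T1552.005", "T1098.001", "T1530", "T1567.002"]
FIRED_RULES = {"R-001"}


def coverage_by_tactic(rules, matrix=TACTIC_TECHNIQUES):
    """Return {tactic: (covered_technique_ids, uncovered_technique_ids)}.

    Matching is exact on the ID; whether a rule on a sub-technique should
    count toward its parent is a policy choice and is not rolled up here.
    """
    covered = {t for r in rules for t in r["techniques"]}
    out = {}
    for tactic, techniques in matrix.items():
        hit = sorted(t for t in techniques if t in covered)
        miss = sorted(t for t in techniques if t not in covered)
        out[tactic] = (hit, miss)
    return out


def uncovered_tactics(rules, matrix=TACTIC_TECHNIQUES):
    """Tactics with no detection rule at all: the blind spots to fix first."""
    return sorted(t for t, (hit, _) in coverage_by_tactic(rules, matrix).items() if not hit)


def missed_detections(incident_techniques, fired_rule_ids, rules):
    """Classify each observed technique for the incident review.

    'detected'               - a mapped rule fired
    'rule_exists_but_silent' - a rule maps to the technique but never fired (tune it)
    'no_rule'                - nothing monitors the technique (build a detection)
    """
    rules_for = {}
    for r in rules:
        for t in r["techniques"]:
            rules_for.setdefault(t, set()).add(r["id"])
    verdict = {}
    for t in incident_techniques:
        mapped = rules_for.get(t, set())
        if not mapped:
            verdict[t] = "no_rule"
        elif mapped & set(fired_rule_ids):
            verdict[t] = "detected"
        else:
            verdict[t] = "rule_exists_but_silent"
    return verdict


def navigator_layer(rules, name="Detection coverage"):
    """Build a minimal ATT&CK Navigator layer scoring each technique by rule count.

    Field names follow the Navigator layer format as assumed here; add the
    'attack' and 'navigator' version strings for the Navigator build you use.
    """
    counts = {}
    for r in rules:
        for t in r["techniques"]:
            counts[t] = counts.get(t, 0) + 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "techniques": [{"techniqueID": t, "score": n} for t, n in sorted(counts.items())],
    }


if __name__ == "__main__":
    for tactic, (hit, miss) in coverage_by_tactic(DETECTION_RULES).items():
        print(f"{tactic:18} covered={hit} uncovered={miss}")
    print("tactics with zero coverage:", uncovered_tactics(DETECTION_RULES))
    print("incident review:", missed_detections(INCIDENT_TECHNIQUES, FIRED_RULES, DETECTION_RULES))
    print(json.dumps(navigator_layer(DETECTION_RULES), indent=2))
```

Loading the layer into Navigator colors the covered techniques, so the empty columns are the gap analysis. The incident verdicts separate two different fixes: a `rule_exists_but_silent` result is a tuning problem for an existing rule, while `no_rule` is new detection engineering work.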
What are the benefits of implementing MITRE ATT&CK?
By adopting the MITRE ATT&CK framework, companies gain:
Standardized threat communication: Teams across SOC, IR, and threat intel use the same taxonomy to tag, search, and correlate threats, eliminating translation overhead between tools and teams.
Behavior-based detection engineering: Detections map directly to attacker behaviors like credential access or defense evasion rather than generic indicators, reducing false positives and improving signal quality.
Visible coverage gaps: Security leaders can immediately see which cloud services, APIs, or workload types lack detection coverage and prioritize investment accordingly.
Realistic adversary emulation: Red and purple team exercises reproduce documented adversary behavior rather than theoretical attack chains, producing findings that map directly to specific detections and controls.
Understanding MITRE ATT&CK matrices
ATT&CK organizes adversary behavior into a hierarchy of tactics, techniques, and procedures. Tactics represent the attacker's objective (like gaining initial access or escalating privileges). Techniques describe how the adversary achieves that objective; many techniques have sub-techniques for more specific variants. Procedures document the specific implementations of a technique, such as the tools and commands a given group has been observed using in the wild.
Three matrices address different operational environments:
Enterprise: Covers traditional IT environments including Windows, macOS, Linux, cloud platforms (IaaS, SaaS, Azure AD, Google Workspace), containers, and network devices
Mobile: Addresses threats targeting iOS and Android devices
ICS: Focuses on industrial control systems and operational technology networks
Most cloud security teams work primarily with the Enterprise matrix, which includes dedicated technique coverage for cloud-specific attack patterns.
The Enterprise matrix tags each technique with the platforms it applies to, which fall into four groups:
Cloud and SaaS platforms, such as IaaS, SaaS, Azure AD (Entra ID), Office 365, and Google Workspace
Operating systems: Windows, macOS, and Linux
Network devices and containers
PRE, covering pre-compromise activity (the Reconnaissance and Resource Development tactics, which absorbed the former PRE-ATT&CK matrix)
What tactics does MITRE ATT&CK list?
The following is a breakdown of the 14 tactics in the Enterprise matrix. They are listed in the order an intrusion typically progresses, from reconnaissance to impact, although ATT&CK does not require that order:
| Tactic | Description |
|---|---|
| Reconnaissance | Collecting information about a potential victim before the attack |
| Resource development | Acquiring or building infrastructure, accounts, and tooling for the attack |
| Initial access | Gaining the first foothold in the victim's environment |
| Execution | Running adversary-controlled code on a local or remote system |
| Persistence | Keeping access across restarts, credential changes, and other interruptions |
| Privilege escalation | Obtaining higher-level permissions |
| Defense evasion | Avoiding or disabling security controls and logging |
| Credential access | Stealing account names, passwords, keys, and tokens |
| Discovery | Exploring the environment to learn what systems, accounts, and data exist |
| Lateral movement | Moving between systems and accounts within the victim's environment |
| Collection | Gathering data of interest to the adversary's goal |
| Command and control | Communicating with compromised systems to direct them |
| Exfiltration | Moving stolen data out of the environment |
| Impact | Manipulating, interrupting, or destroying systems and data |
What are the techniques in MITRE ATT&CK?
There are too many MITRE ATT&CK techniques and sub-techniques to explore in a single post: the Enterprise matrix alone features 203 techniques and 453 sub-techniques at the time of writing, and the counts change with each semi-annual release.
Below are a few examples of techniques for each of the 14 Enterprise tactics:
| Tactic | Example technique | Detection |
|---|---|---|
| Reconnaissance | Active Scanning (T1595) | Monitor for unusual inbound traffic targeting exposed cloud services (like S3, EC2, or Load Balancers). |
| Resource Development | Acquire Infrastructure (T1583) | Track domain registration, new external IPs, and rogue cloud accounts impersonating your org. |
| Initial Access | Valid Accounts (T1078) | Look for logins from unfamiliar geolocations or impossible travel times using identity and access management (IAM) credentials. |
| Execution | User Execution (T1204) | Alert on interactive shells or script interpreters launching in containers and VMs following a user action, such as opening a delivered file or pulling an untrusted image. |
| Persistence | Create Cloud Account (T1136.003) | Monitor new IAM user or role creation outside of expected provisioning pipelines. |
| Privilege Escalation | Abuse Elevation Control (T1548) | Flag unexpected sudo use inside workloads, and role assumptions or permission grants from CI/CD pipelines that exceed their normal scope. |
| Defense Evasion | Impair Defenses (T1562) | Detect disabled cloud logging services (like CloudTrail, Azure Monitor or GCP Logging). |
| Credential Access | Steal Application Access Token (T1528) | Alert on suspicious access token usage across services or anomalous API calls using tokens. |
| Discovery | Cloud Service Discovery (T1526) | Look for enumeration activity targeting APIs, metadata endpoints, or cloud asset inventories. |
| Lateral Movement | Remote Services (T1021) | Track unexpected SSH sessions and cross-account or cross-project role assumptions between VPCs, accounts, or projects. |
| Collection | Data from Cloud Storage (T1530) | Monitor access to sensitive buckets or blobs—especially from temporary credentials or external IPs. |
| Command & Control (C2) | Application Layer Protocol (T1071) | Detect the use of common protocols (like HTTPS) in unusual patterns (such as timing, volume, or destinations). |
| Exfiltration | Exfiltration Over Web Service (T1567) | Track abnormal data movement to external SaaS or cloud storage services from internal workloads. |
| Impact | Data Destruction (T1485) | Detect mass deletion activity in production storage (like S3 or Azure Blobs) or critical databases. |
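Three of the detection ideas in the table (disabled cloud logging for T1562, rogue account creation for T1136.003, and mass deletion for T1485) are concrete enough to run over audit logs. The script below is an added example, not Wiz's detection logic, run over constructed CloudTrail-style events. It uses the public CloudTrail record field names (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`, `requestParameters`), but the events, principal ARNs, bucket names, the allow-list of provisioning roles, and the deletion threshold are made up for the demonstration.

```python
"""Sample cloud detections for T1562.008, T1136.003 and T1485 over CloudTrail-style events.

Added example, not Wiz's detection logic. Field names follow the public
CloudTrail record format; the sample events, ARNs, bucket names, allow-list
and thresholds are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed org policy: only the IaC pipeline role may create IAM users.
ALLOWED_PROVISIONERS = {"arn:aws:sts::111122223333:assumed-role/terraform-ci/github"}
# CloudTrail API calls that turn off or narrow logging (T1562.008 Disable or Modify Cloud Logs).
LOGGING_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
S3_DELETE_CALLS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
DELETE_THRESHOLD, DELETE_WINDOW = 50, timedelta(minutes=5)  # assumed tuning values


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_log_tampering(events):
    """T1562.008: any call that stops, deletes or reconfigures a trail."""
    return [
        {"technique": "T1562.008", "principal": e["userIdentity"]["arn"],
         "call": e["eventName"], "time": e["eventTime"]}
        for e in events
        if e["eventSource"] == "cloudtrail.amazonaws.com" and e["eventName"] in LOGGING_TAMPER_CALLS
    ]


def detect_rogue_user_creation(events, allowed=ALLOWED_PROVISIONERS):
    """T1136.003: IAM CreateUser by any principal outside the provisioning allow-list."""
    return [
        {"technique": "T1136.003", "principal": e["userIdentity"]["arn"],
         "new_user": e["requestParameters"].get("userName"), "time": e["eventTime"]}
        for e in events
        if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] == "CreateUser"
        and e["userIdentity"]["arn"] not in allowed
    ]


def detect_mass_deletion(events, threshold=DELETE_THRESHOLD, window=DELETE_WINDOW):
    """T1485: sliding-window count of S3 delete calls per principal."""
    per_principal = defaultdict(list)
    for e in events:
        if e["eventSource"] == "s3.amazonaws.com" and e["eventName"] in S3_DELETE_CALLS:
            per_principal[e["userIdentity"]["arn"]].append(_ts(e))
    alerts = []
    for arn, times in per_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"technique": "T1485", "principal": arn,
                               "count": end - start + 1, "window_end": times[end].isoformat()})
                break  # one alert per principal is enough for triage
    return alerts


def run_all(events):
    """Run every detection and return the alerts, each tagged with its ATT&CK technique."""
    return detect_log_tampering(events) + detect_rogue_user_creation(events) + detect_mass_deletion(events)


def _event(when, source, call, arn, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": when, "eventSource": source, "eventName": call,
            "userIdentity": {"arn": arn}, "requestParameters": params}


ATTACKER = "arn:aws:iam::111122223333:user/contractor-jdoe"  # constructed
SAMPLE_EVENTS = [
    # Legitimate: the IaC pipeline creates a service user.
    _event("2024-05-01T12:00:00Z", "iam.amazonaws.com", "CreateUser",
           "arn:aws:sts::111122223333:assumed-role/terraform-ci/github", userName="svc-build"),
    # Suspicious: a contractor identity creates a backdoor user, then stops the org trail.
    _event("2024-05-01T12:05:10Z", "iam.amazonaws.com", "CreateUser", ATTACKER, userName="backup-admin"),
    _event("2024-05-01T12:06:30Z", "cloudtrail.amazonaws.com", "StopLogging", ATTACKER, name="org-trail"),
] + [
    # Then 60 DeleteObject calls inside one minute against a production bucket.
    _event(f"2024-05-01T12:07:{i:02d}Z", "s3.amazonaws.com", "DeleteObject", ATTACKER,
           bucketName="prod-customer-exports", key=f"export-{i}.csv")
    for i in range(60)
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the technique ID, which is what lets a SOC tool place it in the attack lifecycle during triage. The three alerts from the sample fire in the order the table lists the tactics (Defense Evasion, Persistence, Impact), and the deletion detector deliberately emits one alert per principal rather than one per event so a burst does not flood the queue.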
How is MITRE ATT&CK different from the Cyber Kill Chain?
The Cyber Kill Chain, published by Lockheed Martin in 2011, models attacks as a linear sequence of seven phases from reconnaissance through actions on objectives. MITRE ATT&CK takes a different approach: it maps techniques without assuming a fixed order, recognizing that real attacks often skip phases, loop back, or execute multiple tactics simultaneously.
For detection engineering, this distinction matters. Kill Chain helps you understand attack progression conceptually, but ATT&CK gives you the technique-level granularity needed to build and map specific detections.
| MITRE ATT&CK | Cyber Kill Chain |
|---|---|
| Features 14 Enterprise tactics, 12 Mobile tactics, and 12 ICS tactics | Features seven phases: reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives |
| Doesn't presuppose that cyberattacks follow a particular sequence | Models every attack as the same linear sequence of phases |
| Emphasizes a hierarchy of tactics, techniques, sub-techniques, and procedures rather than a linear sequence | Anatomizes attacks linearly but offers no hierarchical breakdown below the phase |
| Documents how adversaries carry out attacks, why they do so, and with what tools | Lacks techniques, sub-techniques, and procedures and instead gives a step-by-step outline of adversary behavior |
| Provides a reference for building protective measures and detections across the whole attack lifecycle | Is most useful for reasoning about attack progression in the early stages of a detection program |
| Is updated regularly with contributions from a large community of practitioners | Has seen few iterative improvements or community-led contributions since publication |
| Lists mitigations and detections per technique that users can turn into remediation playbooks | Doesn't provide per-step mitigation strategies that businesses can apply |
How Wiz and MITRE ATT&CK can defend your cloud environments
Wiz integrates MITRE ATT&CK directly into cloud detection and response workflows. When an alert fires, Wiz maps it to the relevant ATT&CK technique, showing analysts exactly which tactic is in play and what the attacker likely intended. This context accelerates triage because responders immediately understand where the activity fits in the attack lifecycle.
For proactive defense, Wiz continuously assesses your environment against the MITRE ATT&CK Cloud Matrix, surfacing which techniques lack detection coverage. Security teams can then prioritize detection engineering efforts based on which gaps pose the greatest risk to their specific cloud environment.
Wiz Defend extends this capability with cross-layer correlation, connecting cloud control plane events with runtime signals to provide the full attack story. The result is faster mean time to investigate and confidence that you're addressing the threats that matter most.
Ready to see how ATT&CK mapping works in practice? Get a demo to explore Wiz's cloud threat detection capabilities.