What is the MITRE ATTACK framework?
The MITRE ATT&CK framework is a living knowledge base of cyberattack tactics and techniques based on real-world adversary behavior. It’s the product of MITRE’s Fort Meade Experiment, which involved researchers simulating threat actors’ and defenders’ behaviors to analyze and optimize data breach responses. These findings, along with subsequent work, have helped organizations improve their threat responses and prevention.
MITRE, a nonprofit organization, released MITRE ATT&CK in 2013. The framework now covers:
PRE-ATT&CK
Windows
macOS
Linux
Networks
Containers
Mobile, ICS, and the cloud
Among other matrices that MITRE offers, the MITRE ATT&CK cloud matrix is unique because, as its name implies, it specifically focuses on cloud-centric security threats. This includes threats across:
IaaS
SaaS
PaaS services from cloud providers (like GCP, Azure, and AWS)
Since the 2024 global average cost per data breach is $4.88M USD, threat modeling using MITRE ATT&CK is an invaluable resource for any public or private organization that’s in the crosshairs of cyber adversaries. Its data comes from diverse sources, including public threat intelligence, cyber incident reports, and other research initiatives by leading cybersecurity professionals.
Below are top use cases for MITRE ATT&CK, its benefits, and tactics to help you apply it to your organization. Plus, find out how to use the right platform to implement and manage multiple compliance frameworks across your cloud environments.
Top use cases for the MITRE ATT&CK framework
Here are some key ways you can implement MITRE ATT&CK today:
Initiate threat modeling
Your team can leverage the MITRE ATT&CK framework to simulate attack scenarios against your cloud infrastructure. This will allow you to find vulnerabilities and patch them before they become actual breaches.
To implement threat modeling, choose a high-value cloud workload to focus on. That way, you can run adversary emulation with mapped ATT&CK tactics and document any gaps you may need to fix.
You can also include:
Asset and data flow mapping to identify your cloud assets, like virtual machines (VMs) and containers, and map out data flows and activity
Control mapping to catalog existing security controls
MITRE ATT&CK Navigator to view assets and controls against techniques and tactics
Conduct a gap analysis
You can also map out your existing security controls against the MITRE ATT&CK framework to find missing security best practices throughout your coverage. This helps you prioritize the most critical weaknesses and choose the right tools and protocols to improve your security.
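The control mapping and Navigator steps above, and the gap analysis described here, can be carried out with a small script. The following is an added example written for this post; it is not Wiz's code or MITRE's. It assumes a constructed control inventory (each control lists the Enterprise technique IDs it detects), uses the 14 example techniques this post lists, and writes an ATT&CK Navigator layer file in which each technique's score is the number of controls covering it, so a score of 0 is a coverage gap. The `versions` values are assumptions; set them to match the Navigator build you load the layer into.

```python
"""Build an ATT&CK Navigator coverage layer from a control inventory.

Added example (not from the original post or from Wiz). The control
inventory and technique list are constructed samples; the layer JSON
follows the Navigator layer file format, with the version numbers below
being assumptions to adjust for your Navigator build.
"""
import json

# The 14 Enterprise techniques this post uses as examples, keyed by ID,
# with the Navigator tactic short names.
TECHNIQUES = {
    "T1595": ("Active Scanning", "reconnaissance"),
    "T1583": ("Acquire Infrastructure", "resource-development"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1204": ("User Execution", "execution"),
    "T1136.003": ("Create Account: Cloud Account", "persistence"),
    "T1548": ("Abuse Elevation Control Mechanism", "privilege-escalation"),
    "T1562": ("Impair Defenses", "defense-evasion"),
    "T1528": ("Steal Application Access Token", "credential-access"),
    "T1526": ("Cloud Service Discovery", "discovery"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1530": ("Data from Cloud Storage", "collection"),
    "T1071": ("Application Layer Protocol", "command-and-control"),
    "T1567": ("Exfiltration Over Web Service", "exfiltration"),
    "T1485": ("Data Destruction", "impact"),
}

# Constructed sample control inventory. In practice this comes from the
# ATT&CK tags on your SIEM, CNAPP or EDR rules.
CONTROLS = [
    {"name": "CloudTrail logging-change alert", "techniques": ["T1562"]},
    {"name": "IAM user creation outside CI pipeline", "techniques": ["T1136.003"]},
    {"name": "Impossible-travel login rule", "techniques": ["T1078"]},
    {"name": "Bucket mass-delete alert", "techniques": ["T1485", "T1530"]},
    {"name": "Egress anomaly to unknown SaaS", "techniques": ["T1567", "T1071"]},
]


def coverage_counts(controls, techniques):
    """Return {technique_id: number of controls covering it} for every technique."""
    counts = {tid: 0 for tid in techniques}
    for control in controls:
        for tid in control["techniques"]:
            if tid in counts:  # ignore IDs outside the scoped technique list
                counts[tid] += 1
    return counts


def coverage_gaps(controls, techniques):
    """Technique IDs that no control detects, sorted for stable output."""
    counts = coverage_counts(controls, techniques)
    return sorted(tid for tid, n in counts.items() if n == 0)


def build_layer(controls, techniques, name="Cloud detection coverage"):
    """Produce a Navigator layer dict: score = covering controls, 0 = gap."""
    counts = coverage_counts(controls, techniques)
    entries = []
    for tid, (label, tactic) in techniques.items():
        covering = [c["name"] for c in controls if tid in c["techniques"]]
        entries.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": counts[tid],
            "comment": f"{label}: " + (", ".join(covering) if covering else "NO COVERAGE"),
            "enabled": True,
            "showSubtechniques": False,
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "score = number of controls detecting the technique; 0 = gap",
        "techniques": entries,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(CONTROLS, TECHNIQUES), indent=2))
    print("Gaps:", coverage_gaps(CONTROLS, TECHNIQUES))
```

Save the printed JSON to a file and open it in Navigator to get the heat map; the red cells are the gaps to prioritize. Keeping the technique list scoped to the workload you chose for threat modeling, rather than the whole Enterprise matrix, keeps the result actionable.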
To assess and improve your cloud security, you can also adopt Wiz for compliance. This platform provides continuous assessments and reporting on your frameworks so you can ensure that you’re meeting cloud security standards.
Improve red teaming protocols and practice adversary emulation
According to Greg Young, vice president of cybersecurity at Trend Micro, “tests [can inform] companies’ own security ops centers and their own red teaming behavior—looking at it and saying, ‘Well, what are adversaries using today?’”
Whether you’re dealing with a simulation or a real-world attack, the MITRE ATT&CK framework provides a clear roadmap and structured approach to detecting and responding to threats. To get started, conduct red teaming exercises for a specific threat actor profile. You should also conduct adversary emulation to simulate real-world attack scenarios for a specific cloud workload.
You can improve your protocols in the following ways:
Choose a MITRE ATT&CK threat profile for your red teaming exercises to evaluate responses.
Perform adversary emulation exercises throughout your cloud workloads to simulate attacks and test your defenses.
Enhance incident response
Your security operations team can leverage the MITRE ATT&CK framework to study the most effective tactics and techniques for security incidents. This allows you to perform more effective investigations and threat remediation—and, as a result, will speed up your response time and process and lower attacks’ impact.
When you conduct your next incident review, analyze the attacker’s behavior and use ATT&CK to find missed detection opportunities so you can improve your cloud security posture. You can do so by following these steps:
Map attacker behaviors from incidents to MITRE ATT&CK tactics to spot missed detections.
Embed ATT&CK frameworks into incident response plans.
Leverage automated tools with ATT&CK mapping to speed up detection, response, and remediation.
What are the benefits of implementing MITRE ATTACK?
By leveraging the MITRE ATT&CK framework, companies can:
Standardize threat intel: Use a common taxonomy that lets security teams tag, search, and correlate threats across tools.
Improve detection engineering: Map detections to attacker behaviors (like credential access or defense evasion).
Enable gap analysis: Identify which cloud services (such as storage or APIs) lack detection coverage.
Support proactive defense: Inform blue and purple teaming exercises to simulate real adversary movements in cloud environments.
Understanding MITRE ATT&CK matrices
The MITRE ATTACK framework features three primary matrices that MITRE has organized around specific tactics, techniques, and procedures (TTPs):
Tactics describe overall attacker objectives.
Techniques include the methods that adversaries use to meet those objectives.
Procedures are the apparatus, tools, and actions that attackers use to conduct cyberattacks. (Note: While procedures are present within the framework, they aren’t formally part of the matrices themselves.)
Here’s a breakdown of the three matrices:
Enterprise: Focuses on enterprise network security and IT environments
Mobile: Emphasizes mobile-related cyber threats
ICS: Covers protecting industrial control systems and networks
The Enterprise matrix has seven platform- and operating system–specific categories that focus on:
Cloud environments like IaaS, SaaS, Azure AD, Office 365, and Google Workspace
Operating systems like Windows, macOS, and Linux
Network and container environments like network devices and container technologies
PRE-ATT&CK techniques, meaning the preparation adversaries carry out before attempting initial access
What tactics does MITRE ATTACK list?
The following is a breakdown of the 14 attack tactics, from recon to impact, in the Enterprise matrix:
Tactic | Description |
---|---|
Reconnaissance | Collecting data about a potential victim |
Resource development | Gathering resources for a potential attack |
Initial access | Breaching a network for the first time |
Execution | Running adversary-controlled code on systems in the victim’s network |
Persistence | Gaining a foothold in the victim’s IT environment |
Privilege escalation | Securing higher access privileges |
Defense evasion | Sidestepping security mechanisms |
Credential access | Stealing credentials from legitimate accounts |
Discovery | Exploring various components of a victim’s network |
Lateral movement | Moving across a victim’s IT environment |
Collection | Collecting sensitive enterprise data |
Command and control | Communicating with compromised systems under the adversary’s control |
Exfiltration | Stealing sensitive data from enterprises |
Impact | Damaging enterprise IT environments |
What are the techniques in MITRE ATTACK?
There are too many MITRE ATT&CK techniques and sub-techniques to explore in a single post—the Enterprise matrix alone features 203 techniques and 453 sub-techniques.
Below are a few examples of techniques for each of the 14 Enterprise tactics:
Tactic | Example technique | Detection |
---|---|---|
Reconnaissance | Active Scanning (T1595) | Monitor for unusual inbound traffic targeting exposed cloud services (like S3, EC2, or Load Balancers). |
Resource Development | Acquire Infrastructure (T1583) | Track domain registration, new external IPs, and rogue cloud accounts impersonating your org. |
Initial Access | Valid Accounts (T1078) | Look for logins from unfamiliar geolocations or impossible travel times using identity and access management (IAM) credentials. |
Execution | User Execution (T1204) | Detect suspicious command or script execution in containers and VMs that is triggered by user actions. |
Persistence | Create Cloud Account (T1136.003) | Monitor new IAM user or role creation outside of expected provisioning pipelines. |
Privilege Escalation | Abuse Elevation Control (T1548) | Flag unauthorized use of sudo or admin privileges within cloud workloads or CI/CD pipelines. |
Defense Evasion | Impair Defenses (T1562) | Detect disabled cloud logging services (like CloudTrail, Azure Monitor or GCP Logging). |
Credential Access | Steal Application Access Token (T1528) | Alert on suspicious access token usage across services or anomalous API calls using tokens. |
Discovery | Cloud Service Discovery (T1526) | Look for enumeration activity targeting APIs, metadata endpoints, or cloud asset inventories. |
Lateral Movement | Remote Services (T1021) | Track unexpected lateral SSH or API access across VPCs, accounts, or projects. |
Collection | Data from Cloud Storage (T1530) | Monitor access to sensitive buckets or blobs—especially from temporary credentials or external IPs. |
Command & Control (C2) | Application Layer Protocol (T1071) | Detect the use of common protocols (like HTTPS) in unusual patterns (such as timing, volume, or destinations). |
Exfiltration | Exfiltration Over Web Service (T1567) | Track abnormal data movement to external SaaS or cloud storage services from internal workloads. |
Impact | Data Destruction (T1485) | Detect mass deletion activity in production storage (like S3 or Azure Blobs) or critical databases. |
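The Detection column above, and the incident-review step of mapping attacker behavior to ATT&CK tactics, amount to tagging audit events with technique IDs. The following is an added example written for this post, not Wiz's rule set or code from the original. It assumes constructed CloudTrail-like events (one JSON object per line with `eventTime`, `eventName`, `userIdentity.arn` and `sourceIPAddress`) and three assumed rules: logging changes map to Impair Defenses (T1562), IAM user or role creation by a principal outside an allow-listed provisioning role maps to Create Cloud Account (T1136.003), and a burst of deletions by one principal inside a five-minute window maps to Data Destruction (T1485). The thresholds and the allow-list are assumptions to tune for your environment.

```python
"""Tag cloud audit events with ATT&CK technique IDs.

Added example, not from the original post or from Wiz. The events are
constructed in a CloudTrail-like shape; field names, the provisioning
allow-list and the mass-delete threshold are assumptions for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON event per line, as an exported log file would hold them.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:01:00Z","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:02:00Z","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::111111111111:role/provisioning-pipeline"},"sourceIPAddress":"10.0.0.8"}
{"eventTime":"2024-05-01T10:05:00Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:06:00Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:08:00Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:20:00Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/bob"},"sourceIPAddress":"10.0.0.9"}
{"eventTime":"2024-05-01T10:22:00Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/bob"},"sourceIPAddress":"10.0.0.9"}
{"eventTime":"2024-05-01T11:00:00Z","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}
"""

# Assumed rule parameters.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}
ACCOUNT_CREATION = {"CreateUser", "CreateRole"}
DESTRUCTIVE = {"DeleteObject", "DeleteBucket", "DeleteDBInstance"}
PROVISIONING_PRINCIPALS = {"arn:aws:iam::111111111111:role/provisioning-pipeline"}  # assumed allow-list
MASS_DELETE_THRESHOLD = 3
MASS_DELETE_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse JSON-lines audit events and sort them by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["_time"] = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        event["_principal"] = event.get("userIdentity", {}).get("arn", "unknown")
        events.append(event)
    return sorted(events, key=lambda e: e["_time"])


def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def alert(technique, tactic, principal, evidence):
    return {"technique": technique, "tactic": tactic, "principal": principal, "evidence": evidence}


def map_events(events):
    """Apply the three rules and return ATT&CK-tagged alerts."""
    alerts = []
    deletions = defaultdict(list)  # principal -> timestamps of destructive calls
    for e in events:
        name, who = e["eventName"], e["_principal"]
        if name in LOGGING_TAMPER:
            alerts.append(alert("T1562", "defense-evasion", who, f"{name} from {e['sourceIPAddress']}"))
        elif name in ACCOUNT_CREATION and who not in PROVISIONING_PRINCIPALS:
            alerts.append(alert("T1136.003", "persistence", who, f"{name} outside provisioning pipeline"))
        elif name in DESTRUCTIVE:
            deletions[who].append(e["_time"])
    # Deletions are only suspicious in bulk: one alert per principal that exceeds the threshold.
    for who, times in deletions.items():
        peak = max_in_window(times, MASS_DELETE_WINDOW)
        if peak >= MASS_DELETE_THRESHOLD:
            alerts.append(alert("T1485", "impact", who, f"{peak} deletions within {MASS_DELETE_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in map_events(parse_events(SAMPLE_LOG)):
        print(f"{a['technique']:<10} {a['tactic']:<16} {a['principal']}  {a['evidence']}")
```

On the sample, `alice` trips all three rules (her late deletion at 11:00 falls outside the window and does not inflate the count), the pipeline role's `CreateUser` is allow-listed, and `bob`'s two deletions stay below the threshold. The per-principal windowing is what keeps T1485 from firing on routine cleanup jobs while still catching a burst.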
How is MITRE ATTACK different from Cyber Attack Chain?
Like MITRE ATTACK, the Cyber Attack Chain (Cyber Kill Chain®) is a cybersecurity framework that can help businesses and their security teams protect themselves from cyberattacks. Lockheed Martin published the Cyber Attack Chain in 2011.
While both MITRE ATT&CK and the Cyber Kill Chain aim to describe attacker behavior, ATT&CK is broader, more detailed, and more effective for practical detection. Here’s how they differ:
MITRE ATTACK | Cyber Attack Chain |
---|---|
Features 14 Enterprise tactics, 12 Mobile tactics, and 12 ICS tactics | Features seven tactics: reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives |
Doesn’t establish or presuppose that cyberattacks follow a particular sequence | States that all attacks feature the same sequence of tactics |
Doesn’t focus on linear sequences but does emphasize hierarchies of tactics, techniques, and procedures | Linearly anatomizes cyberattacks but doesn’t offer hierarchical breakdowns |
Focuses on how cyber adversaries facilitate attacks, why they do so, and with what tools | Lacks techniques, subtechniques, and procedures and instead focuses on a step-by-step breakdown of adversarial behavior |
Provides a source for enterprises to establish protective measures across the cyberattack lifecycle | Is more useful in the initial stages of a threat detection process |
Features regular updates and improvements from numerous cybersecurity experts | Doesn’t feature many iterative improvements or community-led contributions |
Provides a toolkit for users to design remediation and mitigation playbooks | Doesn’t offer any in-depth mitigation strategies that businesses can apply to ward off cyberattacks |
How Wiz and MITRE ATT&CK can defend your cloud environments
Wiz integrates the MITRE ATT&CK framework into its CNAPP by mapping detections, alerts, and attack paths directly to ATT&CK techniques. This enables security teams to:
Prioritize threats based on mapped TTPs
Accelerate triage by showing which tactics are in play
Run simulations using real adversary behaviors
Visualize detection coverage gaps across your environment
Beyond the CNAPP’s detection and response capabilities, Wiz Defend correlates signals across the cloud and runtime layers with full context, which makes rapid triage and response easier.
Another huge benefit is that Wiz weaves MITRE ATT&CK into its capabilities by mapping its rule set to MITRE tactics and techniques within its Cloud Threat Landscape.
Ready to learn more about how to tackle emerging threats? Check out Wiz’s Quickstart Template for Cloud Incident Response today.