Key insight

MITRE ATT&CK is a free, shared reference of real attacker behavior, organized into tactics (the why) and techniques (the specific how), each with a lookup number. It solves the ordinary, expensive problem of two teams describing the same attack with different names — and AI agents are quickly gaining their own dedicated section within it.

Imagine two hospitals, each keeping their own private, invented names for every illness they treat, with no shared medical dictionary between them. A patient transferred from one to the other would arrive with a diagnosis nobody at the new hospital actually recognizes. MITRE ATT&CK exists to prevent exactly that problem in computer security, and this article explains how.

1 · The ordinary problem a shared reference solves

MITRE is a United States non-profit research organization, and ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, a large, free, publicly available reference it maintains. Without a shared reference like this, one security team might call a particular attacker behavior by one invented name, while another team, watching the exact same behavior happen, calls it something entirely different. That makes it hard for anyone to compare notes, share findings across companies, or learn from someone else’s hard-won experience.

2 · Tactics and techniques: the why and the how

ATT&CK organizes real, observed attacker behavior into two connected layers. A tactic is the goal an attacker is trying to achieve at a given stage, phrased as the “why”: gaining initial access, moving laterally, escalating privilege. A technique is the specific “how”: the actual, real-world method attackers have been observed using to achieve that tactic, each one given a unique reference identifier anyone can look up.

One tactic connected to several specific techniques that achieve it A violet box labelled tactic: initial access, the why, connects with arrows to three teal boxes labelled specific techniques: phishing attachment, valid stolen credentials, and public-facing application flaw, each the how. Tactic: initialaccess (why) Phishing attachment Stolen credentials Public app flaw
Figure 1. One why, several observed hows — each with a lookup number the whole security community shares.

3 · A worked example: naming one real technique

An incident responder investigating a breach finds that an attacker gained entry through a convincing email attachment. Rather than writing “bad email thing happened” in their report, they cite the specific ATT&CK technique identifier for phishing with a malicious attachment. A completely different security team, reading that report months later, immediately knows the exact method involved, can look up the same identifier in their own tools, and can check whether their own defenses would have caught it, all without a single follow-up phone call to ask what actually happened.

4 · Why AI agents are gaining their own dedicated section

Attacks against an AI agent, software that decides on its own which tools to call based on instructions written in ordinary language, do not fit cleanly into categories written for traditional computer systems. Hidden instructions inside content the agent processes, or subtly manipulated training data, are genuinely new kinds of techniques. Having agent-specific techniques named and numbered the same way traditional ones already are lets the whole security community study, defend against, and discuss these new risks using one shared, precise vocabulary, instead of every team inventing its own private terminology for the exact same emerging problem.

5 · Using ATT&CK on purpose

6 · A simple test you can run this week

Try this before an incident forces the question

1. Pick one recent security concern you discussed internally.
2. Try to find its matching ATT&CK technique identifier.
3. If you can, use it in your own notes going forward.
4. If you cannot find one, that gap itself is worth documenting.

7 · Glossary — every short-form term, spelled out

MITRE
A United States non-profit research organization that maintains several widely used, freely available security references.
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
A large, free reference organizing real, observed attacker behavior into tactics and techniques with shared lookup identifiers.
Tactic
The goal an attacker is trying to achieve at a given stage, the "why."
Technique
A specific, observed method attackers use to achieve a tactic, the "how," each with a unique reference identifier.
AI agent
Software that decides, on its own, which tools to call and which actions to take, based on instructions written in ordinary language.
Key takeaways

ATT&CK is a free, shared reference solving the problem of teams describing the same attack differently.
Tactics are the why; techniques are the specific how, each with a lookup identifier.
Citing techniques by identifier makes incident reports comparable across teams and over time.
AI agents are gaining their own dedicated section, since their attacks do not fit traditional categories.

References

  1. MITRE ATT&CK, official framework, The MITRE Corporation. attack.mitre.org
  2. MITRE ATLAS, Adversarial Threat Landscape for Artificial-Intelligence Systems, The MITRE Corporation. atlas.mitre.org