Key insight
MITRE ATT&CK is a free, shared reference of real attacker behavior, organized into tactics (the why) and techniques (the specific how), each with a lookup number. It solves the ordinary, expensive problem of two teams describing the same attack with different names — and AI agents are quickly gaining their own dedicated section within it.
Imagine two hospitals, each keeping their own private, invented names for every illness they treat, with no shared medical dictionary between them. A patient transferred from one to the other would arrive with a diagnosis nobody at the new hospital actually recognizes. MITRE ATT&CK exists to prevent exactly that problem in computer security, and this article explains how.
1 · The ordinary problem a shared reference solves
MITRE is a United States non-profit research organization, and ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, a large, free, publicly available reference it maintains. Without a shared reference like this, one security team might call a particular attacker behavior by one invented name, while another team, watching the exact same behavior happen, calls it something entirely different. That makes it hard for anyone to compare notes, share findings across companies, or learn from someone else’s hard-won experience.
2 · Tactics and techniques: the why and the how
ATT&CK organizes real, observed attacker behavior into two connected layers. A tactic is the goal an attacker is trying to achieve at a given stage, phrased as the “why”: gaining initial access, moving laterally, escalating privilege. A technique is the specific “how”: the actual, real-world method attackers have been observed using to achieve that tactic, each one given a unique reference identifier anyone can look up.
3 · A worked example: naming one real technique
An incident responder investigating a breach finds that an attacker gained entry through a convincing email attachment. Rather than writing “bad email thing happened” in their report, they cite the specific ATT&CK technique identifier for phishing with a malicious attachment. A completely different security team, reading that report months later, immediately knows the exact method involved, can look up the same identifier in their own tools, and can check whether their own defenses would have caught it, all without a single follow-up phone call to ask what actually happened.
4 · Why AI agents are gaining their own dedicated section
Attacks against an AI agent, software that decides on its own which tools to call based on instructions written in ordinary language, do not fit cleanly into categories written for traditional computer systems. Hidden instructions inside content the agent processes, or subtly manipulated training data, are genuinely new kinds of techniques. Having agent-specific techniques named and numbered the same way traditional ones already are lets the whole security community study, defend against, and discuss these new risks using one shared, precise vocabulary, instead of every team inventing its own private terminology for the exact same emerging problem.
5 · Using ATT&CK on purpose
- Reference techniques by identifier, not invented names. This makes reports comparable across teams and over time.
- Map your own defenses against the list. For each technique relevant to you, ask honestly whether you would catch it today.
- Watch the agent-specific additions. This part of the framework is actively growing as new AI-specific techniques get formally documented.
6 · A simple test you can run this week
1. Pick one recent security concern you discussed internally.
2. Try to find its matching ATT&CK technique identifier.
3. If you can, use it in your own notes going forward.
4. If you cannot find one, that gap itself is worth documenting.
7 · Glossary — every short-form term, spelled out
- MITRE
- A United States non-profit research organization that maintains several widely used, freely available security references.
- ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
- A large, free reference organizing real, observed attacker behavior into tactics and techniques with shared lookup identifiers.
- Tactic
- The goal an attacker is trying to achieve at a given stage, the "why."
- Technique
- A specific, observed method attackers use to achieve a tactic, the "how," each with a unique reference identifier.
- AI agent
- Software that decides, on its own, which tools to call and which actions to take, based on instructions written in ordinary language.
ATT&CK is a free, shared reference solving the problem of teams describing the same attack differently.
Tactics are the why; techniques are the specific how, each with a lookup identifier.
Citing techniques by identifier makes incident reports comparable across teams and over time.
AI agents are gaining their own dedicated section, since their attacks do not fit traditional categories.
References
- MITRE ATT&CK, official framework, The MITRE Corporation. attack.mitre.org
- MITRE ATLAS, Adversarial Threat Landscape for Artificial-Intelligence Systems, The MITRE Corporation. atlas.mitre.org