
What is MITRE ATT&CK?

MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) maintained by the MITRE Corporation, the standard taxonomy security teams use to classify attack behavior and map detection coverage.

Updated 2026-05-19

What it means

ATT&CK organizes adversary behavior into tactics (the adversary's goals, such as initial access, persistence, or exfiltration) and techniques (the specific methods used to achieve each goal). Each technique has a unique identifier (T1078 for "Valid Accounts", T1566 for "Phishing", and so on) and detailed documentation. SOCs map detection rules, threat hunts, and incident response playbooks to ATT&CK techniques to measure coverage and to describe adversary behavior in consistent terms.
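As an added illustration (not code from this page or from Command Zero's product) of how a SOC measures detection coverage against ATT&CK: a constructed catalog of detection rules, each tagged with technique IDs, is scored per tactic against an abbreviated excerpt of the matrix. The tactic memberships for T1078 and T1566 follow the public ATT&CK matrix; the rule names and the extra techniques used to fill out the tactics are assumptions for the example.

```python
"""Score a detection-rule catalog against ATT&CK techniques, per tactic."""
from collections import defaultdict

# Constructed, abbreviated excerpt of the ATT&CK matrix:
# technique ID -> (name, tactics the technique appears under).
# The real matrix has hundreds of techniques; this is a tiny sample.
ATTACK_MATRIX = {
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1566": ("Phishing", ["initial-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1048": ("Exfiltration Over Alternative Protocol", ["exfiltration"]),
}

# Constructed detection-rule catalog; each rule is tagged with the technique(s)
# it is meant to detect, the way a SOC would tag SIEM rules or hunt queries.
DETECTION_RULES = [
    {"name": "login-from-new-geo", "techniques": ["T1078"]},
    {"name": "inbound-attachment-macro", "techniques": ["T1566"]},
    {"name": "mistagged-rule", "techniques": ["T9999"]},  # typo in the tag
]


def technique_coverage(rules, matrix):
    """Return (covered, unknown): technique ID -> rule names.

    IDs that are not in the matrix are reported separately rather than
    silently dropped, so mislabeled rules do not inflate coverage."""
    covered, unknown = defaultdict(list), defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            (covered if tid in matrix else unknown)[tid].append(rule["name"])
    return dict(covered), dict(unknown)


def tactic_coverage(rules, matrix):
    """Per tactic: (techniques with at least one rule, total techniques)."""
    covered, _ = technique_coverage(rules, matrix)
    totals = defaultdict(lambda: [0, 0])
    for tid, (_name, tactics) in matrix.items():
        for tactic in tactics:
            totals[tactic][1] += 1
            if tid in covered:
                totals[tactic][0] += 1
    return {tactic: tuple(counts) for tactic, counts in totals.items()}


if __name__ == "__main__":
    for tactic, (hit, total) in sorted(tactic_coverage(DETECTION_RULES, ATTACK_MATRIX).items()):
        print(f"{tactic:22s} {hit}/{total}")
    print("unknown technique tags:", technique_coverage(DETECTION_RULES, ATTACK_MATRIX)[1])
```

The per-tactic view is what makes coverage gaps visible: here initial access is fully covered while lateral movement and exfiltration have no rule at all.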

Command Zero’s approach

How Command Zero handles MITRE ATT&CK.

Command Zero tags investigation questions and case findings to specific MITRE techniques. Analysts can investigate by technique ("what evidence do we have for T1078 lateral movement?") and case reports include the ATT&CK mapping. The Casebook organizes investigations by technique, making it easy to study how specific adversary behaviors have surfaced across the customer base. MITRE alignment is built into Command Zero's investigation and reporting model.

See MITRE ATT&CK in production

Book a Command Zero demo.

Live in under an hour. No migration. Zero training data required.
