The Core Concept: MITRE’s ATT&CK is a structured adversarial knowledge base — 14 tactics, 200+ techniques, 400+ sub-techniques — that gives security teams a real-world map of how attackers operate across every infrastructure type.
The Guest: Steve Winterfeld, Advisory CISO at Akamai
The Bottom Line:
• CISOs who concentrate defenses only at entry and exit points leave the middle of the attack chain exposed — ATT&CK reveals those gaps and gives teams a maturity benchmark, training framework, and red team methodology in one place
Speaking with TFiR, Steve Winterfeld, Advisory CISO at Akamai, defined the current state of adversarial threat frameworks and explained how MITRE ATT&CK gives enterprise security teams a structured, real-world model of attacker behavior they can map directly to their defenses.
WHAT IS MITRE AND WHY IT MATTERS
MITRE is a federally funded research and development center serving the U.S. government with a focus on critical infrastructure, aviation, defense, and healthcare. Within cybersecurity, MITRE manages the CVE (Common Vulnerabilities and Exposures) system — the industry-standard naming and tracking system for newly discovered vulnerabilities — and the Common Weakness Enumeration (CWE). Its most operationally significant contribution for practicing security leaders is its suite of adversarial threat frameworks, led by ATT&CK.
WHAT IS MITRE ATT&CK
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is structured as a matrix of 14 adversarial tactics — from initial reconnaissance through data exfiltration — with over 200 techniques and more than 400 sub-techniques documented beneath them. Each technique reflects real-world attacker behavior observed across actual incidents.
“It’s basically a list of 14 tactics that make up a methodology for attack — and across those 14 original steps, there are 200 techniques and over 400 sub-techniques.”
The framework is not one-size-fits-all. Separate ATT&CK matrices exist for enterprise environments (Windows, Mac, Linux, cloud, containers, hypervisors), mobile platforms (iOS and Android), and industrial control systems and SCADA devices — reflecting the reality that attack techniques vary significantly by infrastructure type. Vendors can also submit their defensive tools for formal ATT&CK evaluation by MITRE, and practitioners can earn the MITRE ATT&CK Defender (MAD) certification.
HOW CISOs USE ATT&CK IN PRACTICE
Winterfeld outlined two primary use cases for the ATT&CK framework in enterprise security operations.
The first is program maturity assessment. By mapping existing security tools to the 14 ATT&CK tactics, CISOs can identify whether their defenses are concentrated at the entry and exit points of the attack chain — or distributed across all stages. A program with five tools on prevention and two on exfiltration has significant gaps in the middle, leaving lateral movement, internal discovery, and execution stages unmonitored.
“If somebody gets past that first layer, it makes more sense to have tools at each step so you have multiple chances to stop them.”
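The program-maturity mapping described above, as an added example that is not from the interview or from MITRE: a constructed tool inventory with hypothetical tool names is mapped onto the 14 ATT&CK Enterprise tactics, and the tactics with no tool are listed in attack-chain order, reproducing the "five tools on prevention, two on exfiltration" gap the text describes.

```python
# Tactic coverage check: map a tool inventory to the 14 ATT&CK Enterprise
# tactics and report which stages of the attack chain have no tool at all.
from collections import Counter

# The 14 ATT&CK Enterprise tactics in attack-chain order.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Constructed sample inventory with hypothetical tool names: the "five tools
# on prevention, two on exfiltration" program described in the text.
SAMPLE_INVENTORY = {
    "email-gateway": ["Initial Access"],
    "web-proxy": ["Initial Access", "Command and Control"],
    "vuln-scanner": ["Initial Access"],
    "attack-surface-monitor": ["Reconnaissance", "Initial Access"],
    "mfa": ["Initial Access"],
    "dlp": ["Exfiltration"],
    "egress-filter": ["Exfiltration", "Command and Control"],
}

def tactic_coverage(inventory):
    """Return {tactic: number of tools covering it} for all 14 tactics."""
    counts = Counter()
    for tool, tactics in inventory.items():
        for tactic in tactics:
            if tactic not in ENTERPRISE_TACTICS:
                raise ValueError(f"{tool}: unknown tactic {tactic!r}")
            counts[tactic] += 1
    return {t: counts[t] for t in ENTERPRISE_TACTICS}

def coverage_gaps(inventory, minimum=1):
    """Tactics with fewer than `minimum` tools, in attack-chain order."""
    return [t for t, n in tactic_coverage(inventory).items() if n < minimum]

def report(inventory):
    """Print one row per tactic: a bar of '#' per tool, or a GAP marker."""
    cov = tactic_coverage(inventory)
    for tactic in ENTERPRISE_TACTICS:
        bar = "#" * cov[tactic] if cov[tactic] else "-- GAP --"
        print(f"{tactic:<21}  {bar}")

if __name__ == "__main__":
    report(SAMPLE_INVENTORY)
    print("gaps:", coverage_gaps(SAMPLE_INVENTORY))
```

Raising `minimum` to 2 turns the check into the "multiple chances to stop them" test from the quote, flagging every tactic with only a single tool behind it.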
The second is security training. ATT&CK provides structured, real-world content for multiple teams: SOC analysts can train to recognize indicators associated with specific threat groups; red teams and pen testers can simulate real criminal group attack chains; developers can be shown exactly how attackers exploit code they write; and tabletop exercise scenarios can be pulled directly from the framework with minimal effort.
BROADER CONTEXT: MITRE’S FULL FRAMEWORK ECOSYSTEM
ATT&CK is part of a broader MITRE ecosystem that includes ATLAS for AI/LLM-specific threats, CRAFT for cyber resiliency engineering aligned to NIST SP 800-160, FIGHT for 5G threat modeling, Caldera for automated red team assessments, and ADAPT for financial sector payment technology threats.
Watch the full TFiR interview with Steve Winterfeld here.