Investigator Use
MITRE ATT&CK is the definitive reference framework for adversary tactics, techniques, and procedures used in cyber intrusions. Maintained by the MITRE Corporation, ATT&CK documents the specific behaviors attackers use during campaigns — from initial access and execution through persistence, privilege escalation, lateral movement, and impact — mapped against real-world threat groups and malware families.
What OSINT investigators and threat analysts use ATT&CK for: attributing observed behaviors to known threat actor groups, understanding the full attack lifecycle during incident response, building detection logic based on documented techniques, and researching specific threat groups and their preferred tooling.
What ATT&CK exposes: detailed technique and sub-technique descriptions with real-world examples, procedure examples showing how specific APT groups and malware families implement each technique, detection guidance mapped to data sources, mitigation recommendations, and relationships between techniques across the kill chain.
The ATT&CK Navigator tool allows analysts to overlay multiple threat groups on the same matrix to compare TTPs, identify coverage gaps in detection, and build threat models. For OSINT investigations involving a suspected threat actor, researching their known TTPs in ATT&CK narrows the range of techniques to look for in log data and threat intel reports.
Threat group profiling: ATT&CK maintains profiles for dozens of named APT groups including their country of origin, targeted sectors, known malware, and the specific techniques observed in attributed campaigns. When investigating an incident with suspected nation-state involvement, these profiles provide critical context and attribution leads.
Software entries: in addition to techniques and groups, ATT&CK documents specific malware and tools with their capabilities mapped to techniques. Knowing that a specific piece of malware uses certain persistence techniques helps investigators search for related indicators in other systems.
In a workflow: use ATT&CK in the analysis phase rather than the collection phase. After gathering IOCs and behavioral evidence, map observed activities to ATT&CK techniques to build a structured picture of the intrusion. Use the resulting technique list to query threat intel platforms like MISP or Pulsedive for related IOCs and threat reports.
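The analysis-phase step above (map gathered evidence to techniques, build a structured picture, hand the technique list on to threat intel queries) together with the Navigator coverage-gap idea from the earlier paragraph, as an added example that is not part of this page or of MITRE's own tooling. The technique IDs, names and tactic short names are real ATT&CK Enterprise values; the evidence records, the detection-coverage set, the incident name and the Navigator version strings are constructed assumptions for the example.

```python
"""Turn collected intrusion evidence into a kill-chain-ordered timeline, list the
observed techniques that have no detection coverage, and emit an ATT&CK Navigator
layer. Added example; evidence and coverage data below are constructed."""
import json
from collections import Counter

# Real ATT&CK technique IDs, names and primary tactic short names (constructed subset).
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "persistence"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1021.002": ("SMB/Windows Admin Shares", "lateral-movement"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Enterprise tactics in matrix (kill-chain) order; subset of the real list.
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "credential-access", "lateral-movement", "impact"]

# Constructed evidence, as an analyst would record it after the collection phase.
EVIDENCE = [
    {"ts": "2024-03-01T08:12:00Z", "host": "ws-014", "technique": "T1566.001", "note": "macro document from external sender"},
    {"ts": "2024-03-01T08:13:10Z", "host": "ws-014", "technique": "T1059.001", "note": "encoded PowerShell child of winword.exe"},
    {"ts": "2024-03-01T08:15:42Z", "host": "ws-014", "technique": "T1547.001", "note": "HKCU Run key added"},
    {"ts": "2024-03-01T09:02:05Z", "host": "ws-014", "technique": "T1003.001", "note": "handle opened on lsass.exe"},
    {"ts": "2024-03-01T09:40:00Z", "host": "srv-02", "technique": "T1021.002", "note": "admin share mounted from ws-014"},
    {"ts": "2024-03-01T09:41:30Z", "host": "srv-02", "technique": "T1059.001", "note": "PowerShell started via remote service"},
    {"ts": "2024-03-02T01:00:00Z", "host": "srv-02", "technique": "T1486", "note": "mass file renames, new extension"},
]

# Constructed: techniques the SOC already has validated detections for.
DETECTION_COVERAGE = {"T1566.001", "T1059.001", "T1003.001"}


def validate(evidence):
    """Fail loudly on IDs missing from the local subset so a typo cannot silently
    drop a piece of evidence from the picture."""
    unknown = sorted({e["technique"] for e in evidence if e["technique"] not in TECHNIQUES})
    if unknown:
        raise ValueError(f"unknown technique IDs: {unknown}")


def build_timeline(evidence):
    """Order evidence by kill-chain phase first, then by timestamp."""
    validate(evidence)

    def key(e):
        return (TACTIC_ORDER.index(TECHNIQUES[e["technique"]][1]), e["ts"])

    return [{"tactic": TECHNIQUES[e["technique"]][1], "technique": e["technique"],
             "name": TECHNIQUES[e["technique"]][0], "host": e["host"], "ts": e["ts"]}
            for e in sorted(evidence, key=key)]


def technique_counts(evidence):
    """Distinct observed technique IDs with the number of supporting records;
    the keys are the list to query MISP or Pulsedive with."""
    validate(evidence)
    return Counter(e["technique"] for e in evidence)


def coverage_gaps(observed_ids, detected_ids):
    """Observed techniques with no existing detection, the gaps to close first."""
    return sorted(set(observed_ids) - set(detected_ids))


def navigator_layer(evidence, detected_ids, name="incident-2024-03"):
    """Build a dict in the ATT&CK Navigator layer format: score = evidence count,
    red for undetected techniques, green for detected ones. The version strings
    are assumed; set them to match the Navigator build you load the layer into."""
    counts = technique_counts(evidence)
    gaps = set(coverage_gaps(counts, detected_ids))
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Observed techniques; red = no detection coverage",
        "techniques": [
            {"techniqueID": tid, "score": n, "enabled": True,
             "color": "#ff6666" if tid in gaps else "#66ff66",
             "comment": f"{n} record(s); " + ("NO DETECTION" if tid in gaps else "detected")}
            for tid, n in sorted(counts.items())
        ],
    }


if __name__ == "__main__":
    for row in build_timeline(EVIDENCE):
        print(f"{row['tactic']:<18} {row['technique']:<10} {row['name']:<38} {row['host']} {row['ts']}")
    print("detection gaps:", coverage_gaps(technique_counts(EVIDENCE), DETECTION_COVERAGE))
    print(json.dumps(navigator_layer(EVIDENCE, DETECTION_COVERAGE), indent=2))
```

Save the printed JSON to a file and open it in Navigator to get the overlay; swapping `DETECTION_COVERAGE` for a threat group's documented technique set gives the group-versus-observed comparison described above instead of the detection-gap view.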
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
CVE
Cyber Threat OSINT
CVE provides standardized vulnerability identifiers and references used in security research, triage, and threat intelligence workflows.
CVE Details
Cyber Threat OSINT
CVE Details aggregates vulnerability records, CVSS scores, and affected software lists for security analysis and patch prioritization.
Default Passwords
Cyber Threat OSINT
Find default passwords and credentials for routers, printers, servers, and network devices for authorized security auditing.
Exploit DB
Cyber Threat OSINT
The Exploit Database archives public exploits and proof-of-concept code for known vulnerabilities, used in penetration testing and research.
Honey DB
Cyber Threat OSINT
HoneyDB aggregates honeypot sensor data to identify malicious IP addresses, attacker tactics, and emerging threat patterns.
Hybrid Analysis
Cyber Threat OSINT
Hybrid Analysis provides free malware sandboxing with Falcon Sandbox technology to analyze suspicious files and URLs for threat intelligence.