MITRE ATT&CK® Dictionary

Plain-English definitions for ATT&CK terms, tactics, techniques, telemetry concepts, and security-team use cases.

What is a tactic?

In MITRE ATT&CK, a tactic describes the adversary’s tactical objective, such as gaining initial access, executing code, collecting data, or causing impact. Tactics help defenders understand why a technique is being used and how it fits into an intrusion sequence.

What is a technique?

A technique in MITRE ATT&CK describes how adversaries achieve a tactical objective. Techniques are the practical behaviors defenders map to detections, telemetry, mitigations, and response playbooks.

What is a sub-technique?

A sub-technique is a more specific variation of an ATT&CK technique. It gives defenders additional precision when a broad behavior, such as command execution, has important platform-specific or tradecraft-specific forms.

What is a TTP?

TTP stands for tactics, techniques, and procedures. In ATT&CK-aligned work, it connects the adversary objective, the behavior used to achieve it, and the concrete implementation observed in an environment or report.

What is a data source?

An ATT&CK data source describes a category of information that can support detection, such as process, file, network, cloud, or identity telemetry. Data sources help teams identify what evidence is needed to observe a behavior.

What is a data component?

A data component is a more specific type of observable event or property within an ATT&CK data source. For example, process creation is a component of process telemetry.

What is a mitigation?

An ATT&CK mitigation is a defensive action or control that can reduce the likelihood or impact of one or more techniques. It is not a guarantee of coverage and should be validated against actual environments.

What is a matrix?

An ATT&CK matrix organizes tactics and techniques for a domain such as Enterprise, Mobile, or ICS. It gives teams a structured view of adversary behavior across an intrusion lifecycle.

What is initial access?

Initial Access is an ATT&CK tactic describing techniques adversaries use to gain entry into a target environment. It includes behaviors such as phishing, exploiting public-facing applications, and supply-chain compromise.

What is credential access?

Credential Access is an ATT&CK tactic focused on stealing account names, passwords, tokens, keys, or other secrets. It is central to many intrusions because valid credentials can bypass perimeter assumptions.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.