Most cyber conversations today reference “MITRE ATT&CK,” but very few insurance professionals know what it actually is — or why it matters for underwriting, claims, and risk evaluation.
Where the name comes from:
MITRE (which is not an acronym, according to its founders) is the not‑for‑profit research organization that created the framework.
ATT&CK is an acronym for Adversarial Tactics, Techniques & Common Knowledge — a structured way of describing how attackers actually operate. MITRE began developing ATT&CK in 2013 as part of a research project to document real adversary behaviors observed in enterprise environments.
Here’s the simple version.
MITRE ATT&CK is the industry’s shared encyclopedia of attacker behavior.
It catalogs how attackers operate — the tactics they use, the techniques they rely on, and the patterns defenders should be able to detect.
Instead of vague descriptions like “malware activity” or “credential theft,” ATT&CK gives teams a common language:
- T1055 — Process Injection
- T1003 — Credential Dumping
- T1021 — Lateral Movement
These codes show up in cyber applications, control assessments, SOC reports, and vendor claims. When a company says they “map to MITRE ATT&CK,” they’re saying:
“We understand the behaviors attackers use, and we’ve aligned our detection strategy to them.”
Why this matters for insurance:
ATT&CK helps reveal the gap between paper controls and actual detection capability. A company may claim coverage for a technique, but if the underlying logs aren’t configured, the detection won’t fire. That gap is where losses occur.
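The gap described above can be checked mechanically. The following is an added example, not part of the original article: it compares the techniques an applicant claims to detect against the telemetry each deployed detection rule depends on. The rule names, telemetry names and their mapping are constructed for illustration.

```python
# Constructed sample data; rule names, telemetry names and their mapping are
# illustrative assumptions, not ATT&CK's own data-source definitions.

# Techniques the applicant says it detects (IDs from the list above).
CLAIMED = {"T1055", "T1003", "T1021"}

# Deployed detection rules and the telemetry each one needs in order to fire.
RULES = [
    {"name": "lsass-handle-open", "technique": "T1003", "needs": {"process_access"}},
    {"name": "remote-thread-create", "technique": "T1055",
     "needs": {"process_access", "api_calls"}},
    {"name": "remote-logon-burst", "technique": "T1021", "needs": {"logon_events"}},
]

# Telemetry the environment is actually collecting.
ENABLED = {"process_creation", "logon_events"}


def coverage_gap(claimed, rules, enabled):
    """Classify each claimed technique as effective, blind or no_rule."""
    report = {}
    for tid in sorted(claimed):
        backing = [r for r in rules if r["technique"] == tid]
        if not backing:
            # Claimed on paper, but nothing deployed maps to it.
            report[tid] = {"status": "no_rule", "missing": []}
        elif any(r["needs"] <= enabled for r in backing):
            # At least one rule has every log source it depends on.
            report[tid] = {"status": "effective", "missing": []}
        else:
            # Rules exist but cannot fire: list the telemetry they lack.
            needed = set().union(*(r["needs"] for r in backing))
            report[tid] = {"status": "blind", "missing": sorted(needed - enabled)}
    return report


def effective_share(report):
    """Fraction of claimed techniques with a rule that can actually fire."""
    if not report:
        return 0.0
    return sum(v["status"] == "effective" for v in report.values()) / len(report)


if __name__ == "__main__":
    result = coverage_gap(CLAIMED, RULES, ENABLED)
    for tid, info in result.items():
        print(tid, info["status"], ", ".join(info["missing"]))
    print(f"effective: {effective_share(result):.0%} of claimed techniques")
```

With this sample data all three techniques are claimed, but only one has a rule whose log sources are actually being collected.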
The takeaway:
MITRE ATT&CK isn’t a tool — it’s a shared language.
And understanding that language helps insurance professionals evaluate cyber maturity with far more clarity.