    MITRE ATT&CK

    Knowledge base of real-world adversary tactics, techniques, and procedures organized into a matrix used to model threats and assess defenses.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026

    Definition

    MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible framework that catalogs observed adversary behavior across the full attack lifecycle. It is organized as a matrix of tactics (the attacker's goal, e.g., Initial Access, Execution, Persistence, Lateral Movement, Exfiltration) and the specific techniques and sub-techniques attackers use to achieve each goal. ATT&CK is maintained by MITRE under government and community funding and is updated quarterly. Separate matrices exist for Enterprise, Mobile, and ICS (Industrial Control Systems), and the mappings are widely used by SOCs, threat intel teams, red teams, and increasingly by medical device security teams.
    What the regulation says

    FDA's 2023 Premarket Cybersecurity guidance recommends manufacturers use a structured threat-modeling approach and cites ATT&CK alongside STRIDE as accepted references. The Health Sector Coordinating Council Joint Security Plan (HSCC JSP) recommends ATT&CK mapping in its threat modeling chapter. AAMI TIR57 references ATT&CK as a knowledge source for identifying credible threats.

    What this means in practice

    For medical device manufacturers, ATT&CK is the lingua franca that connects threat modeling to detection engineering and incident response. When you write a threat model (STRIDE-based or otherwise), the next step is mapping each identified threat to specific ATT&CK techniques so your security controls, monitoring rules, and pen-test scope can be measured against real adversary behavior. ICS ATT&CK is particularly relevant for connected hospital devices that share characteristics with operational technology environments.
    Common pitfalls

    • Mapping threats to ATT&CK tactics only (the column headers) instead of specific techniques and sub-techniques; the granularity is the point.
    • Treating ATT&CK as a checklist of controls rather than a reference of attacker behavior; defensive frameworks like D3FEND or NIST CSF cover controls.
    • Ignoring ICS ATT&CK for hospital-deployed devices; many techniques in that matrix apply to networked imaging, lab analyzers, and infusion fleets.
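The mapping step described under "What this means in practice" and the first pitfall above (stopping at the tactic column instead of naming a technique) are easy to enforce mechanically once the threat model is in a structured form. The script below is an added example, not code from this glossary or from MITRE: it takes STRIDE-style threat entries with whatever ATT&CK references the author wrote, classifies each reference as a technique, sub-technique, ICS technique, or bare tactic by its ID format, and reports entries that are unmapped or mapped only to a tactic. The threat entries, the `Threat` dataclass and the `audit` function are constructed for illustration; the technique IDs used in the sample (T1078.001, T1041, T0866) are real ATT&CK identifiers at the time of writing but should be checked against the current release before use, and the script validates ID format only, not membership in the catalog.

```python
"""Audit a threat model's ATT&CK mappings for technique-level granularity (constructed example)."""
import re
from dataclasses import dataclass

# ATT&CK identifier formats. Enterprise and Mobile techniques look like T1078,
# sub-techniques like T1078.004; ICS techniques use four-digit IDs in the T08xx/T09xx range.
ENTERPRISE_ID = re.compile(r"^T1\d{3}(\.\d{3})?$")
ICS_ID = re.compile(r"^T0[89]\d{2}$")

# Enterprise tactic names (the matrix column headers), compared case-insensitively.
TACTICS = {
    "reconnaissance", "resource development", "initial access", "execution", "persistence",
    "privilege escalation", "defense evasion", "credential access", "discovery",
    "lateral movement", "collection", "command and control", "exfiltration", "impact",
}


@dataclass(frozen=True)
class Threat:
    threat_id: str
    stride: str           # STRIDE category assigned in the threat model
    description: str
    attack_refs: tuple    # ATT&CK references exactly as the threat-model author wrote them


def classify_ref(ref: str) -> str:
    """Classify one ATT&CK reference string by its shape."""
    ref = ref.strip()
    if ENTERPRISE_ID.match(ref):
        return "sub-technique" if "." in ref else "technique"
    if ICS_ID.match(ref):
        return "ics-technique"
    if ref.lower() in TACTICS:
        return "tactic"
    return "unknown"


def audit(threats) -> list:
    """Return (threat_id, finding) pairs for entries that do not reach technique granularity."""
    concrete = {"technique", "sub-technique", "ics-technique"}
    findings = []
    for t in threats:
        if not t.attack_refs:
            findings.append((t.threat_id, "unmapped"))
            continue
        kinds = {classify_ref(r) for r in t.attack_refs}
        if kinds & concrete:
            continue  # at least one real technique: the mapping is usable for detection and testing
        if "tactic" in kinds:
            findings.append((t.threat_id, "tactic-only"))
        else:
            findings.append((t.threat_id, "unrecognised"))
    return findings


# Constructed sample threat model for a networked medical device.
SAMPLE_THREATS = (
    Threat("TM-01", "Spoofing",
           "Login to the device service console with vendor default credentials", ("T1078.001",)),
    Threat("TM-02", "Tampering",
           "Unsigned firmware image accepted by the update routine", ("Persistence",)),
    Threat("TM-03", "Information Disclosure",
           "Patient data sent to an external host over the device's existing HTTPS channel", ("T1041",)),
    Threat("TM-04", "Elevation of Privilege",
           "Unprivileged service process gains root", ("Privilege Escalation", "exploitation")),
    Threat("TM-05", "Denial of Service",
           "Infusion pump becomes unresponsive under a network flood", ()),
    Threat("TM-06", "Tampering",
           "Analyzer reached from a workstation via an exposed remote service", ("T0866",)),
)

if __name__ == "__main__":
    for threat_id, finding in audit(SAMPLE_THREATS):
        print(f"{threat_id}: {finding}")
```

Run as-is, it flags TM-02 and TM-04 as tactic-only and TM-05 as unmapped, while TM-01, TM-03 and TM-06 pass. A team that wants to go further can load the technique list from MITRE's published STIX data and reject IDs that are well-formed but no longer exist, which this example deliberately leaves out.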

    Frequently asked questions

    How does ATT&CK differ from the Cyber Kill Chain?

    Lockheed Martin's Kill Chain is a seven-step linear model. ATT&CK is non-linear, far more granular (hundreds of techniques), and based on observed real-world behavior rather than a conceptual model.

    Primary references

    1. MITRE ATT&CK. MITRE, attack.mitre.org
    2. ATT&CK for ICS. MITRE, attack.mitre.org
    3. Getting Started with ATT&CK. MITRE, mitre.org