The following tools allow users to explore, access, visualize, and query ATT&CK in different ways.
The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more.
The ATT&CK Workbench is an application allowing users to explore, create, annotate, and share extensions of the ATT&CK knowledge base.
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. Other presentations of this dataset, including the ATT&CK Navigator and this website, are built from the STIX data.
STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular representation of the ATT&CK data, and all other representations are derived from the STIX dataset.
The ATT&CK STIX representation is most easily manipulated in Python using the stix2 library. However, because STIX is represented in JSON, other programming languages can easily interact with the raw content.
Consider using ATT&CK in STIX if you:
The ATT&CK STIX data can also be accessed via the official ATT&CK TAXII™ server. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. The ATT&CK TAXII server provides API access to the ATT&CK STIX knowledge base.
These spreadsheets are built from the STIX dataset and provide a more human-accessible view into the knowledge base while also supporting rudimentary querying/filtering capabilities.
The Excel representation of the ATT&CK dataset below includes both master spreadsheets, containing all object types, and individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g., procedure examples connecting groups to techniques) into separate sheets by relationship type, while the master spreadsheet includes all relationship types in a single sheet.
A citations sheet can be used to look up the in-text citations which appear in some fields. For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been revoked or deprecated are not included in the spreadsheets.
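The per-relationship-type breakout and the exclusion of revoked or deprecated objects described above can be reproduced directly from the raw STIX JSON with only the Python standard library. This is an added example, not the project's own converter code; the bundle is constructed sample data with made-up IDs, and dropping any relationship that points at an inactive object is this example's choice.

```python
import json

# Constructed sample bundle: every ID and name below is made up for illustration.
BUNDLE_JSON = """
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
 {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
  "name": "Technique A", "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
 {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002", "revoked": true,
  "name": "Technique B", "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
 {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-000000000003",
  "name": "Group X", "external_references": [{"source_name": "mitre-attack", "external_id": "G9001"}]},
 {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
  "relationship_type": "uses",
  "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000003",
  "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000001"},
 {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000005",
  "relationship_type": "uses",
  "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000003",
  "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000002"}
]}
"""

def is_active(obj):
    """True unless the object is marked revoked or deprecated."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def attack_id(obj):
    """Return the ATT&CK ID stored in external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":  # assumed source_name
            return ref.get("external_id")
    return None

def relationships_by_type(bundle):
    """Group relationship rows by type, keeping rows whose endpoints are both active."""
    objects = bundle.get("objects", [])
    active = {o["id"]: o for o in objects if o["type"] != "relationship" and is_active(o)}
    sheets = {}
    for rel in objects:
        if rel["type"] != "relationship" or not is_active(rel):
            continue
        src, dst = active.get(rel["source_ref"]), active.get(rel["target_ref"])
        if src and dst:  # skip rows pointing at revoked, deprecated or missing objects
            sheets.setdefault(rel["relationship_type"], []).append((attack_id(src), attack_id(dst)))
    return sheets

if __name__ == "__main__":
    for rel_type, rows in relationships_by_type(json.loads(BUNDLE_JSON)).items():
        print(rel_type, rows)
```

The second relationship is dropped because its target is revoked, which is the kind of row that would otherwise inflate a technique-coverage count built from the raw STIX data.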
Consider using ATT&CK in Excel if you:
Excel Spreadsheets representing the ATT&CK dataset:
This folder within the pip module contains an additional module for converting ATT&CK STIX data to Excel spreadsheets. It also provides a means to access ATT&CK data as Pandas DataFrames for data analysis.