
Related Efforts


Common Attack Pattern Enumeration and Classification (CAPEC™) is an effort to provide a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about those attacks. Understanding adversary behavior is increasingly important in cybersecurity. Two approaches exist for organizing knowledge about adversary behavior: CAPEC and ATT&CK, each focused on a specific set of use cases. The CAPEC and ATT&CK Comparison page explains the similarities, differences, and relationship between CAPEC and ATT&CK and the role of each in cybersecurity.

The ATT&CK and CAPEC efforts are collaborating to map related details between ATT&CK techniques and CAPEC attack patterns. CAPEC has incorporated an initial mapping of ATT&CK techniques in version 2.8[1], and related ATT&CK techniques have CAPEC ID references.


Malware Attribute Enumeration and Characterization (MAEC™) is a collaborative, community-driven effort to define and develop a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns. Characterizing malware using abstract patterns offers a wide range of benefits over the use of physical signatures. It allows for the accurate encoding of how malware operates and the specific actions that it performs. Such information can be used not only for malware detection but also for assessing the end goal the malware is pursuing and the corresponding threat that it represents. Focusing on the attributes and behaviors of malware facilitates detection and analysis of emerging, sophisticated malware threats that circumvent the traditional signature-based and heuristic approaches. Characterizing malware in a standard way supports collaboration across organizations and the identification of common behavior, functionality, and code bases across instances of malware.

Some of the post-access techniques covered by ATT&CK align and overlap with the capability and behavior abstractions that are part of MAEC's standardized characterization of malware behavior. While ATT&CK takes a general approach, remaining agnostic to the specific tools adversaries may use, there is still value in relating back to standardized methods of describing certain attributes of malware wherever applicable.

External Links


[1] "CAPEC List Version 2.8 Now Available." The MITRE Corporation.