LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS


MITRE ATT&CK Technique Lookup

Look up any MITRE Enterprise ATT&CK technique by ID — tactics, platforms, detection guidance, data sources, and mitigations. Backed by the official MITRE CTI STIX feed (cached 7 days).

    What it does

    The MITRE ATT&CK matrix is the most widely adopted framework for describing real-world adversary behavior. Each technique (e.g. T1059.001 — PowerShell) is mapped to one or more tactics (the why), platforms (where it works), data sources for detection (what logs to watch), and mitigations (what controls disrupt it). Our lookup queries the official MITRE CTI STIX feed and renders the technique with all those fields in one card — useful for SOC playbook annotation, detection-engineering prioritization, or red-team report writing.


    How to use it

    1. Enter any ATT&CK Enterprise technique ID in TXXXX or TXXXX.XXX format (e.g. T1059, T1003.001, T1486).
    2. The card shows: tactic(s), platforms, description, data sources, detection guidance, and mitigations.
    3. Click "View on attack.mitre.org" for the full canonical page including procedure examples and sub-techniques.
    4. For mapping detections, focus on the "Data sources for detection" list — those tell you which log feeds carry the signal.
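The following is an added example, not the tool's own code, showing how a lookup like the one described above works against a STIX bundle: the ID is validated against the TXXXX / TXXXX.XXX format, the matching attack-pattern object is found by its mitre-attack external reference, tactics come from the kill-chain phases, platforms, data sources and detection guidance come from the x_mitre_* fields, and mitigations are resolved through "mitigates" relationships to course-of-action objects. The bundle here is a constructed sample with placeholder object ids, not the real feed; revoked and deprecated objects are skipped because they remain in the published bundle.

```python
import re
from typing import Optional

# The two ID formats the lookup accepts: TXXXX (technique) or TXXXX.XXX (sub-technique).
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def is_valid_technique_id(technique_id: str) -> bool:
    """True if the string is a well-formed Enterprise technique or sub-technique ID."""
    return bool(TECHNIQUE_ID_RE.match(technique_id.strip().upper()))


def _sample_technique(stix_id, attack_id, name, platforms, data_sources, sub):
    """Build one constructed attack-pattern object in the ATT&CK STIX shape (sample data)."""
    return {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "description": f"Sample description for {name}.",
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
        "x_mitre_platforms": platforms, "x_mitre_data_sources": data_sources,
        "x_mitre_detection": "Sample detection guidance.", "x_mitre_is_subtechnique": sub,
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id,
                                 "url": "https://attack.mitre.org/techniques/" + attack_id.replace(".", "/")}],
    }


# Constructed sample bundle: placeholder STIX ids, field names as in the ATT&CK STIX feed.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--placeholder",
    "objects": [
        _sample_technique("attack-pattern--placeholder-t1059", "T1059", "Command and Scripting Interpreter",
                          ["Windows", "Linux", "macOS"], ["Process: Process Creation"], False),
        _sample_technique("attack-pattern--placeholder-t1059-001", "T1059.001", "PowerShell",
                          ["Windows"], ["Script: Script Execution", "Process: Process Creation"], True),
        # Revoked objects stay in the feed; the lookup must not serve them (constructed ID).
        {"type": "attack-pattern", "id": "attack-pattern--placeholder-revoked", "name": "Revoked sample",
         "revoked": True, "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "course-of-action", "id": "course-of-action--placeholder-m1038", "name": "Execution Prevention",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1038"}]},
        {"type": "relationship", "id": "relationship--placeholder-1", "relationship_type": "mitigates",
         "source_ref": "course-of-action--placeholder-m1038", "target_ref": "attack-pattern--placeholder-t1059-001"},
    ],
}


def _attack_id(obj: dict) -> Optional[str]:
    """Return the ATT&CK ID (T..., M...) from the object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def _is_active(obj: dict) -> bool:
    """Revoked and deprecated objects remain in the bundle and must be filtered out."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def lookup_technique(bundle: dict, technique_id: str) -> Optional[dict]:
    """Render one technique card: tactics, platforms, data sources, detection, mitigations."""
    technique_id = technique_id.strip().upper()
    if not is_valid_technique_id(technique_id):
        raise ValueError(f"not a TXXXX or TXXXX.XXX technique ID: {technique_id!r}")
    objects = [o for o in bundle["objects"] if _is_active(o)]
    by_stix_id = {o["id"]: o for o in objects}
    technique = next((o for o in objects if o["type"] == "attack-pattern"
                      and _attack_id(o) == technique_id), None)
    if technique is None:
        return None
    # Mitigations are separate course-of-action objects joined by "mitigates" relationships.
    mitigations = []
    for rel in objects:
        if (rel["type"] == "relationship" and rel.get("relationship_type") == "mitigates"
                and rel.get("target_ref") == technique["id"]):
            coa = by_stix_id.get(rel["source_ref"])
            if coa is not None:
                mitigations.append((_attack_id(coa) or "", coa["name"]))
    refs = technique.get("external_references", [])
    url = next((r.get("url", "") for r in refs if r.get("source_name") == "mitre-attack"), "")
    return {
        "id": technique_id,
        "name": technique["name"],
        "is_subtechnique": technique.get("x_mitre_is_subtechnique", False),
        "tactics": [p["phase_name"] for p in technique.get("kill_chain_phases", [])
                    if p.get("kill_chain_name") == "mitre-attack"],
        "platforms": technique.get("x_mitre_platforms", []),
        "description": technique.get("description", ""),
        "data_sources": technique.get("x_mitre_data_sources", []),
        "detection": technique.get("x_mitre_detection", ""),
        "mitigations": sorted(mitigations),
        "url": url,
    }


if __name__ == "__main__":
    print(lookup_technique(SAMPLE_BUNDLE, "T1059.001"))
```

Against the real feed, the same code applies after loading the Enterprise bundle JSON into `bundle`; the one extra step a production lookup needs is the caching layer the page mentions, since the bundle is large and changes only a few times a year.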

    Common use cases

    Detection engineering: Before writing a new rule, look up the technique you’re trying to detect; the data-source list tells you what logs you need.
    Red team report writing: Map each step of your simulated kill chain to ATT&CK IDs so the blue team can correlate to their detections.
    Threat intel ingestion: When a vendor report says "the actor used T1027 and T1218.011", you can look those up here without leaving your browser.
    Tabletop exercises: Pull technique cards for the scenario being run and share them with participants as ground-truth references.

    Frequently asked questions

    Why aren’t mobile / ICS techniques here?
    We currently query the Enterprise matrix only. The Mobile and ICS matrices have different STIX bundles; we’ll add them once we see usage demand.
    How fresh is the data?
    We cache MITRE’s STIX feed for 7 days. MITRE typically updates twice a year (April and October).
    What are "sub-techniques"?
    Refinements of a parent technique. T1059 (Command and Scripting Interpreter) has T1059.001 (PowerShell), T1059.003 (Windows cmd), etc. Most modern detections key off the sub-technique level.
    Why no procedure examples?
    To keep the response compact. Click through to attack.mitre.org for the full procedure list per technique.


    Free for everyone, no signup required. Tool runs at /tools/mitre-attack/ — bookmark or share.
