
What Is MITRE ATT&CK?

MITRE ATT&CK is a public knowledge base of adversary tactics and techniques observed in real attacks, organised into a matrix. It gives defenders a shared vocabulary (technique IDs like T1059) for describing how an actor operates, from initial access to exfiltration.

How Whisper models it

ACTOR—USES_TECHNIQUE→ATTACK_PATTERN

Named actors and ATT&CK techniques are both nodes; a USES_TECHNIQUE edge links an adversary to every technique it is known to use.

Techniques of an actor
MATCH (ac:ACTOR {name:"Volt Typhoon"})-[:USES_TECHNIQUE]->(t:ATTACK_PATTERN) RETURN t.name LIMIT 12

Tactics, techniques, and the matrix

ATT&CK organises adversary behaviour into tactics (the why — the attacker's goal at a stage, like Persistence or Exfiltration) and techniques (the how — the specific method used to achieve it). Each technique has a stable ID, so two analysts on opposite sides of the world can describe the same behaviour the same way.

Why a shared vocabulary helps

Before ATT&CK, every vendor described attacks differently. A shared catalogue means detections, threat reports, and red-team plans all map to the same reference, so coverage gaps become visible and intelligence becomes comparable across sources.
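As an added example (not Whisper's code or part of the original page), the sketch below shows how tagging detections with technique IDs makes coverage gaps visible: it compares an actor's technique list against a rule inventory. The actor profile, rule names and the "partial" category (a rule tagged only with the parent or a sibling sub-technique) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# ATT&CK technique ID: "T" + 4 digits, optional ".NNN" sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

def normalise(ids):
    """Validate and canonicalise technique IDs; reject anything malformed."""
    out = set()
    for raw in ids:
        tid = raw.strip().upper()
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"not an ATT&CK technique ID: {raw!r}")
        out.add(tid)
    return out

def parent(tid):  # T1059.001 -> T1059; a top-level ID is its own parent
    return tid.split(".")[0]

def coverage_report(actor_techniques, detections):
    """Compare an actor's techniques with rule tags (rule name -> technique IDs)."""
    rules_by_tid = defaultdict(set)
    for rule, tags in detections.items():
        for tid in normalise(tags):
            rules_by_tid[tid].add(rule)

    report = {"covered": {}, "partial": {}, "gaps": []}
    for tid in sorted(normalise(actor_techniques)):
        if tid in rules_by_tid:
            report["covered"][tid] = sorted(rules_by_tid[tid])
            continue
        # Same technique family only (parent or sibling sub-technique): worth
        # reviewing, but not proof that this exact behaviour is detected.
        related = {r for t, rules in rules_by_tid.items()
                   if parent(t) == parent(tid) for r in rules}
        if related:
            report["partial"][tid] = sorted(related)
        else:
            report["gaps"].append(tid)
    return report

# Constructed sample data: a hypothetical actor profile and rule inventory.
ACTOR = ["T1059.001", "T1078", "T1190", "T1003.003"]
RULES = {
    "ps_encoded_command": ["T1059.001"],
    "generic_script_host": ["T1059"],
    "lsass_access": ["T1003.001"],
    "new_admin_logon": ["t1078 "],  # sloppy tag, fixed by normalise()
}
```

Calling coverage_report(ACTOR, RULES) separates techniques with a directly tagged rule from those with only a related rule and those with none.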

From technique to infrastructure

ATT&CK tells you how an actor operates; it does not, by itself, tell you where. The value comes from joining a named actor's techniques to the live infrastructure it uses — turning a behavioural profile into concrete hunting leads.
