Which statement best describes the MITRE ATT&CK framework?

• A. The MITRE ATT&CK framework is a knowledge base of attacker tactics, techniques, and procedures; used to model adversary behavior, map detections, and guide defense and hunting.
• B. It is a risk scoring model for third-party vendors.
• C. It is a hardware tool for network taps.
• D. It is a software suite for incident response automation.

Answer: (A)

MITRE ATT&CK is a knowledge base of attacker tactics, techniques, and procedures, grounded in real-world observations. It organizes how adversaries move through a network—from initial access to impact—into tactics (the high-level goals) and techniques (the concrete actions used to achieve them). This structure lets defenders map their detections to specific attacker actions, identify coverage gaps, and guide threat hunting and red-teaming efforts. Because it reflects how attackers operate in practice, it supports threat modeling, detection engineering, and security planning in a practical, falsifiable way.

It isn’t a risk-scoring model for vendors, a hardware device, or a software suite for incident-response automation. Those descriptions point to different kinds of tools or frameworks, not the MITRE ATT&CK knowledge base.