MITRE Expands ATT&CK Framework for Cloud and CI/CD Security


MITRE has released version 18 of its ATT&CK framework, introducing one of the most comprehensive updates in recent years. The October 2025 update enhances the globally recognized cybersecurity knowledge base with new techniques, detection logic, and broader coverage across enterprise, mobile, and industrial control system (ICS) environments.

The most notable improvement in ATT&CK v18 is its expanded defensive content. MITRE has introduced two new detection-related components, Detection Strategies and Analytics. Detection Strategies outline high-level approaches for identifying specific adversary behaviors, while Analytics provide platform-specific logic for detecting attacks in real-world systems. This evolution reflects MITRE’s ongoing effort to bridge the gap between theory and applied defense.
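To make the two new components concrete, here is an added illustration (not code from MITRE or from the ATT&CK project) of how a Detection Strategy can group several platform-specific Analytics and be run over event data. The identifiers, field names, approved-actor list and sample events are all constructed for this example and do not reflect MITRE's actual schema or IDs.

```python
"""Illustrative model of ATT&CK v18's Detection Strategy / Analytics split.

Hypothetical: the IDs, event fields and sample events below are constructed
for this example and are not MITRE's schema or real ATT&CK identifiers.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed allowlist of principals expected to edit pipeline definitions.
APPROVED_PIPELINE_EDITORS = {"deploy-bot"}


@dataclass
class Analytic:
    """Platform-specific detection logic (the v18 'Analytic' layer)."""
    analytic_id: str            # placeholder ID, not a real ATT&CK ID
    platform: str
    log_source: str
    match: Callable[[Event], bool]


@dataclass
class DetectionStrategy:
    """High-level approach for one behavior (the v18 'Detection Strategy' layer)."""
    strategy_id: str            # placeholder ID, not a real ATT&CK ID
    behavior: str
    analytics: List[Analytic] = field(default_factory=list)

    def run(self, events: List[Event]) -> List[Tuple[str, Event]]:
        """Apply each analytic only to events from its own platform."""
        hits = []
        for ev in events:
            for an in self.analytics:
                if an.platform == ev.get("platform") and an.match(ev):
                    hits.append((an.analytic_id, ev))
        return hits


def ci_pipeline_edit(ev: Event) -> bool:
    # Pipeline definition changed by a principal outside the allowlist.
    return (ev.get("path", "").startswith(".github/workflows/")
            and ev.get("action") == "modify"
            and ev.get("actor") not in APPROVED_PIPELINE_EDITORS)


def k8s_cronjob_create(ev: Event) -> bool:
    # Scheduled workload created by a non-system principal.
    return (ev.get("verb") == "create"
            and ev.get("resource") == "cronjobs"
            and not ev.get("user", "").startswith("system:"))


def build_strategy() -> DetectionStrategy:
    """One strategy, two analytics: same behavior, different platforms."""
    return DetectionStrategy(
        strategy_id="DS-EXAMPLE-001",
        behavior="Unexpected creation or modification of automated job definitions",
        analytics=[
            Analytic("AN-EXAMPLE-CI", "CI/CD", "repository audit log", ci_pipeline_edit),
            Analytic("AN-EXAMPLE-K8S", "Containers", "kube-apiserver audit log", k8s_cronjob_create),
        ],
    )


# Constructed sample events standing in for two different platforms' logs.
SAMPLE_EVENTS: List[Event] = [
    {"platform": "CI/CD", "actor": "deploy-bot", "action": "modify", "path": ".github/workflows/build.yml"},
    {"platform": "CI/CD", "actor": "contractor-7", "action": "modify", "path": ".github/workflows/build.yml"},
    {"platform": "CI/CD", "actor": "contractor-7", "action": "modify", "path": "README.md"},
    {"platform": "Containers", "user": "system:serviceaccount:kube-system:default", "verb": "create", "resource": "cronjobs"},
    {"platform": "Containers", "user": "alice", "verb": "create", "resource": "cronjobs"},
    {"platform": "Containers", "user": "alice", "verb": "get", "resource": "pods"},
]


def detect(events: List[Event] = SAMPLE_EVENTS) -> List[Tuple[str, Event]]:
    return build_strategy().run(events)


if __name__ == "__main__":
    for analytic_id, ev in detect():
        print(analytic_id, ev)
```

The design point is that the strategy names the behavior once, while each analytic is bound to one platform and one log source, which is what lets a defender map coverage per environment rather than per abstract technique.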

In the Enterprise domain, version 18 adds techniques that mirror modern digital infrastructures, such as CI/CD pipelines, Kubernetes clusters, and cloud databases. It also introduces coverage for ransomware preparation activities and for adversaries monitoring threat intelligence sources to track their own exposure.

The Cyber Threat Intelligence (CTI) section has also been expanded, incorporating new groups, campaigns, and software entries related to supply chain compromises, cloud identity exploitation, and attacks on virtualization and edge systems. These additions aim to give defenders deeper context around evolving attack patterns and threat actor toolsets.

For mobile threats, ATT&CK v18 adds entries for adversaries abusing the “linked devices” feature in Signal and WhatsApp, and reinstates the previously deprecated “abuse accessibility features” technique, a reflection of its continued exploitation in the wild.

In the ICS category, MITRE has added new assets including distributed control system (DCS) controllers, firewalls, and switches, alongside updated descriptions of existing assets. These changes enhance visibility into how adversaries target critical infrastructure components.

Alongside the framework update, MITRE announced the creation of the ATT&CK Advisory Council, a formal body that brings together representatives from government, academia, vendors, and end-user organizations to guide the framework’s future development.

With these changes, ATT&CK v18 not only strengthens its defensive capabilities but also modernizes its coverage to reflect how today’s hybrid, cloud-native, and interconnected systems are being targeted.