MITRE has announced an update to its ATT&CK framework, a knowledge base that tracks adversary Tactics, Techniques, and Procedures (TTPs) based on real-world observations.
The new release (v18) updates techniques, groups, campaigns, and software for Enterprise, Mobile, and Industrial Control Systems (ICS), with the biggest changes being in the defensive part of the framework, MITRE says.
In particular, MITRE has replaced Detections with two new objects: Detection Strategies, which outline approaches for detecting specific adversary techniques, and Analytics, which provide users with platform-specific threat detection logic.
“Detection strategy has always been a core part of ATT&CK, but the way we captured that guidance didn’t always reflect how defenders, including us, work in practice,” explains Lex Crumpton, Principal Cybersecurity Engineer at MITRE and Defensive Lead of MITRE ATT&CK.
“This update will transform ATT&CK detection guidance into a detection strategy-focused system, with modular, behavior-first blueprints that better address adversary behavior, platform diversity, and scalable detection.”
In addition to these Detection updates, MITRE has outlined significant changes within ATT&CK’s Enterprise, Mobile, and ICS sections.
Within Enterprise, MITRE has added techniques involving modern infrastructure, CI/CD pipelines, cloud databases, and Kubernetes, as well as ransomware preparation behaviors.
Within Mobile, MITRE has added coverage for adversaries abusing the linked devices feature in Signal and WhatsApp, and has re-introduced the “abuse accessibility features” technique.
Within ICS, MITRE has added new distributed control system controllers, firewalls, and switches, and updated the descriptions of existing assets.
In line with its unveiling of the new ATT&CK version, MITRE also announced the launch of an ATT&CK Advisory Council, which will provide a structured channel for the MITRE user community to provide strategic input and feedback.
“Our commitment is to ensure that ATT&CK continues to be a public resource that serves defenders first, and this Council is one of the ways that we’re formalizing that commitment,” says Amy Robertson, Principal Cyber Threat Intelligence Engineer at MITRE and MITRE ATT&CK Deputy Lead.