MITRE has released version 18 of its ATT&CK framework. The October 2025 update touches every part of the knowledge base, including techniques, groups, campaigns, and software, but according to MITRE the most notable changes are on the defensive side: how the framework describes detection.
The headline addition is two new detection-focused object types, Detection Strategies and Analytics, which replace the single-sentence detection notes previously attached to techniques with structured, behavior-focused detection guidance. Teams that consume ATT&CK programmatically should expect the data model behind detections to change with this release and review their parsers accordingly.
In the Enterprise matrix, MITRE has expanded coverage of techniques targeting modern infrastructure such as CI/CD pipelines, Kubernetes environments, and cloud databases.
On the Cyber Threat Intelligence (CTI) side, the release catalogs new adversary groups and campaigns, along with software tied to supply chain compromises, cloud identity abuse, and attacks on virtualization and edge systems.
“CTI features new groups, campaigns, and software tied to cascading supply chain compromises, cloud identity abuse, and attacks on edge and virtualization systems, and includes expanded content on the Democratic People’s Republic of Korea (DPRK) and People’s Republic of China (PRC) operations,” according to MITRE’s release post on Medium.
The Mobile section now includes coverage for threat actors abusing the “linked devices” functionality in Signal and WhatsApp. Additionally, the “abuse accessibility features” technique has been reinstated after being deprecated in ATT&CK v7.
For Industrial Control Systems (ICS), the update introduces new assets, including distributed control system controllers, firewalls, and switches, and refines existing asset descriptions to improve clarity and accuracy.
MITRE also announced the establishment of the ATT&CK Advisory Council, a new body designed to gather feedback from cybersecurity experts across government, academia, and the private sector. The council will serve as a formal advisory channel for shaping future ATT&CK releases.
