
About CAPEC

Understanding adversary behavior is increasingly important in cybersecurity. Two approaches exist for organizing knowledge about adversary behavior, CAPEC and ATT&CK, each focused on a specific set of use cases. This page explains the similarities, differences, and relationship between CAPEC and ATT&CK and the role of each in cybersecurity.

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC is focused on application security and describes the common attributes and techniques employed by adversaries to exploit known weaknesses in cyber-enabled capabilities (e.g., SQL Injection, XSS, Session Fixation, Clickjacking).

  • Focus on application security
  • Enumerates exploits against vulnerable systems
  • Includes social engineering / supply chain
  • Associated with Common Weakness Enumeration (CWE)

Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)

ATT&CK is focused on network defense and describes the operational phases in an adversary's lifecycle, pre- and post-exploit (e.g., Persistence, Lateral Movement, Exfiltration), and details the specific tactics, techniques, and procedures (TTPs) that advanced persistent threats (APTs) use to execute their objectives while targeting, compromising, and operating inside a network.

  • Focus on network defense
  • Based on threat intelligence and red team research
  • Provides contextual understanding of malicious behavior
  • Supports testing and analysis of defense options

How they are related ...

Many attack patterns enumerated by CAPEC are employed by adversaries through specific techniques described by ATT&CK. This enables contextual understanding of the attack patterns within an adversary's operational lifecycle. CAPEC attack patterns and related ATT&CK techniques are cross-referenced when appropriate between the two efforts.
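The cross-referencing described above is what lets a defender walk from a weakness found in an application (CWE) to the attack patterns that exploit it (CAPEC) and on to the adversary lifecycle context (ATT&CK tactics and techniques). The following Python is an added illustration, not code from CAPEC or ATT&CK: the identifiers follow the real CWE, CAPEC and ATT&CK numbering schemes, but every row and every cross-reference in the tables is constructed for this example and would be taken from the published catalogues in practice.

```python
"""Join constructed CAPEC and ATT&CK records to place application weaknesses
in an adversary's operational lifecycle (CWE -> CAPEC -> ATT&CK)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AttackPattern:
    """A CAPEC entry: the application-security view of an attack."""
    capec_id: str
    name: str
    related_cwes: tuple          # weaknesses this pattern exploits
    attack_techniques: tuple     # ATT&CK technique IDs it cross-references


@dataclass(frozen=True)
class Technique:
    """An ATT&CK entry: the network-defense view, placed under a tactic."""
    technique_id: str
    name: str
    tactic: str


# Constructed sample rows (illustrative mappings, not the official ones).
CAPEC: Dict[str, AttackPattern] = {
    "CAPEC-66": AttackPattern("CAPEC-66", "SQL Injection", ("CWE-89",), ("T1190",)),
    "CAPEC-63": AttackPattern("CAPEC-63", "Cross-Site Scripting (XSS)", ("CWE-79",), ("T1185",)),
    "CAPEC-61": AttackPattern("CAPEC-61", "Session Fixation", ("CWE-384",), ("T1550",)),
    "CAPEC-103": AttackPattern("CAPEC-103", "Clickjacking", ("CWE-1021",), ("T1185",)),
    "CAPEC-98": AttackPattern("CAPEC-98", "Phishing", ("CWE-451",), ("T1566",)),
}

ATTACK: Dict[str, Technique] = {
    "T1190": Technique("T1190", "Exploit Public-Facing Application", "Initial Access"),
    "T1185": Technique("T1185", "Browser Session Hijacking", "Collection"),
    "T1550": Technique("T1550", "Use Alternate Authentication Material", "Defense Evasion"),
    "T1566": Technique("T1566", "Phishing", "Initial Access"),
}


def patterns_for_weakness(cwe_id: str) -> List[AttackPattern]:
    """CAPEC patterns that list the given CWE as an exploited weakness."""
    return sorted((p for p in CAPEC.values() if cwe_id in p.related_cwes),
                  key=lambda p: p.capec_id)


def lifecycle_context(pattern: AttackPattern) -> List[Technique]:
    """ATT&CK techniques cross-referenced by a CAPEC pattern.

    Dangling references (a technique ID missing from the ATT&CK table) are
    skipped rather than raised, since catalogue versions drift apart."""
    return sorted((ATTACK[t] for t in pattern.attack_techniques if t in ATTACK),
                  key=lambda t: t.technique_id)


def threat_model(cwes: Iterable[str]) -> Dict[str, dict]:
    """For each weakness found in an application, report the CAPEC patterns
    that exploit it and the ATT&CK techniques and tactics that give those
    patterns their place in the adversary lifecycle."""
    report: Dict[str, dict] = {}
    for cwe in cwes:
        patterns = patterns_for_weakness(cwe)
        techniques = {t for p in patterns for t in lifecycle_context(p)}
        report[cwe] = {
            "patterns": [p.capec_id for p in patterns],
            "techniques": sorted(t.technique_id for t in techniques),
            "tactics": sorted({t.tactic for t in techniques}),
        }
    return report


if __name__ == "__main__":
    # Constructed finding list: two known weaknesses and one unmapped CWE.
    for cwe, ctx in threat_model(["CWE-89", "CWE-79", "CWE-9999"]).items():
        print(cwe, ctx)
```

The report keeps the two views distinct: the `patterns` list is what a developer or application threat modeler acts on, while `tactics` tells a network defender which phase of the lifecycle the weakness would feed, so the same finding can be routed to both audiences.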

When to use ...

Use CAPEC for:

  • Application threat modeling
  • Developer training and education
  • Penetration testing

Use ATT&CK for:

  • Comparing computer network defense capabilities
  • Defending against the Advanced Persistent Threat
  • Hunting for new threats
  • Enhancing threat intelligence
  • Adversary emulation exercises

Page Last Updated or Reviewed: March 08, 2018