Path icon Learning Paths

Red Team Tools

  • Number of Courses67 courses
  • Duration25 hours

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Further details on the MITRE ATT&CK® framework can be found at

Our red team operations tooling courses map to the MITRE ATT&CK® matrix tactics, techniques, and procedures. Each course focuses on the use of a specific industry-standard, generally open source, tool to carry out adversary emulation. Knowing what a tool is and how it can perform a specific task, will ultimately lend to your ability as an organization or an individual to detect and defend against specific attack vectors.

The ATT&CK section outlines tools used to achieve the following outcomes:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Courses in this path


The first course in this series discusses leveraging the MITRE ATT&CK framework in combination with open source tools to emulate adversary attacks.

ATT&CK - Resource Development (TA0042)

Resource development consists of techniques in which adversaries create, purchase, or compromise/steal resources that can be used to support targeted operations.

ATT&CK - Initial Access (TA0001)

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spear phishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

ATT&CK - Execution (TA0002)

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often coupled with techniques from other tactics to achieve broader goals, like stealing data.

ATT&CK - Persistence (TA0003)

ATT&CK - Privilege Escalation (TA0004)

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives.

ATT&CK - Defense Evasion (TA0005)

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware.

ATT&CK - Credential Access (TA0006)

Credential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

ATT&CK - Discovery (TA0007)

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective.

ATT&CK - Lateral Movement (TA0008)

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.

ATT&CK - Collection (TA0009)

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives.

ATT&CK - Command and Control (TA0011)

ATT&CK - Exfiltration (TA0010)

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once data has been obtained, adversaries will often times package it to avoid detection as it is removed.

ATT&CK - Impact (TA0040)

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Adversaries are trying to manipulate, interrupt, or destroy your systems and data.

Join our learners and upskill
in leading technologies