Multi-Source Analysis of Top MITRE ATT&CK Techniques

The MITRE ATT&CK® matrix is the industry’s most valuable dictionary for adversary behavior, but the industry’s threat reports are often like a “tower of Babel,” with different vendors reporting widely different trends. This Cyentia-led meta-study analyzes 22 distinct public sources of ATT&CK statistics to find the consensus among them. The report rewards the reader by distilling these disparate vantage points into a single, unified ranking of the most frequent attack techniques and their most effective mitigations.

A critical finding of this study is the prevalence of reporting “blind spots.” One-third of all ATT&CK techniques were never mentioned by any of the 22 sources during the study window, and 85% of sub-techniques were completely invisible. This lack of specificity limits the actionability of threat intelligence, forcing defenders to rely on broader technique categories. The report provides the data needed for security teams to understand which parts of the matrix are well-monitored and where visibility remains a theory rather than a reality.

The research also identifies the most “versatile” attack techniques—those that adversaries use across different stages of the kill chain. “Valid Accounts” (T1078) emerges as a dominant force, appearing in four different tactics and serving as a primary vector for initial access and lateral movement. By mapping these high-frequency techniques to specific mitigations, such as privileged account management and behavior prevention, the study offers a “jumpstart” for building a threat-informed defense.

Key Findings

• The 36% Visibility Gap: Over one-third (36%) of all MITRE ATT&CK techniques were not reported by any of the 22 major industry sources analyzed.
• Sub-Technique Invisibility: 85% of ATT&CK sub-techniques were never reported by any source, severely limiting the specificity of available threat intel.
• Managed Service Advantage: Managed service and incident response providers report two to three times as many unique techniques as telemetry or OSINT-only sources.
• “Valid Accounts” Dominance: Valid Accounts (T1078) is the most frequently observed and reported technique used by adversaries for both initial access and lateral movement.
• Initial Access Leaders: Following valid accounts, “Exploit Public-Facing Application” (T1190) and “Phishing” (T1566) are the primary entry vectors leading to multi-party incidents.
• Top 3 Frequent Techniques: Across all source types, the most frequently used techniques are Account Discovery (T1087), Command and Scripting Interpreter (T1059), and System Owner/User Discovery (T1033).