Get in Sync with ATT&CK and CTID

By Tiffany Bergeron and Allison Robbins • November 15, 2025

Cybersecurity is built on MITRE ATT&CK®. Threat-informed organizations map security control frameworks to ATT&CK techniques (e.g., the NIST 800-53 Controls to ATT&CK Mappings). Intelligence analysts, threat hunters, and incident responders communicate amongst themselves in the words and pictures of ATT&CK (e.g., Attack Flow). These tools that operationalize the ATT&CK framework are typically tethered to the version of ATT&CK that was current at the time of development. But adversaries keep innovating and MITRE responds by updating the ATT&CK knowledge base twice per year. As new versions of ATT&CK come out, once-fresh applications become out-of-date with stale data.

In partnership with the Center for Internet Security, Citigroup, HCA Healthcare, JPMorgan Chase Bank N.A., Lloyds Banking Group, Microsoft Corporation, and Verizon Business, we have upgraded our resources that keep you up-to-date with ATT&CK. Even with the significant updates to the ATT&CK framework in version 18, these tools will show you exactly what changed between versions to keep your threat-informed defense current.

ATT&CK Sync Website

Use ATT&CK Sync to understand exactly what has changed between versions of ATT&CK. The web interface allows you to select the version you are currently using and the version you want to upgrade to, and then view a detailed changelog to guide your updates.

What’s New

ATT&CK Sync

Use ATT&CK Sync to update your solutions to new versions of ATT&CK efficiently and effectively. ATT&CK Sync is up to date with the major changes announced for version 18, listing all Detection Strategies and Analytics. Threat-informed organizations stay on top of ATT&CK releases to maintain timely and relevant defense.

ATT&CK Sync updates existing workflows to newer versions of ATT&CK. We use it too in our R&D program. Our Mappings Editor is a practical example of how.

Mappings Editor

If you need to produce or update your own security control mappings to ATT&CK, Mappings Editor is a tool to do just that. We use the Mappings Editor to produce our repository of security capabilities mapped to the ATT&CK knowledge base, centralized for you in Mappings Explorer. Mappings Editor streamlines the creation of mapping files. It brings you away from spreadsheets to a web-based interface that we engineered to accelerate the mapping process.

We have made the Mappings Editor available as a public beta with usage documentation – including step-by-step instructions for updating mappings in the Editor – via the project’s GitHub repository and the live Mappings Editor site.

The Mappings Editor now has built-in ATT&CK Sync functionality. You can now easily answer the important question “how does this new version affect my existing ATT&CK mappings?”. This means that you can upload your existing mappings and see which mappings include ATT&CK objects that have changes across versions of ATT&CK, including the recently released v18.

To use the new ATT&CK Sync in Mappings Editor:

• Select the ATT&CK version you want to update to.
• The Editor will flag each mapping that contains an ATT&CK object that has changed in the selected ATT&CK version.
• Then use Mappings Editor to customize your display, such as showing only mappings with version-related changes.
• See what changed in the Editor’s new Problem Pane. The Editor can show changes to:
  • Technique ID
  • Name
  • Description
  • Mitigations

Once you’ve synced the existing mapping with the changes affecting the mapped ATT&CK object, update the status of the mapping and move on to the next.

Mappings Editor ATT&CK Sync Features

The new ATT&CK Sync capabilities in Mappings Editor help you quickly identify, review, and update mappings affected by changes across ATT&CK versions, keeping your threat-informed defense current. By combining the detailed version-to-version changelogs from ATT&CK Sync with the streamlined mapping workflows in Mappings Editor, defenders can reduce the time and effort required to keep their mappings in sync with ATT&CK.

Get Involved

We welcome your feedback and contributions to continue to advance ATT&CK Sync and the Mappings Editor. You are also welcome to submit issues for any technical questions/concerns via the Mappings Editor GitHub repository or contact ctid@mitre.org directly for more general inquiries.

© 2025 The MITRE Corporation. Approved for Public Release. ALL RIGHTS RESERVED. Document number 25-3013.

---