MITRE has announced the release of version 18 of its globally recognized ATT&CK framework, introducing substantial updates across multiple categories, including enterprise, mobile, industrial control systems (ICS), and cyber threat intelligence (CTI).

According to MITRE, the October 2025 update focuses on enhancing the framework’s defensive capabilities while expanding coverage of modern attack surfaces. The new version adds critical insights into adversary behaviors, detection methodologies, and emerging technologies shaping today’s cyber threat landscape.

One of the most notable changes in ATT&CK v18 is the introduction of two new detection-related objects — Detection Strategies and Analytics. Detection Strategies define overarching methods for identifying specific attacker techniques, while Analytics provide platform-specific detection logic that security teams can operationalize within their environments. These additions mark a major evolution in how ATT&CK supports defenders in translating threat intelligence into actionable detection content.

In the Enterprise section, MITRE has expanded coverage to include adversary behaviors targeting CI/CD pipelines, Kubernetes environments, and cloud databases, reflecting the growing complexity of hybrid infrastructures. The update also documents ransomware preparation activities and cases where attackers monitor threat intelligence feeds to track defensive discussions about their own campaigns — a tactic increasingly seen in sophisticated operations.

The Cyber Threat Intelligence (CTI) domain of ATT&CK v18 incorporates new adversary groups, campaigns, and software, with an emphasis on supply chain compromises, cloud identity exploitation, and attacks on virtualization and edge systems. These additions aim to better align ATT&CK with the realities of modern threat intelligence reporting.

In the Mobile section, MITRE has added coverage for adversaries abusing the “linked devices” feature in secure messaging apps like Signal and WhatsApp, a growing attack vector in mobile espionage. Additionally, the long-deprecated “abuse accessibility features” technique has been reinstated after a thorough review of its continued relevance in mobile device exploitation.

For the Industrial Control Systems (ICS) matrix, MITRE has introduced new asset types — including distributed control system (DCS) controllers, firewalls, and switches — and updated descriptions of existing assets to improve contextual accuracy. These changes strengthen the framework’s application in critical infrastructure protection and operational technology (OT) security.

In addition to the framework enhancements, MITRE announced the formation of the ATT&CK Advisory Council, a new body designed to formalize collaboration with end users, vendors, government entities, and academia. The council will provide strategic guidance and feedback to ensure ATT&CK continues to evolve in alignment with real-world challenges faced by defenders.

With these updates, ATT&CK v18 represents one of the most defense-focused releases in the framework’s history — equipping organizations with deeper insights and practical tools to detect, analyze, and respond to evolving adversary tactics.