Tactics Overview
Adversary tactical goals - the "why" behind techniques.
| Tactic ID | MITRE ATT&CK ID | Name | Description |
|---|---|---|---|
| PT0001 | TA0043 | Reconnaissance | The adversary is trying to gather information they can use to plan entry, movement, and operations. Reconnaissance consists of techniques for observing facilities, people, and security routines before and during an engagement. This includes site surveillance, open-source research, mapping layouts, identifying cameras and alarm sensors, and learning guard patterns, entry points, and visitor procedures that support later tactics. |
| PT0002 | TA0042 | Resource Development | The adversary is trying to establish resources they can use to support physical operations. Resource Development consists of techniques for obtaining or fabricating items used during an engagement, such as uniforms, badges, pretext materials, tools, vehicles, or copied credentials. These resources support Initial Access, Stealth, and other phases of a physical intrusion. |
| PT0003 | TA0001 | Initial Access | The adversary is trying to get into the targeted facility or controlled area. Initial Access consists of techniques that use entry vectors to gain a foothold in a physical environment. Examples include tailgating, social engineering at access points, abuse of valid or default credentials, and bypassing or defeating perimeter controls. |
| PT0004 | TA0003 | Persistence | The adversary is trying to maintain their presence or ability to re-enter. Persistence consists of techniques that keep access available across visits or extended time on site. Examples include hiding on premises, planting devices, retaining cloned badges or keys, and establishing recurring entry using compromised trust or credentials. |
| PT0005 | TA0004 | Privilege Escalation | The adversary is trying to gain higher levels of physical access. Privilege Escalation consists of techniques for moving from lower-trust areas or roles into restricted zones, unescorted access, or sensitive spaces. Examples include abusing escort procedures, exploiting misconfigured access groups, and leveraging stolen or forged credentials with broader permissions. |
| PT0006 | TA0006 | Credential Access | The adversary is trying to steal or duplicate physical access credentials. Credential Access consists of techniques for obtaining badges, keys, PINs, biometrics, or other tokens used to authenticate at doors and checkpoints. Captured credentials often enable Initial Access, Privilege Escalation, and Lateral Movement. |
| PT0007 | TA0008 | Lateral Movement | The adversary is trying to move through the facility or campus. Lateral Movement consists of techniques for crossing zones, floors, buildings, or air-gapped areas after initial entry. Examples include using internal doors, elevators, loading docks, and inter-building connectors while avoiding or defeating intermediate access controls. |
| PT0008 | TA0005 | Stealth | The adversary is trying to hide their activity and appear legitimate. Stealth consists of techniques that reduce the chance of detection by blending with normal traffic, staff behavior, or visitor activity. Examples include appropriate dress, timing, pretext, and route selection without disabling security systems. |
| PT0009 | TA0112 | Defense Impairment | The adversary is trying to degrade or defeat security controls. Defense Impairment consists of techniques that interfere with guards, alarms, cameras, sensors, or response procedures so defenders detect or respond less effectively. Examples include tampering with devices, creating false alarms, and blocking lines of sight or communication. |
| PT0010 | TA0009 | Collection | The adversary is trying to gather information or physical items of interest. Collection consists of techniques for capturing data, documents, media, or assets relevant to the engagement objective. Examples include photography, copying materials, and removing items from secure areas when permitted by access gained in earlier phases. |
| PT0011 | TA0010 | Exfiltration | The adversary is trying to leave the premises with people, assets, or intelligence. Exfiltration consists of techniques for exiting facilities or controlled areas without detention or attribution. This includes departing through normal egress points, loading areas, or emergency routes while carrying collected materials or maintaining cover. |
| PT0012 | TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy operations or assets. Impact consists of techniques that disrupt availability, safety, or integrity of assets and facilities. Examples include sabotage, tampering with equipment, physical damage, or actions taken to distract from or cover other objectives. |