Introduction
MITRE ATT&CK v18, released in October 2025, introduces a major change in detection guidance. Two new objects, Detection Strategies and Analytics, replace the old single-sentence detection notes with structured, behavior-focused logic.
In previous versions, detection tips were just short text inside each technique. Now, Detection Strategies describe what behavior to look for, and Analytics show how to detect it on specific platforms. Each Analytic then points you to the relevant Log Sources and Data Components.
What This Means for Defenders
This modular structure reflects how attacks unfold: not as individual warning messages, but as a chain of observable behaviors. Defenders can now follow detection logic across different levels, systems, and data sources. The new detection model provides a clearer link between techniques, behaviors, and the telemetry needed to identify them.
Let’s look at the Detection Strategy DET0088 “Backup Software Discovery via CLI, Registry, and Process Inspection”. In this release the Detection Strategy is connected to the technique T1518.002 – Software Discovery: Backup Software Discovery, which describes how ransomware operators search for backup tools before launching attacks. (Remember this?)
The strategy also points to platform-specific analytics, each linked to Log Sources and Data Components. Let’s look at our detection strategy and Analytic AN0240, which describes what to look for on Windows.

And more
The ATT&CK Workbench has also been updated to support Detection Strategies and Analytics, allowing you to explore and map these new relationships directly upon upgrading. Check the MITRE ATT&CK v18 release notes for a full changelog to explore the new content.
Where is the script?
As those of you who know me will expect, I wanted to explore those objects without browsing the website, so I wrote a small Python script that runs entirely offline.
The setup is minimal:
- pip install stix2
- clone the repo (git clone https://github.com/mitre-attack/attack-stix-data)
- point the script at the local enterprise-attack.json
- run it (see examples below)
The result is structured detection guidance straight from the ATT&CK dataset, which is usable offline for quick triage, hunting, or drafting detection logic.
After setup, the script can be used to directly explore the latest ATT&CK data. You can start by looking up a technique such as T1518.002 to see its detection strategy and linked analytics. If analytics are present, you can limit the output to a specific platform, for example, Windows, to view only relevant detection content:
./mitre_explore_cli.py -t T1518.002 --os Windows
This displays the name of the technique, the groups that use it, and its detection strategy with analytics, including brief descriptions, log sources, and tunable fields.

You can also query groups like APT38 to see which techniques they use and then drill down into any of those techniques for detailed detection data:
./mitre_explore_cli.py --group "APT38"
Finally, if you don’t know the exact technique ID, you can run a simple keyword search to find related techniques, detection strategies, or analytics:
./mitre_explore_cli.py --q "Backup Software"
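To show what the lookup behind `-t T1518.002 --os Windows` has to do with the STIX data, here is an added example (not the script from this post) that walks a technique to its Detection Strategy via the `detects` relationship, then to its Analytics, log source references and mutable elements, filtered by platform. It runs on a constructed miniature bundle using plain dicts rather than the `stix2` library; the `x_mitre_*` field names are my reading of the ATT&CK v18 STIX spec and should be treated as assumptions, as should every value except the IDs T1518.002, DET0088 and AN0240 taken from the post.

```python
from collections import defaultdict

# Constructed miniature bundle in the v18 STIX shape; the x_mitre_* field names are my
# reading of the ATT&CK STIX spec (assumption). T1518.002/DET0088/AN0240 come from the post.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
 {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Backup Software Discovery",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1518.002"}]},
 {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc1", "name": "Command Execution"},
 {"type": "x-mitre-analytic", "id": "x-mitre-analytic--an1", "name": "AN0240", "x_mitre_platforms": ["Windows"],
  "x_mitre_log_source_references": [{"x_mitre_data_component_ref": "x-mitre-data-component--dc1",
                                     "name": "sysmon", "channel": "EventID=1"}],
  "x_mitre_mutable_elements": [{"field": "TimeWindow", "description": "constructed tunable"}]},
 {"type": "x-mitre-analytic", "id": "x-mitre-analytic--an2", "name": "constructed Linux analytic",
  "x_mitre_platforms": ["Linux"], "x_mitre_log_source_references": [], "x_mitre_mutable_elements": []},
 {"type": "x-mitre-detection-strategy", "id": "x-mitre-detection-strategy--ds1",
  "name": "DET0088 Backup Software Discovery via CLI, Registry, and Process Inspection",
  "x_mitre_analytic_refs": ["x-mitre-analytic--an1", "x-mitre-analytic--an2"]},
 {"type": "relationship", "id": "relationship--r1", "relationship_type": "detects",
  "source_ref": "x-mitre-detection-strategy--ds1", "target_ref": "attack-pattern--t1"}]}

def technique_by_id(objs, external_id):
    """Return the attack-pattern whose mitre-attack external_id matches (e.g. T1518.002)."""
    for o in objs.values():
        if o.get("type") == "attack-pattern" and any(
                r.get("source_name") == "mitre-attack" and r.get("external_id") == external_id
                for r in o.get("external_references", [])):
            return o
    return None

def detection_guidance(bundle, external_id, platform=None):
    """Walk technique -> 'detects' relationships -> strategies -> analytics -> log sources."""
    objs = {o["id"]: o for o in bundle["objects"]}
    detects = defaultdict(list)  # technique STIX id -> detection-strategy STIX ids
    for o in bundle["objects"]:
        if o.get("type") == "relationship" and o.get("relationship_type") == "detects":
            detects[o["target_ref"]].append(o["source_ref"])
    tech = technique_by_id(objs, external_id)
    rows = []
    for ds_id in (detects.get(tech["id"], []) if tech else []):
        ds = objs[ds_id]
        for an in (objs[i] for i in ds.get("x_mitre_analytic_refs", [])):
            if platform and platform not in an.get("x_mitre_platforms", []):
                continue  # keep only analytics written for the requested platform
            rows.append({"strategy": ds["name"], "analytic": an["name"],
                "log_sources": [f'{objs[r["x_mitre_data_component_ref"]]["name"]} <- {r["name"]} {r["channel"]}'
                                for r in an.get("x_mitre_log_source_references", [])],
                "tunables": [m["field"] for m in an.get("x_mitre_mutable_elements", [])]})
    return rows
```

Pointing `SAMPLE_BUNDLE` at the real `enterprise-attack.json` instead gives the same technique-to-telemetry chain for every Detection Strategy in the release, which is what makes the data usable for offline triage.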
Enjoy, and as always: Feedback welcome.
