MITRE Releases ATT&CK v18: Major Overhaul to Detection, Mobile and ICS Coverage

Content Written For:
Small & Medium Businesses
Large Organisations & Infrastructure
Government
The release of MITRE ATT&CK version 18 (October 2025) is one of the most significant changes in the framework's history. It shifts the focus towards practical detection engineering and cross-platform visibility. For Australian organisations, the update is an opportunity to align detection content, SOC operations, and OT/ICS defence more closely with observed adversary behaviour. It does require careful remapping of rules, analytics, and playbooks, but the reward is more effective detection across enterprise, mobile, cloud, and industrial environments.
Key Updates
ATT&CK v18 retires the free-text "Detections" notes and the Data Source objects and replaces them with two new object types: Detection Strategies (DET identifiers) and Analytics (AN identifiers). A Detection Strategy describes, for a given technique, how the adversary behaviour can be identified in practice. Each strategy is backed by one or more Analytics, which carry platform-specific detection logic for environments such as Windows, Linux, cloud, or OT, and which reference the Data Components (the log sources) that the logic depends on. Data Components themselves remain in the framework as the link between an analytic and the telemetry that feeds it.
The framework now includes major content expansions across three domains. In the Enterprise domain, there are new techniques for CI/CD pipelines, Kubernetes, and cloud databases, as well as ransomware preparation behaviours and threat-intelligence monitoring. The Mobile domain now covers linked device abuse across messaging apps such as Signal and WhatsApp, and reinstates the “Abuse Accessibility Features” technique. The ICS domain introduces new asset types including DCS controllers, firewalls, and switches, along with updated technique definitions that reflect industrial environments.
MITRE has also introduced an Advisory Council that gives end-users, vendors, government, and academia a formal voice in future framework updates. In total, version 18 includes around 691 Detection Strategies and more than 1,700 Analytics entries.
Market Context
As attack surfaces expand across mobile, OT, and cloud, traditional detection methods have struggled to keep pace, and ATT&CK has become the common language of modern detection engineering. Version 18 arrives at a time when many Australian organisations are trying to integrate EDR, NDR, and cloud telemetry into unified security operations. For businesses covered by critical infrastructure regulation such as the Security of Critical Infrastructure Act (SOCI), the update helps bring IT, OT, and mobile security together under one consistent model.
Importance
SOC teams, detection engineers, and risk managers should treat ATT&CK v18 as an operational reset. The framework no longer stops at listing adversary techniques. It now provides direct pathways from behaviour to telemetry to analytic logic. This makes it far easier to build high-fidelity detections that reflect real threats rather than theoretical ones.
For vendors, service providers, and managed detection partners, adopting version 18 early offers a commercial advantage. Mapping service coverage to the new framework demonstrates measurable detection maturity and can differentiate managed services in competitive tenders.
Implementation Recommendations
1. Audit your current detection coverage
Begin with an inventory of all SIEM rules, EDR/NDR analytics, and OT/ICS detections. For each rule, record the ATT&CK v18 technique it covers and, where one exists, the Detection Strategy (DET) and Analytic (AN) it corresponds to, so that every rule can be traced from behaviour to analytic to the Data Component that feeds it. Flag rules that no longer align: those tagged with deprecated or revoked technique IDs, those mapped only to the retired Data Source objects, and those covering a platform for which v18 now lists a different analytic. Prioritise gaps in mobile, cloud, and ICS coverage.
Useful resources include the MITRE ATT&CK update page, the Detection Strategies list on attack.mitre.org, and the Australian Cyber Security Centre’s guidance on SOC maturity and detection effectiveness.
2. Re-engineer detection logic
Refactor detection rules to match the new Analytics model. Each analytic in version 18 describes how to detect a specific behaviour on a specific platform. Retire generic, noisy, or outdated rules and replace them with behaviour-focused logic that keys on what the adversary must do (the command-line arguments, API calls, or protocol messages the technique requires) rather than on a single binary name or indicator. Use vendor-neutral formats such as Sigma to keep detection rules portable across SIEM and EDR back ends.
Good references include Picus Security’s and Cymulate’s implementation blogs, open-source SIGMA repositories, and MITRE’s Analytics documentation.
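To make the "generic versus behaviour-focused" distinction concrete, here is an added example (not code from MITRE, the Sigma project, or the original article). It holds two rules in the Sigma YAML layout (logsource, detection, condition, tags) as Python dicts and runs them over constructed Windows process-creation events with a small matcher that supports only the Sigma subset the rules need (exact match, contains, contains|all, endswith). The events, the backup agent path used in the filter, and the rule titles are all constructed; the technique ID T1490 (Inhibit System Recovery) is real.

```python
"""Generic vs behaviour-focused analytic, evaluated over constructed events."""
import re
from typing import Any

# Constructed process-creation events (Sysmon Event ID 1-like field names).
# None of these are real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\inv0ice.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign admin query
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /for=C: /oldest",
     # Hypothetical backup agent that legitimately prunes shadow copies.
     "ParentImage": r"C:\Program Files\ExampleBackup\agent.exe"},
]

# Indicator-style rule: fires on every vssadmin.exe launch, benign or not.
NOISY_RULE = {
    "title": "Any vssadmin execution (generic)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image|endswith": r"\vssadmin.exe"},
                  "condition": "selection"},
    "tags": ["attack.impact", "attack.t1490"],
}

# Behaviour-style rule: keys on the actions the technique requires and
# carves out a known-good parent so the analyst only sees the bad cases.
BEHAVIOUR_RULE = {
    "title": "Shadow copy deletion or recovery inhibition",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "sel_vssadmin": {"Image|endswith": r"\vssadmin.exe",
                         "CommandLine|contains|all": ["delete", "shadows"]},
        "sel_wmic": {"Image|endswith": r"\wmic.exe",
                     "CommandLine|contains|all": ["shadowcopy", "delete"]},
        "sel_bcdedit": {"Image|endswith": r"\bcdedit.exe",
                        "CommandLine|contains": "recoveryenabled no"},
        "filter_backup_agent": {"ParentImage|endswith": r"\examplebackup\agent.exe"},
        "condition": "(sel_vssadmin or sel_wmic or sel_bcdedit) and not filter_backup_agent",
    },
    "tags": ["attack.impact", "attack.t1490"],
}


def _field_match(value: Any, modifiers: list[str], wanted: Any) -> bool:
    """Sigma-style comparison: case-insensitive; a list of values is an OR."""
    cands = [str(w).lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
    v = str(value).lower()
    if "contains" in modifiers:
        hits = [c in v for c in cands]
        return all(hits) if "all" in modifiers else any(hits)
    if "endswith" in modifiers:
        return any(v.endswith(c) for c in cands)
    return v in cands


def _selection_matches(event: dict, selection: dict) -> bool:
    """All fields inside one selection map must match (Sigma AND semantics)."""
    for key, wanted in selection.items():
        field, *mods = key.split("|")
        if field not in event or not _field_match(event[field], mods, wanted):
            return False
    return True


def _eval_condition(condition: str, results: dict[str, bool]) -> bool:
    """Evaluate 'a and not b'-style conditions over already-computed selections."""
    expr = []
    for tok in re.findall(r"\(|\)|\w+", condition):
        if tok in ("and", "or", "not", "(", ")"):
            expr.append(tok)
        elif tok in results:
            expr.append(str(results[tok]))
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    # Only True/False, parentheses and boolean operators reach eval here.
    return bool(eval(" ".join(expr), {"__builtins__": {}}, {}))


def evaluate(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    results = {name: _selection_matches(event, sel)
               for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


def run_rule(rule: dict, events: list[dict]) -> list[int]:
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


def technique_ids(rule: dict) -> list[str]:
    """ATT&CK technique IDs from Sigma 'attack.tNNNN[.NNN]' tags, for coverage mapping."""
    return [t.split(".", 1)[1].upper() for t in rule.get("tags", [])
            if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t)]


if __name__ == "__main__":
    for rule in (NOISY_RULE, BEHAVIOUR_RULE):
        print(rule["title"], technique_ids(rule), "->", run_rule(rule, EVENTS))
```

Run on the constructed events, the generic rule fires three times and two of those are the benign listing and the backup agent, while the behaviour rule fires three times on the three genuinely destructive actions and is silent on the other two. That is the trade the v18 Analytics model is pushing you towards: fewer, more specific rules that each map cleanly to one technique and one log source.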
3. Update your threat models and architecture
Review your organisation’s current threat models and ensure they include new v18 techniques for cloud, CI/CD, and mobile linked devices. Update your architectural diagrams to show telemetry coverage across these assets. Use workshops that bring together IT, OT, and security teams to identify which new techniques apply to your environment.
Helpful sources include MITRE’s version 18 release notes, the ACSC’s Essential Eight Maturity Model, and NIST SP 800-82 for industrial control systems.
4. Strengthen telemetry and cross-domain visibility
Ensure that your detection stack includes complete telemetry from endpoints, networks, mobile devices, cloud platforms, and OT systems. Map each telemetry source to the Data Components that the v18 Analytics reference, so that every analytic you adopt has a known, onboarded feed behind it rather than an assumed one. Integrate mobile device management logs and ICS network telemetry into your SIEM or data lake. Use dashboards that correlate data across IT and OT boundaries.
Reference the MITRE Data Components documentation and Australian guidance on OT/ICS monitoring for technical mapping.
5. Engage with the ATT&CK community and advisory council
Follow the work of the new ATT&CK Advisory Council and take part in the ATT&CK community channels to share lessons learned. Download open-source rule sets mapped to v18 and adapt them for your organisation. Participate in threat-sharing forums within Australia such as ACSC partnerships or ISACA chapters. Contributing to the community ensures that Australian use cases are represented and keeps your detection engineering team up to date.
6. Validate detections and measure effectiveness
Run purple-team exercises to confirm that your new analytics trigger when adversary behaviours are simulated. Track detection coverage metrics such as the percentage of high-risk techniques covered, mean time to detect, and false positive rates. Use this data to demonstrate measurable improvement to leadership.
Use frameworks such as the MITRE Engenuity ATT&CK Evaluations, vendor purple-team playbooks, and ACSC SOC maturity guidance to plan validation cycles.
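The coverage audit in step 1 and the coverage metrics in step 6 are the same computation run at two points in time, so one added example serves both. This is not code from MITRE or the original article, and it does not read the real ATT&CK STIX bundle: the catalogue below is a constructed, v18-shaped stand-in (Detection Strategies per technique, each with platform-specific Analytics that name a Data Component) with placeholder DET-X/AN-X identifiers, and the rule inventory is constructed too. The technique IDs (T1059.001, T1078, T1490, T1053.005, Mobile T1417, ICS T0855, and the retired T1089) are real; the Data Component names are illustrative. The report it produces is what a detection engineer would take into the gap-prioritisation workshop: overall coverage, uncovered techniques by domain, platforms where v18 has an analytic but the organisation has no rule, and rules whose technique mapping is stale.

```python
"""Coverage audit: organisation rules vs a v18-shaped detection-strategy catalogue."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Analytic:
    analytic_id: str      # placeholder; real v18 analytics carry AN-prefixed IDs
    platform: str
    log_source: str       # Data Component the analytic needs


@dataclass(frozen=True)
class DetectionStrategy:
    strategy_id: str      # placeholder; real v18 strategies carry DET-prefixed IDs
    technique_id: str
    domain: str           # enterprise | mobile | ics
    analytics: tuple


@dataclass(frozen=True)
class Rule:
    name: str
    platform: str
    techniques: frozenset  # e.g. parsed from Sigma attack.tNNNN tags


# Constructed stand-in for the v18 catalogue; not the real content.
CATALOGUE = (
    DetectionStrategy("DET-X1", "T1059.001", "enterprise",
                      (Analytic("AN-X1", "Windows", "Command Execution"),)),
    DetectionStrategy("DET-X2", "T1078", "enterprise",
                      (Analytic("AN-X2", "Windows", "Logon Session Creation"),
                       Analytic("AN-X3", "Linux", "Logon Session Creation"),
                       Analytic("AN-X4", "IaaS", "User Account Authentication"))),
    DetectionStrategy("DET-X3", "T1490", "enterprise",
                      (Analytic("AN-X5", "Windows", "Process Creation"),)),
    DetectionStrategy("DET-X4", "T1053.005", "enterprise",
                      (Analytic("AN-X6", "Windows", "Scheduled Job Creation"),)),
    DetectionStrategy("DET-X5", "T1417", "mobile",
                      (Analytic("AN-X7", "Android", "API Calls"),
                       Analytic("AN-X8", "iOS", "API Calls"))),
    DetectionStrategy("DET-X6", "T0855", "ics",
                      (Analytic("AN-X9", "Network", "Network Traffic Content"),)),
)

# Constructed rule inventory for a Windows-centric SOC.
RULES = (
    Rule("PowerShell encoded command line", "Windows", frozenset({"T1059.001"})),
    Rule("Shadow copy deletion via vssadmin/wmic", "Windows", frozenset({"T1490"})),
    Rule("schtasks.exe task creation", "Windows", frozenset({"T1053.005"})),
    Rule("Logon from unusual country", "Windows", frozenset({"T1078"})),
    # T1089 was deprecated in favour of T1562.001; the tag was never updated.
    Rule("Legacy AV service stop", "Windows", frozenset({"T1089"})),
)

# Techniques the organisation has decided it must detect (constructed list).
PRIORITY = ["T1059.001", "T1078", "T1490", "T1053.005", "T1417", "T0855"]


def coverage_report(strategies, rules, priority) -> dict:
    """Compare rules against the catalogue for the prioritised techniques."""
    by_technique = {s.technique_id: s for s in strategies}
    rules_by_technique = defaultdict(list)
    for r in rules:
        for t in r.techniques:
            rules_by_technique[t].append(r)

    covered, uncovered, platform_gaps = [], [], {}
    uncovered_by_domain = defaultdict(list)
    for tid in priority:
        strat = by_technique.get(tid)
        if strat is None:
            raise KeyError(f"{tid} has no Detection Strategy in the catalogue")
        rule_platforms = {r.platform for r in rules_by_technique.get(tid, [])}
        if rule_platforms:
            covered.append(tid)
        else:
            uncovered.append(tid)
            uncovered_by_domain[strat.domain].append(tid)
        # Platforms where v18 has an analytic but the organisation has no rule.
        missing = sorted({a.platform for a in strat.analytics} - rule_platforms)
        if missing:
            platform_gaps[tid] = missing

    # Rules mapped to techniques the catalogue no longer knows: remap these first.
    stale = sorted({t for r in rules for t in r.techniques} - set(by_technique))
    return {
        "coverage_pct": round(100 * len(covered) / len(priority), 1),
        "covered": sorted(covered),
        "uncovered": sorted(uncovered),
        "uncovered_by_domain": {d: sorted(v) for d, v in uncovered_by_domain.items()},
        "platform_gaps": platform_gaps,
        "stale_mappings": stale,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(CATALOGUE, RULES, PRIORITY), indent=2))
```

On the constructed data the report shows 66.7% coverage of the priority list, with both the mobile and ICS techniques uncovered, T1078 detected on Windows only while v18 lists analytics for Linux and IaaS as well, and one rule still tagged with the retired T1089. Re-running the same function after each engineering cycle gives the "percentage of high-risk techniques covered" figure for leadership without any manual spreadsheet work; swap the constructed catalogue for one parsed from the real v18 STIX bundle and the inventory for your exported Sigma tags.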
Australian Sector Considerations
Organisations in critical infrastructure sectors should prioritise this update during FY2026. ATT&CK v18 brings ICS and OT environments into closer alignment with enterprise detection practices, making it easier to unify visibility and response. For mid-sized enterprises, version 18 provides a blueprint to professionalise detection engineering without the need for expensive proprietary tools.
Mobile risk is another growing factor. The new techniques added for linked device abuse underline the importance of extending detection coverage to mobile endpoints, particularly in hybrid work environments.
MITRE ATT&CK v18 is not simply a version change. It represents a shift from describing threats to enabling measurable, behaviour-based detection. For Australian defenders, the update offers the structure needed to modernise detection engineering and unify visibility across enterprise, mobile, and industrial systems. Teams that act early will improve their detection accuracy, reduce noise, and strengthen resilience for the year ahead.
CyberPulse Advanced Security Assessments cover MITRE ATT&CK mapping: contact us to explore options.
Useful Links
MITRE ATT&CK v18 Update Overview: https://attack.mitre.org/resources/updates/updates-october-2025/
Picus Security: https://www.picussecurity.com/resource/blog/whats-new-in-mitre-attack-v18
ACSC: https://www.cyber.gov.au
Penetration Testing Services: https://www.cyberpulse.com.au/penetration-testing-services-australia/
CyberPulse GRC and Advisory Services: https://www.cyberpulse.com.au/compliance-audit-advisory-services-australia/
Penetration Testing Services in Australia: https://www.cyberpulse.com.au/2025/09/04/penetration-testing-services-overview-2025-blog/
