ATT&CK for Containers

Project Summary

Published : May 3, 2021

This project investigated the viability of adding container-related techniques into MITRE ATT&CK, leading to the development of an ATT&CK for Containers matrix. This work covers both orchestration-level (e.g., Kubernetes) and container-level (e.g., Docker) adversary behaviors in a single Containers platform which has been incorporated in version 9 of ATT&CK. The project team worked with contributors from around the world to identify and refine both existing ATT&CK techniques as well as completely new container-specific ones.

The ATT&CK for Containers matrix contains:

  • 21 techniques
  • 11 sub-techniques
  • 8 new container-specific techniques
  • 3 new container-specific malware entries


Defenders lack visibility into adversary behaviors in and against container technologies leaving their organizations exposed to emerging threats.


Expand MITRE ATT&CK to describe adversary behaviors in and against container technologies including Docker and Kubernetes.


Brings focus to adversary behaviors in an emergent domain leveraging the well-understood and widely adopted ATT&CK methodology.

funding Research Participants

Share This Project

Stay Informed

Stay informed about new releases of R&D projects and other exciting updates from the Center for Threat-Informed Defense.