MITRE Just Gave ATT&CK a Board of Directors — And It's About Time

On February 25, 2026, MITRE quietly dropped one of the most consequential governance decisions in the history of the ATT&CK framework. After more than a decade of near-unilateral stewardship, the organization stood up a formal advisory council — a room of the industry's most credentialed voices — to help steer where the world's most widely adopted adversary knowledge base goes from here. The cybersecurity press gave it a paragraph or two. It deserves a lot more than that.

The formation of the MITRE ATT&CK Advisory Council is not simply a PR move or a ceremonial nod to the community that has spent years feeding the framework with real-world intelligence. It is a structural acknowledgment that ATT&CK has grown so large, so embedded, and so critical to global cyber defense operations that no single organization — not even the one that built it — should be driving its future alone. Understanding why that matters requires understanding where ATT&CK actually came from, and the peculiar, unlikely way it became the backbone of how the cybersecurity world speaks about adversary behavior.

ATT&CK Started as a Spreadsheet in a Classified Lab

If you use ATT&CK in your SOC, your red team exercises, your threat hunting workflows, or your vendor evaluations, there is a decent chance you have never heard of the Fort Meade eXperiment, or FMX. You should know about it, because that is where ATT&CK was born.

In 2013, MITRE researchers were contracted to help a sponsor organization — working out of a facility in Fort Meade, Maryland — improve its ability to detect adversaries who had already breached the enterprise perimeter. The prevailing security mindset of the time was indicator-focused: you hunted for malicious IP addresses, known file hashes, suspicious registry keys. The problem with that approach is that nation-state adversaries and sophisticated criminal groups rotate infrastructure constantly. Chase an indicator, and you are always one step behind. The FMX team wanted to understand adversary behavior at a deeper level — not what tools attackers used, but how they moved, what they were trying to accomplish, and how they adapted when defenders pushed back.

To do that, MITRE ran adversary emulation tests on a live production network, mimicking the tactics documented in historic attacks. Blake Strom, who had come to MITRE from the NSA, led the effort. As the team catalogued observed attacker behaviors, they started mapping those behaviors to their corresponding goals. The documentation began, as so much foundational security work does, as a spreadsheet. The spreadsheet grew. It got a name. It became a wiki. And in May 2015, it became a public resource.

Jon Baker of MITRE's Center for Threat-Informed Defense recalled the point at which the FMX team realized their behavioral catalog would be broadly useful to others as a genuine "aha" moment, a turning point that shifted the work from an internal research tool to a community resource. (AttackIQ, 2022)

That first public release contained 9 tactics and 96 techniques, all scoped to Windows enterprise environments. It was, by modern standards, a narrow document. But the underlying philosophy was radical for its time: instead of focusing on who the attacker was or what malware they deployed, ATT&CK focused on what they did. That behavioral lens — Tactics, Techniques, and Procedures, or TTPs — gave defenders a way to think about threats that survived infrastructure changes, malware rebrands, and even adversary retooling. It shifted the entire paradigm of how the industry classified and communicated threat activity.

Framework by the Numbers

ATT&CK launched in 2015 with 9 tactics and 96 techniques focused on Windows. It now spans Enterprise, Mobile, and ICS domains, with hundreds of techniques, sub-techniques, groups, software entries, and campaigns — and a 2022 independent survey found that more than 80% of North American organizations consider it "critical" or "very important" to their security operations. Source: MITRE.org, Feb. 25, 2026.

Over the following decade, the framework expanded relentlessly. Coverage grew to include Mac and Linux in 2017, cloud environments in 2019, and industrial control systems in 2020. ATT&CK for Mobile launched in 2017. Sub-techniques were introduced to add granularity beneath the top-level technique layer. The community contributed threat intelligence that fed new group and campaign profiles. Vendors built detection products around ATT&CK mappings. CISA and the FBI embedded the framework into official advisories. Fortune 500 security teams built their entire detection engineering programs around it. ATT&CK had become, without anyone formally declaring it, the common language of cyber defense — and it all still technically lived inside one nonprofit research organization with no formal outside governance structure. Until now.

What the Advisory Council Actually Does

MITRE announced the Advisory Council's formation on February 25, 2026, framing it as an independent body created to support the long-term sustainability, integrity, and global impact of the ATT&CK program. On paper, the mandate is broad. Members will advise MITRE on long-term strategy, content and roadmap development, methodology and quality standards, community engagement, and program sustainability. The council will also track and surface emerging risks, opportunities, and trends across the cybersecurity landscape as they become relevant to how the framework should evolve.

What the council does not do is govern. This distinction matters. MITRE has been careful to say publicly that the Advisory Council offers guidance and advice but does not have governing authority over ATT&CK. MITRE will consider the council's recommendations, but final decisions over the framework's direction remain with the organization. That structure is not unusual for a nonprofit stewardship body — it mirrors how many open standards organizations balance community input with institutional accountability. But it also means the council's power is fundamentally reputational. Its value depends entirely on whether MITRE actually listens, and whether the members are senior enough that their recommendations carry real weight inside the organization.

Charles Clancy, SVP and CTO at MITRE, described the council's purpose as ensuring ATT&CK keeps evolving through direct input from working practitioners — keeping the framework trusted, actionable, and globally relevant. (MITRE.org, Feb. 25, 2026)

The council is also explicitly designed to complement, not replace, two existing MITRE community structures: the CTID Advisory Council, which governs the Center for Threat-Informed Defense, and the Evals Vendor Forum, which shapes how ATT&CK Evaluations are conducted. Those bodies handle narrower, more operationally specific domains. The new ATT&CK Advisory Council operates at the framework-strategy level — the highest-order questions about where ATT&CK goes, what it should cover, and how it should serve the global community of defenders who depend on it. Advisors will serve staggered terms to ensure continuity as the council evolves.

Who Is in the Room — and Why These Names Matter

The composition of the inaugural council is worth examining closely, because it tells you something about what MITRE is worried about and what kinds of gaps they are trying to fill. The full roster of twelve members covers every domain where ATT&CK's relevance is now under pressure.

MITRE itself is represented internally by two seats: Adam Pennington, the current ATT&CK Lead who has been the operational steward of the framework's day-to-day evolution, and Charles Clancy, MITRE's SVP and CTO, who brings executive institutional weight. Pennington's presence in particular signals that the council is not intended to operate at arm's length from the team doing the actual content work — the ATT&CK lead is in the room, which creates a direct feedback loop between advisory input and what actually ends up in the next release.

From the government sector, Jonathan "Jono" Spring represents CISA in the role of Senior Technical Advisor for Security at Scale. CISA is arguably ATT&CK's most prominent government user — the agency has embedded ATT&CK mappings into a significant number of its public advisories, particularly those attributing nation-state activity — so having a CISA voice in the room as adversary TTPs evolve is a direct operational link between the framework's content and how it gets deployed in national defense contexts.

From academia, Gene Spafford of Purdue University brings a perspective that is almost uniquely long. Spafford is Distinguished Professor of Computer Science and Emeritus Executive Director of Purdue's Center for Education and Research in Information Assurance and Security (CERIAS). He has been one of the foundational figures in computer security since the 1980s — his work responding to the Morris Worm in 1988 is taught in security history courses to this day. Having someone with that institutional memory on a council that is thinking about ATT&CK's long-term sustainability and integrity is not an accident. It signals that MITRE wants a check on short-term thinking.

From the industry side, Joel Spurlock, VP of Data Science at CrowdStrike, brings the perspective of one of the world's largest endpoint detection and response vendors — a company whose entire business model depends on translating ATT&CK technique coverage into detections at scale. Krysta Horocofsky of Recorded Future brings the threat intelligence angle, specifically the operational challenge of keeping framework classifications current as adversary TTPs evolve faster than any static release cycle can track.

Krysta Horocofsky, Senior Manager for New and Emerging Threats at Recorded Future, noted that ATT&CK is core to how Recorded Future's users classify adversary behavior, assess security gaps, and communicate with the global community — calling the council's launch a signal of MITRE's commitment to keeping pace with evolving TTPs and defender needs. (MITRE.org, Feb. 25, 2026)

The hyperscaler tier is represented by Freddy Dezeure, Deputy CISO for Europe at Microsoft, and Kimberly Goody, Head of Intelligence Production and Analysis at Google. Their inclusion matters for reasons beyond brand recognition. Microsoft and Google collectively see telemetry across a staggering share of global enterprise infrastructure — and both organizations have invested heavily in ATT&CK-aligned detection content at a scale that most security vendors cannot match. Dezeure brings a European operational perspective at a time when NIS2 compliance and DORA implementation are driving a major wave of ATT&CK adoption across EU critical infrastructure sectors. Goody brings the threat intelligence production lens from one of the industry's most active threat research organizations. Notably, this is also a moment of some tension: Microsoft withdrew from the 2025 ATT&CK Evaluations cycle, citing resource constraints, even while affirming continued collaboration on the framework itself. Dezeure's seat on the advisory council is one visible form of that ongoing commitment. (SecurityWeek, Dec. 2025)

Two members represent a dimension of the council that has received almost no attention in the mainstream coverage: the critical infrastructure and regulated industry verticals. Eric Hutchins, Executive Director of Cybersecurity Operations at JPMorgan Chase, brings the financial services perspective — one of the world's most targeted sectors, and one that has among the most sophisticated internal threat intelligence programs of any non-government organization. Brian Mohr, Director of Threat Informed Defense at HCA Healthcare, brings the healthcare sector viewpoint at a moment when hospital systems have become among the most aggressively targeted environments for ransomware and business email compromise. The presence of both a major financial institution and a major healthcare network in the founding roster signals that MITRE is thinking seriously about ATT&CK's role beyond the traditional enterprise IT and government defense context.

Eric Stride, Chief Security Officer at Huntress, rounds out the industry representation with a perspective that is easy to overlook but strategically essential: the small-to-medium business end of the market. Huntress serves the MSP and SMB space — organizations that typically lack the dedicated threat intelligence teams that characterize the other members' employers. ATT&CK's original public-interest spirit was rooted in making adversary knowledge accessible to everyone, not just Fortune 500 SOC teams. Stride's seat is a reminder that the council's work should serve the whole spectrum of defenders, not just the organizations with the largest security headcount.

And then there is Richard Struse of Tidal Cyber, whose appointment generated the PR Newswire announcement that surfaced this story for many observers. Struse is arguably the most interesting appointment on the council precisely because of his biography. Before co-founding Tidal Cyber, he served as co-founder and Director of MITRE's Center for Threat-Informed Defense. But before that — and this is the detail that matters — he created STIX and TAXII in his role as Chief Advanced Technology Officer at the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC). The Structured Threat Information eXchange and Trusted Automated eXchange of Intelligence Information standards became the architectural backbone for machine-readable threat intelligence sharing across government, critical infrastructure, and the private sector. Those standards are, in a real sense, the plumbing that ATT&CK's data flows through. In October 2014, Secretary of Homeland Security Jeh Johnson presented Struse with the Secretary's Award for Excellence for that work. He then moved to MITRE to build the Center for Threat-Informed Defense, then left to build Tidal Cyber — a commercial platform that operationalizes ATT&CK at the procedure level. He is now back in an advisory role, bringing an arc that spans government intelligence sharing infrastructure, nonprofit framework stewardship, and private-sector operationalization all in one resume.

Struse cited ATT&CK's public-interest spirit as central to its decade-plus value to security teams worldwide, adding that he looks forward to working with council members and MITRE "to continue to advance ATT&CK as a trusted resource for all." (Richard Struse, CTO and Co-Founder, Tidal Cyber; MITRE.org, Feb. 25, 2026)

Taken as a whole, the twelve-member roster reflects a deliberate triangulation: operational practitioners who live inside enterprise defenses every day (Hutchins, Mohr, Stride), hyperscale telemetry and threat intelligence producers (Dezeure, Goody, Horocofsky, Spurlock), academic and long-view institutional memory (Spafford), government-to-framework integration (Spring), procedure-level operationalization (Struse), and direct framework stewardship (Pennington, Clancy). That is not a random cross-section. It is a structured answer to a specific set of problems.

The Missing Geography Problem

The inaugural council is heavily weighted toward North American and European organizations. APAC defenders — particularly those in sectors heavily targeted by China-nexus and DPRK-nexus actors, who represent some of the most aggressive and technically sophisticated adversaries in the current threat landscape — are not visibly represented. This is a gap worth naming. ATT&CK's adoption is global; its governance should eventually reflect that. A future expansion of the council that includes practitioners from Japan, South Korea, Australia, or Singapore would materially strengthen its claim to representing the worldwide community of defenders.

The Real Reason This Council Exists Now

MITRE's official language around the council emphasizes sustainability, community input, and long-term stewardship. All of that is accurate. But reading between the lines, the timing tells a more specific story about the pressures the framework is under in 2026.

First, there is the AI problem. Adversaries are moving faster than any biannual release cycle can document. CrowdStrike's 2026 Global Threat Report found an 89% rise in AI-enabled attacks in 2025, with breakout times — the window between initial access and lateral movement — averaging just 29 minutes, with the fastest clocked at 27 seconds. In one documented intrusion, data exfiltration began within four minutes of initial access. As Adam Meyers, CrowdStrike's Head of Counter Adversary Operations, put it: "AI is compressing the time between intent and execution." When attackers are operating at machine speed, the gap between "this technique exists in the wild" and "this technique is documented and detectable in ATT&CK" becomes a critical liability. The council will be tasked in part with advising on how the framework's content and release cadence should respond to that acceleration.

The Evasion Shift

Research from Picus Labs analyzing more than 1.1 million malicious files in 2025 found that 80% of observed ATT&CK techniques were now dedicated to evasion and persistence — up dramatically from prior years — with a 38% decline in data encryption attacks replaced by a surge in techniques designed for long-term stealth and espionage. The framework must keep pace with that inversion. Source: Security Boulevard, Feb. 2026.

Second, there is the scope creep problem — which is not a criticism, but a fact of ATT&CK's success. The framework now covers Enterprise IT, Mobile, and ICS/OT environments. MITRE has spun up companion frameworks including ATLAS for AI/ML threat modeling and AADAPT for cryptocurrency and digital financial systems. In early 2026, MITRE also launched the Embedded Systems Threat Matrix in collaboration with the U.S. Air Force's Cyber Resiliency Office for Weapon Systems. Each of these expansions carries methodological implications for the core framework — questions about consistency, cross-domain technique mapping, and how the foundational ATT&CK philosophy applies to radically different technology environments. A council with voices from across those environments is better positioned to surface those tensions early than any internal team working in isolation.

Third — and this is the angle that nobody in the mainstream coverage seems to be discussing — there is the question of what happens to ATT&CK's perceived neutrality as the commercial ecosystem around it grows. Dozens of vendors now build products explicitly marketed around ATT&CK coverage scores, ATT&CK-aligned detection libraries, and ATT&CK-based risk assessments. That commercial weight creates subtle pressure: vendors have incentives to push for technique classifications that benefit their detection capabilities, and to resist changes that might make existing products look less complete. An independent advisory council with staggered terms and diverse sector representation is a structural safeguard against that kind of capture. The fact that MITRE has explicitly kept governing authority in-house while creating an external advisory layer suggests they have thought carefully about this problem.

The Institutional Funding Risk — A Question Nobody Is Asking

There is a fourth pressure driving the council's formation that received essentially zero attention in the mainstream coverage: the question of what happens to ATT&CK if MITRE's federal funding landscape shifts. MITRE is a nonprofit federally funded research and development center (FFRDC) whose government contracts are its operational lifeblood. ATT&CK itself began as a government-contracted research project. In an environment where federal discretionary spending and FFRDC contract portfolios are under active scrutiny, any organization whose primary funder is the U.S. government has a governance question it needs to answer: what is the continuity plan if that funding base contracts? The advisory council — a distributed, multi-sector body with institutional representatives from private industry, academia, and government — is a structural hedge against single-source institutional dependency. It does not eliminate that risk, but it signals that MITRE is thinking about sustainability in terms that go beyond the next contract cycle. The community should be asking this question directly. The council's existence is, in part, an answer to it.

In the v18 release notes, ATT&CK program lead Amy Robertson described the council as the formalization of something already happening informally — that ATT&CK has always been community-driven, shaped by real-world experience and defender needs, and that MITRE had long considered a more formal channel for translating that input directly into the framework's direction. The council gives structure, accountability, and names to that process. (Industrial Cyber, Oct. 2025)

What Good Governance Actually Looks Like: Solutions Worth Watching

Most coverage of the advisory council stops at the "governance matters" conclusion. But the harder and more interesting question is: what does good council output actually look like in practice? The generic proposals — "engage the community more," "update content faster," "improve global coverage" — are necessary but insufficient. Here are the problems that actually warrant structural solutions, and what those solutions might look like if the council takes them seriously.

The procedure-level gap. ATT&CK documents techniques — the "how" of adversary behavior. But techniques are abstractions. A technique like T1059 (Command and Scripting Interpreter) covers an enormous range of actual attacker actions that look very different in practice across different threat groups, environments, and toolsets. The procedures — the specific, observable, step-by-step actions that concretely instantiate a technique — are where detection actually happens. This is precisely the problem Struse's Tidal Cyber platform is built to solve, and it is not a coincidence that the procedure-level operationalization gap is well understood by someone now sitting on the advisory council. The council could push MITRE to invest more explicitly in sub-procedure documentation within ATT&CK itself: not replacing the technique taxonomy, but building out the layer beneath it that gives detection engineers and threat hunters the specificity they need to write signatures that work against real actors rather than abstract behavioral categories. The Detection Strategies and Analytics objects introduced in v18 point in this direction. The council could accelerate that trajectory by making procedure-level specificity an explicit content priority for v19 and beyond.

The release cadence problem. ATT&CK currently releases on a roughly biannual schedule. When breakout times average 29 minutes and China-nexus actors are weaponizing vulnerabilities within two days of disclosure, a six-month documentation lag is not a minor inconvenience — it is a structural liability. The council could meaningfully push for a tiered release architecture: a continuous "living" feed for technique alerts and emerging TTP documentation (analogous to what CISA does with Known Exploited Vulnerabilities), with the biannual cadence reserved for validated, consensus-reviewed content that meets the full ATT&CK methodology standard. This would serve the community's urgent operational needs without compromising the framework's methodological rigor — a tension the council is uniquely positioned to mediate because it includes both intelligence production practitioners and long-term stewardship voices.

The coverage verification problem. Dozens of vendors market their products using ATT&CK coverage scores, but there is no standardized methodology for what "coverage" means. Does a product that detects an artifact of a technique count the same as one that detects the behavioral pattern at the action level? The council has the credibility to push for a coverage verification standard — ideally one that distinguishes detection confidence levels and is aligned with the Detection Strategies and Analytics objects introduced in v18. Without that standard, ATT&CK coverage scores will continue to be marketing instruments rather than meaningful security measures, which corrodes the framework's neutrality.
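To make the coverage question concrete, here is an added worked example. It is not code from MITRE or from any vendor named in this article. It models a catalog of analytics in a deliberately simplified shape (the Analytic object layout and the three confidence tiers are assumptions for illustration, not the ATT&CK v18 Detection Strategies and Analytics data model), scores two constructed product catalogs against a constructed five-technique scope, and shows that both earn the same flat coverage number while differing sharply once detection tier is taken into account. The technique IDs are real ATT&CK identifiers; the scope selection and both product catalogs are constructed. The same distinction bears on the procedure-level gap discussed above: behavior-tier analytics are the ones that have been written against something closer to a procedure than to an abstract technique name.

```python
"""Coverage scoring with detection confidence tiers.

Added example; the object layout and tier names are assumptions made for
illustration, not MITRE's ATT&CK data model.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Level(IntEnum):
    """Detection confidence tier. Ordering matters: higher is stronger."""
    NONE = 0
    ARTIFACT = 1   # matches residue the technique leaves behind (a hash, a tool name)
    BEHAVIOR = 2   # matches the action pattern itself (process lineage, event sequence)


@dataclass(frozen=True)
class Analytic:
    """Simplified stand-in for a platform-specific detection analytic (assumed shape)."""
    technique: str   # ATT&CK technique ID this analytic is mapped to
    platform: str    # e.g. "windows", "linux"
    level: Level
    description: str


# Constructed evaluation scope. The IDs are real ATT&CK technique identifiers;
# picking these five is illustrative.
SCOPE: Dict[str, str] = {
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1078": "Valid Accounts",
    "T1021": "Remote Services",
    "T1566": "Phishing",
}

# Constructed catalogs for two hypothetical products. Both map analytics to the
# same four techniques; only the tier of evidence each analytic relies on differs.
VENDOR_A: List[Analytic] = [
    Analytic("T1059", "windows", Level.ARTIFACT, "hash match on a known script-runner binary"),
    Analytic("T1003", "windows", Level.ARTIFACT, "filename match on a known credential-dumping tool"),
    Analytic("T1078", "windows", Level.ARTIFACT, "username appears on a leaked-credential list"),
    Analytic("T1021", "windows", Level.ARTIFACT, "hash match on a known remote-admin tool"),
]
VENDOR_B: List[Analytic] = [
    Analytic("T1059", "windows", Level.BEHAVIOR, "office application spawns a script interpreter that opens a network socket"),
    Analytic("T1059", "linux", Level.BEHAVIOR, "interactive shell spawned by a web-server worker process"),
    Analytic("T1003", "windows", Level.BEHAVIOR, "non-system process opens the credential-holding OS process with memory-read access"),
    Analytic("T1078", "windows", Level.ARTIFACT, "username appears on a leaked-credential list"),
    Analytic("T1021", "windows", Level.BEHAVIOR, "interactive logon from a host that has never authenticated to this system before"),
]


def best_level(analytics: Iterable[Analytic], technique: str) -> Level:
    """Strongest tier any analytic in the catalog reaches for one technique."""
    return max((a.level for a in analytics if a.technique == technique), default=Level.NONE)


def naive_coverage(analytics: Iterable[Analytic], scope: Dict[str, str] = SCOPE) -> float:
    """The marketing number: fraction of in-scope techniques with any analytic at all."""
    catalog = list(analytics)
    covered = sum(1 for t in scope if best_level(catalog, t) > Level.NONE)
    return covered / len(scope)


def tiered_coverage(analytics: Iterable[Analytic], scope: Dict[str, str] = SCOPE) -> Dict[str, float]:
    """Fraction of in-scope techniques whose strongest analytic lands in each tier."""
    catalog = list(analytics)
    counts = {lvl.name: 0 for lvl in Level}
    for t in scope:
        counts[best_level(catalog, t).name] += 1
    return {name: n / len(scope) for name, n in counts.items()}


def below_behavior(analytics: Iterable[Analytic], scope: Dict[str, str] = SCOPE) -> List[Tuple[str, str]]:
    """Techniques a verification standard would flag: anything not detected at the behavior tier."""
    catalog = list(analytics)
    return [(t, best_level(catalog, t).name) for t in scope if best_level(catalog, t) < Level.BEHAVIOR]


if __name__ == "__main__":
    for name, catalog in (("Vendor A", VENDOR_A), ("Vendor B", VENDOR_B)):
        print(f"{name}: flat coverage {naive_coverage(catalog):.0%}, "
              f"by tier {tiered_coverage(catalog)}, flagged {below_behavior(catalog)}")
```

Run stand-alone, the script reports 80% flat coverage for both catalogs, then shows that Vendor A reaches the behavior tier on none of the five techniques while Vendor B reaches it on three. A coverage verification standard of the kind the paragraph above argues for would publish the tiered breakdown and the flagged list, not the single percentage.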

The ICS/OT integration problem. ATT&CK for ICS launched in 2020, but operational technology environments present unique challenges that the Enterprise framework's methodology was not originally designed to handle: air-gapped networks, proprietary protocols, assets with decades-long lifespans, and threat actors whose goals are disruption and physical consequence rather than data exfiltration. Brian Mohr's healthcare background and the ICS assets added in v18 point toward this domain, but the council should push for something more systematic: a dedicated ICS practitioner expansion of the council itself, or a formal consultation process with sector-specific ISAC communities before each release cycle. The IT/OT convergence that is reshaping industrial environments cannot be adequately governed by a council that doesn't include ICS defenders as core voices.

The AI-generated technique documentation problem. Adversaries are now using AI to accelerate their operations, and defenders are using AI to accelerate threat intelligence production. Both dynamics create noise in the ATT&CK pipeline. AI-generated threat intelligence reports may contain technique attributions that are plausible but not grounded in verified observations. The council should advise on methodology standards for AI-assisted content contributions — specifically, what evidence threshold a technique submission must meet when the supporting research was AI-assisted, and how MITRE should handle technique proposals that arrive at high volume from automated analysis pipelines. This is an entirely new category of quality control challenge that the framework has never faced before.

The measurement problem. How will anyone know if the council is actually working? The staggered term structure is a promising design choice, but there is no public accountability mechanism. The council could recommend — and MITRE could commit to — an annual public transparency report documenting which recommendations were made, which were adopted, and which were declined (with reasoning). That would give the community a basis for assessing whether the council is functioning as a genuine advisory body or as a legitimizing veneer. The framework's credibility depends on that distinction being answerable.

ATT&CK v18, v19, and What Comes Next

The Advisory Council announcement arrived alongside the release of ATT&CK v18, and that timing is not coincidental. Version 18 is itself a signal of the framework's direction. The two most significant additions are Detection Strategies and Analytics — two new object types that shift ATT&CK's defensive content from brief, general notes toward structured, behavior-focused detection guidance. Detection Strategies define high-level approaches for catching specific attacker techniques. Analytics provide platform-specific logic for actually building those detections in a SOC environment. Together, they represent ATT&CK moving explicitly into the detection engineering space, not just the threat classification space.

Version 18 also added Enterprise techniques covering modern infrastructure threats including Kubernetes clusters, CI/CD pipelines, and cloud databases — environments that nation-state actors and ransomware operators are increasingly targeting as organizations shift workloads out of traditional data centers. On the ICS side, three new asset objects were introduced: Distributed Control System Controllers, Firewalls, and Switches, along with a new "Related Assets" field to handle the industry-specific terminology differences that have long complicated consistent ICS threat documentation.

Amy Robertson, ATT&CK Program Lead, outlined the v19 roadmap in the v18 release notes: work is underway to align detections with the new detection strategies model, refresh CTI content, and expand Asset coverage across more sectors and system types. (Industrial Cyber, Oct. 2025)

The v19 roadmap, as Robertson has described it publicly, will continue expanding the Detection Strategies model into Mobile and ICS domains, refresh CTI content with new software profiles, group entries, and cross-domain campaigns, and broaden Asset coverage into additional industrial sectors. The advisory council's first real test will be whether it can accelerate that work by surfacing community needs earlier in the development cycle — and whether its members can translate operational experience from CISA, CrowdStrike, Recorded Future, Google, Microsoft, JPMorgan Chase, HCA Healthcare, Huntress, and Tidal Cyber into concrete content recommendations rather than abstract strategic guidance.

The broader trajectory points toward ATT&CK becoming less of a static reference document and more of a living detection infrastructure — one that informs not just how you describe a threat, but how you actually build the analytic logic to catch it. That is an ambitious evolution, and it is precisely the kind of directional shift that benefits from a council of practitioners pushing back, refining, and pressure-testing the approach before it gets baked into enterprise security programs worldwide.

Key Takeaways

  1. ATT&CK's governance just matured: After more than a decade as a community-driven but essentially MITRE-controlled resource, the framework now has a formal independent advisory structure. This is a meaningful institutional change, not a ceremonial one. The advisory role carries no governing authority, but the caliber of the inaugural twelve members means their recommendations will carry real weight.
  2. The timing is driven by real pressure: AI-accelerated attack speeds, an 89% rise in AI-enabled threat activity, the expansion into ICS/OT and embedded systems, the growing commercial ecosystem around ATT&CK coverage scores, and — least discussed but critically important — the institutional funding vulnerability inherent in MITRE's FFRDC status all create governance challenges that informal community input cannot adequately address. The council is MITRE's structural response to those compounding pressures.
  3. The member selection reveals strategic priorities: Government (CISA), academia (Purdue/CERIAS), hyperscale telemetry (Microsoft, Google), EDR at scale (CrowdStrike), threat intelligence (Recorded Future), critical infrastructure verticals (JPMorgan Chase, HCA Healthcare), the SMB market (Huntress), the intelligence-sharing standards architect who built STIX/TAXII at DHS before founding the Center for Threat-Informed Defense (Struse), and MITRE's own ATT&CK lead and CTO — this is not a random cross-section. It is a structured answer to a specific set of gaps.
  4. v18's detection engineering pivot is the real story: The Detection Strategies and Analytics objects represent ATT&CK moving from threat classification into active detection infrastructure. Combined with advisory council guidance, the framework is positioning itself as the backbone of detection engineering, not just a vocabulary for threat intelligence sharing.
  5. The real governance tests are structural, not ceremonial: The council's value depends on MITRE adopting a tiered release cadence to close the documentation lag, establishing a coverage verification standard to curb misleading vendor claims, committing to a public transparency report so the community can assess whether advisory input actually shapes content decisions, and addressing the procedure-level gap that separates technique classification from operational detection specificity.
  6. The institutional funding question deserves a direct answer: As an FFRDC whose origins and operating budget are deeply tied to federal contracting, MITRE's long-term stewardship of ATT&CK carries institutional risk that the broader community rarely discusses openly. The advisory council's multi-sector composition is a structural hedge against single-source dependency. The community should be asking MITRE directly what the continuity plan looks like if its funding base shifts — and the council should be the body that receives and pressure-tests that answer.
  7. Watch how MITRE uses the council's input: The council's ultimate value will be measured not by who is on it, but by how consistently MITRE incorporates its recommendations into actual framework decisions. The staggered term structure is a promising sign that this is designed for longevity, not optics — but the proof is in the content updates that follow.

ATT&CK started as a spreadsheet in a classified lab because a small team of researchers had an "aha" moment about how to think about adversary behavior differently. It became the global standard for cyber defense not because any organization mandated it, but because practitioners everywhere recognized that it described reality more accurately than anything else they had. The Advisory Council is MITRE acknowledging that a resource of that scale and that consequence deserves governance that matches its importance. After more than ten years, it is overdue — and given what is coming at defenders in 2026 and beyond, the timing may be exactly right.

Sources

  1. MITRE. "MITRE Announces Formation of the ATT&CK Advisory Council." Feb. 25, 2026. mitre.org
  2. PR Newswire. "Tidal Cyber's Richard Struse Appointed to MITRE ATT&CK Advisory Council." March 2, 2026. prnewswire.com
  3. AttackIQ. "MITRE ATT&CK at Seven: The Seven Biggest Milestones." May 31, 2022. attackiq.com
  4. Blake Strom / MITRE ATT&CK on Medium. "ATT&CK 101." Originally published May 3, 2018. medium.com
  5. Tidal Cyber. "Advancing Threat-Informed Defense with ATT&CK's Founder, Blake Strom." Dec. 10, 2022. tidalcyber.com
  6. Industrial Cyber. "MITRE Launches ATT&CK v18 and Advisory Council." Oct. 2025. industrialcyber.co
  7. SecurityWeek. "MITRE Unveils ATT&CK v18 With Updates to Detections, Mobile, ICS." Oct. 2025. securityweek.com
  8. SecurityWeek. "In Other News: ATT&CK Advisory Council." Feb. 2026. securityweek.com
  9. Purdue University Department of Computer Science. "Spafford Appointed to MITRE ATT&CK Advisory Council." 2026. cs.purdue.edu
  10. Security Boulevard. "80% of ATT&CK MITRE Techniques Now Dedicated to Evasion and Persistence." Feb. 2026. securityboulevard.com
  11. Palo Alto Networks. "How Has MITRE ATT&CK Evolved?" paloaltonetworks.com
  12. CrowdStrike. "2026 Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface." Feb. 24, 2026. crowdstrike.com
  13. CrowdStrike Blog. "2026 Global Threat Report Findings." Feb. 24, 2026. crowdstrike.com/blog
  14. ExecutiveBiz. "MITRE Establishes ATT&CK Advisory Council With Industry, Government Leaders." Feb. 27, 2026. executivebiz.com
  15. SecurityWeek. "MITRE Posts Results of 2025 ATT&CK Enterprise Evaluations." Dec. 2025. securityweek.com
  16. Tenable. "Cybersecurity Snapshot: AI Will Take Center Stage in Cyber in 2026." Nov. 2025. tenable.com
  17. RSAC Conference. "Richard Struse Speaker Biography." rsaconference.com
  18. MITRE. "Threat-Informed Defense — ATT&CK 10th Anniversary." mitre.org