🤖 AI Summary
This paper addresses three recurring limitations of the MITRE ATT&CK framework: uneven adaptability to real-world environments, weak interoperability with other security frameworks, and limited generalizability across domains. Through a systematic review of 417 peer-reviewed publications, it identifies the adversary tactics, techniques, and procedures (TTPs) that are most frequently studied and applied, examines how ATT&CK is aligned with complementary frameworks (the Cyber Kill Chain, NIST guidance such as SP 800-53, and STRIDE), and surveys approaches that integrate natural language processing (NLP) and machine learning (ML) with ATT&CK to support threat detection and response. The review also assesses the framework's effectiveness and the methods used to validate it, and evaluates its applicability in sector-specific settings, notably industrial control systems (ICS) and healthcare, where it identifies concrete adaptation bottlenecks. It closes with the framework's current limitations and research directions for improving its use in dynamic cybersecurity environments.
📝 Abstract
The MITRE ATT&CK framework is a widely adopted tool for enhancing cybersecurity, supporting threat intelligence, incident response, attack modeling, and vulnerability prioritization. This paper synthesizes research on its application across these domains by analyzing 417 peer-reviewed publications. We identify commonly used adversarial tactics, techniques, and procedures (TTPs) and examine the integration of natural language processing (NLP) and machine learning (ML) with ATT&CK to improve threat detection and response. Additionally, we explore the interoperability of ATT&CK with other frameworks, such as the Cyber Kill Chain, NIST guidelines, and STRIDE, highlighting its versatility. The paper further evaluates the framework from multiple perspectives, including its effectiveness, validation methods, and sector-specific challenges, particularly in industrial control systems (ICS) and healthcare. We conclude by discussing current limitations and proposing future research directions to enhance the applicability of ATT&CK in dynamic cybersecurity environments.