MITRE ATT&CK Coverage Mapper
Detection Coverage per Tactic
(Bar chart: the 14 ATT&CK tactics, Reconnaissance through Impact, each at 0% with no tools deployed; the values are repeated in the heatmap below.)
Deployed Security Tools
No tools selected; every tool in the roadmap below is still listed as not deployed.

| Overall Coverage Score | Full Coverage | Partial Coverage | No Coverage |
|---|---|---|---|
| 0% | 0 tactics | 0 tactics | 14 tactics |
Benchmark Comparison

| Your Score | Industry Low | Industry Avg | Industry High |
|---|---|---|---|
| 0% | 25% | 48% | 72% |

(The industry figures are supplied by the tool itself; no source is cited for them.)

Rating: Critical. Minimal detection coverage. Immediate investment in security tooling and monitoring is needed.
Coverage Heatmap

| Tactic | Coverage |
|---|---|
| Reconnaissance | 0% |
| Resource Development | 0% |
| Initial Access | 0% |
| Execution | 0% |
| Persistence | 0% |
| Privilege Escalation | 0% |
| Defense Evasion | 0% |
| Credential Access | 0% |
| Discovery | 0% |
| Lateral Movement | 0% |
| Collection | 0% |
| Command and Control | 0% |
| Exfiltration | 0% |
| Impact | 0% |
Kill Chain Coverage

| Phase | Tactics | Coverage |
|---|---|---|
| Pre-Attack | Reconnaissance, Resource Development | 0% |
| Initial Compromise | Initial Access, Execution | 0% |
| Establish Foothold | Persistence, Privilege Escalation, Defense Evasion | 0% |
| Internal Recon & Movement | Credential Access, Discovery, Lateral Movement | 0% |
| Mission Execution | Collection, Command and Control, Exfiltration, Impact | 0% |
Coverage Improvement Roadmap
Tools not yet deployed, ranked by potential coverage improvement. "Coverage gain" is the share of the 14 tactics the tool touches, measured against the current empty deployment (SIEM: 13 of 14 = 93%, EDR: 6 of 14 = 43%, and so on). Gains overlap, so they are not additive: once one tool is deployed, a second tool only adds the tactics the first does not already touch. A tactic also counts as covered as soon as one tool maps to it, regardless of how many of its techniques that tool can actually detect.

| Tool | Coverage Gain | Tactics Improved |
|---|---|---|
| SIEM | 93% | Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact |
| EDR | 43% | Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery |
| CASB | 29% | Initial Access, Collection, Exfiltration, Defense Evasion |
| IAM | 29% | Initial Access, Persistence, Privilege Escalation, Credential Access |
| NDR | 29% | Reconnaissance, Lateral Movement, Command and Control, Exfiltration |
| WAF | 21% | Reconnaissance, Initial Access, Impact |
| DLP | 21% | Collection, Exfiltration, Impact |
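The ranking logic behind the table, as an added worked example (this is illustrative code written for this page, not the mapper's own implementation). The tool-to-tactic mapping is transcribed from the table above; the example treats coverage as binary per tactic (the page's full/partial distinction is not reproduced) and shows how the marginal gain of each remaining tool shrinks as others are deployed, which the static table cannot show.

```python
# Tool -> ATT&CK tactics mapping, transcribed from the roadmap table on this page.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
TOOL_TACTICS = {
    "SIEM": set(TACTICS) - {"Resource Development"},
    "EDR": {"Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
            "Credential Access", "Discovery"},
    "CASB": {"Initial Access", "Collection", "Exfiltration", "Defense Evasion"},
    "IAM": {"Initial Access", "Persistence", "Privilege Escalation", "Credential Access"},
    "NDR": {"Reconnaissance", "Lateral Movement", "Command and Control", "Exfiltration"},
    "WAF": {"Reconnaissance", "Initial Access", "Impact"},
    "DLP": {"Collection", "Exfiltration", "Impact"},
}


def covered_tactics(deployed):
    """Union of the tactics touched by every deployed tool (binary coverage, an assumption)."""
    covered = set()
    for tool in deployed:
        covered |= TOOL_TACTICS[tool]
    return covered


def uncovered_tactics(deployed):
    """Tactics no deployed tool maps to, in ATT&CK order."""
    covered = covered_tactics(deployed)
    return [t for t in TACTICS if t not in covered]


def coverage_score(deployed):
    """Percent of the 14 tactics with at least one deployed tool; round() reproduces
    the table's figures (13/14 -> 93, 6/14 -> 43, 4/14 -> 29, 3/14 -> 21)."""
    return round(100 * len(covered_tactics(deployed)) / len(TACTICS))


def rank_gains(deployed):
    """Undeployed tools ranked by the *marginal* score each would add on its own.
    Returns (tool, gain_percent, newly_covered_tactics), best first, ties by name."""
    already = covered_tactics(deployed)
    gains = []
    for tool, tactics in TOOL_TACTICS.items():
        if tool in deployed:
            continue
        new = tactics - already
        gains.append((tool, round(100 * len(new) / len(TACTICS)),
                      sorted(new, key=TACTICS.index)))
    return sorted(gains, key=lambda g: (-g[1], g[0]))


if __name__ == "__main__":
    for deployed in (set(), {"SIEM"}, {"EDR", "NDR"}):
        print(f"deployed={sorted(deployed)} score={coverage_score(deployed)}%")
        for tool, gain, new in rank_gains(deployed):
            print(f"  {tool:5s} +{gain:2d}%  {', '.join(new) or '(nothing new)'}")
```

With nothing deployed the ranking matches the table. After deploying SIEM the only uncovered tactic is Resource Development, which none of the seven tools maps to, so every remaining tool's gain drops to 0% even though the table lists EDR at 43%.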
Detection Rule Suggestions

| Tactic | Technique ID | Technique | Data Source | Detection Logic | Tool |
|---|---|---|---|---|---|
| Reconnaissance | T1595 | Active Scanning | Network flow logs | Monitor for port-scanning patterns and high-frequency connection attempts from a single source | NDR |
| Reconnaissance | T1598 | Phishing for Information | Email gateway logs | Detect emails carrying credential-harvesting links or suspicious attachments from unknown senders | SIEM |
| Resource Development | T1586 | Compromise Accounts | IAM audit logs | Alert on logins using credentials that appear in known breach dumps, impossible-travel logins, or new device fingerprints | IAM |
| Initial Access | T1566 | Phishing | Email headers, URL reputation | Flag emails with mismatched sender domains, suspicious URLs, or attachment hashes on a known-malicious list | SIEM |
| Initial Access | T1190 | Exploit Public-Facing Application | WAF logs, IDS alerts | Detect exploit attempts against public-facing applications (SQLi, XSS, RCE patterns) | WAF |
| Initial Access | T1133 | External Remote Services | VPN/RDP access logs | Alert on remote access from unusual geolocations or outside business hours | IAM |
| Initial Access | T1078 | Valid Accounts | Authentication logs | Detect credential stuffing, password spraying, or use of default or shared accounts | IAM |
| Execution | T1059 | Command and Scripting Interpreter | Process creation logs | Monitor for cmd.exe, powershell.exe, or wscript.exe spawned by unusual parent processes | EDR |
| Execution | T1204 | User Execution | Endpoint telemetry | Detect execution of files delivered as email attachments or browser downloads, typically from temp directories | EDR |
| Persistence | T1547 | Boot or Logon Autostart Execution | Registry monitoring | Alert on modifications to Run/RunOnce keys, startup folders, or scheduled tasks | EDR |
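Three of the rules above (T1595, T1078 and T1059) expressed as detection logic and run over constructed sample logs, as an added example; this is not code from the mapper or from any of the listed tools. The log records, thresholds, window sizes and the allowlist of parents that may legitimately launch an interpreter are all assumptions chosen for illustration. The spray detector counts distinct users per source rather than raw failures, which is what separates password spraying from a single-account brute force.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# ASSUMPTION: parents that legitimately launch interpreters in this estate; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "cmd.exe", "powershell.exe"}


def _max_distinct_in_window(events, window):
    """events: (datetime, key) pairs. Largest number of distinct keys inside any
    window-length span that starts at one of the events (simple O(n^2) sweep)."""
    events = sorted(events)
    best = 0
    for i, (t0, _) in enumerate(events):
        keys = {k for t, k in events[i:] if t - t0 <= window}
        best = max(best, len(keys))
    return best


def detect_port_scan(flows, min_targets=20, window=timedelta(seconds=60)):
    """T1595 Active Scanning: one source reaching many distinct (dst, dport) pairs quickly."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append((datetime.fromisoformat(f["ts"]), (f["dst"], f["dport"])))
    return [(src, n) for src, ev in by_src.items()
            if (n := _max_distinct_in_window(ev, window)) >= min_targets]


def detect_password_spray(auths, min_users=10, window=timedelta(minutes=10)):
    """T1078 Valid Accounts: one source failing against many distinct users.
    Counting distinct users (not failures) keeps single-account brute force out."""
    by_src = defaultdict(list)
    for a in auths:
        if a["result"] == "failure":
            by_src[a["src"]].append((datetime.fromisoformat(a["ts"]), a["user"]))
    return [(src, n) for src, ev in by_src.items()
            if (n := _max_distinct_in_window(ev, window)) >= min_users]


def detect_interpreter_from_unusual_parent(procs):
    """T1059 Command and Scripting Interpreter: an interpreter whose parent is not
    on the expected-launcher allowlist (Office and mail clients are the classic case)."""
    return [(p["parent"], p["image"]) for p in procs
            if p["image"].lower() in INTERPRETERS
            and p["parent"].lower() not in EXPECTED_PARENTS]


# Constructed sample logs (synthetic, not captured data).
_base = datetime(2024, 5, 1, 10, 0, 0)
FLOWS = [{"ts": (_base + timedelta(milliseconds=100 * i)).isoformat(),
          "src": "192.0.2.10", "dst": "10.0.0.5", "dport": port}
         for i, port in enumerate(range(20, 61))]              # scanner: 41 ports in ~4 s
FLOWS += [{"ts": _base.isoformat(), "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 443},
          {"ts": _base.isoformat(), "src": "10.0.0.7", "dst": "10.0.0.9", "dport": 445}]

AUTHS = [{"ts": (_base + timedelta(seconds=10 * i)).isoformat(),
          "src": "198.51.100.7", "user": f"user{i:02d}", "result": "failure"}
         for i in range(12)]                                    # spray: 12 users, one try each
AUTHS += [{"ts": (_base + timedelta(seconds=i)).isoformat(),
           "src": "203.0.113.9", "user": "bob", "result": "failure"}
          for i in range(30)]                                   # brute force: one user, 30 tries
AUTHS += [{"ts": _base.isoformat(), "src": "10.0.0.8", "user": "alice", "result": "success"}]

PROCS = [{"parent": "explorer.exe", "image": "cmd.exe"},        # normal user shell
         {"parent": "WINWORD.EXE", "image": "powershell.exe"},  # macro -> PowerShell
         {"parent": "outlook.exe", "image": "wscript.exe"},     # mail client -> script host
         {"parent": "svchost.exe", "image": "notepad.exe"}]     # not an interpreter

if __name__ == "__main__":
    print("T1595:", detect_port_scan(FLOWS))
    print("T1078:", detect_password_spray(AUTHS))
    print("T1059:", detect_interpreter_from_unusual_parent(PROCS))
```

The brute-force source 203.0.113.9 is deliberately not flagged by the spray rule: it fails 30 times but against one user, so a separate per-account lockout or failure-count rule would be needed for it. The parent allowlist fails closed, so a new legitimate launcher shows up as an alert until it is added.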
Priority Techniques to Cover
Current coverage is none for every technique listed.

| Technique ID | Technique | Tactic | Current Coverage |
|---|---|---|---|
| T1595 | Active Scanning | Reconnaissance | none |
| T1598 | Phishing for Information | Reconnaissance | none |
| T1586 | Compromise Accounts | Resource Development | none |
| T1566 | Phishing | Initial Access | none |
| T1190 | Exploit Public-Facing Application | Initial Access | none |
| T1133 | External Remote Services | Initial Access | none |
| T1078 | Valid Accounts | Initial Access | none |
| T1059 | Command and Scripting Interpreter | Execution | none |
| T1204 | User Execution | Execution | none |
| T1547 | Boot or Logon Autostart Execution | Persistence | none |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Persistence | none |
| T1136 | Create Account | Persistence | none |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation | none |
| T1548 | Abuse Elevation Control Mechanism | Privilege Escalation | none |
| T1078.002 | Valid Accounts: Domain Accounts | Privilege Escalation | none |