MITRE ATT&CK Coverage Mapper
Detection Coverage per Tactic
Deployed Security Tools
Coverage per Tactic
Benchmark Comparison
Critical. Minimal detection coverage. Immediate investment in security tooling and monitoring is needed.
Coverage Heatmap
Kill Chain Coverage
Coverage Improvement Roadmap
Tools not yet deployed, ranked by potential coverage improvement:
| Tool↕ | Coverage Gain↕ | Tactics Improved |
|---|---|---|
| SIEM | 93% | Recon, Init Access, Execution, Persistence, Priv Esc, Def Evasion, Cred Access, Discovery, Lat Movement, Collection, C2, Exfiltration, Impact |
| EDR | 43% | Execution, Persistence, Priv Esc, Def Evasion, Cred Access, Discovery |
| CASB | 29% | Init Access, Collection, Exfiltration, Def Evasion |
| IAM | 29% | Init Access, Persistence, Priv Esc, Cred Access |
| NDR | 29% | Recon, Lat Movement, C2, Exfiltration |
| WAF | 21% | Recon, Init Access, Impact |
| DLP | 21% | Collection, Exfiltration, Impact |
Detection Rule Suggestions
| Tactic↕ | Technique ID↕ | Technique | Data Source | Detection Logic | Tool↕ |
|---|---|---|---|---|---|
| Reconnaissance | T1595 | Active Scanning | Network flow logs | Monitor for port scanning patterns and high-frequency connection attempts from single sources | NDR |
| Reconnaissance | T1598 | Phishing for Information | Email gateway logs | Detect emails with credential harvesting links or suspicious attachments from unknown senders | SIEM |
| Resource Development | T1586 | Compromise Accounts | IAM audit logs | Alert on logins from compromised credential databases, impossible travel, or new device fingerprints | IAM |
| Initial Access | T1566 | Phishing | Email headers, URL reputation | Flag emails with mismatched sender domains, suspicious URLs, or known malicious attachment hashes | SIEM |
| Initial Access | T1190 | Exploit Public-Facing App | WAF logs, IDS alerts | Detect exploit attempts against public-facing applications (SQLi, XSS, RCE patterns) | WAF |
| Initial Access | T1133 | External Remote Services | VPN/RDP access logs | Alert on remote access from unusual geolocations or outside business hours | IAM |
| Initial Access | T1078 | Valid Accounts | Authentication logs | Detect credential stuffing, password spraying, or use of default/shared accounts | IAM |
| Execution | T1059 | Command and Scripting Interpreter | Process creation logs | Monitor for cmd.exe, powershell.exe, wscript.exe spawned by unusual parent processes | EDR |
| Execution | T1204 | User Execution | Endpoint telemetry | Detect file execution from email attachments, browser downloads in temp directories | EDR |
| Persistence | T1547 | Boot/Logon Autostart | Registry monitoring | Alert on modifications to Run/RunOnce keys, startup folders, or scheduled tasks | EDR |
Priority Techniques to Cover
The MITRE ATT&CK framework catalogs how real adversaries operate, and mapping your detection coverage against it reveals exactly where you are blind. This mapper scores your coverage across the 14 ATT&CK enterprise tactics — from Reconnaissance through Impact — producing an overall posture score, a kill-chain view, and a prioritized list of high-value techniques you are not yet detecting.
Formula
Overall = Σ(tacticScore) / 14, tacticScore ∈ {0, 50, 100}
- tacticScore
- Per-tactic coverage score: full = 100, partial = 50, none = 0
- 14
- The number of MITRE ATT&CK enterprise tactics scored
- Overall
- The mean coverage score across all tactics, rounded to 0-100
How it works
- For each of the 14 tactics, mark your detection coverage as none, partial, or full based on the visibility your tools and logging provide.
- Each tactic is scored (full = 100, partial = 50, none = 0) and averaged into an overall 0-100 coverage score, with counts of full, partial, and gap tactics.
- The tool groups tactics into five kill-chain phases, lists high-priority techniques inside any tactic that is not fully covered, and suggests which security tools (EDR, SIEM, NDR, and others) would close the largest gaps.
Worked example
An organization has full coverage of 4 tactics, partial coverage of 6 tactics, and no coverage of the remaining 4 tactics.
- Sum the tactic scores: (4 × 100) + (6 × 50) + (4 × 0) = 400 + 300 + 0 = 700.
- Divide by the 14 tactics: 700 ÷ 14 = 50.
- Round to a whole number for the overall coverage score.
An overall ATT&CK coverage score of 50 — just above the industry average of 48 — with the 4 uncovered tactics flagged as gaps and their high-priority techniques surfaced first.
Frequently asked questions
- What are the MITRE ATT&CK tactics?
- Tactics are the adversary's goals across an attack — Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. This tool scores all 14.
- What does partial versus full coverage mean?
- Full coverage means you reliably detect the key techniques within a tactic across your environment. Partial means you detect some techniques or some assets but have blind spots. None means you have no meaningful detection for that tactic.
- How does my score compare to other organizations?
- The tool benchmarks against typical enterprise coverage: a low of about 25, an average near 48, and a strong program around 72. Scores above 60 are above average; under 40 indicates major gaps that warrant immediate investment.
- Which tools close the most coverage gaps?
- It depends on your gaps, but SIEM provides the broadest cross-tactic visibility, EDR is strongest for execution-through-discovery on endpoints, and NDR helps with lateral movement and command-and-control. The mapper ranks undeployed tools by how much coverage each would add.