Most SOC teams claim MITRE ATT&CK coverage they don't actually have. Not because they're lying — because there's a real difference between "we have a rule that touches this technique" and "we can reliably detect this technique in our environment with acceptable false positive rates."
Coverage mapping done properly tells you what you actually have, what you think you have but don't, and what matters most to build next. Here's how to do it without a dedicated tool or a six-month project.
The Three Coverage Levels That Actually Matter
Before you map anything, agree on what "coverage" means. Vague coverage claims are worse than no claims because they create false confidence. Use three levels:
Building Your Coverage Map: Step by Step
- Export your current detection rules — from Sentinel (Analytics rules), CrowdStrike (custom detections), or Splunk (saved searches/alerts). Get a flat list of rule names and descriptions.
- Open ATT&CK Navigator — free tool at attack.mitre.org/resources/navigator. Create a new layer for your environment.
- Map each rule to a technique ID — not technique name, technique ID (T1059.001, T1078, etc.). One rule can map to multiple techniques. Be conservative — if the rule only partially covers the technique, mark it L2.
- Color code by coverage level — green for L3, yellow for L2, red or blank for L1. This becomes your leadership reporting artifact.
- Cross-reference against your threat intel — what techniques are the threat actors targeting your sector actually using right now? Any L1 gap that overlaps with an active campaign is your highest priority build.
If you're unsure whether a rule deserves L3 or L2, check the last 30 days of alert history. If it fired zero times and your environment should theoretically have triggered it, it's L2 at best — something in the detection logic isn't matching your environment's actual data.
The Techniques You're Almost Certainly Missing
Based on coverage gaps that appear consistently across enterprise SOCs, these are the techniques most likely to show L1 gaps even in mature programs:
T1078 — Valid Accounts
Attackers using legitimate credentials look exactly like legitimate users. Detection requires behavioral baselines — time-of-day patterns, location patterns, access scope — not just event-based rules. Most orgs have the events but not the behavioral layer. This is the most dangerous L1 gap in most environments because it's the technique used in almost every significant breach.
T1562.001 — Impair Defenses: Disable or Modify Tools
Attackers disabling your EDR or clearing event logs. You need to be alerted on this. A detection engineering shop that doesn't have coverage here is in a very dangerous position — an attacker who can turn off your visibility without triggering an alert owns the environment.
T1136 — Create Account
New local admin accounts created on endpoints, especially outside of provisioning windows or in bulk. Frequently present in ransomware pre-deployment activity and almost always an L2 gap — visible in 4720 events but not alerted on.
T1021.002 — SMB/Windows Admin Shares
Lateral movement via SMB is one of the most common techniques in ransomware deployment chains and one of the most consistently uncovered in enterprise environments. CrowdStrike detects some of this behaviorally, but Sentinel and Splunk environments without Sysmon or explicit SMB logging have significant visibility gaps here.
Prioritizing What to Build Next
With a completed coverage map, prioritize the build backlog using three factors:
- Threat relevance: Is this technique in active use by actors targeting your sector? Weight this heavily — a gap in a rarely-used technique matters less than a gap in a technique used in last month's sector breach.
- Kill chain position: Gaps in execution and persistence are more dangerous than gaps in reconnaissance and resource development. Prioritize mid-chain techniques where early detection matters most.
- Data availability: L1 gaps where the data exists (L2 upgrades) are faster wins than L1 gaps that require a new log source. Build the L2→L3 upgrades first, then tackle the data gaps separately.
Report coverage as "X techniques at L3 confidence out of Y techniques relevant to our threat profile" — not as a percentage of the full ATT&CK matrix. The full matrix has 200+ techniques; most orgs are only realistically targeted on 40-60. Denominator matters.
Every Tuesday issue ships with the detection rule, the MITRE ATT&CK technique ID and sub-technique mapping, the data sources required, and the investigation steps an analyst needs to close the alert. Tracking your coverage gets easier when every new rule comes pre-mapped.
Join — $14.99/mo IR Runbook Bundle — $49