Most SOC teams claim MITRE ATT&CK coverage they don't actually have. Not because they're lying — because there's a real difference between "we have a rule that touches this technique" and "we can reliably detect this technique in our environment with acceptable false positive rates."

Coverage mapping done properly tells you what you actually have, what you think you have but don't, and what matters most to build next. Here's how to do it without a dedicated tool or a six-month project.

The Three Coverage Levels That Actually Matter

Before you map anything, agree on what "coverage" means. Vague coverage claims are worse than no claims because they create false confidence. Use three levels:

L3
High confidence
Alert + Investigate
You have a rule that fires when this technique is used. It's been tested, tuned, and has a documented false positive rate below 10%. An analyst will see it and investigate. This is the only level you should report to leadership as covered.
L2
Partial
Visible but not alerted
The data exists in your SIEM and a query would find it, but there's no automated alert. You'd catch it during a hunt or if you were specifically looking. Not covered — logged but not detected.
L1
Gap
No coverage
Either the data doesn't exist (log source not ingested), the rule doesn't exist, or the rule exists but fires so noisily it's been suppressed into uselessness. Be honest about this one — a suppressed rule counts as L1.

Building Your Coverage Map: Step by Step

  1. Export your current detection rules — from Sentinel (Analytics rules), CrowdStrike (custom detections), or Splunk (saved searches/alerts). Get a flat list of rule names and descriptions.
  2. Open ATT&CK Navigator — free tool at attack.mitre.org/resources/navigator. Create a new layer for your environment.
  3. Map each rule to a technique ID — not technique name, technique ID (T1059.001, T1078, etc.). One rule can map to multiple techniques. Be conservative — if the rule only partially covers the technique, mark it L2.
  4. Color code by coverage level — green for L3, yellow for L2, red or blank for L1. This becomes your leadership reporting artifact.
  5. Cross-reference against your threat intel — what techniques are the threat actors targeting your sector actually using right now? Any L1 gap that overlaps with an active campaign is your highest priority build.
The honest mapping rule

If you're unsure whether a rule deserves L3 or L2, check the last 30 days of alert history. If it fired zero times and your environment should theoretically have triggered it, it's L2 at best — something in the detection logic isn't matching your environment's actual data.

The Techniques You're Almost Certainly Missing

Based on coverage gaps that appear consistently across enterprise SOCs, these are the techniques most likely to show L1 gaps even in mature programs:

T1078 — Valid Accounts

Attackers using legitimate credentials look exactly like legitimate users. Detection requires behavioral baselines — time-of-day patterns, location patterns, access scope — not just event-based rules. Most orgs have the events but not the behavioral layer. This is the most dangerous L1 gap in most environments because it's the technique used in almost every significant breach.

T1562.001 — Impair Defenses: Disable or Modify Tools

Attackers disabling your EDR or clearing event logs. You need to be alerted on this. A detection engineering shop that doesn't have coverage here is in a very dangerous position — an attacker who can turn off your visibility without triggering an alert owns the environment.

T1136 — Create Account

New local admin accounts created on endpoints, especially outside of provisioning windows or in bulk. Frequently present in ransomware pre-deployment activity and almost always an L2 gap — visible in 4720 events but not alerted on.

T1021.002 — SMB/Windows Admin Shares

Lateral movement via SMB is one of the most common techniques in ransomware deployment chains and one of the most consistently uncovered in enterprise environments. CrowdStrike detects some of this behaviorally, but Sentinel and Splunk environments without Sysmon or explicit SMB logging have significant visibility gaps here.

Prioritizing What to Build Next

With a completed coverage map, prioritize the build backlog using three factors:

Leadership reporting format

Report coverage as "X techniques at L3 confidence out of Y techniques relevant to our threat profile" — not as a percentage of the full ATT&CK matrix. The full matrix has 200+ techniques; most orgs are only realistically targeted on 40-60. Denominator matters.

Weekly Intelligence Pack
Every detection includes the MITRE mapping

Every Tuesday issue ships with the detection rule, the MITRE ATT&CK technique ID and sub-technique mapping, the data sources required, and the investigation steps an analyst needs to close the alert. Tracking your coverage gets easier when every new rule comes pre-mapped.

Join — $14.99/mo IR Runbook Bundle — $49
Founding member pricing locked for life · 30-day money back