MITRE ATT&CKGap Assessment
Map your detection capabilities against the MITRE ATT&CK framework. Identify coverage gaps and build a prioritized detection engineering roadmap.
201
Techniques Assessed
14
Tactics Covered
85%
Target Coverage
What We Assess
Comprehensive coverage analysis across all ATT&CK tactics
Initial Access
Entry point detection
Execution
Code execution monitoring
Persistence
Foothold mechanisms
Privilege Escalation
Elevation detection
Defense Evasion
Bypass detection
Credential Access
Credential theft alerts
Discovery
Reconnaissance monitoring
Lateral Movement
Network traversal
Assessment Process
A systematic approach to mapping your detection capabilities against the MITRE ATT&CK framework and building a prioritized improvement roadmap
Current State Analysis
Review existing detection capabilities including SIEM rules, EDR configurations, network monitoring, and security tool coverage. Document all current detections and their effectiveness.
Key Activities
- SIEM rule inventory and effectiveness review
- EDR detection coverage assessment
- Log source completeness analysis
- Current alert volume and quality metrics
Tools Used
ATT&CK Mapping
Map all existing detections to MITRE ATT&CK techniques and sub-techniques. Identify which tactics have coverage and document the detection logic for each mapped technique.
Key Activities
- Detection-to-technique mapping
- Sub-technique granularity analysis
- Detection quality scoring (High/Medium/Low)
- Data source dependency mapping
Tools Used
Gap Identification
Compare mapped detections against the full ATT&CK matrix to identify coverage gaps. Prioritize gaps based on threat intelligence about techniques used against your industry.
Key Activities
- Full matrix coverage comparison
- Technique gap categorization
- Data source gap identification
- Visibility blind spot analysis
Tools Used
Priority Assessment
Prioritize detection gaps using threat intelligence, industry reports, and attack prevalence data. Focus on techniques most likely to be used against your organization.
Key Activities
- Threat intelligence integration
- Industry-specific threat analysis
- Attack prevalence scoring
- Risk-based prioritization matrix
Tools Used
Roadmap Development
Create a phased detection engineering roadmap with specific detection rules, data source requirements, and success metrics. Include timeline and resource estimates.
Key Activities
- Phased implementation plan
- Detection rule specifications
- Resource and timeline estimates
- Success metrics and KPIs
Tools Used
Sample Report Structure
Comprehensive ATT&CK gap assessment with actionable detection engineering recommendations
Executive Summary
High-level overview of MITRE ATT&CK coverage assessment
Tactics Assessed
14 tactics
Techniques Mapped
201 techniques
Current Coverage
34%
Critical Gaps
47 techniques
High Priority Gaps
89 techniques
Target Coverage
85%
Key Recommendation
Critical detection gaps in Initial Access and Execution tactics require immediate attention. Prioritize detection engineering for top 20 most-used techniques by threat actors targeting your industry.
Typical Coverage Gaps
Real examples of detection gaps we frequently identify during ATT&CK assessments
Initial Access Gaps
Current Coverage
25%
Description
Phishing, drive-by compromise, and exploitation of public-facing applications are undetected. These are the primary entry points for threat actors.
Undetected Techniques
Remediation
Deploy email security integration, web proxy analysis, and VPN/RDP monitoring with correlation rules.
MITRE ATT&CK Reference
TA0001 - Initial Access
Map Your Detection Gaps
Get comprehensive MITRE ATT&CK coverage assessment with prioritized detection engineering roadmap.