ATT&CK mapped to what adversaries actually do
Every catalogued indicator is tagged against MITRE ATT&CK Enterprise. The result is a coverage matrix that reflects what adversaries are doing this quarter — not a tabletop estimate. Plan your detection investment against live pressure.
Operators use the coverage matrix to prioritise detection investment where adversaries are actually spending their effort, not where threat reports say they might.
Detection coverage on paper is not detection capability in production
A security program can claim coverage of every MITRE technique on paper and still miss every campaign that matters. The difference between coverage and capability is whether the rules actually fire — whether they fire at thresholds that the SOC can triage, whether they fire on the right telemetry, whether they survive contact with reality outside of test data, and whether they correlate against the same techniques that adversaries are actively using.
The platform’s coverage view is built from real observations, not from a checklist. When the matrix shows that C2 (TA0011) is at 98 percent observation density, that means the catalogue saw command-and-control activity in nearly every cycle this quarter. When it shows that Impact (TA0040) is at 40 percent, that means roughly half the cycles had observed impact-stage activity. Your detection investment should be weighted by that distribution, not spread uniformly across tactics that adversaries are not currently exercising.
Coverage shifts over time. Tracking those shifts is one of the platform’s primary outputs. A drift away from observed Lateral Movement and toward observed Defense Evasion tells you something operational — and it tells you to update your portfolio accordingly.
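The three outputs described in this section and in the ranked list further down (observation density per tactic, the drift in that density between quarters, and the per-cycle technique ranking) are simple to compute from a tagged catalogue. The following is an added example written for this page, not the platform’s own code. Tactic IDs TA0011 and TA0040 and technique IDs T1105, T1041, T1059 and T1071 come from the page; the other tactic and technique IDs are standard ATT&CK Enterprise IDs used only to populate the sample, and every indicator record is constructed.

```python
"""Coverage matrix from an ATT&CK-tagged indicator catalogue.

Added example, not the platform's code. Tactic IDs TA0011 (Command and
Control) and TA0040 (Impact) and technique IDs T1105, T1041, T1059 and T1071
come from the page; the remaining tactic and technique IDs are standard
ATT&CK Enterprise IDs used here to populate the sample. Every indicator
record below is constructed.
"""
from collections import Counter, defaultdict

TACTIC_NAMES = {
    "TA0002": "Execution",
    "TA0005": "Defense Evasion",
    "TA0008": "Lateral Movement",
    "TA0010": "Exfiltration",
    "TA0011": "Command and Control",
    "TA0040": "Impact",
}

# Constructed sample: (quarter, cycle, tactic, technique, indicator count).
# A cycle is one collection run; a quarter is made of several cycles.
_SAMPLE = [
    ("Q1", 1, "TA0011", "T1071", 2), ("Q1", 1, "TA0008", "T1021", 1), ("Q1", 1, "TA0005", "T1070", 1),
    ("Q1", 2, "TA0011", "T1105", 1), ("Q1", 2, "TA0008", "T1021", 1),
    ("Q1", 3, "TA0011", "T1071", 1), ("Q1", 3, "TA0008", "T1021", 1), ("Q1", 3, "TA0040", "T1486", 1),
    ("Q1", 4, "TA0011", "T1105", 1), ("Q1", 4, "TA0010", "T1041", 1),
    ("Q2", 1, "TA0011", "T1105", 3), ("Q2", 1, "TA0010", "T1041", 2), ("Q2", 1, "TA0002", "T1059", 1),
    ("Q2", 1, "TA0005", "T1070", 1),
    ("Q2", 2, "TA0011", "T1071", 1), ("Q2", 2, "TA0005", "T1070", 1), ("Q2", 2, "TA0040", "T1486", 1),
    ("Q2", 3, "TA0011", "T1105", 1), ("Q2", 3, "TA0010", "T1041", 1), ("Q2", 3, "TA0005", "T1070", 1),
    ("Q2", 4, "TA0011", "T1105", 3), ("Q2", 4, "TA0010", "T1041", 2), ("Q2", 4, "TA0002", "T1059", 1),
    ("Q2", 4, "TA0011", "T1071", 1), ("Q2", 4, "TA0008", "T1021", 1), ("Q2", 4, "TA0040", "T1486", 1),
]
CATALOGUE = [
    {"quarter": q, "cycle": c, "tactic": ta, "technique": te}
    for q, c, ta, te, n in _SAMPLE
    for _ in range(n)
]


def observation_density(catalogue, quarter):
    """Share of the quarter's cycles in which each tactic was seen at least once.

    A tactic seen in every cycle scores 1.0; the page's "98 percent" for
    TA0011 is this ratio expressed as a percentage.
    """
    cycles = {r["cycle"] for r in catalogue if r["quarter"] == quarter}
    seen = defaultdict(set)
    for r in catalogue:
        if r["quarter"] == quarter:
            seen[r["tactic"]].add(r["cycle"])
    return {tactic: len(c) / len(cycles) for tactic, c in seen.items()}


def technique_ranking(catalogue, quarter, cycle):
    """Techniques ranked by absolute indicator count within one cycle."""
    counts = Counter(
        r["technique"] for r in catalogue
        if r["quarter"] == quarter and r["cycle"] == cycle
    )
    return counts.most_common()


def tactic_drift(catalogue, previous, current):
    """Change in observation density per tactic between two quarters."""
    before = observation_density(catalogue, previous)
    after = observation_density(catalogue, current)
    return {t: after.get(t, 0.0) - before.get(t, 0.0) for t in set(before) | set(after)}


def investment_weights(density):
    """Normalise densities into a weighting for detection investment."""
    total = sum(density.values())
    return {t: d / total for t, d in density.items()}


if __name__ == "__main__":
    density = observation_density(CATALOGUE, "Q2")
    for tactic, d in sorted(density.items(), key=lambda kv: -kv[1]):
        print(f"{tactic} {TACTIC_NAMES[tactic]:<20} density={d:.0%}")
    drift = tactic_drift(CATALOGUE, "Q1", "Q2")
    print("drift Q1->Q2:", {t: f"{v:+.2f}" for t, v in sorted(drift.items())})
    print("top techniques, Q2 cycle 4:", technique_ranking(CATALOGUE, "Q2", 4)[:4])
```

In the constructed sample, Lateral Movement (TA0008) drops from 75 percent density in Q1 to 25 percent in Q2 while Defense Evasion (TA0005) rises by the same amount, which is the kind of drift the paragraph above says should move the detection portfolio.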
Where adversaries are spending effort right now
A heat-map of MITRE tactic columns. Darker cells indicate higher observation density in the current cycle.
Same pressure, different angle
A radar projection of the same tactic-pressure data. Useful for at-a-glance comparison between cycles.
What adversaries did most
Ranked by absolute observation count in the current cycle. The top four account for the majority of indicator volume.
Reading the top of the list as detection priorities: T1105 (Ingress Tool Transfer) and T1041 (Exfiltration over C2) dominate the chart, which is exactly what you would expect in an adversary environment dominated by cloud and network activity. Your network telemetry needs to detect anomalous outbound transfers as a first-class signal. Your C2 detection needs to handle encrypted channels. Your exfiltration scoring needs to account for legitimate cloud-egress volume without flagging every backup job as exfiltration.
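One way to score exfiltration volume without alerting on every backup job is to baseline each host against its own history after removing sanctioned bulk-egress destinations. The block below is an added example written for this page, not the platform’s code: it uses a median/MAD modified z-score (robust to an occasional large day in the baseline) and an allowlist of sanctioned destinations. The allowlist, host names, destinations and flow records are all constructed.

```python
"""Exfiltration scoring against a per-host egress baseline.

Added example, not the platform's code. Scores each host's daily outbound
volume against its own recent history with a median/MAD modified z-score,
after excluding destinations on an allowlist of sanctioned bulk-egress
services (the backup target, the corporate cloud storage), so a scheduled
backup job does not trip the detector. The allowlist, hosts, destinations
and flow records are all constructed.
"""
from collections import defaultdict
from statistics import median

MB = 1_000_000
# Constructed allowlist; in practice sourced from the CMDB or backup configuration.
SANCTIONED_EGRESS = {"backup.example.internal", "storage.example-cloud.invalid"}
ALERT_THRESHOLD = 3.5  # conventional cut-off for the modified z-score


def daily_egress(flows, sanctioned):
    """Outbound bytes per (host, day), ignoring sanctioned destinations."""
    totals = defaultdict(int)
    for f in flows:
        if f["dst"] in sanctioned:
            continue
        totals[(f["host"], f["day"])] += f["bytes"]
    return totals


def modified_zscore(history, value):
    """Median/MAD z-score; a single large day in the baseline barely moves it."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value <= med else float("inf")
    return 0.6745 * (value - med) / mad


def egress_score(flows, host, day, sanctioned=SANCTIONED_EGRESS, min_history=5):
    """Score `host` on `day` against its earlier days; refuses a thin baseline."""
    totals = daily_egress(flows, sanctioned)
    history = [v for (h, d), v in totals.items() if h == host and d < day]
    if len(history) < min_history:
        raise ValueError(f"only {len(history)} baseline days for {host}")
    return modified_zscore(history, totals.get((host, day), 0))


def alerts(flows, hosts, day, sanctioned=SANCTIONED_EGRESS):
    """Hosts whose score on `day` crosses the threshold."""
    return [h for h in hosts if egress_score(flows, h, day, sanctioned) > ALERT_THRESHOLD]


def _flow(host, day, dst, mb):
    return {"host": host, "day": day, "dst": dst, "bytes": mb * MB}


# Constructed netflow summaries: seven baseline days, then day 8 under test.
# ws-17 runs a 20 GB backup on day 8; ws-42 pushes 2 GB to an unknown host.
FLOWS = [_flow("ws-17", d, "api.example.invalid", mb)
         for d, mb in enumerate([48, 52, 50, 47, 53, 49, 51], start=1)]
FLOWS += [_flow("ws-17", 8, "api.example.invalid", 50),
          _flow("ws-17", 8, "backup.example.internal", 20000)]
FLOWS += [_flow("ws-42", d, "api.example.invalid", mb)
          for d, mb in enumerate([30, 31, 29, 30, 32, 28, 30], start=1)]
FLOWS += [_flow("ws-42", 8, "api.example.invalid", 30),
          _flow("ws-42", 8, "unknown-host.invalid", 2000)]

if __name__ == "__main__":
    for host in ("ws-17", "ws-42"):
        with_allow = egress_score(FLOWS, host, 8)
        without = egress_score(FLOWS, host, 8, sanctioned=set())
        print(f"{host}: score {with_allow:.1f} with allowlist, {without:.1f} without")
    print("alerts on day 8:", alerts(FLOWS, ["ws-17", "ws-42"], 8))
```

Running it shows the failure mode the paragraph warns about: without the allowlist both hosts alert on day 8, with it only ws-42 does, because its 2 GB went somewhere the host had never sent bulk data before.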
T1059 (Command and Scripting Interpreter) is third because adversaries continue to operate with the operating system’s own tools. PowerShell, bash, Python: defense in depth needs telemetry that catches behaviour, not just signatures of bad binaries. T1071 (Application Layer Protocol) is fourth because adversaries operate over HTTPS, DNS, and other commodity protocols to blend with legitimate traffic. Pattern-based detection is necessary; signature-based detection is insufficient.
Detection mapped to data
Ingress Tool Transfer: Hunt outbound HTTP/HTTPS to first-seen domains delivering executable payloads. Pivot via TLS fingerprint and JA3/JA4 overlap.
Exfiltration over C2: Detect low-and-slow byte streams over established C2 sessions. Combine isolation-forest scoring with LSTM seasonality.
Command & Scripting: Telemetry-side: process tree anomalies, interpreter spawn from non-interactive parents, base64 chain decoding.
App Layer Protocol C2: TLS anomaly detection (JA3/JA4/JARM clustering), DNS tunnel hunting, beacon FFT analysis on netflow.
Phishing: Lure-document hash correlation, sender-domain age, link-redirect chain analysis, brand-impersonation fingerprinting.
Public-Facing Exploit: Edge-device exploitation signal: CVE-to-IOC linking, scanner triangulation, post-exploit beacon emergence.
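Two of the Command & Scripting checks above (an interpreter spawned from a non-interactive parent, and base64 chain decoding) are concrete enough to show over process-creation telemetry. The block below is an added example written for this page, not the platform’s detection content. It assumes Sysmon- or EDR-style process events with image, parent image and command line; the interpreter and non-interactive-parent name sets are illustrative assumptions, and every event is constructed. PowerShell’s -EncodedCommand carries UTF-16LE text in base64, and a script that itself calls FromBase64String yields a second layer, so the decoder unwraps layer by layer until nothing decodes to printable text.

```python
"""T1059 detection checks over endpoint process telemetry.

Added example, not the platform's code. Implements two of the checks the page
lists under Command & Scripting: an interpreter spawned by a non-interactive
parent, and decoding of base64 chains (PowerShell -EncodedCommand is UTF-16LE
base64, and nested FromBase64String blobs are unwrapped layer by layer).
The name sets and every event below are constructed.
"""
import base64
import binascii
import re
from typing import Optional

# Constructed name sets; tune to the estate's actual process inventory.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "bash", "sh", "python", "python3"}
NON_INTERACTIVE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                           "w3wp.exe", "httpd", "nginx", "sqlservr.exe"}

# Runs of base64 alphabet long enough to be worth trying to decode.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_layer(blob: str) -> Optional[str]:
    """Decode one base64 blob to printable text, or None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # ASCII text encoded as UTF-16LE has a zero byte in every odd position.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text.isprintable() else None


def unwrap_base64_chain(command_line: str, max_depth: int = 5) -> list:
    """Return each successive decoded layer found in a command line."""
    layers, current = [], command_line
    for _ in range(max_depth):
        decoded = next(
            (d for blob in B64_RUN.findall(current) if (d := decode_layer(blob)) is not None),
            None,
        )
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyse_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None."""
    image, parent = _basename(event["image"]), _basename(event["parent_image"])
    if image not in INTERPRETERS:
        return None
    reasons = []
    if parent in NON_INTERACTIVE_PARENTS:
        reasons.append(f"interpreter spawned by non-interactive parent {parent}")
    layers = unwrap_base64_chain(event["cmdline"])
    if layers:
        reasons.append(f"{len(layers)}-layer base64 chain in command line")
    if not reasons:
        return None
    return {"pid": event["pid"], "image": image, "parent": parent,
            "reasons": reasons, "decoded_layers": layers}


def run_detection(events) -> list:
    return [f for f in (analyse_event(e) for e in events) if f is not None]


def _encoded_command(script: str) -> str:
    """PowerShell -EncodedCommand takes UTF-16LE text, base64 encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed two-layer sample: the outer script decodes and runs the inner one.
_INNER = "Write-Output 'inner layer'"
_OUTER = ("$p=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
          + _encoded_command(_INNER) + "')); Invoke-Expression $p")

SAMPLE_EVENTS = [
    {"pid": 4012, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encoded_command(_OUTER)},
    {"pid": 4020, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"pid": 4044, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding["pid"], finding["image"], "<-", finding["parent"], finding["reasons"])
        for i, layer in enumerate(finding["decoded_layers"], start=1):
            print(f"  layer {i}: {layer[:60]}")
```

The interactive cmd.exe from explorer.exe produces no finding; the Word-spawned PowerShell is flagged on both checks and its two decoded layers are attached to the finding so the analyst sees the final script rather than a base64 blob.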