Implement a threat-informed defense and continuously assess your ATT&CK coverage

Most organizations are still using spreadsheets or other manual tools to understand their ATT&CK coverage. It’s true that many SIEMs provide out-of-the-box detections with ATT&CK tags, but these rules are typically not deployed because they’re too generic or noisy.

So if you’re looking for a comprehensive view of your ATT&CK coverage, you need to map the custom detections your team has developed over time based on their detailed understanding of your network and organization.

That’s where the CardinalOps Detection Posture Management platform comes in. Our platform connects via the native API of your existing SIEM/XDR and ingests all your rules, as well as metadata about your log sources. (Your sensitive log data never leaves the SIEM/XDR.).

It then uses specialized, ML-based analytics and feature extraction to map your detections to the most appropriate ATT&CK technique and sub-technique, producing a heatmap and coverage score that’s continuously updated whenever you add detections or the ATT&CK framework gets updated.

The heatmap and metrics can easily be filtered based on selected variables including APT groups, ATT&CK matrices, security layers (endpoint, network, IAM, cloud, etc.), and whether you want to examine covered or uncovered techniques.