

Quantifying the ATT&CK Coverage Gap in Production SIEMs

NOTE: This is the 2nd annual report, from 2022; the 3rd annual report, from 2023, can be found here.

In our second annual report, CardinalOps analyzed aggregated and anonymized data from production SIEM instances to understand SOC preparedness to detect the latest adversary techniques in MITRE ATT&CK. This is important because detecting malicious activity early in the intrusion lifecycle is a key factor in preventing material impact to the organization.

The analysis shows that actual detection coverage remains far below what most organizations expect, and that many organizations are unaware of the gap between their assumed theoretical security and the defenses they actually have in place.

The data set for this analysis spanned diverse SIEM solutions – including Splunk, Microsoft Sentinel, and IBM QRadar – encompassing more than 14,000 log sources, thousands of detection rules, and hundreds of log source types.


Download the report to benchmark your detection coverage in key areas including:

  • Coverage for the top 14 ATT&CK techniques used by adversaries in the wild.
  • Coverage as a % of all 190+ techniques in the ATT&CK knowledge base.
  • Detection quality as measured by the % of rules that are non-functional and will never fire due to common issues such as misconfigured data sources and missing fields.
  • The top 3 log sources that are ingested by the SIEM but not associated with any detection rules (the answer will surprise you).
  • % of generic, out-of-the-box content from SIEM vendors that gets disabled due to noisiness and customization challenges.

The report also includes a series of best practice recommendations for improving the robustness of your detection coverage.
