MITRE ATT&CK Coverage Mapping: Finding and Filling Your Detection Gaps

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
ATT&CK coverage mapping answers a question that every CISO eventually asks: if a threat actor targets us today, which of their techniques would we detect? The honest answer for most organizations is: fewer than you think.
The ATT&CK framework documents over 600 techniques and sub-techniques used by real threat actors in real intrusions. No detection program covers all of them, and none should try. The goal is not complete coverage. It is prioritized coverage: detecting the techniques most likely to be used against your specific organization by the threat actors most likely to target your industry.
This guide builds the full gap analysis workflow in four phases. Phase one maps your existing SIEM rules to ATT&CK techniques. Phase two uses MITRE CTI threat group profiles to identify the technique subset that matters most for your threat model. Phase three scores your coverage gaps. Phase four tracks improvement over time. All tools referenced are free.
ATT&CK Navigator JSON Layer Format
The ATT&CK Navigator visualizes coverage as a heat map over the ATT&CK matrix. It reads JSON layer files that specify which techniques are covered and at what confidence level. Understanding the layer format is necessary whether you are building layers manually or generating them programmatically.
A minimal layer file: { "name": "My Detection Coverage", "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" }, "domain": "enterprise-attack", "techniques": [ { "techniqueID": "T1078", "score": 1, "comment": "Rule: Valid Accounts - Admin Login from New Country" }, { "techniqueID": "T1059.001", "score": 1, "comment": "Rule: PowerShell Encoded Command Execution" } ], "gradient": { "colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1 } }.
The score field is numeric. Use 0 for no detection, 1 for partial detection (detects some variants), and 2 for strong detection (detects most known variants with low false positive rate). The gradient maps scores to colors in the Navigator UI. Use the comment field to record which specific SIEM rule covers the technique. This makes the layer file a queryable index of your detection logic.
Exporting SIEM Rules to Map: Sentinel API and Splunk
Before you can map rules to techniques, you need a machine-readable list of your rules. Do not do this manually for large rule sets.
For Sentinel, use the Analytics Rules REST API to export all scheduled rules: GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules?api-version=2023-11-01. Authenticate with az login and retrieve a bearer token. The response includes each rule's displayName, query, tactics, and techniques fields. Sentinel rules that were created from the Content Hub or from Sigma templates often already have techniques populated in the ATT&CK format (T1078, T1059.001). Extract these directly.
For Splunk, query the saved searches endpoint: GET https://splunk:8089/servicesNS/nobody/search/saved/searches?search=alert.severity. Parse the results XML for the title and action.correlationsearch.annotations fields. The annotations field, when present, contains ATT&CK technique IDs in the format { "mitre_attack": ["T1078", "T1059"] }.
Write a Python script that calls both APIs, extracts rule names and technique tags, and outputs a CSV: rule-name, siem-platform, technique-ids, last-modified. This CSV is the input to your gap analysis.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Manual Mapping for Rules Without Sigma Tags
Many custom rules in production SIEM environments were written before detection-as-code was standard practice and have no technique tags. These require manual mapping.
For each untagged rule, read the rule logic and answer three questions: (1) What attacker behavior does this detect? (2) At what point in the kill chain does this behavior occur? (3) Which ATT&CK technique definition most closely matches?
The ATT&CK website provides detailed descriptions, examples, and real-world procedure examples for every technique. Search by keyword using the MITRE ATT&CK STIX data or the website search. For a rule detecting PowerShell with Base64-encoded arguments, the match is T1059.001 (Command and Scripting Interpreter: PowerShell). For a rule detecting new local admin account creation, the match is T1136.001 (Create Account: Local Account).
Use Uncoder.IO to assist with mapping if the rule is in Sigma or a supported SIEM format. Uncoder can suggest ATT&CK technique mappings based on the rule logic. Treat these as suggestions and verify them against the ATT&CK technique definitions manually.
Document your mapping decisions in a spreadsheet alongside the CSV from the API export. Note whether the mapping is high confidence (the rule specifically detects the technique) or low confidence (the rule may partially detect the technique but misses important variants). Low-confidence mappings should be flagged for improvement.
Using Threat Group Profiles to Prioritize Coverage
With your technique inventory mapped, the next step is determining which gaps matter most. The answer comes from your threat model: which threat groups are most likely to target your organization?
Use the MITRE CTI GitHub repository (github.com/mitre/cti) to programmatically query threat group technique usage. The repository contains STIX 2.0 JSON files for all ATT&CK groups and software. To get all techniques used by APT29: download enterprise-attack.json, parse all relationship objects where relationship_type == "uses" and source_ref matches APT29's group ID (intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542), then resolve the target_ref to the technique objects.
For ransomware-focused threat models, prioritize FIN7 (financial sector), Lazarus Group (cryptocurrency, SWIFT), and the ransomware groups relevant to your vertical. For nation-state-focused threat models, prioritize APT29 (government, defense, critical infrastructure), APT41 (healthcare, technology, financial), and Salt Typhoon (telecommunications).
Build a priority technique list: the union of all techniques used by your top three threat groups. Techniques used by multiple groups in your list are highest priority. Then cross-reference against your coverage map. Gaps in high-priority techniques represent the most consequential coverage deficiencies in your current detection program.
Coverage Gap Scoring and Quarterly Tracking
Assign a gap score to each uncovered technique in your priority list. The score combines two factors: threat group frequency (how many of your priority groups use this technique) and data source availability (do you have the log data needed to detect this technique if you wrote the rule?).
For data source availability, use the ATT&CK technique definition's Data Sources field. Each technique lists which data sources can be used to detect it: process creation logs, network traffic, Windows event logs, command history. Cross-reference against your SIEM ingestion inventory. A technique that requires process creation logs and you ingest Sysmon is actionable. A technique that requires memory forensics and you have no EDR is not actionable without a data source investment first.
Gap score = (threat group count / max threat group count) x 0.6 + (data source available ? 1 : 0) x 0.4. Score ranges from 0 to 1. Rank uncovered techniques by gap score and address the top 10 in each quarter.
Track progress quarterly by regenerating your coverage layer file and comparing it to the previous quarter's baseline. The Navigator supports layer comparison natively: load two layers and use the "Layer from other operations" feature to generate a delta layer showing newly covered techniques in green and newly uncovered techniques in red. Export this delta layer as a PNG for your quarterly detection engineering review.
Set a coverage target: not a percentage of all 600-plus techniques, but a percentage of your priority technique list. A team that covers 80% of the techniques used by their top three threat groups has a more meaningful posture than a team with 40% coverage of the full ATT&CK matrix populated with low-signal detection rules.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Coverage mapping is only useful if it drives rule development decisions. Every quarter, produce a ranked list of the top 10 uncovered priority techniques with assigned owners and target completion dates. A coverage map that is reviewed and acted on quarterly will produce a meaningfully different detection posture within 12 months.
Frequently asked questions
How do I handle techniques where I have a detection but it only covers one sub-technique out of five?
Score it as partial (score: 1 in the Navigator layer file) with a comment noting which sub-techniques are covered. Add the uncovered sub-techniques to your gap list with a lower priority than fully uncovered techniques, since you have some detection capability. Track sub-technique coverage separately from parent technique coverage in your metrics.
Which ATT&CK version should I use as my baseline?
Use the current version (v16 as of May 2026) for all new mapping work. Do not update existing layer files to a new version mid-quarter, as technique IDs occasionally change between versions and will invalidate your mapping. Perform ATT&CK version upgrades at the start of a new quarter with a documented migration step.
How do I map a detection rule that covers behavior that spans multiple ATT&CK techniques?
Map it to all applicable techniques. A single rule can appear in multiple technique entries in your layer file. This is common for rules that detect attack chains: a PowerShell script that establishes persistence and exfiltrates data in one step legitimately maps to both T1059.001 and T1041. Multi-technique coverage from a single rule is a sign of high-quality detection logic.
Is ATT&CK coverage percentage a meaningful board-level metric?
Not on its own. Raw percentage coverage of the full ATT&CK matrix is easily gamed by adding low-quality rules. A more meaningful board-level metric is coverage percentage of your named threat group priority list, combined with MTTR for incidents involving those techniques. This ties detection coverage to actual threat response outcomes rather than rule counts.
How do I get started if my SIEM rules have no existing ATT&CK tags and I have more than 500 rules?
Do not try to map all 500 rules at once. Start with the rules currently firing most frequently in production, as these are the detections generating actual analyst work. Map the top 50 by alert volume manually over two weeks. Then use that sample to identify patterns in your rule naming conventions or query logic that can automate tagging for similar rules in bulk.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
