Published: March 2026 | Last reviewed: March 22, 2026
// mitre_coverage
See Every Gap in Your Detection Coverage
The MITRE ATT&CK Coverage Map visualizes 465 techniques across 14 tactics, showing exactly where your detection rules exist, where gaps remain, and how to prioritize your security engineering efforts based on real threat data.
Coverage by Tactic
Technique coverage is tracked across all 14 MITRE ATT&CK tactics. The numbers below reflect techniques with at least one active detection rule on the platform.
- Initial Access -- 42 techniques
- Defense Evasion -- 52 techniques
- Credential Access -- 28 techniques
- Lateral Movement -- 22 techniques
How the Coverage Map Works
The Threadlinqs MITRE coverage map is not a static checklist. It is a live view computed from the actual threat reports, detection rules, and actor profiles on the platform.
- Color-coded heatmap -- Techniques are colored by detection depth: number of rules, number of threats referencing the technique, and confidence level of detections.
- Technique drill-down -- Click any technique to see every threat that uses it, every detection rule that covers it, and every actor associated with it.
- Gap identification -- Uncovered techniques are clearly marked, sorted by risk priority based on how frequently active threat actors use them.
- Sub-technique resolution -- Coverage tracks at the sub-technique level (e.g., T1059.001 PowerShell vs T1059.003 Windows Command Shell), not just parent techniques.
Detection Debt Analysis
Detection debt measures the gap between techniques that active threats use and techniques your detections cover. Threadlinqs computes a debt score for each uncovered technique based on three factors.
Threat Frequency
How many active threats on the platform use this technique. Higher frequency means more exposure if left undetected.
Severity Weight
Techniques used by critical and high-severity threats are weighted more heavily in the debt calculation.
Actor Prevalence
Techniques used by multiple distinct threat actors represent a broader risk surface and rank higher in debt priority.
Coverage Ratio
The ratio of detection rules to threats using a technique. A technique with 10 threats but only 1 rule has high debt.
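A minimal sketch of how these factors could combine into a ranked list, added here as an illustration and not Threadlinqs code. The page does not publish its formula, so the severity weights, the debt formula, the function name debt_report, and the sample threats and rules are all assumptions; this sketch scores every technique seen in the threat data, so uncovered ones rise to the top.

```python
from collections import defaultdict

# Assumed weights: the page says critical/high count more but gives no numbers.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample data (not platform data).
THREATS = [
    {"id": "EX-1", "severity": "critical", "actors": ["ActorA"],
     "techniques": ["T1059.001", "T1021.001"]},
    {"id": "EX-2", "severity": "high", "actors": ["ActorB"],
     "techniques": ["T1059.001"]},
    {"id": "EX-3", "severity": "high", "actors": ["ActorA", "ActorC"],
     "techniques": ["T1059.003", "T1021.001"]},
    {"id": "EX-4", "severity": "low", "actors": ["ActorC"],
     "techniques": ["T1566.001"]},
]
RULES = [
    {"name": "ps_encoded_command", "technique": "T1059.001"},
    {"name": "ps_download_cradle", "technique": "T1059.001"},
    {"name": "phish_attachment", "technique": "T1566.001"},
]

def debt_report(threats, rules):
    """Return one row per (sub-)technique, highest debt first."""
    freq = defaultdict(int)       # threat frequency
    exposure = defaultdict(int)   # severity-weighted threat frequency
    actors = defaultdict(set)     # distinct actors per technique
    for threat in threats:
        for tech in set(threat["techniques"]):
            freq[tech] += 1
            exposure[tech] += SEVERITY_WEIGHT[threat["severity"]]
            actors[tech].update(threat["actors"])
    rule_count = defaultdict(int)
    for rule in rules:
        # Exact ID match: T1059.001 and T1059.003 are tracked separately.
        rule_count[rule["technique"]] += 1
    rows = []
    for tech in freq:
        n_rules = rule_count[tech]
        rows.append({
            "technique": tech, "threats": freq[tech],
            "actors": len(actors[tech]), "rules": n_rules,
            "coverage_ratio": n_rules / freq[tech],
            # Assumed formula: exposure times actor breadth, damped by rules.
            "debt": exposure[tech] * len(actors[tech]) / (1 + n_rules),
        })
    return sorted(rows, key=lambda r: (-r["debt"], r["technique"]))

if __name__ == "__main__":
    for row in debt_report(THREATS, RULES):
        print(row)
```

In this constructed data the two techniques with no rules (T1021.001 and T1059.003) outrank T1059.001, which has more threats but also two rules.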
Sample Technique View
Below is what the technique drill-down looks like for a high-activity technique.
Technique: T1059.001 -- PowerShell
Tactic: Execution
Threats: 47 linked reports
Detections: 23 rules (8 SPL, 9 KQL, 6 Sigma)
Actors: Volt Typhoon, FIN7, APT29, Lazarus Group,
Black Basta, Turla, MuddyWater, +14 more
Severity: Critical (used in 19% of all tracked threats)
Detection Coverage:
SPL: 8 rules ||||||||____________ (67%)
KQL: 9 rules |||||||||___________ (75%)
Sigma: 6 rules ||||||______________ (50%)
Top Linked Threats:
TL-2026-0042 Volt Typhoon LOTL Campaign [CRITICAL]
TL-2026-0087 FIN7 PowerShell Loader [HIGH]
TL-2026-0103 APT29 Midnight Blizzard Update [HIGH]
TL-2026-0156 Lazarus Operation DreamJob v3 [CRITICAL]
Integration with Other Features
The MITRE coverage map connects directly to every other feature on the platform.
- Detection Engineering -- Click a technique to see all detection rules covering it, then export to your SIEM.
- Attack Simulations -- Run simulations for techniques with low detection coverage to validate that your gaps are real.
- Actor Attribution -- See which threat actors rely on techniques where your coverage is weakest.
- MCP Server -- Query MITRE coverage programmatically through the MCP server from AI coding agents.
// author
Threadlinqs Intel Team
Security Engineer at Threadlinqs Intelligence. Researching active threats, building detection rules, and mapping adversary tradecraft across SPL, KQL, and Sigma.
medium.com/@hatim.bakkali10