MITRE ATT&CK Coverage Map
Complete visibility across 503 techniques and 14 enterprise tactics. Every technique mapped to detection rules in Splunk SPL, Microsoft KQL, and Sigma. Drill from tactic to technique to threat to detection in one view.
What Is MITRE ATT&CK
MITRE ATT&CK is the industry-standard knowledge base of adversary tactics and techniques, built from direct observation of real-world cyberattacks. Maintained by The MITRE Corporation and freely accessible to every security team, it catalogs how threat actors actually operate — from initial reconnaissance and resource development through lateral movement, data exfiltration, and destructive impact. The framework organizes adversary behavior into 14 enterprise tactics (the "why" behind an action) and hundreds of techniques and sub-techniques (the "how"), giving defenders a shared language for describing threats that works across vendors, tools, and organizational boundaries.
For security operations centers, detection engineers, and threat intelligence analysts, ATT&CK is the backbone of coverage analysis. It answers the questions that matter: which adversary behaviors can we detect today, which ones can we not, and where should we invest next? Without a structured mapping between your detection rules and ATT&CK techniques, you are operating blind to the gaps in your defenses. Threadlinqs closes that gap by maintaining a continuously updated mapping of 3,553 detection rules across 503 techniques, giving your team a single source of truth for coverage posture.
Interactive Coverage Matrix
The Threadlinqs coverage map is built around a split-panel drill-down that lets you navigate the full ATT&CK hierarchy without losing context. The left panel displays the tactic-level heatmap — 14 columns representing each enterprise tactic, with color intensity reflecting the density of mapped techniques and detections. Selecting a tactic expands its technique list in the right panel, sorted by detection count so your strongest and weakest coverage areas surface immediately.
Clicking a technique reveals every threat in the Threadlinqs database that uses it, complete with severity ratings, associated threat actors, and timeline data. Selecting a threat then shows its full set of detection rules — each one copy-ready in Splunk SPL, Microsoft KQL, or Sigma — so you can go from "which tactic am I weakest on" to "deploy this rule in my SIEM" in four clicks. No tab-switching, no separate tools, no manual cross-referencing.
Coverage Heatmap
The heatmap uses five intensity levels to represent detection density per tactic. Tactics with sparse coverage appear in muted tones, while tactics with dense multi-rule coverage display in deep lavender. This visual encoding makes it possible to assess your organization's overall ATT&CK posture at a glance — before drilling into the specifics.
14 Tactics, 503 Techniques
Threadlinqs maps detection rules to every enterprise tactic in the MITRE ATT&CK framework. Each tactic below shows the number of unique techniques tracked and the total detection rules mapped to that tactic.
Technique counts include sub-techniques. Defense Evasion carries the highest density at 74 techniques, reflecting the breadth of evasion methods observed in the wild.
Coverage Gap Analysis
Knowing what you cover is only half the picture. Threadlinqs automatically identifies techniques where your detection posture is thinnest relative to real-world threat activity. The gap analysis engine cross-references three data sources to surface blind spots: the set of techniques used by threats in your watch list, the detection rules currently mapped to each technique, and the frequency with which each technique appears in active campaigns.
- Techniques with zero detection rules mapped to them, flagged with the threat IDs that reference them. These represent complete blind spots — adversary behaviors your SIEM cannot see at all.
- Techniques with detection rules but disproportionately low coverage relative to how frequently they appear in tracked threats. A technique referenced by 12 threats but covered by a single Sigma rule has a coverage imbalance that the platform surfaces automatically.
- Techniques with multi-format detection rules (SPL, KQL, and Sigma) proportional to their threat frequency. These are your strongest posture areas and serve as the benchmark for coverage quality across the rest of the matrix.
Detection Debt Scoring
Detection debt quantifies the gap between what adversaries are doing and what your detection rules can see. Threadlinqs assigns a debt score to every MITRE ATT&CK technique by weighing three factors: how many tracked threats use the technique, the maximum severity of those threats, and how many detection rules currently exist for it. High-frequency, high-severity techniques with few or no detections accumulate the largest debt.
How the Score Works
The debt score is calculated as (threat_count x severity_weight) / (detection_count + 1). A technique referenced by 8 critical-severity threats with only 1 detection rule scores far higher than a technique referenced by 2 low-severity threats with 5 detection rules. The +1 in the denominator prevents division by zero for uncovered techniques while still producing a high score when detections are absent entirely.
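The following Python script is an added illustration of the scoring rule above and of the three gap categories from the Coverage Gap Analysis section; it is not Threadlinqs code. The page does not state the numeric severity scale or the threshold at which coverage counts as "disproportionately low", so the severity weights, the threats-per-rule threshold, and the sample threats and rules are all assumptions constructed for this example.

```python
"""Detection-debt scoring and coverage-gap triage over a constructed sample.

Implements the page's formula
    debt = (threat_count x severity_weight) / (detection_count + 1)
where severity_weight comes from the maximum severity among the threats that
use the technique. Weights, threshold and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed numeric scale for threat severity (the page gives no scale).
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed: a covered technique is "low coverage" when it is referenced by more
# than this many threats per mapped detection rule.
THREATS_PER_RULE_THRESHOLD = 2

ALL_FORMATS = {"spl", "kql", "sigma"}


@dataclass
class Threat:
    threat_id: str
    severity: str
    techniques: list


@dataclass
class DetectionRule:
    rule_id: str
    technique: str
    fmt: str  # "spl", "kql" or "sigma"


# Constructed sample data; technique IDs are ATT&CK IDs used only as labels.
THREATS = [
    Threat("THR-001", "critical", ["T1059.001", "T1003.001"]),
    Threat("THR-002", "critical", ["T1059.001"]),
    Threat("THR-003", "high", ["T1059.001", "T1021.002"]),
    Threat("THR-004", "medium", ["T1003.001", "T1566.001"]),
    Threat("THR-005", "low", ["T1003.001", "T1566.001"]),
    Threat("THR-006", "critical", ["T1021.002"]),
]
RULES = [
    DetectionRule("R-01", "T1059.001", "spl"),
    DetectionRule("R-02", "T1059.001", "kql"),
    DetectionRule("R-03", "T1059.001", "sigma"),
    DetectionRule("R-04", "T1003.001", "sigma"),
    DetectionRule("R-05", "T1566.001", "spl"),
    DetectionRule("R-06", "T1566.001", "kql"),
]


def debt_score(threat_count, max_severity, detection_count):
    """(threat_count x severity_weight) / (detection_count + 1); 0 when unused."""
    if threat_count == 0:
        return 0.0
    return threat_count * SEVERITY_WEIGHT[max_severity] / (detection_count + 1)


def score_techniques(threats, rules):
    """Return {technique: {threats, max_severity, formats, debt, gap}}."""
    threats_by_tech = defaultdict(list)
    for t in threats:
        for tech in t.techniques:
            threats_by_tech[tech].append(t)
    rules_by_tech = defaultdict(list)
    for r in rules:
        rules_by_tech[r.technique].append(r)

    scored = {}
    for tech in set(threats_by_tech) | set(rules_by_tech):
        refs = threats_by_tech.get(tech, [])
        tech_rules = rules_by_tech.get(tech, [])
        max_sev = max((t.severity for t in refs), key=SEVERITY_ORDER.index, default=None)
        formats = {r.fmt for r in tech_rules}
        if refs and not tech_rules:
            gap = "zero_coverage"      # complete blind spot
        elif refs and len(refs) > THREATS_PER_RULE_THRESHOLD * len(tech_rules):
            gap = "low_coverage"       # covered, but thin relative to threat frequency
        elif formats >= ALL_FORMATS:
            gap = "strong_coverage"    # SPL, KQL and Sigma all present
        else:
            gap = "partial_coverage"
        scored[tech] = {
            "threats": [t.threat_id for t in refs],
            "max_severity": max_sev,
            "formats": sorted(formats),
            "debt": debt_score(len(refs), max_sev, len(tech_rules)),
            "gap": gap,
        }
    return scored


def prioritized_backlog(scored):
    """Technique IDs sorted by descending debt: write the rule for the first one first."""
    return sorted(scored, key=lambda tech: scored[tech]["debt"], reverse=True)


if __name__ == "__main__":
    scored = score_techniques(THREATS, RULES)
    for tech in prioritized_backlog(scored):
        info = scored[tech]
        print(f"{tech}  debt={info['debt']:.2f}  {info['gap']}  "
              f"threats={info['threats']}  formats={info['formats']}")
```

With the assumed weights, the page's own comparison holds: 8 critical threats against 1 rule scores 16.0, while 2 low-severity threats against 5 rules score about 0.33. In the sample, the uncovered T1021.002 tops the backlog even though fewer threats reference it than T1059.001, because the denominator collapses to 1 when no detections exist.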
Debt scores are surfaced in two places: the coverage map itself (sorted by descending score so the most urgent gaps appear first) and the Advanced Correlations engine, where the Detection Debt view provides a split-panel comparison of your highest-debt versus lowest-debt techniques. This gives detection engineers a prioritized backlog — write the rule that closes the largest gap first.
Connected Across the Platform
The MITRE ATT&CK Coverage Map is not an isolated view. It connects to every other capability in Threadlinqs, creating a feedback loop between intelligence, detection, attribution, and simulation.
- Detection Engineering — Every technique links directly to its detection rules in Splunk SPL, Microsoft KQL, and Sigma. Copy a rule from the coverage map and deploy it in your SIEM without switching tools.
- Threat Intelligence — Technique cards display the full list of threats that use them, with severity, category, and actor attribution. You see not just what a technique does but who is using it and how often.
- Actor Attribution — The coverage map highlights which techniques are favored by specific threat actors and nation-state groups, letting you prioritize detection rules based on your organization's threat model.
- Attack Simulations — Simulations reference MITRE techniques, so you can validate that your detection rules actually fire against the behaviors they claim to cover. Close the loop from coverage to confidence.
- Advanced Correlations — The MITRE Heatmap and Detection Debt engines in the correlations module feed directly from the coverage map data, providing aggregate analytics across your entire technique surface.
- Daily Debriefs — Each daily debrief includes a MITRE coverage badge showing which new techniques were introduced by the day's threats, keeping your team aware of shifting coverage as new intelligence arrives.